OpenSSL RSA exponent 3 security bypass (OpensslRsaSecurityBypass)

Vuln ID: 28755
Risk Level: Medium
Platforms: Sun Solaris: x86, Oracle WebLogic Server, HP HP-UX: 11.11, Sun JRE: 1.3.1, Cisco IDS, OpenPKG OpenPKG: CURRENT, Sun ONE Web Server: 6.0, Gentoo Linux, SuSE Linux Enterprise Server: 8, Novell UnitedLinux: 1.0, NetBSD NetBSD: CURRENT, SuSE SuSE Linux OpenExchange Server: 4, Turbolinux Turbolinux: 8 Server, Turbolinux Turbolinux: 7 Server, OpenSSL OpenSSL: 0.9.7a, OpenSSL OpenSSL: 0.9.7, RedHat Enterprise Linux: 2.1 AS, RedHat Enterprise Linux: 2.1 ES, RedHat Enterprise Linux: 2.1 WS, HP HP-UX: 11.23, Cisco Application and Content Networking Software, Cisco CiscoWorks Common Management Foundation, Cisco SIP Proxy Server, SUSE SuSE Linux: 9.0, RedHat Enterprise Linux: 3 WS, RedHat Enterprise Linux: 3 ES, RedHat Enterprise Linux: 3 AS, Turbolinux Turbolinux: 10 Desktop, SuSE SuSE Linux School Server, SuSE SuSE Linux Standard Server: 8, Sun Solaris: 8 SPARC, Sun Solaris: 9 x86, OpenSSL OpenSSL: 0.9.7b, OpenSSL OpenSSL: 0.9.7c, Cisco Access Registrar, NetBSD NetBSD: 2.0, RedHat Enterprise Linux: 3 Desktop, Sun JSSE: 1.0.3, Sun JSSE: 1.0.3_01, Sun JSSE: 1.0.3_02, SuSE SuSE SLES: 9, SUSE SuSE Linux: 9.2, RedHat Enterprise Linux: AS, Sun JRE: 1.4.2, Sun JRE: 1.5.0, Turbolinux Turbolinux: 10 Server, Sun SDK: 1.4.2, MandrakeSoft Mandrake Linux Corporate Server: 3.0, RedHat Enterprise Linux: 4 AS, RedHat Enterprise Linux: 4 Desktop, Sun Java System Application Server: 7.0 2004Q2 Standard, Novell Linux Desktop: 9, RedHat Enterprise Linux: 4 ES, RedHat Enterprise Linux: 4 WS, Apple Mac OS X: 10.3.9, Apple Mac OS X Server: 10.3.9, Canonical Ubuntu: 5.04, Debian Debian Linux: 3.1, Novell Open Enterprise: Server, MandrakeSoft Mandrake Multi Network Firewall: 2.0, Sun Solaris: 10 SPARC, Sun Solaris: 10 x86, OpenSSL OpenSSL: 0.9.8a, Canonical Ubuntu: 5.10, SUSE SuSE Linux: 10.0, RedHat Linux Advanced Workstation: 2.1 Itanium, MandrakeSoft Mandrake Linux: 2006, Sun JRE: 1.5.0 Update3, Cisco GSS 4480 Global Site Selector, Cisco GSS 4490 Global Site Selector, Cisco GSS 4491 
Global Site Selector, Sun Java System Application Server: 7.0 2004Q2 Enterprise, Cisco Secure Access Control Server, NetBSD NetBSD: 2.1, NetBSD NetBSD: 2.0.3, OpenPKG OpenPKG: 2.5, NetBSD NetBSD: 3.0, RedHat RHEL Extras: 3, RedHat RHEL Extras: 4, NetBSD NetBSD: 2.0.1, NetBSD NetBSD: 2.0.2, Canonical Ubuntu: 6.06 LTS, OpenPKG OpenPKG: 2-STABLE, Sun Java System Web Server: 6.1, Cisco CallManager Express, SUSE SuSE Linux: 10.1, Novell SLE SDK: 10, SuSE SuSE SLES: 10, RedHat Enterprise Linux: ES, RedHat Enterprise Linux: WS, MandrakeSoft Mandrake Linux: 2006 X86_64, Ingate Ingate Firewall: Current version, Ingate Ingate SIParator: Current version, Mozilla Firefox: 1.5.0.7, Mozilla Thunderbird: 1.5.0.7, Mozilla SeaMonkey: 1.0.5, Mozilla Network Security Services: 3.11.3, Sun Secure Global Desktop: 4.2 Enterprise, Opera Opera Browser: prior to 9.02, MandrakeSoft Mandrake Linux: 2007, MandrakeSoft Mandrake Linux: 2007 X86_64, MandrakeSoft Mandrake Linux Corporate Server: 4.0, MandrakeSoft Mandrake Linux Corporate Server: 4.0 X86_64, MandrakeSoft Mandrake Linux Corporate Server: 3.0 X86_64, Sun Java System Web Proxy Server: 3.6, Sun Java System Application Server: 8.1 2005Q1, Cisco GSS 4492 Global Site Selector, Cisco MDS 9500, Cisco ONS 15454, Cisco Unified Presence Server, Cisco Content Services Switch 11500: 7.50, Cisco Content Services Switch 11500: 8.10, Cisco Wireless LAN Controller: 4.0, Cisco Application Control Engine Module: 1.1, Cisco Wide Area File Services Software, Cisco Wide Area Application Services, Cisco CiscoWorks Common Services, SuSE SuSE Linux Retail Solution: 8, SuSE SuSE SLED: 10, Apple Mac OS X Server: 10.4.8, Apple Mac OS X: 10.4.8, NetBSD NetBSD: 4.0 beta, NetBSD NetBSD: 3.0.1, Cisco CS-MARS: 4.2.2, Hitachi uCosminexus Application Server Solaris: 07-00, Hitachi uCosminexus Application Server AIX: 07-00, Hitachi uCosminexus Application Server AIX: 06-70 -06-70-/B, Hitachi uCosminexus Service Platform Linux: 07-00, Novell Linux POS: 9, Cisco 
Security Agent: 5.1, Turbolinux Turbolinux: FUJI, Turbolinux Turbolinux: Personal, Turbolinux Turbolinux: Home, Turbolinux Turbolinux: Multimedia, Turbolinux Turbolinux: 10 F..., Turbolinux Turbolinux Appliance Server: 2.0, Turbolinux Turbolinux: 10 Server x64 Ed, Turbolinux Turbolinux Appliance Server: 1.0 Hosting Ed, Turbolinux Turbolinux Appliance Server: 1.0 Workgroup Ed, OpenPKG OpenPKG Enterprise: E1.0-SOLID, Hitachi uCosminexus Application Server Linux: 07-10, Hitachi uCosminexus Application Server AIX: 07-10, Hitachi uCosminexus Application Server HP-UX IPF: 07-00, Hitachi uCosminexus Service Platform Linux: 07-10, Hitachi uCosminexus Service Platform AIX: 07-10, Cisco Unified CallManager: 4.1, Novell Security Services: 2.0.4, Sun JRE: 1.5.0 Update7, Sun JRE: 1.5.0 Update8, Sun SDK: 1.4.2_11, Sun SDK: 1.4.2_12, VMware Workstation: 6.0, Hitachi uCosminexus Application Server for Win: 07-00 to 07-00-03, Hitachi uCosminexus Application Server for Win: 07-10 to 07-10-01, Hitachi uCosminexus Application Server for Win: 07-20 - 07-20-01, Hitachi uCosminexus Application Server Linux: 07-00 to 07-00-01, Hitachi uCosminexus Service Platform Win: 07-00 to 07-00-03, Hitachi uCosminexus Service Platform Win: 07-10 to 07-10-01, Hitachi uCosminexus Service Platform Win: 07-20 - 07-20-01, Hitachi uCosminexus Developer Win: 07-00 to 07-00-03 Professional, Hitachi uCosminexus Developer Win: 07-10 to 07-10-01 Professional, Hitachi uCosminexus Developer Win: 07-20 - 07-20-01 Professional, Hitachi uCosminexus Developer Win: 07-00 to 07-00-03 Standard, Hitachi uCosminexus Developer Win: 07-10 to 07-10-01 Standard, Hitachi uCosminexus Developer Win: 07-20 - 07-20-01 Standard, Hitachi uCosminexus Service Architect Win: 07-00 to 07-00-03, Hitachi uCosminexus Service Architect Win: 07-10 to 07-10-01, Hitachi uCosminexus Service Architect Win: 07-20 - 07-20-01, Hitachi uCosminexus Application Server for HP-UX: 06-70 to 06-70-/C, Hitachi uCosminexus Application Server for HP-UX: 
06-72 to 06-72-/A, Hitachi Cosminexus App Server 6 EE Linux: 06-50 to 06-50-/C, Hitachi Cosminexus App Server 6 SE Linux: 06-50 to 06-50-/C, Hitachi Cosminexus App Server 6 SE Linux: 06-51 to 06-51-/D, Hitachi Cosminexus App Server 6 EE Linux: 06-51 to 06-51-/D, Hitachi Cosminexus App Server 6 SE HP-UX: 06-50 - 06-50-/E, Hitachi Cosminexus App Server 6 EE HP-UX: 06-50 - 06-50-/E, Hitachi Cosminexus App Server 6 SE Solaris: 06-50 to 06-50-/C, Hitachi Cosminexus App Server 6 EE Solaris: 06-50 to 06-50-/C, Hitachi uCosminexus Application Serv Std HP-UX: 07-10, Hitachi uCosminexus Application Serv Ent Linux: 07-00 to 07-00-01, Hitachi uCosminexus Application Serv Ent Linux: 07-10, Hitachi uCosminexus Application Serv Ent AIX: 07-00, Hitachi uCosminexus Application Serv Ent AIX: 07-10, Hitachi uCosminexus Application Serv Ent Solaris: 07-00, Hitachi uCosminexus Application Serv Ent HP-UX: 07-10, Hitachi uCosminexus Appl Serv Ent HP-UX IPF: 07-00, Hitachi uCosminexus Appl Serv Ent HP-UX IPF: 07-10, RedHat Network Satellite Server: 5.0, Hitachi Hitachi Web Server for HP-UX 10.20: 01-00 to 01-02-/D, Hitachi Hitachi Web Server for HP-UX 11.00: 01-00 to 01-02-/D, Hitachi Hitachi Web Server for HP-UX 11.00: 02-00 to 02-04-/B, Hitachi Hitachi Web Server for HP-UX (IPF): 02-02 to 02-04-/B, Hitachi Hitachi Web Server for Windows: 02-00 to 02-04-/D, Hitachi Hitachi Web Server for Windows: 03-00 to 03-00-01, Hitachi Hitachi Web Server for Solaris: 01-00 to 01-02-/D, Hitachi Hitachi Web Server for Solaris: 02-00 to 02-04-/B, Hitachi Hitachi Web Server for Solaris: 03-00, Hitachi Hitachi Web Server for Linux: 01-01 to 01-01-/D, Hitachi Hitachi Web Server for Linux: 02-00 to 02-00-/A, Hitachi Hitachi Web Server for Linux: 02-02 to 02-06-/A, Hitachi Hitachi Web Server for Turbolinux: 01-01, Hitachi Hitachi Web Server for Turbolinux: 02-00, Hitachi Hitachi Web Server for AIX: 01-01 to 01-02-/E, Hitachi Hitachi Web Server for AIX: 02-00 to 02-04-/B, Hitachi Hitachi Web Server for AIX: 
03-00, Hitachi Hitachi Web Server for Linux: 03-00, Hitachi uCosminexus Appl Serv Ent HP-UX IPF: 07-10-01, Hitachi uCosminexus Appl Srv Ent Windows: 07-00 to 07-00-03, Hitachi uCosminexus Appl Srv Ent Windows: 07-10 to 07-10-01, Hitachi uCosminexus Appl Srv Ent Windows: 07-20 to 07-20-01, Hitachi uCosminexus Appl Srv Ent Windows: 07-50 to 07-50-01, Hitachi uCosminexus Application Serv Ent Solaris: 07-10, Hitachi uCosminexus Application Serv Ent Linux: 07-50, Hitachi uCosminexus Application Serv Ent AIX: 07-50, Hitachi uCosminexus Application Server HP-UX IPF: 07-10 to 07-10-01, Hitachi uCosminexus Application Server for Win: 07-50 to 07-50-01, Hitachi uCosminexus Application Server Solaris: 07-10, Hitachi uCosminexus Application Server Linux: 07-50, Hitachi uCosminexus Application Server AIX: 07-50, Hitachi uCosminexus Service Platform AIX: 07-50, Hitachi uCosminexus Service Platform Win: 07-50 to 07-50-01, Hitachi uCosminexus Service Platform Linux: 07-50, Hitachi uCosminexus Developer Win: 07-50 to 07-50-01 Professional, Hitachi uCosminexus Developer Win: 07-50 to 07-50-01 Standard, Hitachi uCosminexus Service Architect Win: 07-50 to 07-50-01, Hitachi uCosminexus Application Serv Ent HP-UX: 06-70 to 06-70-/C, Hitachi uCosminexus Application SrvEnt HP-UX IPF: 06-70 to 06-70-/F, Hitachi uCosminexus Appl Srv Ent Windows: 06-70 to 06-70-/D, Hitachi uCosminexus Appl Srv Ent Windows: 06-71 to 06-71-/D, Hitachi uCosminexus Application Serv Ent Solaris: 06-70 to 06-70-/D, Hitachi uCosminexus Application Serv Ent Linux: 06-70 to 06-70-/D, Hitachi uCosminexus Application Serv Ent Linux: 06-71 to 06-71-/D, Hitachi uCosminexus Application Serv Ent AIX: 06-70 to 06-70-/B, Hitachi uCosminexus Application Server HP-UX IPF: 06-70 to 06-70-/K, Hitachi uCosminexus Application Server for Win: 06-70 to 06-70-/D, Hitachi uCosminexus Application Server for Win: 06-71 to 06-71-/D, Hitachi uCosminexus Application Server Solaris: 06-70 to 06-70-/D, Hitachi uCosminexus Application Server 
Linux: 06-70 to 06-70-/D, Hitachi uCosminexus Application Server Linux: 06-71 to 06-71-/D, Hitachi uCosminexus Developer Win: 06-70 to 06-70-/D Professional, Hitachi uCosminexus Developer Win: 06-71 to 06-71-/D Professional, Hitachi uCosminexus Developer Win: 06-70 to 06-70-/D Standard, Hitachi uCosminexus Developer Win: 06-71 to 06-71-/D Standard, Hitachi uCosminexus Developer Win: 06-70 to 06-70-/D Light, Hitachi uCosminexus Developer Win: 06-71 to 06-71-/D Light, Hitachi Cosminexus App Server 6 SE HP-UX: 06-00 to 06-00-/D, Hitachi Cosminexus App Server 6 EE HP-UX: 06-00 to 06-00-/D, Hitachi Cosminexus App Server 6 EE HP-UX IPF: 06-00 to 06-00-/E, Hitachi Cosminexus App Server 6 EE HP-UX IPF: 06-50 to 06-50-/E, Hitachi Cosminexus App Server 6 SE HP-UX IPF: 06-00 to 06-00-/E, Hitachi Cosminexus App Server 6 SE HP-UX IPF: 06-50 to 06-50-/E, Hitachi Cosminexus App Server 6 EE Win: 06-00 to 06-00-/H, Hitachi Cosminexus App Server 6 EE Win: 06-02 to 06-02-/G, Hitachi Cosminexus App Server 6 EE Win: 06-50 to 06-50-/F, Hitachi Cosminexus App Server 6 for Win: 06-51 to 06-51-/J Enterprise, Hitachi Cosminexus App Server 6 SE Win: 06-00 to 06-00-/H, Hitachi Cosminexus App Server 6 SE Win: 06-02 to 06-02-/G, Hitachi Cosminexus App Server 6 SE Win: 06-50 to 06-50-/F, Hitachi Cosminexus App Server 6 SE Win: 06-51 to 06-51-/J, Hitachi Cosminexus App Server 6 SE Solaris: 06-00 to 06-00-/A, Hitachi Cosminexus App Server 6 EE Solaris: 06-00 to 06-00-/A, Hitachi Cosminexus App Server 6 EE Linux: 06-00 to 06-00-/D, Hitachi Cosminexus App Server 6 EE Linux: 06-02 to 06-02-/F, Hitachi Cosminexus App Server 6 SE Linux: 06-00 to 06-00-/D, Hitachi Cosminexus App Server 6 SE Linux: 06-02 to 06-02-/F, Hitachi Cosminexus App Server 6 EE AIX: 06-00 to 06-00-/G, Hitachi Cosminexus App Server 6 EE AIX: 06-50 to 06-50-/G, Hitachi Cosminexus App Server 6 SE AIX: 06-00 to 06-00-/G, Hitachi Cosminexus App Server 6 SE AIX: 06-50 to 06-50-/G, Hitachi Cosminexus Developer 6 PE Win: 06-00 to 
06-00-/H, Hitachi Cosminexus Developer 6 PE Win: 06-02 to 06-02-/G, Hitachi Cosminexus Developer 6 PE Win: 06-50 to 06-50-/F, Hitachi Cosminexus Developer 6 PE Win: 06-51 to 06-51-/J, Hitachi Cosminexus Developer 6 SE Win: 06-02 to 06-02-/G, Hitachi Cosminexus Developer 6 SE Win: 06-00 to 06-00-/H, Hitachi Cosminexus Developer 6 SE Win: 06-50 to 06-50-/F, Hitachi Cosminexus Developer 6 SE Win: 06-51 to 06-51-/J, Hitachi Cosminexus Developer 6 LE Win: 06-00 to 06-00-/H, Hitachi Cosminexus Developer 6 LE Win: 06-02 to 06-02-/G, Hitachi Cosminexus Developer 6 LE Win: 06-50 to 06-50-/F, Hitachi Cosminexus Developer 6 LE Win: 06-51 to 06-51-/J, Hitachi Cosminexus App Server 5 HP-UX: 05-00 to 05-00-/C, Hitachi Cosminexus App Server 5 HP-UX: 05-02 to 05-02-/E, Hitachi Cosminexus App Server 5 HP-UX: 05-05 to 05-05-/H, Hitachi Cosminexus App Server 5 Windows: 05-01 to 05-01-/L, Hitachi Cosminexus App Server 5 Windows: 05-05 to 05-05-/P, Hitachi Cosminexus App Server 5 Linux: 05-05 to 05-05-/I, Hitachi Cosminexus App Server 5 AIX: 05-00 to 05-00-/R, Hitachi Cosminexus App Server 5 AIX: 05-05 to 05-05-/M, Hitachi Cosminexus Developer 5 for Windows: 05-01 to 05-01-/L, Hitachi Cosminexus Developer 5 for Windows: 05-05 to 05-05-/P, Hitachi Cosminexus Server 4 for HP-UX: 04-01 Standard, Hitachi Cosminexus Server 4 for Solaris: 04-01 Standard, Hitachi Cosminexus Server 4 for AIX: 04-01 Standard, Hitachi Cosminexus Server 4 for HP-UX: 04-01 Web, Hitachi Cosminexus Server 4 for Solaris: 04-01 Web, Hitachi Cosminexus Server EE for HP-UX: 03-00 to 03-05, Hitachi Cosminexus Server EE for Solaris: 03-00 to 03-05, Hitachi Cosminexus Server for HP-UX: 03-00 to 03-05 Standard, Hitachi Cosminexus Server for Solaris: 03-00 to 03-05 Standard, Hitachi Cosminexus Server for HP-UX: 03-00 to 03-05 Web, Hitachi Cosminexus Server for Solaris: 03-00 to 03-05 Web, RedHat Network Satellite Server: 4.2, HP System Management Homepage: 2.1, HP System Management Homepage: 2.1.1, HP System Management 
Homepage: 2.1.2, HP System Management Homepage: 2.1.3, HP System Management Homepage: 2.1.4, HP System Management Homepage: 2.1.5, HP System Management Homepage: 2.1.6, Novell Open Enterprise Server, OpenSSL OpenSSL: 0.9.7 Beta1, OpenSSL OpenSSL: 0.9.7 Beta2, OpenSSL OpenSSL: 0.9.7 Beta3, OpenSSL OpenSSL: 0.9.7 Beta4, OpenSSL OpenSSL: 0.9.7 Beta5, OpenSSL OpenSSL: 0.9.7 Beta6, OpenSSL OpenSSL: 0.9.7d, OpenSSL OpenSSL: 0.9.7e, OpenSSL OpenSSL: 0.9.7f, OpenSSL OpenSSL: 0.9.7g, OpenSSL OpenSSL: 0.9.7h, OpenSSL OpenSSL: 0.9.7i, OpenSSL OpenSSL: 0.9.7j, OpenSSL OpenSSL: 0.9.8, OpenSSL OpenSSL: 0.9.8b, Sun JDK: 1.5.0, Sun JDK: 1.5.0 Update1, Sun JDK: 1.5.0 Update2, Sun JDK: 1.5.0 Update3, Sun JDK: 1.5.0 Update4, Sun JDK: 1.5.0 Update5, Sun JDK: 1.5.0 Update6, Sun JDK: 1.5.0 Update7, Sun JDK: 1.5.0 Update7 B03, Sun JDK: 1.5.0 Update8, Sun JRE: 1.3.1 Update1, Sun JRE: 1.3.1 Update15, Sun JRE: 1.3.1 Update16, Sun JRE: 1.3.1 Update18, Sun JRE: 1.3.1 Update19, Sun JRE: 1.3.1 Update1a, Sun JRE: 1.3.1 Update4, Sun JRE: 1.3.1 Update8, Sun JRE: 1.4.2 Update1, Sun JRE: 1.4.2 Update10, Sun JRE: 1.4.2 Update11, Sun JRE: 1.4.2 Update12, Sun JRE: 1.4.2 Update2, Sun JRE: 1.4.2 Update3, Sun JRE: 1.4.2 Update4, Sun JRE: 1.4.2 Update5, Sun JRE: 1.4.2 Update6, Sun JRE: 1.4.2 Update7, Sun JRE: 1.4.2 Update8, Sun JRE: 1.4.2 Update9, Sun JRE: 1.5.0 Update1, Sun JRE: 1.5.0 Update2, Sun JRE: 1.5.0 Update4, Sun JRE: 1.5.0 Update5, Sun JRE: 1.5.0 Update6, Sun JSSE: 1.0.3_03, Sun SDK: 1.3.1_01, Sun SDK: 1.3.1_01a, Sun SDK: 1.3.1_16, Sun SDK: 1.3.1_18, Sun SDK: 1.3.1_19, Sun SDK: 1.4.2_03, Sun SDK: 1.4.2_08, Sun SDK: 1.4.2_09, Sun SDK: 1.4.2_10, VMware Server: 1.0.3, NetBSD NetBSD: 2.0.4, NetBSD NetBSD: 3.0.2, SUSE SuSE Linux: 9.3, RedHat Network Satellite Server: 5.1, VMware Server: 1.0, VMware Workstation: 6.0.1, VMware Workstation: 6.0.2, VMware Server: 1.0.1, VMware Server: 1.0.2, VMware Server: 1.0.4, Oracle WebLogic Server: Express, Sun SDK: 1.4.2_04, Sun SDK: 1.4.2_02, Sun SDK: 1.4.2_05, Sun 
SDK: 1.4.2_06, Sun SDK: 1.4.2_07, Sun SDK: 1.4.2_01, Sun SDK: 1.3.1_02, Sun SDK: 1.3.1_04, Sun SDK: 1.3.1_05, Sun SDK: 1.3.1_06, Sun SDK: 1.3.1_07, Sun SDK: 1.3.1_08, Sun SDK: 1.3.1_09, Sun SDK: 1.3.1_10, Sun SDK: 1.3.1_11, Sun SDK: 1.3.1_12, Sun SDK: 1.3.1_13, Sun SDK: 1.3.1_14, Sun SDK: 1.3.1_15, Sun SDK: 1.3.1_17, Sun JRE: 1.3.1 Update2, Sun JRE: 1.3.1 Update3, Sun JRE: 1.3.1 Update5, Sun JRE: 1.3.1 Update6, Sun JRE: 1.3.1 Update7, Sun JRE: 1.3.1 Update9, Sun JRE: 1.3.1 Update10, Sun JRE: 1.3.1 Update11, Sun JRE: 1.3.1 Update12, Sun JRE: 1.3.1 Update13, Sun JRE: 1.3.1 Update14, Sun JRE: 1.3.1 Update17, Sun SDK: 1.3.1_03, Sun J2SE: 1.5.0, Sun Solaris: 9 SPARC, OpenOffice OpenOffice.org: 3.1.1, OpenOffice OpenOffice.org: 3.2
Description:

OpenSSL could allow a remote attacker to bypass security restrictions because certain signatures are not validated properly. If an RSA key with public exponent 3 is used, a remote attacker could forge a PKCS #1 v1.5 signature, and therefore a certificate, that appears to be signed by that key. A remote attacker could exploit this vulnerability to bypass security restrictions and gain unauthorized access.
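The defect is in how a verifier parses the PKCS #1 v1.5 encoded message recovered by the RSA public operation. The Python below is an added example, not OpenSSL's code: it contrasts a lax padding check that ignores padding length and trailing bytes with the RFC 8017 approach of rebuilding the expected encoding and comparing it whole. The helper names, the throwaway key generation with public exponent 3, and the constructed malformed encoding are assumptions of this example, not from the advisory.

```python
import hashlib
import hmac
import random

# DER prefix of DigestInfo for SHA-256 (RFC 8017, section 9.2, note 1).
SHA256_DIGESTINFO_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")


def digest_info(msg: bytes) -> bytes:
    return SHA256_DIGESTINFO_PREFIX + hashlib.sha256(msg).digest()

def emsa_pkcs1_v15_encode(msg: bytes, em_len: int) -> bytes:
    """EM = 0x00 0x01 || PS (at least 8 bytes of 0xFF) || 0x00 || DigestInfo (RFC 8017, 9.2)."""
    t = digest_info(msg)
    if em_len < len(t) + 11:
        raise ValueError("intended encoded message length too short")
    return b"\x00\x01" + b"\xff" * (em_len - len(t) - 3) + b"\x00" + t

def lax_check(em: bytes, msg: bytes) -> bool:
    """Flawed check: skip to the 0x00 separator, read one DigestInfo, ignore the rest.
    Padding length and any bytes after the hash go unchecked, which is the bug class."""
    sep = em.find(b"\x00", 2)
    if em[:2] != b"\x00\x01" or sep < 0:
        return False
    t = digest_info(msg)
    return em[sep + 1:sep + 1 + len(t)] == t

def strict_check(em: bytes, msg: bytes) -> bool:
    """Correct check (RFC 8017, 8.2.2): rebuild the expected EM and compare every byte."""
    try:
        return hmac.compare_digest(em, emsa_pkcs1_v15_encode(msg, len(em)))
    except ValueError:
        return False

def _probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin; fine for a throwaway demo key, not for real key generation."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_key(bits: int = 1024, e: int = 3):
    """Toy RSA key (n, e, d) with public exponent e = 3, the case named in the advisory."""
    def prime(nbits):
        while True:
            p = random.getrandbits(nbits) | (1 << (nbits - 1)) | 1
            if (p - 1) % e != 0 and _probable_prime(p):  # keeps gcd(e, phi) == 1
                return p
    p = prime(bits // 2)
    q = prime(bits // 2)
    return p * q, e, pow(e, -1, (p - 1) * (q - 1))

def sign(msg: bytes, n: int, d: int) -> bytes:
    k = (n.bit_length() + 7) // 8
    em = int.from_bytes(emsa_pkcs1_v15_encode(msg, k), "big")
    return pow(em, d, n).to_bytes(k, "big")

def verify(msg: bytes, sig: bytes, n: int, e: int, check=strict_check) -> bool:
    """RSA verify: s^e mod n recovers EM; the chosen padding check decides acceptance."""
    k = (n.bit_length() + 7) // 8
    s = int.from_bytes(sig, "big")
    if len(sig) != k or s >= n:
        return False
    return check(pow(s, e, n).to_bytes(k, "big"), msg)

def malformed_em(msg: bytes, em_len: int) -> bytes:
    """Constructed EM with minimal padding, the right hash, then filler bytes (lax accepts it)."""
    em = b"\x00\x01" + b"\xff" * 8 + b"\x00" + digest_info(msg)
    return em + b"\x42" * (em_len - len(em))
```

A genuine signature passes both checks; the malformed encoding passes only the lax one, which is exactly the gap a correct verifier must close regardless of the public exponent.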

Remedy:

Upgrade to the latest version of OpenSSL (0.9.7j or 0.9.8b or later), as listed in OpenSSL Security Advisory [11 October 2005]. See References.

For Sybase:
Refer to Sybase Advisory 1047991 for patch, upgrade, or suggested workaround information. See References.

For Ubuntu Linux:
Refer to USN-339-1 for patch, upgrade, or workaround information. See References.

For Debian GNU/Linux:
Refer to DSA-1173-1 for patch, upgrade, or suggested workaround information. See References.

For Red Hat Linux:
Refer to RHSA-2006:0661-8 for patch, upgrade, or suggested workaround information. See References.

For Red Hat Linux (java-ibm):
Refer to RHSA-2007:0073-2 or RHSA-2007:0062 for patch, upgrade, or suggested workaround information. See References.

For Red Hat Linux (IBMJava2-JRE):
Refer to RHSA-2007:0072-2 for patch, upgrade, or suggested workaround information. See References.

For Gentoo Linux (Opera):
Refer to Gentoo Linux Security Announcement GLSA 200609-18 for patch, upgrade, or suggested workaround information. See References.

For Gentoo Linux (x86 emulation base libraries for AMD64):
Refer to Gentoo Linux Security Announcement GLSA 200609-05 for patch, upgrade, or suggested workaround information. See References.

For Gentoo Linux (NSS):
Refer to Gentoo Linux Security Announcement GLSA 200610-05 for patch, upgrade, or suggested workaround information. See References.

For Solaris (multiple applications):
Refer to Sun Alert ID: 102648 for patch, upgrade, or suggested workaround information. See References.

For Sun Secure Global Desktop:
Refer to Sun Alert ID: 102657 for patch, upgrade, or suggested workaround information. See References.

For Java Enterprise System:
Refer to Sun Alert ID: 102656 for patch, upgrade, or suggested workaround information. See References.

For Java 2 Platform, Standard Edition:
Refer to Sun Alert ID: 102686 for patch, upgrade, or suggested workaround information. See References.

For Solaris (for libike Library applications):
Refer to Sun Alert ID: 102722 for patch, upgrade, or suggested workaround information. See References.

For Solaris (for WAN Boot):
Refer to Sun Alert ID: 102759 for patch, upgrade, or suggested workaround information. See References.

For Cisco:
Refer to cisco-sr-20061108-openssl for upgrade information. See References.

For Mandriva Linux:
Refer to Mandriva Security Advisory MDKSA-2006:207 for patch, upgrade, or suggested workaround information. See References.

For Apple Mac OS X:
Apply Apple Security Update 2006-007, available from the Apple Web site. See References.

For NetBSD:
Refer to NetBSD Security Advisory 2006-023 for patch, upgrade, or suggested workaround information. See References.

For VMware Workstation:
Upgrade to the latest version of VMware Workstation (6.0.3 or later), available from the VMware Workstation Web site. See References.

For VMware Server:
Upgrade to the latest version of VMware Server (1.0.5 or later), available from the VMware Server Web site. See References.

For SUSE Linux:
Refer to SUSE-SA:2007:010 Security Announcement for patch, upgrade, or suggested workaround information. See References.

For SUSE Linux:
Refer to SUSE-SA:2006:054 for patch, upgrade, or suggested workaround information. See References.

For SUSE Linux:
Refer to SUSE-SA:2006:055 for patch, upgrade, or suggested workaround information. See References.

For SUSE Linux:
Refer to SUSE-SA:2006:061 for patch, upgrade, or suggested workaround information. See References.

For BEA WebLogic Server and Express:
Refer to BEA07-169.00 for patch, upgrade, or suggested workaround information. See References.

For Novell International Cryptographic Infrastructure (NICI):
Refer to Novell Security Alert 3590033 for patch, upgrade, or suggested workaround information. See References.

For HP-UX (bind):
Refer to HPSBUX02219 SSRT061273 for patch, upgrade, or suggested workaround information. See References.

For HP System Management Homepage:
Refer to HPSBMA02250 SSRT061275 rev.1 for patch, upgrade, or suggested workaround information. See References.

For other distributions:
Apply the appropriate update for your system. See References.

False Positives:
False Negatives: If the OpenSSL version number is not included in the HTTP banner, this will result in a false negative.
Required Permission:
Additional Information:

References:

USN-339-1
openssl vulnerability
http://www.ubuntu.com/usn/usn-339-1

SA21709
OpenSSL RSA Signature Forgery Vulnerability
http://secunia.com/advisories/21709/

SecurityTracker Alert ID: 1016791
OpenSSL RSA Signatures Can Be Forged
http://securitytracker.com/alerts/2006/Sep/1016791.html

OpenSSL Security Advisory [5th September 2006]
RSA Signature Forgery (CVE-2006-4339)
http://www.openssl.org/news/secadv_20060905.txt

Full-Disclosure Mailing List, Tue Sep 5 15:22:20 BST 2006
[SECURITY] OpenSSL 0.9.8c and 0.9.7k released
http://archives.neohapsis.com/archives/fulldisclosure/2006-09/0048.html

OpenSSL Web site
OpenSSL: The Open Source toolkit for SSL/TLS
http://www.openssl.org/

GLSA 200609-05
OpenSSL, AMD64 x86 emulation base libraries: RSA signature forgery
http://www.gentoo.org/security/en/glsa/glsa-200609-05.xml

DSA-1173-1
openssl -- Cryptographic weakness
http://www.debian.org/security/2006/dsa-1173

US-CERT Vulnerability Note VU#845620
Multiple RSA implementations fail to properly handle signatures
http://www.kb.cert.org/vuls/id/845620

RHSA-2006:0661-8
Important: openssl security update
https://rhn.redhat.com/errata/RHSA-2006-0661.html

BugTraq Mailing List, Thu Sep 14 2006 - 04:01:28 CDT
SIP over TLS: X.509 peer authentication vulnerability in Ingate products
http://archives.neohapsis.com/archives/bugtraq/2006-09/0231.html

MFSA 2006-60
RSA Signature Forgery
http://www.mozilla.org/security/announce/2006/mfsa2006-60.html

Sun Alert ID: 102648
Security Vulnerability in RSA Signature Verification Impacting Multiple SUN Products
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102648-1

SA22226
Sun Solaris RSA Signature Forgery Vulnerability
http://secunia.com/advisories/22226/

GLSA 200609-18
Opera: RSA signature forgery
http://www.gentoo.org/security/en/glsa/glsa-200609-18.xml

Sun Alert ID: 102657
Security Vulnerability With RSA Signature Affects the Sun Secure Global Desktop Software
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102657-1

GLSA 200610-06
Mozilla Network Security Service (NSS): RSA signature forgery
http://www.gentoo.org/security/en/glsa/glsa-200610-06.xml

Sun Alert ID: 102656
Security Vulnerability Issue of Forged RSA Signatures for Java Enterprise System and Solaris
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102656-1

Sun Alert ID: 102696
A Security Vulnerability in RSA Signature Verification Affects Sun Java System Application Server, Proxy Server and Web Server
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102696-1

cisco-sr-20061108-openssl
Cisco Security Response: Multiple Vulnerabilities in OpenSSL Library
http://www.cisco.com/warp/public/707/cisco-sr-20061108-openssl.shtml

Sun Alert ID: 102686
Security Vulnerability in RSA Signature Verification Affects Java 2 Platform, Standard Edition
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102686-1

MDKSA-2006:207
Updated bind packages fixes RSA signature verification vulnerability
http://www.mandriva.com/security/advisories?name=MDKSA-2006:207

Sun Alert ID: 102722
Security Vulnerability With RSA Signature Affects Solaris Applications Utilizing the libike Library
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102722-1

Apple Security Update 2006-007
About the security content of Security Update 2006-007
http://docs.info.apple.com/article.html?artnum=304829

SA23155
Mac OS X Security Update Fixes Multiple Vulnerabilities
http://secunia.com/advisories/23155

NetBSD-SA2006-023
OpenSSL RSA Signature Forgery
http://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2006-023.txt.asc

Sun Alert ID: 102759
Security Vulnerability With RSA Signatures Affects Solaris WAN Boot
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102759-1

Full-Disclosure Mailing List, Mon Jan 08 2007 - 20:17:36 CST
VMware ESX server security updates
http://archives.neohapsis.com/archives/fulldisclosure/2007-01/0170.html

SUSE-SA:2007:010
IBMJava2
http://www.novell.com/linux/security/advisories/2007_10_ibmjava.html

SUSE-SA:2006:054
MozillaFirefox,MozillaThunderbird,seamonkey
http://www.novell.com/linux/security/advisories/2006_54_mozilla.html

SUSE-SA:2006:055
openssl,mozilla-nss
http://www.novell.com/linux/security/advisories/2006_55_ssl.html

SUSE-SA:2006:061
opera
http://www.novell.com/linux/security/advisories/2006_61_opera.html

RHSA-2007:0073
java-1.5.0-ibm security update
https://rhn.redhat.com/errata/RHSA-2007-0073.html

RHSA-2007:0072
IBMJava2 security update
https://rhn.redhat.com/errata/RHSA-2007-0072.html

RHSA-2007:0062
java-1.4.2-ibm security update
https://rhn.redhat.com/errata/RHSA-2007-0062.html

BEA07-169.00
WebLogic SSL may verify RSA Signatures incorrectly if the RSA key exponent is 3
https://support.bea.com/application_content/product_portlets/securityadvisories/238.html

Novell Security Alert 3590033
Security Vulnerability: Multiple RSA implementations fail to properly handle signatures
https://secure-support.novell.com/KanisaPlatform/Publishing/41/3143224_f.SAL_Public.html

HPSBUX02219 SSRT061273
HP-UX Running BIND, Remote Denial of Service (DoS)
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?lang=en&cc=us&objectID=c01070495

HPSBMA02250 SSRT061275 rev.1
HP System Management Homepage (SMH) for Linux and Windows, Remote Execution of Arbitrary Code and Denial of Service (DoS)
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?lang=en&cc=us&objectID=c01118771&jumpid=reg_R1002_USEN

HS07-034
Vulnerability in Hitachi Web Server Function for Authenticating SSL Clients
http://www.hitachi-support.com/security_e/vuls_e/HS07-034_e/index-e.html

Sun Alert ID: 102744
Security Vulnerability With RSA Signatures Affects OpenSSL Shipped With Solaris
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102744-1

Apple Web site
About the security content of Java Release 6 for Mac OS X 10.4
http://docs.info.apple.com/article.html?artnum=307177

VMware Workstation Web site
VMware Workstation 6.0 Release Notes, New in Version 6.0.3
http://www.vmware.com/support/ws6/doc/releasenotes_ws6.html#603

VMware Server Web site
Key Features in VMware Server, What's New in Version 1.0.5
http://www.vmware.com/support/server/doc/releasenotes_server.html#resolved

IBM Systems Support Web site
Support for HMC
https://www14.software.ibm.com/webapp/set2/sas/f/hmc/power5/install/v61.Readme.html#MH01110

OpenOffice Web Site
Security Vulnerability in OpenOffice.org resulting from 3rd party libraries
http://www.openoffice.org/security/cves/CVE-2006-4339.html

ISS X-Force
OpenSSL RSA exponent 3 security bypass
http://www.iss.net/security_center/static/28755.php

CVE CVE-2007-5810
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5810

CVE CVE-2006-4339
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4339

CVE CVE-2006-5201
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5201

CVE CVE-2006-5484
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5484
