製品・ソフトウェアに関する情報

JVN脆弱性詳細

OpenSSL の CMS および PKCS #7 の実装におけるデータを復号化される脆弱性

Title	OpenSSL の CMS および PKCS #7 の実装におけるデータを復号化される脆弱性
Summary	OpenSSL の Cryptographic Message Syntax (CMS) および PKCS #7 の実装は、特定の動作を適切に制限しないため、容易にデータを復号化される脆弱性が存在します。
Possible impacts	攻撃者により、Million Message Attack (MMA) の適応的選択暗号文攻撃を介して、容易にデータを復号化される可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	March 12, 2012, midnight
Registration Date	March 14, 2012, 11:49 a.m.
Last Update	Nov. 13, 2012, 5:30 p.m.

CVSS2.0 : 警告
Score	5
Vector	AV:N/AC:L/Au:N/C:P/I:N/A:N

Affected System

OpenSSL Project

OpenSSL 0.9.8u 未満

OpenSSL 1.0.0h 未満の 1.x

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2012-0884	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0884
National Vulnerability Database (NVD)
2	CVE-2012-0884	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0884
SECURITY BLOG
3	CVE-2012-0884 Cryptographic Issue in OpenSSL (cryptographic_issue)	https://blogs.oracle.com/sunsecurity/entry/cve_2012_0884_cryptographic_issue
4	CVE-2012-0884 Cryptographic Issue in OpenSSL (cryptographic_issue1)	https://blogs.oracle.com/sunsecurity/entry/cve_2012_0884_cryptographic_issue1

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-310	https://jvndb.jvn.jp/ja/cwe/CWE-310.html

ベンダー情報

No	Name	URL
Debian Security Advisory
1	DSA-2454	http://www.debian.org/security/2012/dsa-2454
Fedora Update Notification
2	FEDORA-2012-4630	http://lists.fedoraproject.org/pipermail/package-announce/2012-April/077666.html
3	FEDORA-2012-4665	http://lists.fedoraproject.org/pipermail/package-announce/2012-April/077086.html
HP Security Bulletin
4	HPSBOV02793 SSRT100891	http://bizsupport1.austin.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03383940
OpenSSL Security Advisory
5	CMS and S/MIME Bleichenbacher attack	http://www.openssl.org/news/secadv_20120312.txt
opensuse-security-announce
6	openSUSE-SU-2012:0547	http://lists.opensuse.org/opensuse-updates/2012-04/msg00054.html
Red Hat Security Advisory
7	RHSA-2012:1306	http://rhn.redhat.com/errata/RHSA-2012-1306.html
8	RHSA-2012:1307	http://rhn.redhat.com/errata/RHSA-2012-1307.html
9	RHSA-2012:1308	http://rhn.redhat.com/errata/RHSA-2012-1308.html

その他

No	Name	URL
JVN
1	JVNVU#91284469	http://jvn.jp/cert/JVNVU91284469/

Change Log

No	Changed Details	Date of change
0	[2012年03月14日] 掲載 [2012年05月14日] ベンダ情報：オラクル (CVE-2012-0884 Cryptographic Issue in OpenSSL (cryptographic_issue)) を追加 [2012年06月01日] ベンダ情報：オラクル (CVE-2012-0884 Cryptographic Issue in OpenSSL (cryptographic_issue1)) を追加 [2012年07月24日] ベンダ情報：ヒューレット・パッカード (HPSBOV02793 SSRT100891) を追加 [2012年09月05日] ベンダ情報：openSUSE (openSUSE-SU-2012:0547) を追加ベンダ情報：Debian (DSA-2454) を追加ベンダ情報：Fedora Project (FEDORA-2012-4665) を追加 [2012年11月08日] ベンダ情報：レッドハット (RHSA-2012:1306) を追加ベンダ情報：レッドハット (RHSA-2012:1307) を追加ベンダ情報：レッドハット (RHSA-2012:1308) を追加 [2012年11月13日] ベンダ情報：Fedora Project (FEDORA-2012-4630) を追加	Feb. 17, 2018, 10:37 a.m.

NVD Vulnerability Information

CVE-2012-0884

Summary	The implementation of Cryptographic Message Syntax (CMS) and PKCS #7 in OpenSSL before 0.9.8u and 1.x before 1.0.0h does not properly restrict certain oracle behavior, which makes it easier for context-dependent attackers to decrypt data via a Million Message Attack (MMA) adaptive chosen ciphertext attack.
Publication Date	March 13, 2012, 12:12 p.m.
Registration Date	Jan. 28, 2021, 2:54 p.m.
Last Update	Nov. 21, 2024, 10:35 a.m.

Affected software configurations

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:openssl:openssl::::::::		0.9.8t
cpe:2.3:a:openssl:openssl:0.9.8b:::::::*
cpe:2.3:a:openssl:openssl:0.9.7l:::::::*
cpe:2.3:a:openssl:openssl:0.9.6i:::::::*
cpe:2.3:a:openssl:openssl:0.9.8m:::::::*
cpe:2.3:a:openssl:openssl:0.9.3:::::::*
cpe:2.3:a:openssl:openssl:0.9.8c:::::::*
cpe:2.3:a:openssl:openssl:1.0.0c:::::::*
cpe:2.3:a:openssl:openssl:0.9.7c:::::::*
cpe:2.3:a:openssl:openssl:0.9.8n:::::::*
cpe:2.3:a:openssl:openssl:0.9.8p:::::::*
cpe:2.3:a:openssl:openssl:0.9.6d:::::::*
cpe:2.3:a:openssl:openssl:0.9.1c:::::::*
cpe:2.3:a:openssl:openssl:0.9.6:::::::*
cpe:2.3:a:openssl:openssl:0.9.7j:::::::*
cpe:2.3:a:openssl:openssl:0.9.1b:::::::*
cpe:2.3:a:openssl:openssl:0.9.6a:::::::*
cpe:2.3:a:openssl:openssl:0.9.8e:::::::*
cpe:2.3:a:openssl:openssl:0.9.4:::::::*
cpe:2.3:a:openssl:openssl:0.9.8g:::::::*
cpe:2.3:a:openssl:openssl:0.9.8k:::::::*
cpe:2.3:a:openssl:openssl:0.9.8d:::::::*
cpe:2.3:a:openssl:openssl:0.9.5a:::::::*
cpe:2.3:a:openssl:openssl:1.0.0e:::::::*
cpe:2.3:a:openssl:openssl:1.0.0f:::::::*
cpe:2.3:a:openssl:openssl:0.9.6f:::::::*
cpe:2.3:a:openssl:openssl:0.9.8j:::::::*
cpe:2.3:a:openssl:openssl:0.9.6l:::::::*
cpe:2.3:a:openssl:openssl:1.0.0d:::::::*
cpe:2.3:a:openssl:openssl:0.9.7k:::::::*
cpe:2.3:a:openssl:openssl:0.9.8s:::::::*
cpe:2.3:a:openssl:openssl:0.9.7g:::::::*
cpe:2.3:a:openssl:openssl:0.9.6e:::::::*
cpe:2.3:a:openssl:openssl:0.9.7d:::::::*
cpe:2.3:a:openssl:openssl:0.9.8l:::::::*
cpe:2.3:a:openssl:openssl:0.9.7:::::::*
cpe:2.3:a:openssl:openssl:0.9.6b:::::::*
cpe:2.3:a:openssl:openssl:0.9.7e:::::::*
cpe:2.3:a:openssl:openssl:0.9.7b:::::::*
cpe:2.3:a:openssl:openssl:0.9.8r:::::::*
cpe:2.3:a:openssl:openssl:0.9.6k:::::::*
cpe:2.3:a:openssl:openssl:0.9.8a:::::::*
cpe:2.3:a:openssl:openssl:0.9.6g:::::::*
cpe:2.3:a:openssl:openssl:0.9.7m:::::::*
cpe:2.3:a:openssl:openssl:0.9.3a:::::::*
cpe:2.3:a:openssl:openssl:0.9.6h:::::::*
cpe:2.3:a:openssl:openssl:1.0.0:::::::*
cpe:2.3:a:openssl:openssl:0.9.7i:::::::*
cpe:2.3:a:openssl:openssl:0.9.7h:::::::*
cpe:2.3:a:openssl:openssl:0.9.8o:::::::*
cpe:2.3:a:openssl:openssl:0.9.8q:::::::*
cpe:2.3:a:openssl:openssl:0.9.6j:::::::*
cpe:2.3:a:openssl:openssl:0.9.8:::::::*
cpe:2.3:a:openssl:openssl:0.9.7a:::::::*
cpe:2.3:a:openssl:openssl:0.9.6c:::::::*
cpe:2.3:a:openssl:openssl:0.9.6m:::::::*
cpe:2.3:a:openssl:openssl:0.9.8i:::::::*
cpe:2.3:a:openssl:openssl:0.9.8f:::::::*
cpe:2.3:a:openssl:openssl:1.0.0a:::::::*
cpe:2.3:a:openssl:openssl:0.9.0b:::::::*
cpe:2.3:a:openssl:openssl:0.9.8h:::::::*
cpe:2.3:a:openssl:openssl:0.9.2b:::::::*
cpe:2.3:a:openssl:openssl:0.9.5:::::::*
cpe:2.3:a:openssl:openssl:1.0.0b:::::::*
cpe:2.3:a:openssl:openssl:1.0.0g:::::::*
cpe:2.3:a:openssl:openssl:0.9.7f:::::::*

Related information, measures and tools

No	URL	タグ
1	http://lists.fedoraproject.org/pipermail/package-announce/2012-April/077086.html
2	http://lists.fedoraproject.org/pipermail/package-announce/2012-April/077221.html
3	http://lists.fedoraproject.org/pipermail/package-announce/2012-April/077666.html
4	http://lists.fedoraproject.org/pipermail/package-announce/2012-November/092905.html
5	http://marc.info/?l=bugtraq&m=133728068926468&w=2
6	http://marc.info/?l=bugtraq&m=133728068926468&w=2
7	http://marc.info/?l=bugtraq&m=133951357207000&w=2
8	http://marc.info/?l=bugtraq&m=133951357207000&w=2
9	http://marc.info/?l=bugtraq&m=134039053214295&w=2
10	http://marc.info/?l=bugtraq&m=134039053214295&w=2
11	http://rhn.redhat.com/errata/RHSA-2012-0426.html
12	http://rhn.redhat.com/errata/RHSA-2012-0488.html
13	http://rhn.redhat.com/errata/RHSA-2012-0531.html
14	http://rhn.redhat.com/errata/RHSA-2012-1306.html
15	http://rhn.redhat.com/errata/RHSA-2012-1307.html
16	http://rhn.redhat.com/errata/RHSA-2012-1308.html
17	http://secunia.com/advisories/48580
18	http://secunia.com/advisories/48895
19	http://secunia.com/advisories/48916
20	http://secunia.com/advisories/57353
21	http://www.debian.org/security/2012/dsa-2454
22	http://www.kb.cert.org/vuls/id/737740	US Government Resource
23	http://www.openssl.org/news/secadv_20120312.txt	Vendor Advisory
24	http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004564
25	https://downloads.avaya.com/css/P8/documents/100162507
26	https://hermes.opensuse.org/messages/14330767
27	http://lists.fedoraproject.org/pipermail/package-announce/2012-April/077086.html
28	https://hermes.opensuse.org/messages/14330767
29	https://downloads.avaya.com/css/P8/documents/100162507
30	http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004564
31	http://www.openssl.org/news/secadv_20120312.txt	Vendor Advisory
32	http://www.kb.cert.org/vuls/id/737740	US Government Resource
33	http://www.debian.org/security/2012/dsa-2454
34	http://secunia.com/advisories/57353
35	http://secunia.com/advisories/48916
36	http://secunia.com/advisories/48895
37	http://secunia.com/advisories/48580
38	http://rhn.redhat.com/errata/RHSA-2012-1308.html
39	http://rhn.redhat.com/errata/RHSA-2012-1307.html
40	http://rhn.redhat.com/errata/RHSA-2012-1306.html
41	http://rhn.redhat.com/errata/RHSA-2012-0531.html
42	http://rhn.redhat.com/errata/RHSA-2012-0488.html
43	http://rhn.redhat.com/errata/RHSA-2012-0426.html
44	http://marc.info/?l=bugtraq&m=134039053214295&w=2
45	http://marc.info/?l=bugtraq&m=134039053214295&w=2
46	http://marc.info/?l=bugtraq&m=133951357207000&w=2
47	http://marc.info/?l=bugtraq&m=133951357207000&w=2
48	http://marc.info/?l=bugtraq&m=133728068926468&w=2
49	http://marc.info/?l=bugtraq&m=133728068926468&w=2
50	http://lists.fedoraproject.org/pipermail/package-announce/2012-November/092905.html
51	http://lists.fedoraproject.org/pipermail/package-announce/2012-April/077666.html
52	http://lists.fedoraproject.org/pipermail/package-announce/2012-April/077221.html

Common Vulnerabilities List

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:openssl:openssl::::::::		0.9.8t
cpe:2.3:a:openssl:openssl:0.9.8b:::::::*
cpe:2.3:a:openssl:openssl:0.9.7l:::::::*
cpe:2.3:a:openssl:openssl:0.9.6i:::::::*
cpe:2.3:a:openssl:openssl:0.9.8m:::::::*
cpe:2.3:a:openssl:openssl:0.9.3:::::::*
cpe:2.3:a:openssl:openssl:0.9.8c:::::::*
cpe:2.3:a:openssl:openssl:1.0.0c:::::::*
cpe:2.3:a:openssl:openssl:0.9.7c:::::::*
cpe:2.3:a:openssl:openssl:0.9.8n:::::::*
cpe:2.3:a:openssl:openssl:0.9.8p:::::::*
cpe:2.3:a:openssl:openssl:0.9.6d:::::::*
cpe:2.3:a:openssl:openssl:0.9.1c:::::::*
cpe:2.3:a:openssl:openssl:0.9.6:::::::*
cpe:2.3:a:openssl:openssl:0.9.7j:::::::*
cpe:2.3:a:openssl:openssl:0.9.1b:::::::*
cpe:2.3:a:openssl:openssl:0.9.6a:::::::*
cpe:2.3:a:openssl:openssl:0.9.8e:::::::*
cpe:2.3:a:openssl:openssl:0.9.4:::::::*
cpe:2.3:a:openssl:openssl:0.9.8g:::::::*
cpe:2.3:a:openssl:openssl:0.9.8k:::::::*
cpe:2.3:a:openssl:openssl:0.9.8d:::::::*
cpe:2.3:a:openssl:openssl:0.9.5a:::::::*
cpe:2.3:a:openssl:openssl:1.0.0e:::::::*
cpe:2.3:a:openssl:openssl:1.0.0f:::::::*
cpe:2.3:a:openssl:openssl:0.9.6f:::::::*
cpe:2.3:a:openssl:openssl:0.9.8j:::::::*
cpe:2.3:a:openssl:openssl:0.9.6l:::::::*
cpe:2.3:a:openssl:openssl:1.0.0d:::::::*
cpe:2.3:a:openssl:openssl:0.9.7k:::::::*
cpe:2.3:a:openssl:openssl:0.9.8s:::::::*
cpe:2.3:a:openssl:openssl:0.9.7g:::::::*
cpe:2.3:a:openssl:openssl:0.9.6e:::::::*
cpe:2.3:a:openssl:openssl:0.9.7d:::::::*
cpe:2.3:a:openssl:openssl:0.9.8l:::::::*
cpe:2.3:a:openssl:openssl:0.9.7:::::::*
cpe:2.3:a:openssl:openssl:0.9.6b:::::::*
cpe:2.3:a:openssl:openssl:0.9.7e:::::::*
cpe:2.3:a:openssl:openssl:0.9.7b:::::::*
cpe:2.3:a:openssl:openssl:0.9.8r:::::::*
cpe:2.3:a:openssl:openssl:0.9.6k:::::::*
cpe:2.3:a:openssl:openssl:0.9.8a:::::::*
cpe:2.3:a:openssl:openssl:0.9.6g:::::::*
cpe:2.3:a:openssl:openssl:0.9.7m:::::::*
cpe:2.3:a:openssl:openssl:0.9.3a:::::::*
cpe:2.3:a:openssl:openssl:0.9.6h:::::::*
cpe:2.3:a:openssl:openssl:1.0.0:::::::*
cpe:2.3:a:openssl:openssl:0.9.7i:::::::*
cpe:2.3:a:openssl:openssl:0.9.7h:::::::*
cpe:2.3:a:openssl:openssl:0.9.8o:::::::*
cpe:2.3:a:openssl:openssl:0.9.8q:::::::*
cpe:2.3:a:openssl:openssl:0.9.6j:::::::*
cpe:2.3:a:openssl:openssl:0.9.8:::::::*
cpe:2.3:a:openssl:openssl:0.9.7a:::::::*
cpe:2.3:a:openssl:openssl:0.9.6c:::::::*
cpe:2.3:a:openssl:openssl:0.9.6m:::::::*
cpe:2.3:a:openssl:openssl:0.9.8i:::::::*
cpe:2.3:a:openssl:openssl:0.9.8f:::::::*
cpe:2.3:a:openssl:openssl:1.0.0a:::::::*
cpe:2.3:a:openssl:openssl:0.9.0b:::::::*
cpe:2.3:a:openssl:openssl:0.9.8h:::::::*
cpe:2.3:a:openssl:openssl:0.9.2b:::::::*
cpe:2.3:a:openssl:openssl:0.9.5:::::::*
cpe:2.3:a:openssl:openssl:1.0.0b:::::::*
cpe:2.3:a:openssl:openssl:1.0.0g:::::::*
cpe:2.3:a:openssl:openssl:0.9.7f:::::::*