ISS X-Force Database: openssl-rsa-security-bypass(28755): OpenSSL RSA exponent 3 security bypass

OpenSSL RSA exponent 3 security bypass

openssl-rsa-security-bypass (28755)

Medium Risk

Description:

OpenSSL could allow a remote attacker to bypass security restrictions caused by an improper validation of certain signatures. If an RSA key with exponent 3 is used, a remote attacker could forge a PKCS #1 v1.5 signature and certificate signed by that key. A remote attacker could exploit this vulnerability to bypass security restrictions and gain unauthorized access.

*CVSS:

Base Score:	2.8
Access Vector:	Remote
Access Complexity:	High
Authentication:	Not Required
Confidentiality Impact:	None
Integrity Impact:	Partial
Availability Impact:	None

Temporal Score:	2.1
Exploitability:	Unproven
Remediation Level:	Official-Fix
Report Confidence:	Confirmed

Consequences:

Bypass Security

Remedy:

Upgrade to the latest version of OpenSSL (0.9.7j or 0.9.8b or later), as listed in OpenSSL Security Advisory [11 October 2005]. See References.

For Sybase:
Refer to Sybase Advisory 1047991 for patch, upgrade, or suggested workaround information. See References.

For Ubuntu Linux:
Refer to USN-339-1 for patch, upgrade, or workaround information. See References.

For Debian GNU/Linux:
Refer to DSA-1173-1 for patch, upgrade, or suggested workaround information. See References.

For Red Hat Linux:
Refer to RHSA-2006:0661-8 for patch, upgrade, or suggested workaround information. See References.

For Red Hat Linux (java-ibm):
Refer to RHSA-2007:0073-2 or RHSA-2007:0062 for patch, upgrade, or suggested workaround information. See References.

For Red Hat Linux (IBMJava2-JRE):
Refer to RHSA-2007:0072-2 for patch, upgrade, or suggested workaround information. See References.

For Gentoo Linux (Opera):
Refer to Gentoo Linux Security Announcement GLSA 200609-18 for patch, upgrade, or suggested workaround information. See References.

For Gentoo Linux (x86 emulation base libraries for AMD64):
Refer to Gentoo Linux Security Announcement GLSA 200609-05 for patch, upgrade, or suggested workaround information. See References.

For Gentoo Linux (NSS):
Refer to Gentoo Linux Security Announcement GLSA 200610-05 for patch, upgrade, or suggested workaround information. See References.

For Solaris (multiple applications):
Refer to Sun Alert ID: 102648 for patch, upgrade, or suggested workaround information. See References.

For Sun Secure Global Desktop:
Refer to Sun Alert ID: 102657 for patch, upgrade, or suggested workaround information. See References.

For Java Enterprise System:
Refer to Sun Alert ID: 102656 for patch, upgrade, or suggested workaround information. See References.

For Java 2 Platform, Standard Edition:
Refer to Sun Alert ID: 102686 for patch, upgrade, or suggested workaround information. See References.

For Solaris (for libike Library applications):
Refer to Sun Alert ID: 102722 for patch, upgrade, or suggested workaround information. See References.

For Solaris (for WAN Boot):
Refer to Sun Alert ID: 102759 for patch, upgrade, or suggested workaround information. See References.

For Cisco:
Refer to cisco-sr-20061108-openssl for upgrade information. See References.

For Mandriva Linux:
Refer to Mandriva Security Advisory MDKSA-2006:207 for patch, upgrade, or suggested workaround information. See References.

For Apple Mac OS X:
Apply Apple Security Update 2006-007, available from the Apple Web site. See References.

For NetBSD:
Refer to NetBSD Security Advisory 2006-023 for patch, upgrade, or suggested workaround information. See References.

For VMware Workstation:
Upgrade to the latest version of VMware Workstation (6.0.3 or later), available from the VMware Workstation Web site. See References.

For VMware Server:
Upgrade to the latest version of VMware Server (1.0.5 or later), available from the VMware Server Web site. See References.

For SUSE Linux:
Refer to SUSE-SA:2007:010 Security Announcement for patch, upgrade, or suggested workaround information. See References.

For SUSE Linux:
Refer to SUSE-SA:2006:054 for patch, upgrade, or suggested workaround information. See References.

For SUSE Linux:
Refer to SUSE-SA:2006:055 for patch, upgrade, or suggested workaround information. See References.

For SUSE Linux:
Refer to SUSE-SA:2006:061 for patch, upgrade, or suggested workaround information. See References.

For BEA WebLogic Server and Express:
Refer to BEA07-169.00 for patch, upgrade, or suggested workaround information. See References.

For Novell International Crypotographic Infrastructure (NICI):
Refer to Novell Security Alert 3590033 for patch, upgrade, or suggested workaround information. See References.

For HP-UX (bind):
Refer to HPSBUX02219 SSRT061273 for patch, upgrade, or suggested workaround information. See References.

For HP System Management Homepage:
Refer to HPSBMA02250 SSRT061275 rev.1 for patch, upgrade, or suggested workaround information. See References.

For other distributions:
Apply the appropriate update for your system. See References.

References:

Apple Security Update 2006-007: About the security content of Security Update 2006-007.
Apple Web site: About the security content of Java Release 6 for Mac OS X 10.4.
BEA07-169.00: WebLogic SSL may verify RSA Signatures incorrectly if the RSA key exponent is 3.
BugTraq Mailing List, Thu Sep 14 2006 - 04:01:28 CDT: SIP over TLS: X.509 peer authentication vulnerability in Ingate products.
cisco-sr-20061108-openssl: Cisco Security Response: Multiple Vulnerabilities in OpenSSL Library.
Full-Disclosure Mailing List, Mon Jan 08 2007 - 20:17:36 CST: VMware ESX server security updates.
Full-Disclosure Mailing List, Tue Sep 5 15:22:20 BST 2006 : [SECURITY] OpenSSL 0.9.8c and 0.9.7k released.
HPSBMA02250 SSRT061275 rev.1 : HP System Management Homepage (SMH) for Linux and Windows, Remote Execution of Arbitrary Code and Denial of Service (DoS).
HPSBUX02219 SSRT061273: HP-UX Running BIND, Remote Denial of Service (DoS).
HS07-034: Vulnerability in Hitachi Web Server Function for Authenticating SSL Clients.
IBM Systems Support Web site: Support for HMC.
MFSA 2006-60: RSA Signature Forgery.
NetBSD-SA2006-023: OpenSSL RSA Signature Forgery.
Novell Security Alert 3590033: Security Vulnerability: Multiple RSA implementations fail to properly handle signatures.
OpenOffice Web Site: Security Vulnerability in OpenOffice.org resulting from 3rd party libraries.
OpenSSL Security Advisory [5th September 2006]: RSA Signature Forgery (CVE-2006-4339).
OpenSSL Web site: OpenSSL:The Open Source toolkit for SSL/TLS.
Sun Alert ID: 102648: Security Vulnerability in RSA Signature Verification Impacting Multiple SUN Products.
Sun Alert ID: 102648: Security Vulnerability in RSA Signature Verification Impacting Multiple SUN Products.
Sun Alert ID: 102656: Security Vulnerability Issue of Forged RSA Signatures for Java Enterprise System and Solaris.
Sun Alert ID: 102657: Security Vulnerability With RSA Signature Affects the Sun Secure Global Desktop Software.
Sun Alert ID: 102686: Security Vulnerability in RSA Signature Verification Affects Java 2 Platform, Standard Edition.
Sun Alert ID: 102696: A Security Vulnerability in RSA Signature Verification Affects Sun Java System Application Server, Proxy Server and Web Server.
Sun Alert ID: 102722: Security Vulnerability With RSA Signature Affects Solaris Applications Utilizing the libike Library.
Sun Alert ID: 102744: Security Vulnerability With RSA Signatures Affects OpenSSL Shipped With Solaris.
Sun Alert ID: 102759: Security Vulnerability With RSA Signatures Affects Solaris WAN Boot.
VMware Server Web site: Key Features in VMware Server, What's New in Version 1.0.5.
Vmware Workstation Web site: VMware Workstation 6.0 Release Notes, New in Version 6.0.3.
ASA-2006-188: openssl security update (RHSA-2006-0661)
ASA-2006-241: HP-UX VirtualVault Vulnerabilities
ASA-2006-250: Sun Alert Notifications from Sun Weekly Report dated October 07 2006
ASA-2006-251: Sun Alert Notifications from Sun Weekly Report dated Oct 28 2006
ASA-2006-264: Security Vulnerability With RSA Signature Affects Solaris Applications Utilizing the libike Library
ASA-2006-266: Security Vulnerability With RSA Signatures Affects OpenSSL Shipped With Solaris 10
ASA-2007-090: IBMJava2 security update (RHSA-2007-0072)
ASA-2007-091: java-1.4.2-ibm security update (RHSA-2007-0062)
ASA-2007-093: java-1.5.0-ibm security update (RHSA-2007-0073)
ASA-2007-097: HP-UX Running Firefox Remote Unauthorized Access or Elevation of Privileges or Denial of Service (DoS) (HPSBUX02153)
ASA-2007-240: HP-UX Running BIND Remote Denial of Service (DoS) (HPSBUX02219)
BID-19849: OpenSSL PKCS Padding RSA Signature Forgery Vulnerability
BID-22083: Oracle January 2007 Security Update Multiple Vulnerabilities
BID-26271: Hitachi Web Server HTML Injection Vulnerability and Signature Forgery Vulnerability
BID-28276: VMware Server 1.0.5 and Workstation 6.0.3 Multiple Vulnerabilities
CVE-2006-4339: OpenSSL before 0.9.7, 0.9.7 before 0.9.7k, and 0.9.8 before 0.9.8c, when using an RSA key with exponent 3, removes PKCS-1 padding before generating a hash, which allows remote attackers to forge a PKCS #1 v1.5 signature that is signed by that RSA key and prevents OpenSSL from correctly verifying X.509 and other certificates that use PKCS #1.
CVE-2006-5201: Multiple packages on Sun Solaris, including (1) NSS; (2) Java JDK and JRE 5.0 Update 8 and earlier, SDK and JRE 1.4.x up to 1.4.2_12, and SDK and JRE 1.3.x up to 1.3.1_19; (3) JSSE 1.0.3_03 and earlier; (4) IPSec/IKE; (5) Secure Global Desktop; and (6) StarOffice, when using an RSA key with exponent 3, removes PKCS-1 padding before generating a hash, which allows remote attackers to forge a PKCS #1 v1.5 signature that is signed by that RSA key and prevents these products from correctly verifying X.509 and other certificates that use PKCS #1.
CVE-2006-5484: SSH Tectia Client/Server/Connector 5.1.0 and earlier, Manager 2.2.0 and earlier, and other products, when using an RSA key with exponent 3, removes PKCS-1 padding before generating a hash, which allows remote attackers to forge a PKCS #1 v1.5 signature that is signed by that RSA key and prevents Tectia from correctly verifying X.509 and other certificates that use PKCS #1, a similar issue to CVE-2006-4339.
CVE-2007-5810: Hitachi Web Server 01-00 through 03-00-01, as used by certain Cosminexus products, does not properly validate SSL client certificates, which might allow remote attackers to spoof authentication via a client certificate with a forged signature.
DSA-1173: openssl -- cryptographic weakness
DSA-1174: openssl096 -- cryptographic weakness
GLSA-200609-05: OpenSSL, AMD64 x86 emulation base libraries: RSA signature forgery
GLSA-200609-18: Opera: RSA signature forgery
GLSA-200610-06: Mozilla Network Security Service (NSS): RSA signature forgery
MDKSA-2006:161: Updated openssl packages fix vulnerability
MDKSA-2006:166: gnutls
MDKSA-2006:207: Updated bind packages fixes RSA signature verification vulnerability
OpenPKG-SA-2006.018: OpenSSL
OpenPKG-SA-2006.029: BIND
OSVDB ID: 28549: OpenSSL RSA Key PKCS #1 v1.5 Signature Forgery
RHSA-2006-0661: openssl security update
RHSA-2007-0062: Critical: java-1.4.2-ibm security update
RHSA-2007-0072: Critical: IBMJava2 security update
RHSA-2007-0073: Critical: java-1.5.0-ibm security update
RHSA-2008-0264: Moderate: Red Hat Network Satellite Server Solaris client security update
RHSA-2008-0525: Moderate: Red Hat Network Satellite Server Solaris client security update
RHSA-2008-0629: Moderate: Red Hat Network Satellite Server Solaris client security update
SA21709: OpenSSL RSA Signature Forgery Vulnerability
SA21846: OpenVPN OpenSSL RSA Signature Forgery
SA21870: Avaya Products OpenSSL Vulnerability
SA21906: Mozilla Firefox Multiple Vulnerabilities
SA21930: Ingate Firewall and SIParator OpenSSL Vulnerability
SA21982: Opera SSL RSA Signature Forgery Vulnerability
SA22204: Sun Java JDK / SDK RSA Signature Forgery Vulnerability
SA22226: Sun Solaris RSA Signature Forgery Vulnerability
SA22232: OpenVPN Multiple Vulnerabilities
SA22284: Serv-U FTP Server OpenSSL Multiple Vulnerabilities
SA22325: Sun Secure Global Desktop Software RSA Signature Forgery Vulnerability
SA22350: SSH Tectia Products RSA Signature Forgery Vulnerability
SA22513: Reflection Products RSA Signature Forgery Vulnerability
SA22523: IBM HMC Apache2 / OpenSSL Vulnerabilities
SA22545: Blue Coat Products RSA Signature Vulnerability
SA22585: Sun JES / Solaris OpenSSL RSA Signature Forgery
SA22671: BIND OpenSSL Vulnerabilities
SA22711: Juniper Secure Access / Unified Access Control RSA Signature Forgery
SA22733: Sun Java System Multiple Products RSA Signature Forgery
SA22758: Cisco Products OpenSSL Vulnerabilities
SA22799: Cisco Products OpenSSL Vulnerabilities
SA22934: Sybase Afaria RSA Signature Forgery
SA22936: Sybase Mach Desktop RSA Signature Forgery
SA22937: Sybase mFolio RSA Signature Forgery
SA22938: Sybase PowerBuilder RSA Signature Forgery
SA22939: Sybase RFID Enterprise RSA Signature Forgery
SA22940: Sybase Unwired Accelerator RSA Signature Forgery
SA22949: Sybase Enterprise Portal RSA Signature Forgery
SA22992: Avaya CMS Sun Solaris X Display Manager Security Issue
SA23155: Mac OS X Security Update Fixes Multiple Vulnerabilities
SA23455: Sun Solaris WAN Boot RSA Signature Forgery Vulnerability
SA23680: VMWare ESX Server Multiple Vulnerabilities
SA23794: Oracle Products Multiple Vulnerabilities
SA23841: SecureCRT / SecureFX OpenSSL RSA Signature Forgery
SA24930: HP Tru64 UNIX Multiple SSL and BIND Vulnerabilities
SA24950: HP Insight Management Agents SSL Vulnerabilities
SA25284: BEA Products Multiple Vulnerabilities
SA25399: Novell International Cryptographic Infrastructure Two Vulnerabilities
SA26329: HP System Management Homepage Apache and OpenSSL Vulnerabilities
SA26893: rPath update for openssl
SA27421: Hitachi Web Server Multiple Vulnerabilities
SA28115: Mac OS X Java Multiple Vulnerabilities
SA29412: VMware Server Multiple Vulnerabilities
SA38567: OpenOffice.org 2 Multiple Vulnerabilities
SA38568: OpenOffice.org 3 Multiple Vulnerabilities
SA41818: Oracle Open Office Multiple Vulnerabilities
SECTRACK ID: 1016791: OpenSSL RSA Signatures Can Be Forged
SECTRACK ID: 1017060: (SSH Issues Fix for Tectia Server) OpenSSL RSA Signatures Can Be Forged
SECTRACK ID: 1017061: (SSH Issues Fix for Tectia Manager) OpenSSL RSA Signatures Can Be Forged
SECTRACK ID: 1017522: Oracle Database and Other Products Have 52 Unspecified Vulnerabilities With Unspecified Impact
SUSE-SA:2006:055: PKCS RSA signature forgery
SUSE-SA:2006:061: opera security problems
SUSE-SA:2007:010: IBMJava security update
SUSE-SR:2006:024: SUSE Security Summary Report
SUSE-SR:2006:026: SUSE Security Summary Report

Platforms Affected:

Apple Mac OS X 10.3.9
Apple Mac OS X 10.4.8
Apple Mac OS X Server 10.3.9
Apple Mac OS X Server 10.4.8
Canonical Ubuntu 5.04
Canonical Ubuntu 5.10
Canonical Ubuntu 6.06 LTS
Cisco Access Registrar
Cisco Application and Content Networking Software
Cisco Application Control Engine Module 1.1
Cisco CallManager Express
Cisco CiscoWorks Common Management Foundation
Cisco CiscoWorks Common Services
Cisco Content Services Switch 11500 7.50
Cisco Content Services Switch 11500 8.10
Cisco CS-MARS 4.2.2
Cisco GSS 4480 Global Site Selector
Cisco GSS 4490 Global Site Selector
Cisco GSS 4491 Global Site Selector
Cisco GSS 4492 Global Site Selector
Cisco IDS
Cisco MDS 9500
Cisco ONS 15454
Cisco Secure Access Control Server
Cisco Security Agent 5.1
Cisco SIP Proxy Server
Cisco Unified CallManager 4.1
Cisco Unified Presence Server
Cisco Wide Area Application Services
Cisco Wide Area File Services Software
Cisco Wireless LAN Controller 4.0
Debian Debian Linux 3.1
Gentoo Linux
Hitachi Cosminexus App Server 5 AIX 05-00 to 05-00-/R
Hitachi Cosminexus App Server 5 AIX 05-05 to 05-05-/M
Hitachi Cosminexus App Server 5 HP-UX 05-00 to 05-00-/C
Hitachi Cosminexus App Server 5 HP-UX 05-02 to 05-02-/E
Hitachi Cosminexus App Server 5 HP-UX 05-05 to 05-05-/H
Hitachi Cosminexus App Server 5 Linux 05-05 to 05-05-/I
Hitachi Cosminexus App Server 5 Windows 05-01 to 05-01-/L
Hitachi Cosminexus App Server 5 Windows 05-05 to 05-05-/P
Hitachi Cosminexus App Server 6 EE AIX 06-00 to 06-00-/G
Hitachi Cosminexus App Server 6 EE AIX 06-50 to 06-50-/G
Hitachi Cosminexus App Server 6 EE HP-UX 06-00 to 06-00-/D
Hitachi Cosminexus App Server 6 EE HP-UX 06-50 - 06-50-/E
Hitachi Cosminexus App Server 6 EE HP-UX IPF 06-00 to 06-00-/E
Hitachi Cosminexus App Server 6 EE HP-UX IPF 06-50 to 06-50-/E
Hitachi Cosminexus App Server 6 EE Linux 06-00 to 06-00-/D
Hitachi Cosminexus App Server 6 EE Linux 06-02 to 06-02-/F
Hitachi Cosminexus App Server 6 EE Linux 06-50 to 06-50-/C
Hitachi Cosminexus App Server 6 EE Linux 06-51 to 06-51-/D
Hitachi Cosminexus App Server 6 EE Solaris 06-00 to 06-00-/A
Hitachi Cosminexus App Server 6 EE Solaris 06-50 to 06-50-/C
Hitachi Cosminexus App Server 6 EE Win 06-00 to 06-00-/H
Hitachi Cosminexus App Server 6 EE Win 06-02 to 06-02-/G
Hitachi Cosminexus App Server 6 EE Win 06-50 to 06-50-/F
Hitachi Cosminexus App Server 6 for Win 06-51 to 06-51-/J Enterprise
Hitachi Cosminexus App Server 6 SE AIX 06-00 to 06-00-/G
Hitachi Cosminexus App Server 6 SE AIX 06-50 to 06-50-/G
Hitachi Cosminexus App Server 6 SE HP-UX 06-00 to 06-00-/D
Hitachi Cosminexus App Server 6 SE HP-UX 06-50 - 06-50-/E
Hitachi Cosminexus App Server 6 SE HP-UX IPF 06-00 to 06-00-/E
Hitachi Cosminexus App Server 6 SE HP-UX IPF 06-50 to 06-50-/E
Hitachi Cosminexus App Server 6 SE Linux 06-00 to 06-00-/D
Hitachi Cosminexus App Server 6 SE Linux 06-02 to 06-02-/F
Hitachi Cosminexus App Server 6 SE Linux 06-50 to 06-50-/C
Hitachi Cosminexus App Server 6 SE Linux 06-51 to 06-51-/D
Hitachi Cosminexus App Server 6 SE Solaris 06-00 to 06-00-/A
Hitachi Cosminexus App Server 6 SE Solaris 06-50 to 06-50-/C
Hitachi Cosminexus App Server 6 SE Win 06-00 to 06-00-/H
Hitachi Cosminexus App Server 6 SE Win 06-02 to 06-02-/G
Hitachi Cosminexus App Server 6 SE Win 06-50 to 06-50-/F
Hitachi Cosminexus App Server 6 SE Win 06-51 to 06-51-/J
Hitachi Cosminexus Developer 5 for Windows 05-01 to 05-01-/L
Hitachi Cosminexus Developer 5 for Windows 05-05 to 05-05-/P
Hitachi Cosminexus Developer 6 LE Win 06-00 to 06-00-/H
Hitachi Cosminexus Developer 6 LE Win 06-02 to 06-02-/G
Hitachi Cosminexus Developer 6 LE Win 06-50 to 06-50-/F
Hitachi Cosminexus Developer 6 LE Win 06-51 to 06-51-/J
Hitachi Cosminexus Developer 6 PE Win 06-00 to 06-00-/H
Hitachi Cosminexus Developer 6 PE Win 06-02 to 06-02-/G
Hitachi Cosminexus Developer 6 PE Win 06-50 to 06-50-/F
Hitachi Cosminexus Developer 6 PE Win 06-51 to 06-51-/J
Hitachi Cosminexus Developer 6 SE Win 06-00 to 06-00-/H
Hitachi Cosminexus Developer 6 SE Win 06-02 to 06-02-/G
Hitachi Cosminexus Developer 6 SE Win 06-50 to 06-50-/F
Hitachi Cosminexus Developer 6 SE Win 06-51 to 06-51-/J
Hitachi Cosminexus Server 4 for AIX 04-01 Standard
Hitachi Cosminexus Server 4 for HP-UX 04-01 Web
Hitachi Cosminexus Server 4 for HP-UX 04-01 Standard
Hitachi Cosminexus Server 4 for Solaris 04-01 Web
Hitachi Cosminexus Server 4 for Solaris 04-01 Standard
Hitachi Cosminexus Server EE for HP-UX 03-00 to 03-05
Hitachi Cosminexus Server EE for Solaris 03-00 to 03-05
Hitachi Cosminexus Server for HP-UX 03-00 to 03-05 Web
Hitachi Cosminexus Server for HP-UX 03-00 to 03-05 Standard
Hitachi Cosminexus Server for Solaris 03-00 to 03-05 Standard
Hitachi Cosminexus Server for Solaris 03-00 to 03-05 Web
Hitachi Hitachi Web Server for AIX 01-01 to 01-02-/E
Hitachi Hitachi Web Server for AIX 02-00 to 02-04-/B
Hitachi Hitachi Web Server for AIX 03-00
Hitachi Hitachi Web Server for HP-UX (IPF) 02-02 to 02-04-/B
Hitachi Hitachi Web Server for HP-UX 10.20 01-00 to 01-02-/D
Hitachi Hitachi Web Server for HP-UX 11.00 01-00 to 01-02-/D
Hitachi Hitachi Web Server for HP-UX 11.00 02-00 to 02-04-/B
Hitachi Hitachi Web Server for Linux 01-01 to 01-01-/D
Hitachi Hitachi Web Server for Linux 02-00 to 02-00-/A
Hitachi Hitachi Web Server for Linux 02-02 to 02-06-/A
Hitachi Hitachi Web Server for Linux 03-00
Hitachi Hitachi Web Server for Solaris 01-00 to 01-02-/D
Hitachi Hitachi Web Server for Solaris 02-00 to 02-04-/B
Hitachi Hitachi Web Server for Solaris 03-00
Hitachi Hitachi Web Server for Turbolinux 01-01
Hitachi Hitachi Web Server for Turbolinux 02-00
Hitachi Hitachi Web Server for Windows 02-00 to 02-04-/D
Hitachi Hitachi Web Server for Windows 03-00 to 03-00-01
Hitachi uCosminexus Appl Serv Ent HP-UX IPF 07-00
Hitachi uCosminexus Appl Serv Ent HP-UX IPF 07-10
Hitachi uCosminexus Appl Serv Ent HP-UX IPF 07-10-01
Hitachi uCosminexus Appl Srv Ent Windows 06-70 to 06-70-/D
Hitachi uCosminexus Appl Srv Ent Windows 06-71 to 06-71-/D
Hitachi uCosminexus Appl Srv Ent Windows 07-00 to 07-00-03
Hitachi uCosminexus Appl Srv Ent Windows 07-10 to 07-10-01
Hitachi uCosminexus Appl Srv Ent Windows 07-20 to 07-20-01
Hitachi uCosminexus Appl Srv Ent Windows 07-50 to 07-50-01
Hitachi uCosminexus Application Serv Ent AIX 06-70 to 06-70-/B
Hitachi uCosminexus Application Serv Ent AIX 07-00
Hitachi uCosminexus Application Serv Ent AIX 07-10
Hitachi uCosminexus Application Serv Ent AIX 07-50
Hitachi uCosminexus Application Serv Ent HP-UX 06-70 to 06-70-/C
Hitachi uCosminexus Application Serv Ent HP-UX 07-10
Hitachi uCosminexus Application Serv Ent Linux 06-70 to 06-70-/D
Hitachi uCosminexus Application Serv Ent Linux 06-71 to 06-71-/D
Hitachi uCosminexus Application Serv Ent Linux 07-00 to 07-00-01
Hitachi uCosminexus Application Serv Ent Linux 07-10
Hitachi uCosminexus Application Serv Ent Linux 07-50
Hitachi uCosminexus Application Serv Ent Solaris 06-70 to 06-70-/D
Hitachi uCosminexus Application Serv Ent Solaris 07-00
Hitachi uCosminexus Application Serv Ent Solaris 07-10
Hitachi uCosminexus Application Serv Std HP-UX 07-10
Hitachi uCosminexus Application Server AIX 06-70 -06-70-/B
Hitachi uCosminexus Application Server AIX 07-00
Hitachi uCosminexus Application Server AIX 07-10
Hitachi uCosminexus Application Server AIX 07-50
Hitachi uCosminexus Application Server for HP-UX 06-70 to 06-70-/C
Hitachi uCosminexus Application Server for HP-UX 06-72 to 06-72-/A
Hitachi uCosminexus Application Server for Win 06-70 to 06-70-/D
Hitachi uCosminexus Application Server for Win 06-71 to 06-71-/D
Hitachi uCosminexus Application Server for Win 07-00 to 07-00-03
Hitachi uCosminexus Application Server for Win 07-10 to 07-10-01
Hitachi uCosminexus Application Server for Win 07-20 - 07-20-01
Hitachi uCosminexus Application Server for Win 07-50 to 07-50-01
Hitachi uCosminexus Application Server HP-UX IPF 06-70 to 06-70-/K
Hitachi uCosminexus Application Server HP-UX IPF 07-00
Hitachi uCosminexus Application Server HP-UX IPF 07-10 to 07-10-01
Hitachi uCosminexus Application Server Linux 06-70 to 06-70-/D
Hitachi uCosminexus Application Server Linux 06-71 to 06-71-/D
Hitachi uCosminexus Application Server Linux 07-00 to 07-00-01
Hitachi uCosminexus Application Server Linux 07-10
Hitachi uCosminexus Application Server Linux 07-50
Hitachi uCosminexus Application Server Solaris 06-70 to 06-70-/D
Hitachi uCosminexus Application Server Solaris 07-00
Hitachi uCosminexus Application Server Solaris 07-10
Hitachi uCosminexus Application SrvEnt HP-UX IPF 06-70 to 06-70-/F
Hitachi uCosminexus Developer Win 06-70 to 06-70-/D Professional
Hitachi uCosminexus Developer Win 06-70 to 06-70-/D Standard
Hitachi uCosminexus Developer Win 06-70 to 06-70-/D Light
Hitachi uCosminexus Developer Win 06-71 to 06-71-/D Light
Hitachi uCosminexus Developer Win 06-71 to 06-71-/D Standard
Hitachi uCosminexus Developer Win 06-71 to 06-71-/D Professional
Hitachi uCosminexus Developer Win 07-00 to 07-00-03 Professional
Hitachi uCosminexus Developer Win 07-00 to 07-00-03 Standard
Hitachi uCosminexus Developer Win 07-10 to 07-10-01 Professional
Hitachi uCosminexus Developer Win 07-10 to 07-10-01 Standard
Hitachi uCosminexus Developer Win 07-20 - 07-20-01 Professional
Hitachi uCosminexus Developer Win 07-20 - 07-20-01 Standard
Hitachi uCosminexus Developer Win 07-50 to 07-50-01 Professional
Hitachi uCosminexus Developer Win 07-50 to 07-50-01 Standard
Hitachi uCosminexus Service Architect Win 07-00 to 07-00-03
Hitachi uCosminexus Service Architect Win 07-10 to 07-10-01
Hitachi uCosminexus Service Architect Win 07-20 - 07-20-01
Hitachi uCosminexus Service Architect Win 07-50 to 07-50-01
Hitachi uCosminexus Service Platform AIX 07-10
Hitachi uCosminexus Service Platform AIX 07-50
Hitachi uCosminexus Service Platform Linux 07-00
Hitachi uCosminexus Service Platform Linux 07-10
Hitachi uCosminexus Service Platform Linux 07-50
Hitachi uCosminexus Service Platform Win 07-00 to 07-00-03
Hitachi uCosminexus Service Platform Win 07-10 to 07-10-01
Hitachi uCosminexus Service Platform Win 07-20 - 07-20-01
Hitachi uCosminexus Service Platform Win 07-50 to 07-50-01
HP HP-UX 11.11
HP HP-UX 11.23
HP System Management Homepage 2.1
HP System Management Homepage 2.1.1
HP System Management Homepage 2.1.2
HP System Management Homepage 2.1.3
HP System Management Homepage 2.1.4
HP System Management Homepage 2.1.5
HP System Management Homepage 2.1.6
Ingate Ingate Firewall Current version
Ingate Ingate SIParator Current version
MandrakeSoft Mandrake Linux 2006 X86_64
MandrakeSoft Mandrake Linux 2006
MandrakeSoft Mandrake Linux 2007 X86_64
MandrakeSoft Mandrake Linux 2007
MandrakeSoft Mandrake Linux Corporate Server 3.0 X86_64
MandrakeSoft Mandrake Linux Corporate Server 3.0
MandrakeSoft Mandrake Linux Corporate Server 4.0 X86_64
MandrakeSoft Mandrake Linux Corporate Server 4.0
MandrakeSoft Mandrake Multi Network Firewall 2.0
Mozilla Firefox 1.5.0.7
Mozilla Network Security Services 3.11.3
Mozilla SeaMonkey 1.0.5
Mozilla Thunderbird 1.5.0.7
NetBSD NetBSD 2.0
NetBSD NetBSD 2.0.1
NetBSD NetBSD 2.0.2
NetBSD NetBSD 2.0.3
NetBSD NetBSD 2.0.4
NetBSD NetBSD 2.1
NetBSD NetBSD 3.0
NetBSD NetBSD 3.0.1
NetBSD NetBSD 3.0.2
NetBSD NetBSD 4.0 beta
NetBSD NetBSD CURRENT
Novell Linux Desktop 9
Novell Linux POS 9
Novell Open Enterprise Server
Novell Open Enterprise Server
Novell Security Services 2.0.4
Novell SLE SDK 10
Novell UnitedLinux 1.0
OpenOffice OpenOffice.org 3.1.1
OpenOffice OpenOffice.org 3.2
OpenPKG OpenPKG 2-STABLE
OpenPKG OpenPKG 2.5
OpenPKG OpenPKG CURRENT
OpenPKG OpenPKG Enterprise E1.0-SOLID
OpenSSL OpenSSL 0.9.7 Beta3
OpenSSL OpenSSL 0.9.7 Beta6
OpenSSL OpenSSL 0.9.7 Beta5
OpenSSL OpenSSL 0.9.7 Beta4
OpenSSL OpenSSL 0.9.7 Beta2
OpenSSL OpenSSL 0.9.7 Beta1
OpenSSL OpenSSL 0.9.7
OpenSSL OpenSSL 0.9.7a
OpenSSL OpenSSL 0.9.7b
OpenSSL OpenSSL 0.9.7c
OpenSSL OpenSSL 0.9.7d
OpenSSL OpenSSL 0.9.7e
OpenSSL OpenSSL 0.9.7f
OpenSSL OpenSSL 0.9.7g
OpenSSL OpenSSL 0.9.7h
OpenSSL OpenSSL 0.9.7i
OpenSSL OpenSSL 0.9.7j
OpenSSL OpenSSL 0.9.8
OpenSSL OpenSSL 0.9.8a
OpenSSL OpenSSL 0.9.8b
Opera Opera Browser prior to 9.02
Oracle WebLogic Server Express
Oracle WebLogic Server
RedHat Enterprise Linux 2.1 AS
RedHat Enterprise Linux 2.1 ES
RedHat Enterprise Linux 2.1 WS
RedHat Enterprise Linux 3 Desktop
RedHat Enterprise Linux 3 WS
RedHat Enterprise Linux 3 ES
RedHat Enterprise Linux 3 AS
RedHat Enterprise Linux 4 ES
RedHat Enterprise Linux 4 WS
RedHat Enterprise Linux 4 Desktop
RedHat Enterprise Linux 4 AS
RedHat Enterprise Linux AS
RedHat Enterprise Linux WS
RedHat Enterprise Linux ES
RedHat Linux Advanced Workstation 2.1 Itanium
RedHat Network Satellite Server 4.2
RedHat Network Satellite Server 5.0
RedHat Network Satellite Server 5.1
RedHat RHEL Extras 3
RedHat RHEL Extras 4
Sun J2SE 1.5.0
Sun Java System Application Server 7.0 2004Q2 Standard
Sun Java System Application Server 7.0 2004Q2 Enterprise
Sun Java System Application Server 8.1 2005Q1
Sun Java System Web Proxy Server 3.6
Sun Java System Web Server 6.1
Sun JDK 1.5.0 Update7
Sun JDK 1.5.0 Update7 B03
Sun JDK 1.5.0 Update8
Sun JDK 1.5.0 Update6
Sun JDK 1.5.0 Update5
Sun JDK 1.5.0 Update4
Sun JDK 1.5.0 Update3
Sun JDK 1.5.0 Update2
Sun JDK 1.5.0
Sun JDK 1.5.0 Update1
Sun JRE 1.3.1 Update16
Sun JRE 1.3.1
Sun JRE 1.3.1 Update10
Sun JRE 1.3.1 Update9
Sun JRE 1.3.1 Update7
Sun JRE 1.3.1 Update6
Sun JRE 1.3.1 Update5
Sun JRE 1.3.1 Update3
Sun JRE 1.3.1 Update2
Sun JRE 1.3.1 Update17
Sun JRE 1.3.1 Update14
Sun JRE 1.3.1 Update13
Sun JRE 1.3.1 Update12
Sun JRE 1.3.1 Update11
Sun JRE 1.3.1 Update19
Sun JRE 1.3.1 Update18
Sun JRE 1.3.1 Update15
Sun JRE 1.3.1 Update1
Sun JRE 1.3.1 Update8
Sun JRE 1.3.1 Update4
Sun JRE 1.3.1 Update1a
Sun JRE 1.4.2 Update7
Sun JRE 1.4.2 Update6
Sun JRE 1.4.2
Sun JRE 1.4.2 Update1
Sun JRE 1.4.2 Update10
Sun JRE 1.4.2 Update11
Sun JRE 1.4.2 Update12
Sun JRE 1.4.2 Update2
Sun JRE 1.4.2 Update3
Sun JRE 1.4.2 Update4
Sun JRE 1.4.2 Update5
Sun JRE 1.4.2 Update8
Sun JRE 1.4.2 Update9
Sun JRE 1.5.0 Update3
Sun JRE 1.5.0 Update5
Sun JRE 1.5.0 Update8
Sun JRE 1.5.0 Update7
Sun JRE 1.5.0
Sun JRE 1.5.0 Update1
Sun JRE 1.5.0 Update2
Sun JRE 1.5.0 Update4
Sun JRE 1.5.0 Update6
Sun JSSE 1.0.3
Sun JSSE 1.0.3_01
Sun JSSE 1.0.3_02
Sun JSSE 1.0.3_03
Sun ONE Web Server 6.0
Sun SDK 1.3.1_01
Sun SDK 1.3.1_01a
Sun SDK 1.3.1_02
Sun SDK 1.3.1_03
Sun SDK 1.3.1_04
Sun SDK 1.3.1_05
Sun SDK 1.3.1_06
Sun SDK 1.3.1_07
Sun SDK 1.3.1_08
Sun SDK 1.3.1_09
Sun SDK 1.3.1_10
Sun SDK 1.3.1_11
Sun SDK 1.3.1_12
Sun SDK 1.3.1_13
Sun SDK 1.3.1_14
Sun SDK 1.3.1_15
Sun SDK 1.3.1_16
Sun SDK 1.3.1_17
Sun SDK 1.3.1_18
Sun SDK 1.3.1_19
Sun SDK 1.4.2
Sun SDK 1.4.2_01
Sun SDK 1.4.2_02
Sun SDK 1.4.2_03
Sun SDK 1.4.2_04
Sun SDK 1.4.2_05
Sun SDK 1.4.2_06
Sun SDK 1.4.2_07
Sun SDK 1.4.2_08
Sun SDK 1.4.2_09
Sun SDK 1.4.2_10
Sun SDK 1.4.2_11
Sun SDK 1.4.2_12
Sun Secure Global Desktop 4.2 Enterprise
Sun Solaris 10 x86
Sun Solaris 10 SPARC
Sun Solaris 8 SPARC
Sun Solaris 9 x86
Sun Solaris 9 SPARC
Sun Solaris x86
SuSE Linux Enterprise Server 8
SUSE SuSE Linux 10.0
SUSE SuSE Linux 10.1
SUSE SuSE Linux 9.0
SUSE SuSE Linux 9.2
SUSE SuSE Linux 9.3
SuSE SuSE Linux OpenExchange Server 4
SuSE SuSE Linux Retail Solution 8
SuSE SuSE Linux School Server
SuSE SuSE Linux Standard Server 8
SuSE SuSE SLED 10
SuSE SuSE SLES 10
SuSE SuSE SLES 9
Turbolinux Turbolinux 10 Desktop
Turbolinux Turbolinux 10 F...
Turbolinux Turbolinux 10 Server
Turbolinux Turbolinux 10 Server x64 Ed
Turbolinux Turbolinux 7 Server
Turbolinux Turbolinux 8 Server
Turbolinux Turbolinux FUJI
Turbolinux Turbolinux Home
Turbolinux Turbolinux Multimedia
Turbolinux Turbolinux Personal
Turbolinux Turbolinux Appliance Server 1.0 Hosting Ed
Turbolinux Turbolinux Appliance Server 1.0 Workgroup Ed
Turbolinux Turbolinux Appliance Server 2.0
VMware Server 1.0
VMware Server 1.0.1
VMware Server 1.0.2
VMware Server 1.0.3
VMware Server 1.0.4
VMware Workstation 6.0
VMware Workstation 6.0.1
VMware Workstation 6.0.2

Reported:

Sep 05, 2006

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page

* According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall IBM be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

About IBM Internet Security Systems

IBM Internet Security Systems is a trusted security advisor to thousands of the world's leading businesses and governments, helping to provide pre-emptive protection for networks, desktops and servers. The IBM Proventia? integrated security platform is designed to automatically protect against both known and unknown threats, helping to keep networks up and running and shield customers from online attacks before they impact business assets. IBM Internet Security Systems products and services are based on the proactive security intelligence of its X-Force? research and development team ? an unequivocal world authority in vulnerability and threat research. The IBM Internet Security Systems product line is also complemented by comprehensive Managed Security Services and Professional Security Services. For more information, visit the IBM Internet Security Systems Web site at www.iss.net or call 800-776-2362.