CVE-2014-0076
CVE-2013-0169
CVE-2013-0166
CVE-2012-2333
CVE-2012-2110
CVE-2012-1165
CVE-2012-0884
CVE-2012-0027
CVE-2011-4619
CVE-2011-4577
CVE-2011-4576
CVE-2011-4109
CVE-2011-4108
CVE-2011-3210
CVE-2006-7250
CVE-2014-0076 : This vulnerability is a cache side-channel (FLUSH+RELOAD) against OpenSSL's ECDSA implementation: a local user able to run code on the same x86 host can recover ECDSA nonces by observing the shared processor cache, so it requires local access, not just network access. No console access is allowed on TPAM, which negates any attempt to exploit this vulnerability.
CVE-2013-0169 : The TLS part of this vulnerability (the Lucky Thirteen timing attack on CBC ciphersuites) concerns TLS 1.1 and 1.2, which the OpenSSL version in TPAM does not implement (TLS 1.1 and 1.2 support first appeared in OpenSSL 1.0.1); additionally, DTLS is not used in TPAM.
CVE-2013-0166 : This vulnerability allows a malicious OCSP responder to cause a Denial-of-Service (a NULL pointer dereference while the client verifies the signature on the OCSP response) in the client performing revocation checking. Only TPAM version 2.5.915 is susceptible to this Denial-of-Service, and only if certificate authentication is used and revocation checking is turned on. By default revocation checking is not enabled for certificate authentication. Workarounds are to disable certificate revocation checking, to upgrade to TPAM version 2.5.916 or later, or to verify that the OCSP signing certificate authority is trusted and not compromised.
CVE-2012-2333 : This vulnerability is an integer underflow in OpenSSL's handling of CBC mode ciphersuites in TLS 1.1, TLS 1.2 and DTLS, which can be exploited to cause a denial of service against both clients and servers. DTLS applications are affected in all versions of OpenSSL; TLS is only affected in OpenSSL 1.0.1 and later, the first version to implement TLS 1.1 and 1.2. TPAM is not susceptible, based on its OpenSSL version and its lack of DTLS usage.
CVE-2012-2110 : This vulnerability is specific to applications that use the function asn1_d2i_read_bio to read untrusted DER-formatted data (for example from a file or BIO). SSL/TLS is not affected, and TPAM does not use this function.
CVE-2012-1165 : This vulnerability is a NULL pointer dereference in OpenSSL's S/MIME header parsing, triggered by a crafted S/MIME message and resulting in a Denial-of-Service. TPAM does not employ any service that processes S/MIME messages, and no TPAM service listener relies on OpenSSL.
CVE-2012-0884 : This vulnerability is a Bleichenbacher-style (Million Message Attack) padding oracle in OpenSSL's CMS and PKCS#7 decryption. SSL/TLS operations are not affected; only those CMS/PKCS#7 decryption operations are, and TPAM does not use them in any context.
CVE-2012-0027 : This vulnerability requires that OpenSSL's GOST ENGINE be enabled in order for crafted data from a TLS client to cause a Denial-of-Service. The GOST ENGINE is not enabled in TPAM.
CVE-2011-4619 : This vulnerability relies on Server Gated Cryptography (SGC) being available and supported by the server, whose handling of handshake restarts can then be abused to create a Denial-of-Service (CPU consumption). No TPAM service listeners rely on OpenSSL.
CVE-2011-4577 : This vulnerability depends on RFC 3779 support being compiled into the OpenSSL build, which is disabled by default. The "enable-rfc3779" flag was not used for the OpenSSL build in TPAM, so TPAM is not susceptible to this vulnerability.
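The notes for CVE-2013-0169, CVE-2012-2333, CVE-2012-0027 and CVE-2011-4577 above all turn on build-time properties of the OpenSSL library in use: whether the version implements TLS 1.1/1.2 at all, whether the GOST ENGINE is present, and whether RFC 3779 support was compiled in. The following script is an added example, not One Identity's code and not part of TPAM, that checks those three properties on any host with an OpenSSL installation (it generalises the TPAM reasoning to whatever build it is pointed at). It assumes the `openssl` binary is on PATH and that `pkg-config` can report the OpenSSL include directory; both are assumptions, not facts from this page.

```sh
#!/bin/sh
# Added example, not One Identity / TPAM code: audit the build-time properties
# of an OpenSSL installation that the advisory notes above turn on.
# Assumptions (not from the page): `openssl` is on PATH, and `pkg-config` can
# report the OpenSSL include directory holding opensslconf.h / configuration.h.

# Return 0 if an "OpenSSL x.y.z ..." string (as printed by `openssl version`)
# is 1.0.1 or later, the first release implementing TLS 1.1/1.2, so the TLS
# side of CVE-2013-0169 and CVE-2012-2333 applies; 1 for 0.9.8 and 1.0.0;
# 2 if the string is not an OpenSSL version string at all.
implements_tls11_plus() {
    nums=$(printf '%s\n' "$1" |
        sed -n 's/^OpenSSL \([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2 \3/p')
    [ -n "$nums" ] || { printf 'unrecognised version string: %s\n' "$1" >&2; return 2; }
    set -- $nums   # major minor patch; the letter suffix (1.0.1g) is dropped
    if [ "$1" -gt 1 ]; then return 0; fi
    if [ "$1" -eq 1 ] && { [ "$2" -gt 0 ] || [ "$3" -ge 1 ]; }; then return 0; fi
    return 1
}

# Return 0 if an `openssl engine` listing names the GOST engine, the
# precondition for CVE-2012-0027. The listing is passed as text so output
# captured from another host can be checked as well.
gost_engine_listed() {
    printf '%s\n' "$1" | grep -q '^(gost)'
}

# Return 0 if RFC 3779 support is compiled in (precondition for CVE-2011-4577):
# a build without it defines OPENSSL_NO_RFC3779 in its configuration header.
# Empty input (header not found) counts as compiled in, erring toward "affected".
rfc3779_compiled_in() {
    ! printf '%s\n' "$1" | grep -q '^ *# *define  *OPENSSL_NO_RFC3779'
}

# Run the three checks against the local installation and print one verdict
# line each. Only this function touches the system; the checks above are pure.
audit_local_openssl() {
    if ! command -v openssl >/dev/null 2>&1; then
        echo "openssl: not on PATH, nothing to audit"; return 0
    fi
    v=$(openssl version)
    implements_tls11_plus "$v" && rc=0 || rc=$?
    case $rc in
        0) echo "$v: implements TLS 1.1/1.2; TLS side of CVE-2013-0169 and CVE-2012-2333 applies unless patched" ;;
        1) echo "$v: pre-1.0.1, no TLS 1.1/1.2 (DTLS use must still be ruled out)" ;;
        *) echo "$v: not an OpenSSL version string, check manually" ;;
    esac
    if gost_engine_listed "$(openssl engine 2>/dev/null)"; then
        echo "GOST engine present: CVE-2012-0027 precondition met"
    else
        echo "GOST engine absent: CVE-2012-0027 does not apply"
    fi
    inc=$(pkg-config --variable=includedir openssl 2>/dev/null)
    conf=""
    for h in "$inc/openssl/opensslconf.h" "$inc/openssl/configuration.h"; do
        [ -r "$h" ] && conf="$conf$(cat "$h")"
    done
    if rfc3779_compiled_in "$conf"; then
        echo "RFC 3779 not proven disabled (enable-rfc3779 build, or header not found): treat CVE-2011-4577 as applicable"
    else
        echo "OPENSSL_NO_RFC3779 defined: RFC 3779 support absent, CVE-2011-4577 does not apply"
    fi
}

audit_local_openssl
```

The version check deliberately ignores the patch letter: it answers only "does this build implement TLS 1.1/1.2", which is the question the notes above ask, not "is this build patched", which still has to be answered from the release notes of the specific version.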
CVE-2011-4576 : This vulnerability exposes at most 15 bytes of uninitialised memory per record, sent encrypted as SSL 3.0 block cipher padding. The exposure is limited further because OpenSSL keeps a single write buffer per connection (unless SSL_MODE_RELEASE_BUFFERS is set, which frees the buffer between uses), so the uninitialised padding bytes are normally left over from earlier records already sent to the peer; data not already seen by the peer leaks only when a record is longer than the records sent before it. Furthermore, only SSL 3.0 is susceptible (TLS initialises its padding), so the issue can be fully mitigated by configuring all TPAM targets not to use SSL 3.0. Any information leak would be confined to the target side of TPAM, since TPAM itself only employs SSL 3.0 as a client to a managed system that requests SSL 3.0.
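The mitigation above for CVE-2011-4576 depends on no managed target negotiating SSL 3.0. The following script is an added example, not One Identity's code and not part of TPAM, that probes a target with `openssl s_client -ssl3` and classifies the result, distinguishing "the target refused SSL 3.0" from "the local OpenSSL has SSL 3.0 compiled out and cannot test it", which a naive check would misread as refused. It assumes `openssl` is on PATH and the targets are reachable from the probing host; the sample outputs embedded in it are constructed, not captured from real systems.

```sh
#!/bin/sh
# Added example, not One Identity / TPAM code: check whether a managed target
# still negotiates SSL 3.0, the condition the CVE-2011-4576 mitigation rules out.
# Assumptions (not from the page): `openssl` is on PATH and targets are reachable.

# Classify the combined stdout/stderr of `openssl s_client -ssl3 -connect host:port`:
#   negotiated  - an SSL 3.0 session was established (target still needs fixing)
#   refused     - the target rejected SSL 3.0 with an alert / version error
#   untestable  - the local openssl was built without SSL 3.0 (-ssl3 unknown),
#                 so this host cannot probe at all; do not read it as "refused"
#   unreachable - no handshake output at all (connection failed)
classify_ssl3_probe() {
    out=$1
    if printf '%s\n' "$out" | grep -iq 'unknown option.*ssl3'; then
        echo untestable
    elif printf '%s\n' "$out" | grep -q '^ *Protocol *: *SSLv3'; then
        echo negotiated
    elif printf '%s\n' "$out" | grep -Eiq 'handshake failure|protocol version|wrong version number|alert'; then
        echo refused
    else
        echo unreachable
    fi
}

# Probe one target. "Q" on stdin makes s_client close the session right after
# the handshake instead of waiting for interactive input.
probe_ssl3() {
    classify_ssl3_probe "$(printf 'Q\n' | openssl s_client -ssl3 -connect "$1:$2" 2>&1)"
}

# Probe every "host port" line of a targets file and print one verdict per line.
scan_targets() {
    while read -r host port; do
        [ -n "$host" ] || continue
        printf '%s:%s %s\n' "$host" "$port" "$(probe_ssl3 "$host" "$port")"
    done < "$1"
}

# Constructed sample outputs (not captured from real TPAM targets) covering the
# three interesting cases; they exercise the classifier without any network.
SAMPLE_NEGOTIATED='CONNECTED(00000003)
---
New, SSLv3, Cipher is DES-CBC3-SHA
SSL-Session:
    Protocol  : SSLv3
    Cipher    : DES-CBC3-SHA
---'
SAMPLE_REFUSED='CONNECTED(00000003)
140234:error:1409442E:SSL routines:SSL3_READ_BYTES:tlsv1 alert protocol version:s3_pkt.c:1259:SSL alert number 70
---
no peer certificate available
---'
SAMPLE_UNTESTABLE="s_client: Unknown option: '-ssl3'
s_client: Use -help for summary."

for s in "$SAMPLE_NEGOTIATED" "$SAMPLE_REFUSED" "$SAMPLE_UNTESTABLE"; do
    echo "sample -> $(classify_ssl3_probe "$s")"
done
# Live run against a list of managed targets, one "host port" per line:
#   scan_targets targets.txt
```

An "untestable" verdict means the probing host itself is the problem: OpenSSL 1.1.0 and later drop SSL 3.0 at build time, so the scan has to run from a host whose OpenSSL was built with SSL 3.0 enabled, or with another tool, before any target can be declared clean.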
CVE-2011-4109 : This vulnerability is a double free in OpenSSL 0.9.8's certificate policy checking, reachable only when the X509_V_FLAG_POLICY_CHECK flag is set and a policy check fails. By default the flag is not set, and TPAM does not set it.
CVE-2011-4108 : This vulnerability is a padding oracle in the OpenSSL DTLS implementation, which no service listener on TPAM employs.
CVE-2011-3210 : This vulnerability is triggered by client handshake messages that violate the TLS protocol (out-of-order messages sent to a server using ephemeral ECDH ciphersuites), causing a denial of service. No TPAM service listeners rely on OpenSSL.
CVE-2006-7250 : This vulnerability is a separate flaw in the same S/MIME header parsing code as CVE-2012-1165: a crafted S/MIME message causes a NULL pointer dereference and a Denial-of-Service. TPAM does not employ any service that processes S/MIME messages, and no TPAM service listener relies on OpenSSL.
© 2024 One Identity LLC. ALL RIGHTS RESERVED.