March 2015 OpenSSL Security Advisory (Multiple CVE’s)

  • 7016336
  • 19-Mar-2015
  • 19-Mar-2015


Novell GroupWise
Novell Messenger
Novell iPrint for Linux
Novell Filr
Novell Vibe OnPrem
Novell Open Enterprise Server 11 (OES 11) Linux
Novell iPrint for Linux
Novell ZENworks Configuration Management


On March 19th 2015, the OpenSSL project published a security advisory listing 14 vulnerabilities that had been found and fixed in the OpenSSL library. Patched versions of the library were made available concurrent with the announcement.


All Novell products will be patched to include the latest version of the OpenSSL library (0.9.8zf or 1.0.1m).
Information about patches will be forthcoming.

Additional Information

We provide the following breakdown of the vulnerabilities in the security advisory in order to help you better understand the impact on Novell products. Of the 14 vulnerabilities reported there is 1 vulnerability with moderate impact to Novell products and 1 vulnerability with low impact. 2 of the 14 vulnerabilities have already been addressed or fixed in previous Novell updates. The remaining 10 vulnerabilities do not impact Novell products because they either apply to versions of OpenSSL that Novell products do not use OR apply to functionality that Novell products do not use.

Moderate Impact
CVE-2015-0286 - Segmentation fault in ASN1_TYPE_cmp
An attacker with a specially crafted certificate could cause a Novell server or client to crash while validating the certificate. Novell products may be vulnerable under one of the following scenarios:
1. The attacker can specify the certificate as a client certificate for an SSL/TLS connection. The server must support client certificates
2. If the attacker can coax the server into making an SSL/TLS connection to a resource that they control.
3. If the attacker has a privileged network position and can spoof the IP address of a known entity that the target attempts to connect to via SSL/TLS and presents the invalid certificate.

Low Impact
CVE-2015-0209 - Use After Free following d2i_ECPrivatekey error
[Low] A successful exploit of this vulnerability requires the target code to process private keys from untrusted sources. Several Novell products process private keys, it is always in the context of an authenticated administrator. Although it is theoretically possible for an attacker to compromise an administrator account and exploit this vulnerability, it is unlikely that a successful attack would give the attacker more privilege than they already had with the compromised administrator account.

Previously Fixed
CVE-2015-0204 - Reclassified: RSA silently downgrades to EXPORT_RSA [Client]
Previously reported in January Security advisory. See Novell TID: CVE-2015-0204 OpenSSL Vulnerability aka “FREAK”
CVE-2015-0292 - Base64 decode
[Low] This was previously reported and has been fixed since 1.0.1h and 0.9.8za. All Novell products already incorporate these fixes.

Not Applicable by Version
The OpenSSL project maintains 4 different feature branches of the OpenSSL library: 0.9.8, 1.0.0, 1.0.1 and 1.0.2. All Novell products consume either the 0.9.8 or 1.0.1 versions of the library. As such vulnerabilities that apply only to the 1.0.0 or 1.0.2 versions of the library have NO impact on Novell products. The following six of the fourteen vulnerabilities reported in the security advisory only impact the 1.0.2 version of the library and have no impact on Novell products:
CVE-2015-0291 - OpenSSL 1.0.2 ClientHello sigalgs DoS
CVE-2015-0290 - Multiblock corrupted pointer
CVE-2015-0207 - Segmentation fault in DTLSv1_listen
CVE-2015-0208 - Segmentation fault for invalid PSS parameters
CVE-2015-1787 - Empty CKE with client auth and DHE
CVE-2015-0285 - Handshake with unseeded PRNG

Not Applicable by Functionality
Novell products do not consume the functionality from the OpenSSL library and are therefore not susceptible to the following 3 vulnerabilities:
CVE-2015-0287 - ASN.1 structure reuse memory corruption
CVE-2015-0289 - PKCS7 NULL pointer dereferences
CVE-2015-0288 - X509_to_X509_REQ NULL pointer deref

Not Applicable by Configuration
The following defects are not applicable to Novell products because the default (and in some cases hard-coded) configuration eliminates the pre-requisites for exploiting the vulnerability:
CVE-2015-0293 - DoS via reachable assert in SSLv2 servers
[Low] In order to trigger this vulnerability the server must support SSLv2 and export cipher suites. 

All Novell products are configured to disallow SSLv2 and disallow the export cipher suites. As such, Novell products are not affected by this vulnerability.