CVE-2012-0884

Description

The implementation of Cryptographic Message Syntax (CMS) and PKCS #7 in OpenSSL before 0.9.8u and 1.x before 1.0.0h does not properly restrict certain oracle behavior, which makes it easier for context-dependent attackers to decrypt data via a Million Message Attack (MMA) adaptive chosen ciphertext attack.

How to fix CVE-2012-0884

To remediate CVE-2012-0884, upgrade the affected package to a fixed version below.

• Debian/openssl—upgrade to 1.0.0h-1 or later

Is CVE-2012-0884 being exploited?

Low — EPSS is 2.8%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• from 0, < 1.0.0h-1

References (1)

• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2012-0884