Vulnerability Note VU#247744

OpenSSL may fail to properly parse invalid ASN.1 structures

Original Release date: 28 Sep 2006 | Last revised: 09 Feb 2007


A vulnerability in OpenSSL may allow an attacker to create a denial-of-service condition.


OpenSSL is an Open Source toolkit that implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols.

When parsing certain invalid ASN.1 structures, OpenSSL may mishandle an error condition, resulting in an infinite loop. By triggering the infinite loop, an attacker may be able to create a denial-of-service condition.


A remote, unauthenticated attacker may be able create a denial-of-service condition.


See the systems affected section of this document for information about specific vendors. Users who compile OpenSSL from source are encouraged to apply the updates listed in OpenSSL Security Advisory 20060928.

Systems Affected (Learn More)

VendorStatusDate NotifiedDate Updated
Debian GNU/LinuxAffected-04 Oct 2006
FreeBSD, Inc.Affected-29 Sep 2006
OpenSSLAffected-28 Sep 2006
Red Hat, Inc.Affected-29 Sep 2006
UbuntuAffected-28 Sep 2006
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A



This vulnerability was reported by the OpenSSL development team in OpenSSL Security Advisory 20060928. The OpenSSL team, in turn, acknowledge Dr. S. N. Henson of Open Network Security and NISCC for funding the ASN.1 test suite project that lead to the discovery of this issue.

This document was written by Ryan Giobbi.

Other Information

  • CVE IDs: CVE-2006-2937
  • Date Public: 28 Sep 2006
  • Date First Published: 28 Sep 2006
  • Date Last Updated: 09 Feb 2007
  • Severity Metric: 0.28
  • Document Revision: 31


If you have feedback, comments, or additional information about this vulnerability, please send us email.