KB Article #177255

CVE-2015-1793 and SecureTransport

CVE-2015-1793 has been reported against OpenSSL.


Because some SecureTransport (ST) versions use OpenSSL, this article presents the results of the vulnerability analysis for the currently supported branches of ST.


The table below shows the state of each SecureTransport version with regard to CVE-2015-1793:


ST version | State of vulnerability | OpenSSL version used
5.0        | not vulnerable         | based on OpenSSL 0.9.8e
5.1.x      | not vulnerable         | based on OpenSSL 0.9.8e
5.2.x      | not vulnerable         | doesn’t use OpenSSL
5.3        | not vulnerable         | doesn’t use OpenSSL


A bit more detail about CVE-2015-1793:


The reported CVE-2015-1793 is not a protocol vulnerability.

It causes the OpenSSL verification mechanism to fail to detect that an intermediate certificate has a CA=FALSE constraint, so that it validates a certificate issued by that intermediate. This is an OpenSSL-specific vulnerability that concerns only specific versions (listed in CVE-2015-1793) and only cases where an alternate verification chain is being followed.
In short, the X509_verify_cert function in crypto/x509/x509_vfy.c in OpenSSL 1.0.1n, 1.0.1o, 1.0.2b, and 1.0.2c does not properly process X.509 Basic Constraints CA values during identification of alternative certificate chains, which allows remote attackers to spoof a Certification Authority role and trigger unintended certificate verifications via a valid leaf certificate.
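
The invariant that this check is meant to enforce can be shown with a small model. The following is an added example, not OpenSSL or SecureTransport code: it treats certificates as plain records (signatures, validity dates and path length are not checked), and all names in it are hypothetical. It enumerates every candidate chain, including an alternative one through a cross-signed intermediate, and accepts a chain only if each issuing certificate in it has CA=TRUE.

```python
# Toy model (constructed): certificates are plain records, signatures are not checked.
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    is_ca: bool  # X.509 Basic Constraints CA value

def build_chains(leaf, untrusted, trusted):
    """Yield every candidate chain from leaf to a trust anchor, alternatives included."""
    def walk(chain):
        tip = chain[-1]
        for anchor in trusted:
            if anchor.subject == tip.issuer:
                yield chain + [anchor]
        for cand in untrusted:
            if cand.subject == tip.issuer and cand not in chain:
                yield from walk(chain + [cand])
    yield from walk([leaf])

def issuers_are_cas(chain):
    """Every certificate above the end entity must carry CA=TRUE."""
    return all(cert.is_ca for cert in chain[1:])

def verify(leaf, untrusted, trusted):
    """Return the accepted chain's subjects, or None if no chain passes the CA check."""
    for chain in build_chains(leaf, untrusted, trusted):
        if issuers_are_cas(chain):
            return [cert.subject for cert in chain]
    return None

# Constructed sample data (hypothetical names).
ROOT = Cert("Root", "Root", True)
INTER = Cert("Intermediate", "Root", True)
CROSS = Cert("Intermediate", "OldRoot", True)           # cross-signed by an untrusted root
LEAF = Cert("leaf.example", "Intermediate", False)      # valid end-entity, CA=FALSE
FORGED = Cert("victim.example", "leaf.example", False)  # "issued" by the leaf

UNTRUSTED = [CROSS, INTER, LEAF]

if __name__ == "__main__":
    print(verify(LEAF, UNTRUSTED, [ROOT]))    # legitimate chain is accepted
    print(verify(FORGED, UNTRUSTED, [ROOT]))  # rejected: leaf.example is not a CA
```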


The announcements from OpenSSL


(https://mta.openssl.org/pipermail/openssl-announce...

and

https://mta.openssl.org/pipermail/openssl-announce...)


state that the defect fixed in 1.0.1p is not applicable to the 0.9.8 releases, which are used by some of the ST versions in question.


In conclusion, none of the currently supported branches of ST is affected by CVE-2015-1793.