| Vulnerability Name | Max CVSS | Published | Fix Available in OpenVMS Version | Description |
|---|---|---|---|---|
| CVE-2017-17482 | 7.8 | 2/7/2018 | 8.4-2L2 for Alpha /8.4-2L3 for IA64 | An issue was discovered in OpenVMS through V8.4-2L2 on Alpha and through V8.4-2L1 on IA64, and VAX/VMS 4.0 and later. A malformed DCL command table may result in a buffer overflow allowing a local privilege escalation when a non-privileged account enters a crafted command line. This bug is exploitable on VAX and Alpha and may cause a process crash on IA64. Software was affected regardless of whether it was directly shipped by VMS Software, Inc. (VSI), HPE, HP, Compaq, or Digital Equipment Corporation. |
| CVE-2012-3277 | 5 | 12/13/2012 | 8.4-2L2 for Alpha /8.4-2L3 for IA64 | HP OpenVMS 8.3, 8.3-1H1, and 8.4 on the Itanium platform and 7.3-2, 8.2, 8.3, and 8.4 on the Alpha platform does not properly implement the LOGIN and ACME_SERVER ACMELOGIN programs, which allows remote attackers to cause a denial of service via unspecified vectors. |
| CVE-2012-3276 | 2.1 | 12/13/2012 | 8.4-2L2 for Alpha /8.4-2L3 for IA64 | HP OpenVMS 8.3, 8.3-1H1, and 8.4 on the Itanium platform and 7.3-2, 8.2, 8.3, and 8.4 on the Alpha platform does not properly implement the LOGIN and ACME_SERVER ACMELOGIN programs, which allows local users to cause a denial of service via unspecified vectors. |
| CVE-2012-2010 | 6.9 | 5/18/2012 | 8.4-2L2 for Alpha /8.4-2L3 for IA64 | The ACMELOGIN implementation in HP OpenVMS 8.3 and 8.4 on the Alpha platform, and 8.3, 8.3-1H1, and 8.4 on the Itanium platform, when the SYS$ACM system service is enabled, allows local users to gain privileges via unspecified vectors. |
| CVE-2012-0134 | 4.9 | 4/19/2012 | 8.4-2L2 for Alpha /8.4-2L3 for IA64 | Unspecified vulnerability in HP OpenVMS 7.3-2 on the Alpha platform, 8.3 and 8.4 on the Alpha and IA64 platforms, and 8.3-1h1 on the IA64 platform allows local users to cause a denial of service via unknown vectors. |
| CVE-2010-4110 | 5.7 | 12/22/2010 | 8.4-2L2 for Alpha /8.4-2L3 for IA64 | Unspecified vulnerability in HP OpenVMS 8.3, 8.3-1H1, and 8.4 on the Itanium platform on Integrity servers allows local users to gain privileges or cause a denial of service via unknown vectors. |
| CVE-2010-1973 | 6.8 | 7/22/2010 | 8.4-2L2 for Alpha /8.4-2L3 for IA64 | Unspecified vulnerability in the Auditing subsystem in HP OpenVMS 8.3, 8.2, 7.3-2, and earlier on the ALPHA platform, and 8.3-1H1, 8.3, 8.2-1, and earlier on the Itanium platform, allows local users to gain privileges or obtain sensitive information via unknown vectors. |
| CVE-2010-2612 | 2.1 | 7/2/2010 | 8.4-2L2 for Alpha /8.4-2L3 for IA64 | Unspecified vulnerability in the HP OpenVMS Auditing feature in OpenVMS ALPHA 7.3-2, 8.2, and 8.3; and OpenVMS for Integrity Servers 8.3 AND 8.3-1H1; allows local users to obtain sensitive information via unknown vectors. |
| CVE-2008-4052 | 7.2 | 9/11/2008 | 8.4-2L2 for Alpha /8.4-2L3 for IA64 | Stack-based buffer overflow in SMGSHR.EXE in OpenVMS for Integrity Servers 8.2-1, 8.3, and 8.3-1H1 and OpenVMS ALPHA 7.3-2, 8.2, and 8.3 allows local users to cause a denial of service (crash) or gain privileges via unspecified vectors. |
| CVE-2008-3947 | 7.2 | 9/5/2008 | 8.4-2L2 for Alpha /8.4-2L3 for IA64 | DCL (aka the CLI) in OpenVMS Alpha 8.3 allows local users to gain privileges via a long command line. |
| CVE-2007-5241 | 5 | 10/6/2007 | 8.4-2L2 for Alpha /8.4-2L3 for IA64 | Buffer overflow in NET$CSMACD.EXE in HP OpenVMS 8.3 and earlier allows local users to cause a denial of service (machine crash) via the “MCR MCL SHOW CSMA-CD Port * All” command, which overwrites a Non-Paged Pool Packet. |
| CVE-2007-5242 | 4.3 | 10/6/2007 | 8.4-2L2 for Alpha /8.4-2L3 for IA64 | Unspecified vulnerability in (1) SYS$EI1000.EXE and (2) SYS$EI1000_MON.EXE in HP OpenVMS 8.3 and earlier allows remote attackers to cause a denial of service (machine crash) via an “oversize” packet, which is not properly discarded if “the device has no remaining buffers after receipt of the first buffer segment.” |
| CVE-2007-3729 | 5 | 7/12/2007 | 8.4-2L2 for Alpha /8.4-2L3 for IA64 | The default configuration of the POP server in TCP/IP Services 5.6 for HP OpenVMS 8.3 generates different responses depending on whether or not a username is valid, which allows remote attackers to enumerate valid POP usernames. |
| CVE-2007-3730 | 5 | 7/12/2007 | 8.4-2L2 for Alpha /8.4-2L3 for IA64 | The default configuration of the POP server in TCP/IP Services 5.6 for HP OpenVMS 8.3 does not log the source IP address or attempted username for login attempts, which might help remote attackers to avoid identification. |
| CVE-2007-2998 | 4.9 | 6/4/2007 | 8.4-2L2 for Alpha /8.4-2L3 for IA64 | The Pascal run-time library (PAS$RTL.EXE) before 20070418 on OpenVMS for Integrity Servers 8.3, and PAS$RTL.EXE before 20070419 on OpenVMS Alpha 8.3, does not properly restore PC and PSL values, which allows local users to cause a denial of service (system crash) via certain Pascal code. |
| CVE-2007-2468 | 4.9 | 5/2/2007 | 8.4-2L2 for Alpha /8.4-2L3 for IA64 | Unspecified vulnerability in HP OpenVMS for Integrity Servers 8.2-1 and 8.3 allows local users to cause a denial of service (crash) via “Program actions relating to exceptions.” |
| CVE-2006-3686 | 5 | 7/21/2006 | 8.4-2L2 for Alpha /8.4-2L3 for IA64 | Unspecified vulnerability in [SYSEXE]SMPUTIL.EXE in HP OpenVMS 7.3-2 allows local users and “remote users” to cause a denial of service (crash). |
| CVE-2005-0652 | 2.1 | 5/2/2005 | 8.4-2L2 for Alpha /8.4-2L3 for IA64 | Unknown vulnerability in HP OpenVMS VAX 7.x and 6.x and OpenVMS Alpha 7.x or 6.x allows local users to access privileged files. |
CVEs
This page contains a list of fixed security vulnerabilities discovered in OpenVMS and other products supported by VMS Software; legacy information is provided by cvedetails.com. New vulnerabilities will be added to the end of the list as they are reported to and fixed by VMS Software.