Category:   Application (VPN)  >   OpenSSL
Vendors:   OpenSSL.org
OpenSSL DTLS Processing Bugs Let Remote Users Deny Service and Execute Arbitrary Code
SecurityTracker Alert ID:  1030337
SecurityTracker URL:  http://securitytracker.com/id/1030337
CVE Reference:   CVE-2014-0195, CVE-2014-0221
Date:  Jun 5 2014
Impact:   Denial of service via network, Execution of arbitrary code via network, User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): prior to versions 0.9.8za, 1.0.0m, 1.0.1h
Description:   Two vulnerabilities were reported in OpenSSL. A remote user can execute arbitrary code on the target system. A remote user can cause denial of service conditions.

A remote user can send specially crafted DTLS fragments to the target DTLS client or server to trigger a buffer overflow and execute arbitrary code on the target system [CVE-2014-0195]. Only applications using OpenSSL as a DTLS client or server are affected.

The vendor was notified on April 23, 2014.

Juri Aedla reported this vulnerability (via HP's ZDI).

A remote server can send a specially crafted DTLS handshake to the target DTLS client to trigger a recursion flaw and cause the target service to crash [CVE-2014-0221]. Only applications using OpenSSL as a DTLS client are affected.

The vendor was notified on May 9, 2014.

Imre Rad (Search-Lab Ltd.) reported this vulnerability.

Impact:   A remote user can execute arbitrary code on the target system.

A remote user can cause the target service to crash.

Solution:   The vendor has issued a fix (0.9.8za, 1.0.0m, 1.0.1h).

The vendor's advisory is available at:

http://www.openssl.org/news/secadv_20140605.txt

Vendor URL:  www.openssl.org/news/secadv_20140605.txt
Cause:   Boundary error, State error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)
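
The fixed releases listed under Solution use OpenSSL's letter-suffix numbering, where 0.9.8za follows 0.9.8z, so a plain string comparison misorders them. The following added example (not part of the advisory or of OpenSSL) classifies version strings against those three thresholds; the function names and sample strings are constructed for illustration. It reports library version only: per the advisory, only applications using DTLS are affected, and distribution packages that backport the fix keep an older upstream version string.

```python
import re

# Fixed release per branch, taken from this advisory's Solution field.
FIXED = {"0.9.8": "za", "1.0.0": "m", "1.0.1": "h"}

# Matches the numeric branch plus optional patch letters, e.g. "1.0.1g".
_VERSION_RE = re.compile(r"(\d+\.\d+\.\d+)([a-z]*)")


def parse_version(text):
    """Return (branch, letters) from a string such as 'OpenSSL 1.0.1g 7 Apr 2014'."""
    match = _VERSION_RE.search(text)
    if match is None:
        raise ValueError("no OpenSSL version found in %r" % text)
    return match.group(1), match.group(2)


def suffix_key(letters):
    """Order patch letters: '' < 'a' < ... < 'z' < 'za' < 'zb' ..."""
    # Comparing length first keeps 'za' after 'z' and 'y'.
    return (len(letters), letters)


def classify(text):
    """Return 'vulnerable', 'fixed', or 'unlisted-branch' for a version string."""
    branch, letters = parse_version(text)
    fixed = FIXED.get(branch)
    if fixed is None:
        # The advisory names no fixed release for this branch.
        return "unlisted-branch"
    if suffix_key(letters) < suffix_key(fixed):
        return "vulnerable"
    return "fixed"


# Constructed sample inputs in the style of `openssl version` output.
SAMPLES = [
    "OpenSSL 1.0.1g 7 Apr 2014",
    "OpenSSL 1.0.1h 5 Jun 2014",
    "OpenSSL 0.9.8y 5 Feb 2013",
    "OpenSSL 0.9.8za 5 Jun 2014",
    "OpenSSL 1.0.0 29 Mar 2010",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print("%-32s %s" % (line, classify(line)))
```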

Message History:   This archive entry has one or more follow-up message(s) listed below.
Jun 5 2014 (Red Hat Issues Fix) OpenSSL DTLS Processing Bugs Let Remote Users Deny Service and Execute Arbitrary Code
Red Hat has issued a fix for Red Hat Enterprise Linux 6.
Jun 5 2014 (FreeBSD Issues Fix) OpenSSL DTLS Processing Bugs Let Remote Users Deny Service and Execute Arbitrary Code
FreeBSD has issued a fix for FreeBSD 8.4, 9.1, 9.2, and 10.0.
Jun 5 2014 (Ubuntu Issues Fix) OpenSSL DTLS Processing Bugs Let Remote Users Deny Service and Execute Arbitrary Code
Ubuntu has issued a fix for Ubuntu 10.04 LTS, 12.04 LTS, 13.10, and 14.04 LTS.
Jun 5 2014 (Debian Issues Fix) OpenSSL DTLS Processing Bugs Let Remote Users Deny Service and Execute Arbitrary Code
Debian has issued a fix.
Jun 5 2014 (Red Hat Issues Fix for Red Hat Storage) OpenSSL DTLS Processing Bugs Let Remote Users Deny Service and Execute Arbitrary Code
Red Hat has issued a fix for Red Hat Storage.
Jun 10 2014 (NetBSD Issues Fix) OpenSSL DTLS Processing Bugs Let Remote Users Deny Service and Execute Arbitrary Code
NetBSD has issued a fix for 5.1, 5.2, 6.0, and 6.1.
Jun 11 2014 (Red Hat Issues Fix) OpenSSL DTLS Processing Bugs Let Remote Users Deny Service and Execute Arbitrary Code
Red Hat has issued a fix for Red Hat Enterprise Linux 7.
Jun 11 2014 (VMware Issues Fix for ESXi) OpenSSL DTLS Processing Bugs Let Remote Users Deny Service and Execute Arbitrary Code
VMware has issued a fix for VMware ESXi 5.0, 5.1, and 5.5.
Jun 12 2014 (Stunnel Issues Fix) OpenSSL DTLS Processing Bugs Let Remote Users Deny Service and Execute Arbitrary Code
Stunnel has issued a fix.
Jun 13 2014 (VMware Issues Fix for vCenter) OpenSSL DTLS Processing Bugs Let Remote Users Deny Service and Execute Arbitrary Code
VMware has issued a fix for VMware vCenter Server.
Jun 18 2014 (HP Issues Fix for OpenVMS) OpenSSL DTLS Processing Bugs Let Remote Users Deny Service and Execute Arbitrary Code
HP has issued a fix for OpenVMS.
Jun 27 2014 (Oracle Issues Fix for Solaris) OpenSSL DTLS Processing Bugs Let Remote Users Deny Service and Execute Arbitrary Code
Oracle has issued a fix for Solaris 11.1.
Aug 14 2014 (Red Hat Issues Fix) OpenSSL DTLS Processing Bugs Let Remote Users Deny Service and Execute Arbitrary Code
Red Hat has issued a fix for Red Hat Enterprise Linux 5.




Copyright 2018, SecurityGlobal.net LLC