SecurityTracker.com
SecurityTracker
Archives
Category:   Application (VPN)  >   OpenSSL
Vendors:   OpenSSL.org
OpenSSL Bugs Let Remote Users Deny Service, Obtain Information, and Potentially Execute Arbitrary Code
SecurityTracker Alert ID:  1030693
SecurityTracker URL:  http://securitytracker.com/id/1030693
CVE Reference:   CVE-2014-3505, CVE-2014-3506, CVE-2014-3507, CVE-2014-3508, CVE-2014-3509, CVE-2014-3510, CVE-2014-3511, CVE-2014-3512, CVE-2014-5139   (Links to External Site)
Date:  Aug 7 2014
Impact:   Denial of service via network, Disclosure of system information, Execution of arbitrary code via network, Modification of system information, User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): prior to versions 0.9.8zb, 1.0.0n, 1.0.1i
Description:   Several vulnerabilities were reported in OpenSSL. A remote user can execute arbitrary code on the target system. A remote user can cause denial of service conditions. A user can obtain potentially sensitive information.

Applications that call OpenSSL's pretty-printing functions may have some stack contents leaked into the printed output [CVE-2014-3508]. The OpenSSL client and server themselves are not affected. Ivan Fratric (Google) reported this vulnerability on June 19, 2014.

A remote server can send a specially crafted EC point format extension to the target multithreaded client via a resumed session to trigger a race condition in ssl_parse_serverhello_tlsext and write to freed memory [CVE-2014-3509]. Version 1.0.0 and 1.0.1 clients are affected. Gabor Tyukasz (LogMeIn Inc) reported this vulnerability on July 8, 2014.

A remote user can send specially crafted DTLS packets to trigger a double free memory error and deny service on the target system [CVE-2014-3505]. Adam Langley and Wan-Teh Chang (Google) reported this vulnerability on June 6, 2014.

A remote user can send specially crafted data to trigger a DTLS handshake processing flaw and consume excessive memory resources on the target system [CVE-2014-3506]. Adam Langley (Google) reported this vulnerability on June 6, 2014.

A remote user can send specially crafted zero-length DTLS fragments to trigger a memory leak [CVE-2014-3507]. Adam Langley (Google) reported this vulnerability on June 6, 2014.

A remote server can specify an anonymous EC(DH) ciphersuite to trigger a null pointer dereference in the target DTLS client and cause the client to crash [CVE-2014-3510]. Felix Grobert (Google) reported this vulnerability on July 18, 2014.

A remote user in a privileged network position can cause a target user's ClientHello message to be fragmented to trigger a flaw in the server code and force a downgrade to TLS 1.0 [CVE-2014-3511]. Version 1.0.1 is affected. David Benjamin and Adam Langley (Google) reported this vulnerability on July 21, 2014.

A remote user can send specially crafted SRP data to trigger a buffer overflow and potentially execute arbitrary code on the target system [CVE-2014-3512]. Version 1.0.1 is affected. Sean Devlin and Watson Ladd (Cryptography Services, NCC Group) reported this vulnerability on July 31, 2014.

Impact:   A remote user can execute arbitrary code on the target system.

A remote user can cause denial of service conditions.

A user can obtain potentially sensitive information from the stack.

Solution:   The vendor has issued a fix (0.9.8zb, 1.0.0n, 1.0.1i).

The vendor's advisory is available at:

http://www.openssl.org/news/secadv_20140806.txt
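The fixed releases above are named per branch (0.9.8zb, 1.0.0n, 1.0.1i), and several of the CVEs in the description apply only to particular branches. The following script is an added example, not part of this SecurityTracker entry or of OpenSSL itself: it parses an OpenSSL version string (or the first line of `openssl version` output), compares it against the fixed release for its branch using OpenSSL's letter-suffix ordering, and lists which of the advisory's CVEs apply. The branch restrictions for CVE-2014-3509, -3511 and -3512 come from the description above; the 1.0.1-only restriction for CVE-2014-5139 is taken from the linked vendor advisory, since this page does not describe that CVE.

```python
import re

# Fixed releases named in the advisory, keyed by release branch.
FIXED_VERSIONS = {
    "0.9.8": "0.9.8zb",
    "1.0.0": "1.0.0n",
    "1.0.1": "1.0.1i",
}

# All CVE identifiers this entry references.
ALL_CVES = [
    "CVE-2014-3505", "CVE-2014-3506", "CVE-2014-3507", "CVE-2014-3508",
    "CVE-2014-3509", "CVE-2014-3510", "CVE-2014-3511", "CVE-2014-3512",
    "CVE-2014-5139",
]

# Branch restrictions. The first three are stated in the description above;
# CVE-2014-5139 is restricted to 1.0.1 per the vendor advisory (assumption
# relative to this page, which only lists that CVE). CVEs absent from this
# table are treated as affecting every branch prior to its fixed release.
BRANCH_RESTRICTED = {
    "CVE-2014-3509": {"1.0.0", "1.0.1"},
    "CVE-2014-3511": {"1.0.1"},
    "CVE-2014-3512": {"1.0.1"},
    "CVE-2014-5139": {"1.0.1"},
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)$")
_BANNER_RE = re.compile(r"OpenSSL\s+(\d+\.\d+\.\d+[a-z]*)")


def parse_version(text):
    """Split '1.0.1h' or '0.9.8za' into (major, minor, fix, letters).

    The letter suffix compares lexicographically, which matches OpenSSL's
    release ordering: '' < 'a' < ... < 'y' < 'z' < 'za' < 'zb'.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not an OpenSSL version string: {text!r}")
    major, minor, fix, letters = m.groups()
    return (int(major), int(minor), int(fix), letters)


def version_from_banner(banner):
    """Extract the version from a line such as 'OpenSSL 1.0.1h 5 Jun 2014'."""
    m = _BANNER_RE.search(banner)
    if not m:
        raise ValueError(f"no OpenSSL version in banner: {banner!r}")
    return m.group(1)


def branch_of(version):
    major, minor, fix, _ = parse_version(version)
    return f"{major}.{minor}.{fix}"


def is_vulnerable(version):
    """True if the version is on a branch the advisory covers and is older
    than that branch's fixed release. Branches the advisory does not list
    (for example 1.0.2 pre-releases) return False here and must be
    assessed separately."""
    fixed = FIXED_VERSIONS.get(branch_of(version))
    if fixed is None:
        return False
    return parse_version(version) < parse_version(fixed)


def applicable_cves(version):
    """List the advisory's CVEs that apply to the given version."""
    if not is_vulnerable(version):
        return []
    branch = branch_of(version)
    return [cve for cve in ALL_CVES
            if branch in BRANCH_RESTRICTED.get(cve, {branch})]


if __name__ == "__main__":
    # Constructed sample banners, not output captured from a real host.
    for banner in ("OpenSSL 1.0.1h 5 Jun 2014",
                   "OpenSSL 0.9.8za 5 Jun 2014",
                   "OpenSSL 1.0.1i 6 Aug 2014"):
        v = version_from_banner(banner)
        print(v, "vulnerable" if is_vulnerable(v) else "fixed",
              applicable_cves(v))
```

One caveat that the Message History below makes visible: the Ubuntu and Red Hat fixes listed there are backported into distribution packages without changing the upstream version string, so on those systems a banner such as `OpenSSL 1.0.1e` says nothing by itself and the distribution's package version and errata must be checked instead. The comparison above is reliable for OpenSSL built from upstream source.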

Vendor URL:  www.openssl.org/news/secadv_20140806.txt (Links to External Site)
Cause:   Access control error, Boundary error, Input validation error, Resource error, State error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Aug 7 2014 (Ubuntu Issues Fix) OpenSSL Bugs Let Remote Users Deny Service, Obtain Information, and Potentially Execute Arbitrary Code
Ubuntu has issued a fix for Ubuntu 10.04 LTS, 12.04 LTS, and 14.04 LTS.
Aug 13 2014 (Red Hat Issues Fix) OpenSSL Bugs Let Remote Users Deny Service, Obtain Information, and Potentially Execute Arbitrary Code
Red Hat has issued a fix for Red Hat Enterprise Linux 6 and 7.
Aug 14 2014 (Red Hat Issues Fix) OpenSSL Bugs Let Remote Users Deny Service, Obtain Information, and Potentially Execute Arbitrary Code
Red Hat has issued a fix for Red Hat Enterprise Linux 5.
Aug 14 2014 (Red Hat Issues Fix for Red Hat Storage) OpenSSL Bugs Let Remote Users Deny Service, Obtain Information, and Potentially Execute Arbitrary Code
Red Hat has issued a fix for Red Hat Storage 2.1.
Aug 15 2014 (Splunk Issues Fix for Splunk Enterprise) OpenSSL Bugs Let Remote Users Deny Service, Obtain Information, and Potentially Execute Arbitrary Code
Splunk has issued a fix for Splunk Enterprise.
Aug 27 2014 (NetBSD Issues Fix) OpenSSL Bugs Let Remote Users Deny Service, Obtain Information, and Potentially Execute Arbitrary Code
NetBSD has issued a fix for NetBSD 5.1, 5.2, 6.0, and 6.1.
Sep 5 2014 (NetBSD Issues Fix) OpenSSL Bugs Let Remote Users Deny Service, Obtain Information, and Potentially Execute Arbitrary Code
NetBSD has issued a fix for NetBSD 5.1, 5.2, 6.0, and 6.1.
Sep 10 2014 (FreeBSD Issues Fix) OpenSSL Bugs Let Remote Users Deny Service, Obtain Information, and Potentially Execute Arbitrary Code
FreeBSD has issued a fix.
Sep 10 2014 (IBM Issues Fix for IBM AIX) OpenSSL Bugs Let Remote Users Deny Service, Obtain Information, and Potentially Execute Arbitrary Code
IBM has issued a fix for IBM AIX 5.3, 6.1, and 7.1.
Sep 15 2014 (HP Issues Fix for OpenVMS) OpenSSL Bugs Let Remote Users Deny Service, Obtain Information, and Potentially Execute Arbitrary Code
HP has issued a fix for OpenVMS.
Sep 16 2014 (Oracle Issues Fix for Solaris) OpenSSL Bugs Let Remote Users Deny Service, Obtain Information, and Potentially Execute Arbitrary Code
Oracle has issued a fix for Oracle Solaris 10 and 11.2.
Sep 17 2014 (Red Hat Issues Fix for JBoss) OpenSSL Bugs Let Remote Users Deny Service, Obtain Information, and Potentially Execute Arbitrary Code
Red Hat has issued a fix for JBoss.
Oct 9 2014 (McAfee Issues Fix for ePolicy Orchestrator) OpenSSL Bugs Let Remote Users Deny Service, Obtain Information, and Potentially Execute Arbitrary Code
McAfee has issued a fix for CVE-2014-3511 for McAfee ePolicy Orchestrator.
Jan 26 2015 (HP Issues Fix for HP Service Manager) OpenSSL Bugs Let Remote Users Deny Service, Obtain Information, and Potentially Execute Arbitrary Code
HP has issued a fix for HP Service Manager.
Jan 30 2015 (HP Issues Fix for HP Insight Control for Linux) OpenSSL Bugs Let Remote Users Deny Service, Obtain Information, and Potentially Execute Arbitrary Code
HP has issued a fix for HP Insight Control for Linux CMS Preboot Execution Environment.
May 29 2015 (HP Issues Fix for HP Systems Insight Manager) OpenSSL Bugs Let Remote Users Deny Service, Obtain Information, and Potentially Execute Arbitrary Code
HP has issued a fix for HP Systems Insight Manager.
May 29 2015 (HP Issues Fix for HP Insight Control) OpenSSL Bugs Let Remote Users Deny Service, Obtain Information, and Potentially Execute Arbitrary Code
HP has issued a fix for HP Insight Control.
Sep 15 2016 (Citrix Issues Fix for Citrix NetScaler) OpenSSL Bugs Let Remote Users Deny Service, Obtain Information, and Potentially Execute Arbitrary Code
Citrix has issued a fix for Citrix NetScaler.

Source Message Contents

[Original Message Not Available for Viewing]

Copyright 2018, SecurityGlobal.net LLC