SecurityTracker.com
Category:   Application (VPN)  >   OpenSSL
Vendors:   OpenSSL.org
OpenSSL SRTP and Session Ticket Memory Leaks Let Remote Users Deny Service
SecurityTracker Alert ID:  1031052
SecurityTracker URL:  http://securitytracker.com/id/1031052
CVE Reference:   CVE-2014-3513, CVE-2014-3567
Date:  Oct 15 2014
Impact:   Denial of service via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): prior to versions 0.9.8zc, 1.0.0o, 1.0.1j
Description:   Two vulnerabilities were reported in OpenSSL. A remote user can cause denial of service conditions.

A remote user can send a specially crafted handshake message to trigger a memory leak in the DTLS SRTP extension parsing code and cause the target service to fail to free up to 64k of memory [CVE-2014-3513]. Servers running 1.0.1 versions are affected, even if they are not configured for SRTP. Systems compiled with OPENSSL_NO_SRTP defined are not affected.

The vendor was notified on September 26, 2014.

The LibreSSL project reported this vulnerability.

A remote user can send a specially crafted session ticket to cause the target service to fail to free memory [CVE-2014-3567].

The vendor was notified on October 8, 2014.

Impact:   A remote user can cause excessive memory consumption on the target system.
Solution:   The vendor has issued a fix (0.9.8zc, 1.0.0o, 1.0.1j).

The vendor's advisory is available at:

https://www.openssl.org/news/secadv_20141015.txt

Vendor URL:  www.openssl.org/news/secadv_20141015.txt
Cause:   Resource error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)
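
A version check against the fixed releases listed in this advisory, as an added example that is not part of the original advisory or OpenSSL's own code. The function names are hypothetical and the input is assumed to look like the output of `openssl version`; vendor packages can carry the fix under an older upstream version string, so a hit means "check the vendor's advisory", not proof of exposure.

```python
import re

# First fixed release per branch, taken from the advisory above.
FIXED = {(0, 9, 8): "zc", (1, 0, 0): "o", (1, 0, 1): "j"}
_VERSION = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def _letter_rank(suffix):
    # OpenSSL patch letters run "", a..z, then za, zb, ...
    # Sorting on (length, text) reproduces that order.
    return (len(suffix), suffix)


def parse_version(text):
    """Return ((major, minor, fix), letter) from e.g. 'OpenSSL 1.0.1i 6 Aug 2014'."""
    m = _VERSION.search(text)
    if not m:
        raise ValueError("no OpenSSL version found in %r" % text)
    return (int(m[1]), int(m[2]), int(m[3])), m[4]


def applicable_cves(text):
    """List the CVEs from this advisory that the version string is exposed to.

    Returns None for branches the advisory does not list (assumption: treat
    those as out of scope instead of guessing). A build compiled with
    OPENSSL_NO_SRTP is not affected by CVE-2014-3513, which a version
    string cannot reveal.
    """
    branch, letter = parse_version(text)
    if branch not in FIXED:
        return None
    if _letter_rank(letter) >= _letter_rank(FIXED[branch]):
        return []
    cves = ["CVE-2014-3567"]          # session ticket leak, all three branches
    if branch == (1, 0, 1):
        cves.insert(0, "CVE-2014-3513")  # SRTP leak, 1.0.1 servers only
    return cves


if __name__ == "__main__":
    # Constructed sample inputs, not taken from real hosts.
    for sample in ("OpenSSL 1.0.1i 6 Aug 2014", "0.9.8zb", "1.0.0o", "1.0.2a"):
        print(sample, "->", applicable_cves(sample))
```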

Message History:   This archive entry has one or more follow-up message(s) listed below.
Oct 16 2014 (Red Hat Issues Fix) OpenSSL SRTP and Session Ticket Memory Leaks Let Remote Users Deny Service
Red Hat has issued a fix for Red Hat Enterprise Linux 6 and 7.
Oct 16 2014 (Ubuntu Issues Fix) OpenSSL SRTP and Session Ticket Memory Leaks Let Remote Users Deny Service
Ubuntu has issued a fix for Ubuntu 10.04 LTS, 12.04 LTS, and 14.04 LTS.
Oct 22 2014 (FreeBSD Issues Fix) OpenSSL SRTP and Session Ticket Memory Leaks Let Remote Users Deny Service
FreeBSD has issued a fix for FreeBSD 8.4, 9.1, 9.2, 9.3, 10.0, and 10.1.
Oct 30 2014 (IBM Issues Fix for IBM AIX) OpenSSL SRTP and Session Ticket Memory Leaks Let Remote Users Deny Service
IBM has issued a fix for IBM AIX 5.3, 6.1, and 7.1.
Oct 30 2014 (HP Issues Fix for HP-UX) OpenSSL SRTP and Session Ticket Memory Leaks Let Remote Users Deny Service
HP has issued a fix for HP-UX 11.11, 11.23, and 11.31.
Nov 3 2014 (NetBSD Issues Fix) OpenSSL SRTP and Session Ticket Memory Leaks Let Remote Users Deny Service
NetBSD has issued a fix for NetBSD 5.1, 5.2, 6.0, and 6.1.
Feb 27 2015 (VMware Issues Fix for VMware ESXi) OpenSSL SRTP and Session Ticket Memory Leaks Let Remote Users Deny Service
VMware has issued a fix for VMware ESXi 5.0, 5.1, and 5.5.
Apr 6 2015 (HP Issues Fix for HP BladeSystem c-Class Onboard Administrator) OpenSSL SRTP and Session Ticket Memory Leaks Let Remote Users Deny Service
HP has issued a fix for HP BladeSystem c-Class Onboard Administrator.
May 29 2015 (HP Issues Fix for HP Insight Control) OpenSSL SRTP and Session Ticket Memory Leaks Let Remote Users Deny Service
HP has issued a fix for HP Insight Control.
May 29 2015 (HP Issues Fix for HP Systems Insight Manager) OpenSSL SRTP and Session Ticket Memory Leaks Let Remote Users Deny Service
HP has issued a fix for HP Systems Insight Manager.
Sep 17 2015 (Apple Issues Fix for Apple Xcode) OpenSSL SRTP and Session Ticket Memory Leaks Let Remote Users Deny Service
Apple has issued a fix for Apple Xcode.
Sep 15 2016 (Citrix Issues Fix for Citrix NetScaler) OpenSSL SRTP and Session Ticket Memory Leaks Let Remote Users Deny Service
Citrix has issued a fix for Citrix NetScaler.



Copyright 2019, SecurityGlobal.net LLC