OpenSSL 'no-ssl3' Build Option Fails to Prevent SSL 3.0 Handshakes
|
SecurityTracker Alert ID: 1031053 |
SecurityTracker URL: http://securitytracker.com/id/1031053
|
CVE Reference:
CVE-2014-3568
(Links to External Site)
|
Date: Oct 15 2014
|
Impact:
Host/resource access via network
|
Fix Available: Yes Vendor Confirmed: Yes
|
Version(s): prior to versions 0.9.8zc, 1.0.0o, 1.0.1j
|
Description:
A vulnerability was reported in OpenSSL. A remote user can bypass the intended build configuration and use SSL 3.0.
The system does not properly enforce the 'no-ssl3' build option. A server built with this option may accept SSL 3.0 sessions. A client built with this option may generate SSL 3.0 sessions.
The vendor was notified on October 14, 2014.
Akamai Technologies reported this vulnerability.
|
Impact:
A remote user can bypass the intended build configuration and use SSL 3.0.
|
Solution:
The vendor has issued a fix (0.9.8zc, 1.0.0o, 1.0.1j).
The vendor's advisory is available at:
https://www.openssl.org/news/secadv_20141015.txt
|
Vendor URL: www.openssl.org/news/secadv_20141015.txt (Links to External Site)
|
Cause:
Configuration error
|
Underlying OS: Linux (Any), UNIX (Any), Windows (Any)
|
|
Message History:
This archive entry has one or more follow-up message(s) listed below.
Oct 22 2014 |
(FreeBSD Issues Fix) OpenSSL 'no-ssl3' Build Option Fails to Prevent SSL 3.0 Handshakes
FreeBSD has issued a fix for FreeBSD 8.4, 9.1, 9.2, 9.3, 10.0, and 10.1.
|
Oct 30 2014 |
(HP Issues Fix for HP-UX) OpenSSL 'no-ssl3' Build Option Fails to Prevent SSL 3.0 Handshakes
HP has issued a fix for HP-UX 11.11, 11.23, and 11.31.
|
Nov 3 2014 |
(NetBSD Issues Fix) OpenSSL 'no-ssl3' Build Option Fails to Prevent SSL 3.0 Handshakes
NetBSD has issued a fix for NetBSD 5.1, 5.2, 6.0, and 6.1.
|
Feb 27 2015 |
(VMware Issues Fix for VMware ESXi) OpenSSL 'no-ssl3' Build Option Fails to Prevent SSL 3.0 Handshakes
VMware has issued a fix for VMware ESXi 5.0, 5.1, and 5.5.
|
May 29 2015 |
(HP Issues Fix for HP Systems Insight Manager) OpenSSL 'no-ssl3' Build Option Fails to Prevent SSL 3.0 Handshakes
HP has issued a fix for HP Systems Insight Manager.
|
May 29 2015 |
(HP Issues Fix for HP Insight Control) OpenSSL 'no-ssl3' Build Option Fails to Prevent SSL 3.0 Handshakes
HP has issued a fix for HP Insight Control.
|
Jun 5 2015 |
(HP Issues Fix for HP VPN Firewall Module) OpenSSL 'no-ssl3' Build Option Fails to Prevent SSL 3.0 Handshakes
HP has issued a fix for HP VPN Firewall Module and HP VPN Firewall Appliance.
|
Sep 17 2015 |
(Apple Issues Fix for Apple Xcode) OpenSSL 'no-ssl3' Build Option Fails to Prevent SSL 3.0 Handshakes
Apple has issued a fix for Apple Xcode.
|
Sep 15 2016 |
(Citrix Issues Fix for Citrix NetScaler) OpenSSL 'no-ssl3' Build Option Fails to Prevent SSL 3.0 Handshakes
Citrix has issued a fix for Citrix NetScaler.
|
|
Source Message Contents
|
|
[Original Message Not Available for Viewing]
|
|