SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (VPN)  >   OpenSSL Vendors:   OpenSSL.org
OpenSSL 'no-ssl3' Build Option Fails to Prevent SSL 3.0 Handshakes
SecurityTracker Alert ID:  1031053
SecurityTracker URL:  http://securitytracker.com/id/1031053
CVE Reference:   CVE-2014-3568   (Links to External Site)
Date:  Oct 15 2014
Impact:   Host/resource access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): prior to versions 0.9.8zc, 1.0.0o, 1.0.1j
Description:   A vulnerability was reported in OpenSSL. A remote user can bypass the intended build configuration and use SSL 3.0.

The system does not properly enforce the 'no-ssl3' build option. A server built with this option may accept SSL 3.0 sessions. A client built with this option may generate SSL 3.0 sessions.

The vendor was notified on October 14, 2014.

Akamai Technologies reported this vulnerability.

Impact:   A remote user can bypass the intended build configuration and use SSL 3.0.
Solution:   The vendor has issued a fix (0.9.8zc, 1.0.0o, 1.0.1j).

The vendor's advisory is available at:

https://www.openssl.org/news/secadv_20141015.txt

Vendor URL:  www.openssl.org/news/secadv_20141015.txt (Links to External Site)
Cause:   Configuration error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Oct 22 2014 (FreeBSD Issues Fix) OpenSSL 'no-ssl3' Build Option Fails to Prevent SSL 3.0 Handshakes
FreeBSD has issued a fix for FreeBSD 8.4, 9.1, 9.2, 9.3, 10.0, and 10.1.
Oct 30 2014 (HP Issues Fix for HP-UX) OpenSSL 'no-ssl3' Build Option Fails to Prevent SSL 3.0 Handshakes
HP has issued a fix for HP-UX 11.11, 11.23, and 11.31.
Nov 3 2014 (NetBSD Issues Fix) OpenSSL 'no-ssl3' Build Option Fails to Prevent SSL 3.0 Handshakes
NetBSD has issued a fix for NetBSD 5.1, 5.2, 6.0, and 6.1.
Feb 27 2015 (VMware Issues Fix for VMware ESXi) OpenSSL 'no-ssl3' Build Option Fails to Prevent SSL 3.0 Handshakes
VMware has issued a fix for VMware ESXi 5.0, 5.1, and 5.5.
May 29 2015 (HP Issues Fix for HP Systems Insight Manager) OpenSSL 'no-ssl3' Build Option Fails to Prevent SSL 3.0 Handshakes
HP has issued a fix for HP Systems Insight Manager.
May 29 2015 (HP Issues Fix for HP Insight Control) OpenSSL 'no-ssl3' Build Option Fails to Prevent SSL 3.0 Handshakes
HP has issued a fix for HP Insight Control.
Jun 5 2015 (HP Issues Fix for HP VPN Firewall Module) OpenSSL 'no-ssl3' Build Option Fails to Prevent SSL 3.0 Handshakes
HP has issued a fix for HP VPN Firewall Module and HP VPN Firewall Appliance.
Sep 17 2015 (Apple Issues Fix for Apple Xcode) OpenSSL 'no-ssl3' Build Option Fails to Prevent SSL 3.0 Handshakes
Apple has issued a fix for Apple Xcode.
Sep 15 2016 (Citrix Issues Fix for Citrix NetScaler) OpenSSL 'no-ssl3' Build Option Fails to Prevent SSL 3.0 Handshakes
Citrix has issued a fix for Citrix NetScaler.



 Source Message Contents



[Original Message Not Available for Viewing]


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC