OpenSSL Remote Denial of Service Vulnerability (CVE-2014-3509)
Release date:
Updated on:
Affected Systems:
OpenSSL Project OpenSSL <1.0.1i
Description:
--------------------------------------------------------------------------------
Bugtraq id: 69084
CVE (CAN) ID: CVE-2014-3509
OpenSSL is an open-source SSL implementation that implements high-strength encryption for network communication. It is widely used in various network applications.
OpenSSL ssl_parse_serverhello_tlsext has a race condition vulnerability. If a multi-threaded client uses a recovered session to connect to a malicious server and the server sends an ec point format extension, 255 bytes can be written to the released memory. Attackers can exploit this vulnerability to cause DoS attacks.
OpenSSL TLS heartbeat read remote information leakage (CVE-2014-0160)
Severe OpenSSL bug allows attackers to read 64 KB of memory, fixed in half an hour in Debian
OpenSSL "heartbleed" Security Vulnerability
Provides FTP + SSL/TLS authentication through OpenSSL and implements secure data transmission.
<* Source: Gabor Tyukasz
Link: http://www.openssl.org/news/secadv_20140806.txt
*>
Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
OpenSSL Project
---------------
OpenSSL projecthas published a Security Bulletin Board (secadv_20140806.txt) and corresponding patches for this purpose:
Secadv_20140806.txt: OpenSSL Security Advisory [6 Aug 2014]
Link: http://www.openssl.org/news/secadv_20140806.txt
OpenSSL details: click here
OpenSSL: click here
This article permanently updates the link address: