OpenSSL Remote Denial of Service Vulnerability (CVE-2014-3509)

OpenSSL Remote Denial of Service Vulnerability (CVE-2014-3509)

Release date:
Updated on:

Affected Systems:
OpenSSL Project OpenSSL <1.0.1i
Description:
--------------------------------------------------------------------------------
Bugtraq id: 69084
CVE (CAN) ID: CVE-2014-3509
 
OpenSSL is an open-source SSL implementation that implements high-strength encryption for network communication. It is widely used in various network applications.
 
OpenSSL ssl_parse_serverhello_tlsext has a race condition vulnerability. If a multi-threaded client uses a recovered session to connect to a malicious server and the server sends an ec point format extension, 255 bytes can be written to the released memory. Attackers can exploit this vulnerability to cause DoS attacks.

OpenSSL TLS heartbeat read remote information leakage (CVE-2014-0160)

Severe OpenSSL bug allows attackers to read 64 KB of memory, fixed in half an hour in Debian

OpenSSL "heartbleed" Security Vulnerability

Provides FTP + SSL/TLS authentication through OpenSSL and implements secure data transmission.
 
<* Source: Gabor Tyukasz

Link: http://www.openssl.org/news/secadv_20140806.txt
*>

Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
 
OpenSSL Project
---------------
OpenSSL projecthas published a Security Bulletin Board (secadv_20140806.txt) and corresponding patches for this purpose:
Secadv_20140806.txt: OpenSSL Security Advisory [6 Aug 2014]
Link: http://www.openssl.org/news/secadv_20140806.txt

OpenSSL details: click here
OpenSSL: click here

This article permanently updates the link address: