CVE-2014-3567

high

Description

Memory leak in the tls_decrypt_ticket function in t1_lib.c in OpenSSL before 0.9.8zc, 1.0.0 before 1.0.0o, and 1.0.1 before 1.0.1j allows remote attackers to cause a denial of service (memory consumption) via a crafted session ticket that triggers an integrity-check failure.

References

ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2014-015.txt.asc

http://advisories.mageia.org/MGASA-2014-0416.html

http://aix.software.ibm.com/aix/efixes/security/openssl_advisory11.asc

http://lists.apple.com/archives/security-announce/2015/Jan/msg00003.html

http://lists.apple.com/archives/security-announce/2015/Sep/msg00002.html

http://lists.opensuse.org/opensuse-security-announce/2014-10/msg00008.html

http://lists.opensuse.org/opensuse-security-announce/2014-11/msg00001.html

http://lists.opensuse.org/opensuse-security-announce/2014-11/msg00003.html

http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00011.html

http://marc.info/?l=bugtraq&m=141477196830952&w=2

http://marc.info/?l=bugtraq&m=142103967620673&w=2

http://marc.info/?l=bugtraq&m=142118135300698&w=2

http://marc.info/?l=bugtraq&m=142495837901899&w=2

http://marc.info/?l=bugtraq&m=142624590206005&w=2

http://marc.info/?l=bugtraq&m=142791032306609&w=2

http://marc.info/?l=bugtraq&m=142804214608580&w=2

http://marc.info/?l=bugtraq&m=142834685803386&w=2

http://marc.info/?l=bugtraq&m=143290437727362&w=2

http://marc.info/?l=bugtraq&m=143290522027658&w=2

http://marc.info/?l=bugtraq&m=143290583027876&w=2

http://rhn.redhat.com/errata/RHSA-2014-1652.html

http://rhn.redhat.com/errata/RHSA-2014-1692.html

http://rhn.redhat.com/errata/RHSA-2015-0126.html

http://secunia.com/advisories/59627

http://secunia.com/advisories/61058

http://secunia.com/advisories/61073

http://secunia.com/advisories/61130

http://secunia.com/advisories/61207

http://secunia.com/advisories/61298

http://secunia.com/advisories/61819

http://secunia.com/advisories/61837

http://secunia.com/advisories/61959

http://secunia.com/advisories/61990

http://secunia.com/advisories/62030

http://secunia.com/advisories/62070

http://secunia.com/advisories/62124

http://security.gentoo.org/glsa/glsa-201412-39.xml

http://support.apple.com/HT204244

http://www.debian.org/security/2014/dsa-3053

http://www.mandriva.com/security/advisories?name=MDVSA-2014:203

http://www.mandriva.com/security/advisories?name=MDVSA-2015:062

http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html

http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html

http://www.securityfocus.com/bid/70586

http://www.securitytracker.com/id/1031052

http://www.splunk.com/view/SP-CAAANST

http://www.ubuntu.com/usn/USN-2385-1

http://www-01.ibm.com/support/docview.wss?uid=swg21686997

https://blogs.oracle.com/sunsecurity/entry/multiple_vulnerabilities_in_openssl6

https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=7fd4ce6a997be5f5c9e744ac527725c2850de203

https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05150888

https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05158380

https://kc.mcafee.com/corporate/index?page=content&id=SB10091

https://support.apple.com/HT205217

https://support.citrix.com/article/CTX216642

https://www.openssl.org/news/secadv_20141015.txt

Details

Source: MITRE

Published: 2014-10-19

Updated: 2017-11-15

Type: CWE-20

Risk Information

CVSS v2

Base Score: 7.1

Vector: AV:N/AC:M/Au:N/C:N/I:N/A:C

Impact Score: 6.9

Exploitability Score: 8.6

Severity: HIGH

Vulnerable Software

Configuration 1

OR

cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:* versions up to 0.9.8zb (inclusive)

cpe:2.3:a:openssl:openssl:1.0.0:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:1.0.0:beta1:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:1.0.0:beta2:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:1.0.0:beta3:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:1.0.0:beta4:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:1.0.0:beta5:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:1.0.0a:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:1.0.0b:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:1.0.0c:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:1.0.0d:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:1.0.0e:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:1.0.0f:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:1.0.0g:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:1.0.0h:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:1.0.0i:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:1.0.0j:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:1.0.0k:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:1.0.0l:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:1.0.0m:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:1.0.0n:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:1.0.1:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:1.0.1:beta1:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:1.0.1:beta2:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:1.0.1:beta3:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:1.0.1a:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:1.0.1b:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:1.0.1c:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:1.0.1d:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:1.0.1e:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:1.0.1f:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:1.0.1g:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:1.0.1h:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:1.0.1i:*:*:*:*:*:*:*

Tenable Plugins


| ID | Name | Product | Family | Severity |
|---|---|---|---|---|
| 125000 | EulerOS Virtualization 3.0.1.0 : openssl (EulerOS-SA-2019-1547) | Nessus | Huawei Local Security Checks | medium |
| 89651 | openSUSE Security Update : libopenssl0_9_8 (openSUSE-2016-294) (DROWN) (FREAK) (POODLE) | Nessus | SuSE Local Security Checks | critical |
| 86245 | Apple Xcode < 7.0 (Mac OS X) (POODLE) | Nessus | MacOS X Local Security Checks | high |
| 85181 | HP System Management Homepage < 7.2.5 / 7.4.1 Multiple Vulnerabilities (POODLE) | Nessus | Web Servers | medium |
| 83648 | SUSE SLED12 / SLES12 Security Update : openssl (SUSE-SU-2014:1524-1) (POODLE) | Nessus | SuSE Local Security Checks | low |
| 83647 | SUSE SLED12 / SLES12 Security Update : compat-openssl098 (SUSE-SU-2014:1512-1) (POODLE) | Nessus | SuSE Local Security Checks | low |
| 83641 | SUSE SLES10 Security Update : OpenSSL (SUSE-SU-2014:1387-1) (POODLE) | Nessus | SuSE Local Security Checks | low |
| 82315 | Mandriva Linux Security Advisory : openssl (MDVSA-2015:062) | Nessus | Mandriva Local Security Checks | high |
| 82226 | Debian DLA-81-1 : openssl security update | Nessus | Debian Local Security Checks | high |
| 81651 | Apache Tomcat 8.0.x < 8.0.15 Multiple Vulnerabilities (POODLE) | Nessus | Web Servers | high |
| 81650 | Apache Tomcat 7.0.x < 7.0.57 Multiple Vulnerabilities (POODLE) | Nessus | Web Servers | high |
| 81649 | Apache Tomcat 6.0.x < 6.0.43 Multiple Vulnerabilities (POODLE) | Nessus | Web Servers | high |
| 81200 | RHEL 6 : rhev-hypervisor6 (RHSA-2015:0126) (GHOST) | Nessus | Red Hat Local Security Checks | medium |
| 81146 | VMware Security Updates for vCenter Server (VMSA-2015-0001) (POODLE) | Nessus | Misc. | medium |
| 81088 | Mac OS X Multiple Vulnerabilities (Security Update 2015-001) (POODLE) | Nessus | MacOS X Local Security Checks | critical |
| 81087 | Mac OS X 10.10.x < 10.10.2 Multiple Vulnerabilities (POODLE) | Nessus | MacOS X Local Security Checks | critical |
| 81085 | ESXi 5.5 < Build 2352327 Multiple Vulnerabilities (remote check) (POODLE) | Nessus | Misc. | medium |
| 81079 | VMSA-2015-0001 : VMware vCenter Server, ESXi, Workstation, Player, and Fusion updates address security issues (POODLE) | Nessus | VMware ESX Local Security Checks | low |
| 80912 | Oracle Secure Global Desktop Multiple Vulnerabilities (January 2015 CPU) (POODLE) | Nessus | Misc. | medium |
| 80885 | IBM General Parallel File System Multiple Vulnerabilities (Windows) (POODLE) | Nessus | Windows | medium |
| 80725 | Oracle Solaris Third-Party Patch Update : openssl (multiple_vulnerabilities_in_openssl6) (POODLE) | Nessus | Solaris Local Security Checks | medium |
| 80303 | Tenable SecurityCenter Multiple DoS (TNS-2014-11) | Nessus | Misc. | high |
| 80257 | F5 Networks BIG-IP : OpenSSL vulnerability (SOL15723) | Nessus | F5 Networks Local Security Checks | high |
| 80244 | GLSA-201412-39 : OpenSSL: Multiple vulnerabilities | Nessus | Gentoo Local Security Checks | high |
| 79723 | Splunk Enterprise 6.0.x < 6.0.7 Multiple Vulnerabilities (POODLE) | Nessus | CGI abuses | medium |
| 79721 | Splunk Enterprise 5.0.x < 5.0.11 Multiple Vulnerabilities (POODLE) | Nessus | Web Servers | medium |
| 79547 | OracleVM 3.3 : openssl (OVMSA-2014-0032) (Heartbleed) (POODLE) | Nessus | OracleVM Local Security Checks | high |
| 79269 | openSUSE Security Update : openssl (openSUSE-SU-2014:1426-1) (POODLE) | Nessus | SuSE Local Security Checks | low |
| 79060 | RHEL 6 : Storage Server (RHSA-2014:1692) (POODLE) | Nessus | Red Hat Local Security Checks | low |
| 78886 | SuSE 11.3 Security Update : OpenSSL (SAT Patch Number 9915) | Nessus | SuSE Local Security Checks | high |
| 78772 | AIX OpenSSL Advisory : openssl_advisory11.asc (POODLE) | Nessus | AIX Local Security Checks | high |
| 78733 | openSUSE Security Update : openssl (openSUSE-SU-2014:1331-1) (POODLE) | Nessus | SuSE Local Security Checks | low |
| 78665 | Mandriva Linux Security Advisory : openssl (MDVSA-2014:203) | Nessus | Mandriva Local Security Checks | high |
| 78584 | stunnel < 5.06 OpenSSL Multiple Vulnerabilities (POODLE) | Nessus | Windows | medium |
| 78554 | OpenSSL 1.0.1 < 1.0.1j Multiple Vulnerabilities (POODLE) | Nessus | Web Servers | medium |
| 78553 | OpenSSL 1.0.0 < 1.0.1o Multiple Vulnerabilities (POODLE) | Nessus | Web Servers | medium |
| 78552 | OpenSSL 0.9.8 < 0.9.8zc Multiple Vulnerabilities (POODLE) | Nessus | Web Servers | medium |
| 78538 | Ubuntu 10.04 LTS / 12.04 LTS / 14.04 LTS : openssl vulnerabilities (USN-2385-1) | Nessus | Ubuntu Local Security Checks | high |
| 78537 | Scientific Linux Security Update : openssl on SL6.x, SL7.x i386/x86_64 (20141016) (POODLE) | Nessus | Scientific Linux Local Security Checks | low |
| 78532 | RHEL 6 / 7 : openssl (RHSA-2014:1652) (POODLE) | Nessus | Red Hat Local Security Checks | low |
| 78529 | Oracle Linux 6 / 7 : openssl (ELSA-2014-1652) (POODLE) | Nessus | Oracle Linux Local Security Checks | low |
| 78520 | Debian DSA-3053-1 : openssl - security update (POODLE) | Nessus | Debian Local Security Checks | low |
| 78516 | CentOS 6 / 7 : openssl (CESA-2014:1652) | Nessus | CentOS Local Security Checks | high |
| 78495 | FreeBSD : OpenSSL -- multiple vulnerabilities (03175e62-5494-11e4-9cc1-bc5ff4fb5e7b) (POODLE) | Nessus | FreeBSD Local Security Checks | low |
| 78485 | Amazon Linux AMI : openssl (ALAS-2014-427) | Nessus | Amazon Linux Local Security Checks | high |
| 78483 | Slackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / current : openssl (SSA:2014-288-01) (POODLE) | Nessus | Slackware Local Security Checks | low |