CVE-2014-3568

medium
Description

OpenSSL before 0.9.8zc, 1.0.0 before 1.0.0o, and 1.0.1 before 1.0.1j does not properly enforce the no-ssl3 build option, which allows remote attackers to bypass intended access restrictions via an SSL 3.0 handshake, related to s23_clnt.c and s23_srvr.c.

References

ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2014-015.txt.asc

http://lists.apple.com/archives/security-announce/2015/Jan/msg00003.html

http://lists.apple.com/archives/security-announce/2015/Sep/msg00002.html

http://lists.opensuse.org/opensuse-security-announce/2014-10/msg00008.html

http://lists.opensuse.org/opensuse-security-announce/2014-11/msg00001.html

http://lists.opensuse.org/opensuse-security-announce/2014-11/msg00003.html

http://lists.opensuse.org/opensuse-security-announce/2015-03/msg00027.html

http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00011.html

http://marc.info/?l=bugtraq&m=141477196830952&w=2

http://marc.info/?l=bugtraq&m=142103967620673&w=2

http://marc.info/?l=bugtraq&m=142495837901899&w=2

http://marc.info/?l=bugtraq&m=142624590206005&w=2

http://marc.info/?l=bugtraq&m=142791032306609&w=2

http://marc.info/?l=bugtraq&m=142804214608580&w=2

http://marc.info/?l=bugtraq&m=143290437727362&w=2

http://marc.info/?l=bugtraq&m=143290522027658&w=2

http://secunia.com/advisories/59627

http://secunia.com/advisories/61058

http://secunia.com/advisories/61073

http://secunia.com/advisories/61130

http://secunia.com/advisories/61207

http://secunia.com/advisories/61819

http://secunia.com/advisories/61959

http://secunia.com/advisories/62030

http://secunia.com/advisories/62070

http://secunia.com/advisories/62124

http://security.gentoo.org/glsa/glsa-201412-39.xml

http://support.apple.com/HT204244

http://www.debian.org/security/2014/dsa-3053

http://www.securityfocus.com/bid/70585

http://www.securitytracker.com/id/1031053

http://www-01.ibm.com/support/docview.wss?uid=swg21686997

https://blogs.oracle.com/sunsecurity/entry/multiple_vulnerabilities_in_openssl6

https://exchange.xforce.ibmcloud.com/vulnerabilities/97037

https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=26a59d9b46574e457870197dffa802871b4c8fc7

https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05150888

https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05158380

https://kc.mcafee.com/corporate/index?page=content&id=SB10091

https://support.apple.com/HT205217

https://support.citrix.com/article/CTX216642

https://www.openssl.org/news/secadv_20141015.txt

Details

Source: MITRE

Published: 2014-10-19

Updated: 2017-11-15

Type: CWE-310

Risk Information

CVSS v2

Base Score: 4.3

Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

Impact Score: 2.9

Exploitability Score: 8.6

Severity: MEDIUM

Vulnerable Software

Configuration 1

OR

cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:* versions up to 0.9.8zb (inclusive)

cpe:2.3:a:openssl:openssl:1.0.0:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:1.0.0:beta1:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:1.0.0:beta2:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:1.0.0:beta3:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:1.0.0:beta4:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:1.0.0:beta5:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:1.0.0a:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:1.0.0b:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:1.0.0c:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:1.0.0d:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:1.0.0e:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:1.0.0f:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:1.0.0g:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:1.0.0h:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:1.0.0i:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:1.0.0j:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:1.0.0k:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:1.0.0l:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:1.0.0m:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:1.0.0n:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:1.0.1:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:1.0.1:beta1:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:1.0.1:beta2:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:1.0.1:beta3:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:1.0.1a:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:1.0.1b:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:1.0.1c:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:1.0.1d:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:1.0.1e:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:1.0.1f:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:1.0.1g:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:1.0.1h:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:1.0.1i:*:*:*:*:*:*:*

Tenable Plugins

ID | Name | Product | Family | Severity
89651 | openSUSE Security Update : libopenssl0_9_8 (openSUSE-2016-294) (DROWN) (FREAK) (POODLE) | Nessus | SuSE Local Security Checks | critical
86245 | Apple Xcode < 7.0 (Mac OS X) (POODLE) | Nessus | MacOS X Local Security Checks | high
85181 | HP System Management Homepage < 7.2.5 / 7.4.1 Multiple Vulnerabilities (POODLE) | Nessus | Web Servers | medium
83648 | SUSE SLED12 / SLES12 Security Update : openssl (SUSE-SU-2014:1524-1) (POODLE) | Nessus | SuSE Local Security Checks | low
83647 | SUSE SLED12 / SLES12 Security Update : compat-openssl098 (SUSE-SU-2014:1512-1) (POODLE) | Nessus | SuSE Local Security Checks | low
83641 | SUSE SLES10 Security Update : OpenSSL (SUSE-SU-2014:1387-1) (POODLE) | Nessus | SuSE Local Security Checks | low
82226 | Debian DLA-81-1 : openssl security update | Nessus | Debian Local Security Checks | high
81651 | Apache Tomcat 8.0.x < 8.0.15 Multiple Vulnerabilities (POODLE) | Nessus | Web Servers | high
81650 | Apache Tomcat 7.0.x < 7.0.57 Multiple Vulnerabilities (POODLE) | Nessus | Web Servers | high
81649 | Apache Tomcat 6.0.x < 6.0.43 Multiple Vulnerabilities (POODLE) | Nessus | Web Servers | high
81146 | VMware Security Updates for vCenter Server (VMSA-2015-0001) (POODLE) | Nessus | Misc. | medium
81088 | Mac OS X Multiple Vulnerabilities (Security Update 2015-001) (POODLE) | Nessus | MacOS X Local Security Checks | critical
81087 | Mac OS X 10.10.x < 10.10.2 Multiple Vulnerabilities (POODLE) | Nessus | MacOS X Local Security Checks | critical
81085 | ESXi 5.5 < Build 2352327 Multiple Vulnerabilities (remote check) (POODLE) | Nessus | Misc. | medium
81079 | VMSA-2015-0001 : VMware vCenter Server, ESXi, Workstation, Player, and Fusion updates address security issues (POODLE) | Nessus | VMware ESX Local Security Checks | low
80885 | IBM General Parallel File System Multiple Vulnerabilities (Windows) (POODLE) | Nessus | Windows | medium
80725 | Oracle Solaris Third-Party Patch Update : openssl (multiple_vulnerabilities_in_openssl6) (POODLE) | Nessus | Solaris Local Security Checks | medium
80244 | GLSA-201412-39 : OpenSSL: Multiple vulnerabilities | Nessus | Gentoo Local Security Checks | high
79738 | SuSE 11.3 Security Update : compat-openssl097g (SAT Patch Number 10033) | Nessus | SuSE Local Security Checks | medium
79269 | openSUSE Security Update : openssl (openSUSE-SU-2014:1426-1) (POODLE) | Nessus | SuSE Local Security Checks | low
78886 | SuSE 11.3 Security Update : OpenSSL (SAT Patch Number 9915) | Nessus | SuSE Local Security Checks | high
78733 | openSUSE Security Update : openssl (openSUSE-SU-2014:1331-1) (POODLE) | Nessus | SuSE Local Security Checks | low
78584 | stunnel < 5.06 OpenSSL Multiple Vulnerabilities (POODLE) | Nessus | Windows | medium
78554 | OpenSSL 1.0.1 < 1.0.1j Multiple Vulnerabilities (POODLE) | Nessus | Web Servers | medium
78553 | OpenSSL 1.0.0 < 1.0.1o Multiple Vulnerabilities (POODLE) | Nessus | Web Servers | medium
78552 | OpenSSL 0.9.8 < 0.9.8zc Multiple Vulnerabilities (POODLE) | Nessus | Web Servers | medium
78520 | Debian DSA-3053-1 : openssl - security update (POODLE) | Nessus | Debian Local Security Checks | low
8552 | OpenSSL < 0.9.8zc / < 1.0.0o / < 1.0.1j Multiple Vulnerabilities | Nessus Network Monitor | Web Servers | high
78495 | FreeBSD : OpenSSL -- multiple vulnerabilities (03175e62-5494-11e4-9cc1-bc5ff4fb5e7b) (POODLE) | Nessus | FreeBSD Local Security Checks | low
78485 | Amazon Linux AMI : openssl (ALAS-2014-427) | Nessus | Amazon Linux Local Security Checks | high
78483 | Slackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / current : openssl (SSA:2014-288-01) (POODLE) | Nessus | Slackware Local Security Checks | low