CVE-2014-8275

medium
New! CVE Severity Now Using CVSS v3

The calculated severity for CVEs has been updated to use CVSS v3 by default. CVEs that do not have a CVSS v3 score will fall back CVSS v2 for calculating severity. Severity display preferences can be toggled in the settings dropdown.

Description

OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k does not enforce certain constraints on certificate data, which allows remote attackers to defeat a fingerprint-based certificate-blacklist protection mechanism by including crafted data within a certificate's unsigned portion, related to crypto/asn1/a_verify.c, crypto/dsa/dsa_asn1.c, crypto/ecdsa/ecs_vrf.c, and crypto/x509/x_all.c.

References

http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10679

http://lists.apple.com/archives/security-announce/2015/Apr/msg00001.html

http://lists.fedoraproject.org/pipermail/package-announce/2015-January/148363.html

http://lists.opensuse.org/opensuse-security-announce/2015-01/msg00021.html

http://lists.opensuse.org/opensuse-security-announce/2015-03/msg00027.html

http://lists.opensuse.org/opensuse-security-announce/2015-05/msg00026.html

http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00037.html

http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00011.html

http://marc.info/?l=bugtraq&m=142496179803395&w=2

http://marc.info/?l=bugtraq&m=142496289803847&w=2

http://marc.info/?l=bugtraq&m=142720981827617&w=2

http://marc.info/?l=bugtraq&m=142721102728110&w=2

http://marc.info/?l=bugtraq&m=142895206924048&w=2

http://marc.info/?l=bugtraq&m=143748090628601&w=2

http://marc.info/?l=bugtraq&m=144050155601375&w=2

http://marc.info/?l=bugtraq&m=144050205101530&w=2

http://marc.info/?l=bugtraq&m=144050254401665&w=2

http://marc.info/?l=bugtraq&m=144050297101809&w=2

http://rhn.redhat.com/errata/RHSA-2015-0066.html

http://rhn.redhat.com/errata/RHSA-2015-0800.html

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150310-ssl

http://www.debian.org/security/2015/dsa-3125

http://www.mandriva.com/security/advisories?name=MDVSA-2015:019

http://www.mandriva.com/security/advisories?name=MDVSA-2015:062

http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html

http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html

http://www.oracle.com/technetwork/topics/security/bulletinjan2015-2370101.html

http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html

http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html

http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html

http://www.securityfocus.com/bid/71935

http://www.securitytracker.com/id/1033378

https://bto.bluecoat.com/security-advisory/sa88

https://github.com/openssl/openssl/commit/684400ce192dac51df3d3e92b61830a6ef90be3e

https://github.com/openssl/openssl/commit/cb62ab4b17818fe66d2fed0a7fe71969131c811b

https://kc.mcafee.com/corporate/index?page=content&id=SB10102

https://kc.mcafee.com/corporate/index?page=content&id=SB10108

https://support.apple.com/HT204659

https://support.citrix.com/article/CTX216642

https://www.openssl.org/news/secadv_20150108.txt

Details

Source: MITRE

Published: 2015-01-09

Updated: 2017-11-15

Type: CWE-310

Risk Information

CVSS v2

Base Score: 5

Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N

Impact Score: 2.9

Exploitability Score: 10

Severity: MEDIUM

Tenable Plugins

View all (49 total)

IDNameProductFamilySeverity
141185F5 Networks BIG-IP : OpenSSL vulnerability (K16136)NessusF5 Networks Local Security Checks
medium
125001EulerOS Virtualization 3.0.1.0 : openssl (EulerOS-SA-2019-1548)NessusHuawei Local Security Checks
high
700510Mac OS X 10.10.x < 10.10.3 Multiple VulnerabilitiesNessus Network MonitorOperating System Detection
critical
90251HP System Management Homepage < 7.2.6 Multiple Vulnerabilities (FREAK)NessusWeb Servers
high
89651openSUSE Security Update : libopenssl0_9_8 (openSUSE-2016-294) (DROWN) (FREAK) (POODLE)NessusSuSE Local Security Checks
critical
85803HP Version Control Repository Manager for Linux < 7.5.0 Multiple Vulnerabilities (HPSBMU03396) (FREAK)NessusMisc.
high
85802HP Version Control Repository Manager < 7.5.0 Multiple Vulnerabilities (HPSBMU03396) (FREAK)NessusWindows
high
84998openSUSE Security Update : libressl (openSUSE-2015-507) (Logjam)NessusSuSE Local Security Checks
high
84923HP System Management Homepage 7.3.x / 7.4.x < 7.5.0 Multiple Vulnerabilities (FREAK)NessusWeb Servers
high
83860SUSE SLED11 / SLES11 Security Update : MySQL (SUSE-SU-2015:0946-1) (FREAK)NessusSuSE Local Security Checks
medium
83528Cisco NX-OS OpenSSL Multiple Vulnerabilities (cisco-sa-20150310-ssl) (FREAK)NessusCISCO
medium
83527Apache Tomcat 8.0.x < 8.0.21 Multiple Vulnerabilities (FREAK)NessusWeb Servers
high
83526Apache Tomcat 7.0.x < 7.0.60 Multiple Vulnerabilities (FREAK)NessusWeb Servers
high
83490Apache Tomcat 6.0.x < 6.0.44 Multiple Vulnerabilities (FREAK)NessusWeb Servers
high
82913Juniper NSM < 2012.2R11 Multiple OpenSSL Vulnerabilities (JSA10679) (FREAK)NessusMisc.
medium
82912Juniper Junos Multiple OpenSSL Vulnerabilities (JSA10679) (FREAK)NessusJunos Local Security Checks
medium
82783CentOS 5 : openssl (CESA-2015:0800) (FREAK)NessusCentOS Local Security Checks
medium
82760Scientific Linux Security Update : openssl on SL5.x i386/x86_64 (20150413) (FREAK)NessusScientific Linux Local Security Checks
high
82758RHEL 5 : openssl (RHSA-2015:0800) (FREAK)NessusRed Hat Local Security Checks
medium
82757Oracle Linux 5 : openssl (ELSA-2015-0800) (FREAK)NessusOracle Linux Local Security Checks
medium
82700Mac OS X Multiple Vulnerabilities (Security Update 2015-004) (FREAK)NessusMacOS X Local Security Checks
critical
82699Mac OS X 10.10.x < 10.10.3 Multiple Vulnerabilities (FREAK)NessusMacOS X Local Security Checks
critical
82315Mandriva Linux Security Advisory : openssl (MDVSA-2015:062)NessusMandriva Local Security Checks
high
82271Mac OS X : Cisco AnyConnect Secure Mobility Client < 3.1(7021) <= 4.0(48) Multiple Vulnerabilities (FREAK)NessusMacOS X Local Security Checks
medium
82270Cisco AnyConnect Secure Mobility Client < 3.1(7021) / <= 4.0(48) Multiple Vulnerabilities (FREAK)NessusWindows
medium
82115Debian DLA-132-1 : openssl security update (FREAK)NessusDebian Local Security Checks
medium
81903OracleVM 2.2 : openssl (OVMSA-2015-0030) (FREAK)NessusOracleVM Local Security Checks
medium
81815McAfee Firewall Enterprise OpenSSL Multiple Vulnerabilities (SB10102) (FREAK)NessusFirewalls
medium
81726OracleVM 3.2 : openssl (OVMSA-2015-0029) (FREAK)NessusOracleVM Local Security Checks
medium
81406AIX OpenSSL Advisory : openssl_advisory12.asc (FREAK)NessusAIX Local Security Checks
medium
81124SuSE 11.3 Security Update : OpenSSL (SAT Patch Number 10150)NessusSuSE Local Security Checks
medium
81120SuSE 11.3 Security Update : compat-openssl097g (SAT Patch Number 10208)NessusSuSE Local Security Checks
medium
80991openSUSE Security Update : openssl (openSUSE-SU-2015:0130-1) (FREAK)NessusSuSE Local Security Checks
medium
80929OracleVM 3.3 : openssl (OVMSA-2015-0005) (FREAK)NessusOracleVM Local Security Checks
medium
80905Scientific Linux Security Update : openssl on SL6.x, SL7.x i386/x86_64 (20150121) (FREAK)NessusScientific Linux Local Security Checks
medium
80879RHEL 6 / 7 : openssl (RHSA-2015:0066) (FREAK)NessusRed Hat Local Security Checks
medium
80877Oracle Linux 6 / 7 : openssl (ELSA-2015-0066) (FREAK)NessusOracle Linux Local Security Checks
medium
80874Fedora 20 : openssl-1.0.1e-41.fc20 (2015-0601)NessusFedora Local Security Checks
medium
80867CentOS 6 / 7 : openssl (CESA-2015:0066)NessusCentOS Local Security Checks
medium
80568OpenSSL 1.0.1 < 1.0.1k Multiple Vulnerabilities (FREAK)NessusWeb Servers
medium
80567OpenSSL 1.0.0 < 1.0.0p Multiple Vulnerabilities (FREAK)NessusWeb Servers
medium
80566OpenSSL 0.9.8 < 0.9.8zd Multiple Vulnerabilities (FREAK)NessusWeb Servers
medium
80471Ubuntu 10.04 LTS / 12.04 LTS / 14.04 LTS / 14.10 : openssl vulnerabilities (USN-2459-1) (FREAK)NessusUbuntu Local Security Checks
medium
80461Amazon Linux AMI : openssl (ALAS-2015-469) (FREAK)NessusAmazon Linux Local Security Checks
medium
80456Mandriva Linux Security Advisory : openssl (MDVSA-2015:019)NessusMandriva Local Security Checks
medium
80446Debian DSA-3125-1 : openssl - security update (FREAK)NessusDebian Local Security Checks
medium
80443Slackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / current : openssl (SSA:2015-009-01) (FREAK)NessusSlackware Local Security Checks
medium
8617OpenSSL < 1.0.1k / < 1.0.0p / < 0.9.8zd Multiple VulnerabilitiesNessus Network MonitorWeb Servers
medium
80424FreeBSD : OpenSSL -- multiple vulnerabilities (4e536c14-9791-11e4-977d-d050992ecde8) (FREAK)NessusFreeBSD Local Security Checks
medium