Alpine: libcrypto3, multiple openssl packages: security update to 1.0.1-r3 (deprecated)

high Tenable Self-Hosted Container Security Plugin ID 401209

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- The dtls1_reassemble_fragment function in d1_both.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and
1.0.1 before 1.0.1h does not properly validate fragment lengths in DTLS ClientHello messages, which allows
remote attackers to execute arbitrary code or cause a denial of service (buffer overflow and application
crash) via a long non-initial fragment. (CVE-2014-0195)

- The do_ssl3_write function in s3_pkt.c in OpenSSL 1.x through 1.0.1g, when SSL_MODE_RELEASE_BUFFERS is
enabled, does not properly manage a buffer pointer during certain recursive calls, which allows remote
attackers to cause a denial of service (NULL pointer dereference and application crash) via vectors that
trigger an alert condition. (CVE-2014-0198)

- The dtls1_get_message_fragment function in d1_both.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and
1.0.1 before 1.0.1h allows remote attackers to cause a denial of service (recursion and client crash) via
a DTLS hello message in an invalid DTLS handshake. (CVE-2014-0221)

- OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing
of ChangeCipherSpec messages, which allows man-in-the-middle attackers to trigger use of a zero-length
master key in certain OpenSSL-to-OpenSSL communications, and consequently hijack sessions or obtain
sensitive information, via a crafted TLS handshake, aka the "CCS Injection" vulnerability. (CVE-2014-0224)

See Also

https://git.alpinelinux.org/aports/commit/?id=c7c8818b7203c5ff58dd5f7d03f7e47cb681348d

https://git.alpinelinux.org/aports/commit/?id=f745d948dd78286faf43646555df7d99a2540768

Plugin Details

Severity: High

ID: 401209

Version: Revision 1.23

Type: Local

Published: 8/16/2023

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: High

Score: 7

Percentile: 98.35

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5.6

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2014-0195

CVSS v3

Risk Factor: High

Base Score: 7.4

Temporal Score: 6.9

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C

CVSS Score Source: CVE-2014-0224

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 6/5/2014

Vulnerability Publication Date: 2/14/2014

Exploitable With

Core Impact

Reference Information

CVE: CVE-2014-0195, CVE-2014-0198, CVE-2014-0221, CVE-2014-0224

BID: 67193, 67899, 67900, 67901

IAVA: 2014-A-0083-S

IAVB: 2014-B-0092-S