OpenSSL < 0.9.8zc / < 1.0.0o / < 1.0.1j Multiple Vulnerabilities
High Nessus Network Monitor Plugin ID 8552
Synopsis
The remote web server is running an outdated instance of OpenSSL and thus may be missing patches for multiple vulnerabilities.
Description
OpenSSL versions before 0.9.8zc, 1.0.0o, or 1.0.1j are unpatched for the following vulnerabilities:
- Memory leak in the DTLS SRTP extension parsing code: a crafted handshake message causes up to 64 KB of memory per handshake to go unfreed, which can be repeated to cause a denial of service. The flaw exists only in the 1.0.1 branch and is reachable on SSL/TLS as well as DTLS servers regardless of whether SRTP is used or configured. (CVE-2014-3513)
- Memory leak in the way SSL, TLS, and DTLS servers handle a session ticket whose integrity check has failed; a client that sends a large number of invalid tickets can exhaust server memory. Affects all three branches. (CVE-2014-3567)
- The 'no-ssl3' build option is not fully honored: a server built with it still accepts and completes SSL 3.0 handshakes, and a client can still be configured to send them, so such builds remain exposed to the SSL 3.0 padding attack (POODLE, CVE-2014-3566). (CVE-2014-3568)
Solution
OpenSSL versions 0.9.8zc, 1.0.0o, and 1.0.1j are patched against these vulnerabilities. Apply the vendor's patch, or update to these versions or later.