
OpenSSL < 0.9.8zc / < 1.0.0o / < 1.0.1j Multiple Vulnerabilities

High

Synopsis

The remote web server is running an outdated instance of OpenSSL and thus may be missing patches for multiple vulnerabilities.

Description

Versions of OpenSSL before 0.9.8zc, 1.0.0o, or 1.0.1j (depending on the branch) are unpatched for the following vulnerabilities:

- Memory leak in the DTLS SRTP extension parsing code that can be triggered by a crafted handshake message, allowing a remote attacker to cause a denial of service. (CVE-2014-3513)

- Memory leak in the way SSL, TLS, and DTLS servers handle a session ticket that has failed its integrity check, allowing a remote attacker to cause a denial of service by sending many such tickets. (CVE-2014-3567)

- The 'no-ssl3' build option is not properly honored, so a server built with it can still accept and complete an SSL 3.0 handshake, leaving it exposed to the POODLE attack (CVE-2014-3566). (CVE-2014-3568)

Solution

OpenSSL versions 0.9.8zc, 1.0.0o, and 1.0.1j are patched against these vulnerabilities. Apply the vendor's patch, or update to these versions or later.
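The version comparison behind this check is not a plain numeric compare: OpenSSL's patch letters sort a < b < ... < z < za < zb < zc, so "0.9.8zc" is newer than "0.9.8y". The following is an added example, not part of the plugin or of OpenSSL, showing how to classify a banner-reported OpenSSL version against the fixed releases listed above. The Server header strings are constructed for the example; `FIXED`, `parse_version`, `is_vulnerable` and `check_server_header` are names chosen here.

```python
import re

# Fixed releases from the advisory, keyed by branch (example table, not from OpenSSL).
FIXED = {
    (0, 9, 8): "0.9.8zc",
    (1, 0, 0): "1.0.0o",
    (1, 0, 1): "1.0.1j",
}

# major.minor.fix, optional patch letters, optional "-fips"/"-dev" style tag that is ignored.
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-[\w.]+)?")


def parse_version(v):
    """Split '1.0.1j' into ((1, 0, 1), (1, 'j')).

    The patch suffix is returned as (length, letters) so that tuple ordering
    reproduces OpenSSL's letter ordering: '' < 'a' < ... < 'z' < 'za' < 'zc'.
    """
    m = VERSION_RE.fullmatch(v)
    if not m:
        raise ValueError("unrecognised OpenSSL version: %r" % v)
    branch = tuple(int(x) for x in m.group(1, 2, 3))
    letters = m.group(4)
    return branch, (len(letters), letters)


def is_vulnerable(v):
    """True if v is older than the fixed release of its branch.

    Branches not in FIXED (for example 1.0.2 or 1.1.x) are treated as not
    affected by this advisory; that is an assumption of the example.
    """
    branch, suffix = parse_version(v)
    fixed = FIXED.get(branch)
    if fixed is None:
        return False
    return suffix < parse_version(fixed)[1]


SERVER_RE = re.compile(r"OpenSSL/(\d+\.\d+\.\d+[a-z]*(?:-[\w.]+)?)")


def check_server_header(header):
    """Return True/False for a Server header that advertises OpenSSL, None if it does not."""
    m = SERVER_RE.search(header)
    if not m:
        return None
    return is_vulnerable(m.group(1))


if __name__ == "__main__":
    # Constructed sample banners, not captured from a real host.
    for banner in (
        "Apache/2.2.22 (Ubuntu) OpenSSL/1.0.1e",
        "Apache/2.4.10 OpenSSL/1.0.1j",
        "Apache/2.2.3 (Red Hat) mod_ssl/2.2.3 OpenSSL/0.9.8zb",
        "nginx/1.4.6",
    ):
        print(banner, "->", check_server_header(banner))
```

Two caveats when using a check like this in practice. First, distributions such as Debian and Red Hat backport security fixes without bumping the upstream version, so a banner of 1.0.1e can belong to a fully patched package; confirm with the package manager (`dpkg -l openssl`, `rpm -q --changelog openssl`) before reporting. Second, for CVE-2014-3568 the question is behavioural rather than version-based: a server built with `no-ssl3` should refuse `openssl s_client -connect host:443 -ssl3`; if that handshake completes, the build option is not being honoured regardless of what the banner says.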