Lucene search

K
f5F5F5:K15342
HistoryAug 13, 2014 - 12:00 a.m.

K15342 : OpenSSL vulnerability CVE-2014-3470

2014-08-1300:00:00
my.f5.com
119

7.5 High

AI Score

Confidence

High

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:N/I:N/A:P

0.972 High

EPSS

Percentile

99.8%

Security Advisory Description

The ssl3_send_client_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h, when an anonymous ECDH cipher suite is used, allows remote attackers to cause a denial of service (NULL pointer dereference and client crash) by triggering a NULL certificate value. (CVE-2014-3470)

Impact

An attacker may be able to exploit OpenSSL Transport Layer Security (TLS) clients that enable anonymous ECDH ciphersuites. As a result, these clients are subjected to a denial-of-service (DoS) attack. Anonymous ECDH ciphersuites are, by default, not enabled on BIG-IP system OpenSSL TLS client components.

7.5 High

AI Score

Confidence

High

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:N/I:N/A:P

0.972 High

EPSS

Percentile

99.8%