6.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
Security vulnerabilities have been discovered in OpenSSL.
CVEID:CVE-2014-3511
**DESCRIPTION:*OpenSSL could allow a remote attacker to bypass security restrictions, caused by the negotiation of TLS 1.0 instead of higher protocol versions by the OpenSSL SSL/TLS server code when handling a badly fragmented ClientHello message. An attacker could exploit this vulnerability using man-in-the-middle techniques to force a downgrade to TLS 1.0.
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/95162_ _for the current score CVSS Environmental Score: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CVEID:CVE-2014-3509
**DESCRIPTION:*OpenSSL is vulnerable to a denial of service, caused by a race condition in the ssl_parse_serverhello_tlsext() code. If a multithreaded client connects to a malicious server using a resumed session, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/95159_ _for the current score CVSS Environmental Score: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P)
CVEID:CVE-2014-3505
**DESCRIPTION:*OpenSSL is vulnerable to a denial of service, caused by a double-free error when handling DTLS packets. A remote attacker could exploit this vulnerability to cause the system to crash.
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/95163_ _for the current score CVSS Environmental Score: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CVEID:CVE-2014-3506
**DESCRIPTION:*OpenSSL is vulnerable to a denial of service, caused by an error when processing DTLS handshake messages. A remote attacker could exploit this vulnerability to consume an overly large amount of memory.
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/95160_ _for the current score CVSS Environmental Score: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)
**CVEID:**CVE-2014-3507
**DESCRIPTION:*OpenSSL is vulnerable to a denial of service. By sending speciallycrafted
DTLS packets, a remote attacker could exploit this vulnerability to leak memory
and cause a denial of service.
CVSS Base Score: 5
CVSS Temporal Score: See <http://xforce.iss.net/xforce/xfdb/95161> for the current score
CVSS Environmental Score: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)
**CVEID:**CVE-2014-3510
**DESCRIPTION:*OpenSSL is vulnerable to a denial of service, caused by a NULL
pointer dereference in anonymous ECDH ciphersuites. A remote attacker could exploit
this vulnerability using a malicious handshake to cause the client to crash.
CVSS Base Score: 4.3
CVSS Temporal Score: See <http://xforce.iss.net/xforce/xfdb/95164> for the current score
CVSS Environmental Score: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P)
IBM SDN VE, Unified Controller, VMware Edition: 1.2.1 and earlier
IBM SDN VE, Unified Controller, KVM Edition: 1.2.1 and earlier
IBM SDN VE, Unified Controller, OpenFlow Edition: 1.2.1 and earlier
IBM SDN VE, Dove Management Console, VMware Edition: 1.0.0
IBM recommends updating affected IBM SDN VE, Unified Controllers to the
latest versions of IBM SDN VE for which IBM is providing a fix, which are
identified below:
IBM SDN VE, Unified Controller, VMware Edition: version 1.2.2 or later
IBM SDN VE, Unified Controller, KVM Edition: version 1.2.2 or later
IBM SDN VE, Unified Controller, OpenFlow Edition: version 1.2.2 or later
These versions are available via Passport Advantage.
None known