OPENSSL:CVE-2014-3567

Vulnerability in OpenSSL CVE-2014-3567

Published: 2014-10-15 00:00:00
Source: www.openssl.org

AI Score: 4.2 Medium (Confidence: High)

CVSS2: 7.1 High (AV:N/AC:M/Au:N/C:N/I:N/A:C)
  Access Vector: NETWORK
  Access Complexity: MEDIUM
  Authentication: NONE
  Confidentiality Impact: NONE
  Integrity Impact: NONE
  Availability Impact: COMPLETE

EPSS: 0.947 High (Percentile: 99.2%)

When an OpenSSL SSL/TLS/DTLS server receives a session ticket, the integrity of that ticket is first verified. If the session ticket integrity check fails, OpenSSL fails to free memory, causing a memory leak. By sending a large number of invalid session tickets, an attacker could exploit this issue in a denial-of-service attack.
  • Fixed in OpenSSL 1.0.1j (Affected since 1.0.1)
  • Fixed in OpenSSL 1.0.0o (Affected since 1.0.0)
  • Fixed in OpenSSL 0.9.8zc (Affected since 0.9.8g)
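
For inventory triage, the three fix boundaries above can be turned into a version check. The following is an added example, not code from the advisory or from OpenSSL; the function names and the sample banners are constructed for illustration.

```python
import re

# Affected ranges from the advisory: branch -> (first affected, first fixed).
# An empty suffix means the base release of that branch (e.g. plain "1.0.1").
AFFECTED = {
    "1.0.1": ("", "j"),
    "1.0.0": ("", "o"),
    "0.9.8": ("g", "zc"),
}

# Matches the pre-3.0 OpenSSL scheme "MAJOR.MINOR.FIX" plus a letter suffix.
_VERSION_RE = re.compile(r"(\d+\.\d+\.\d+)([a-z]*)")


def patch_rank(letters):
    """Rank a patch suffix: '' < a < ... < z < za < zb < zc."""
    # After 'z' OpenSSL continued with 'za', 'zb', ..., so summing the
    # letter positions preserves release order for valid suffixes.
    return sum(ord(ch) - ord("a") + 1 for ch in letters)


def is_affected(banner):
    """True if the version in `banner` falls in a range the advisory lists."""
    match = _VERSION_RE.search(banner)
    if match is None:
        raise ValueError("no OpenSSL version found in %r" % banner)
    branch, letters = match.groups()
    if branch not in AFFECTED:
        return False  # branch not mentioned in the advisory
    first_affected, first_fixed = AFFECTED[branch]
    return patch_rank(first_affected) <= patch_rank(letters) < patch_rank(first_fixed)


# Constructed sample banners in the style of `openssl version` output.
SAMPLES = [
    "OpenSSL 1.0.1i",
    "OpenSSL 1.0.1j",
    "OpenSSL 1.0.0n-fips",
    "OpenSSL 0.9.8f",
    "OpenSSL 0.9.8zb",
    "OpenSSL 0.9.8zc",
]

if __name__ == "__main__":
    for banner in SAMPLES:
        state = "affected" if is_affected(banner) else "not in affected range"
        print("%-22s %s" % (banner, state))
```

Distribution packages often backport fixes without changing the upstream letter, so an "affected" result for a vendor build should be confirmed against the vendor's own advisory.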
