CVE-2014-8176

2015-06-1100:00:00

ubuntu.com

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.05 Low

EPSS

Percentile

92.8%

JSON

The dtls1_clear_queues function in ssl/d1_lib.c in OpenSSL before 0.9.8za,
1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h frees data structures without
considering that application data can arrive between a ChangeCipherSpec
message and a Finished message, which allows remote DTLS peers to cause a
denial of service (memory corruption and application crash) or possibly
have unspecified other impact via unexpected application data.

Bugs

<https://rt.openssl.org/Ticket/Display.html?id=3286>

OSVersionArchitecturePackageVersionFilename
ubuntu12.04noarchopenssl< 1.0.1-4ubuntu5.31UNKNOWN
ubuntu14.04noarchopenssl< 1.0.1f-1ubuntu2.15UNKNOWN
ubuntu14.10noarchopenssl< 1.0.1f-1ubuntu9.8UNKNOWN
ubuntu15.04noarchopenssl< 1.0.1f-1ubuntu11.4UNKNOWN

OS	Version	Architecture	Package	Version	Filename
ubuntu	12.04	noarch	openssl	< 1.0.1-4ubuntu5.31	UNKNOWN
ubuntu	14.04	noarch	openssl	< 1.0.1f-1ubuntu2.15	UNKNOWN
ubuntu	14.10	noarch	openssl	< 1.0.1f-1ubuntu9.8	UNKNOWN
ubuntu	15.04	noarch	openssl	< 1.0.1f-1ubuntu11.4	UNKNOWN