CVE-2013-6449
Published 2013-12-23
Priority: P4 · 30
CVSS 2.0: 4.3 (medium), vector AV:N/AC:M/Au:N/C:N/I:N/A:P
EPSS: 21.17% (97.3rd percentile)
The ssl_get_algorithm2 function in ssl/s3_lib.c in OpenSSL before 1.0.2 obtains a certain version number from an incorrect data structure, which allows remote attackers to cause a denial of service (daemon crash) via crafted traffic from a TLS 1.2 client.
Affected (22 ranges indexed; unique rows shown)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | openssl | < openssl 1.0.1e-5 (bookworm) | openssl 1.0.1e-5 (bookworm) |
| openssl | openssl | <= 1.0.1e | — |
| openssl | openssl | >= 0 < 1.0.1e-5 | 1.0.1e-5 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:N/A:P |
| osv | — | 4.3 | MEDIUM | — |
| vendor_debian | — | 4.3 | MEDIUM | — |
| vendor_redhat | — | 4.3 | MEDIUM | — |
| vendor_ubuntu | — | 4.3 | MEDIUM | — |
GHSA
GHSA-h84w-39m4-37j6 (ghsa_unreviewed · 2022-05-14) · CVE-2013-6449 [MEDIUM]
The ssl_get_algorithm2 function in ssl/s3_lib.c in OpenSSL before 1.0.2 obtains a certain version number from an incorrect data structure, which allows remote attackers to cause a denial of service (daemon crash) via crafted traffic from a TLS 1.2 client.
OSV
CVE-2013-6449 (osv · 2013-12-23 · CVSS 4.3) [MEDIUM]
The ssl_get_algorithm2 function in ssl/s3_lib.c in OpenSSL before 1.0.2 obtains a certain version number from an incorrect data structure, which allows remote attackers to cause a denial of service (daemon crash) via crafted traffic from a TLS 1.2 client.
BSD
FreeBSD-SA-14:03.openssl: OpenSSL multiple vulnerabilities (bsd_advisories · 2014-01-14 · CVSS 4.3) · CVE-2013-4353 [MEDIUM]
FreeBSD-SA-14:03.openssl Security Advisory
The FreeBSD Project
Topic: OpenSSL multiple vulnerabilities
Category: contrib
Module: openssl
Announced: 2014-01-14
Affects: FreeBSD 10.0 prior to 10.0-RC5
Corrected: 2014-01-07 20:04:41 UTC (stable/10, 10.0-PRERELEASE)
           2014-01-07 20:06:20 UTC (releng/10.0, 10.0-RC5)
           2014-01-07 20:06:20 UTC (releng/10.0, 10.0-RC4-p1)
           2014-01-07 20:06:20 UTC (releng/10.0, 10.0-RC3-p1)
           2014-01-07 20:06:20 UTC (releng/10.0, 10.0-RC2-p1)
           2014-01-07 20:06:20 UTC (releng/10.0, 10.0-RC1-p1)
CVE Name: CVE-2013-4353, CVE-2013-6449, CVE-2013-6450
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .
I. Background
FreeBSD includes software from the OpenSSL
Ubuntu
OpenSSL vulnerabilities (vendor_ubuntu · 2014-01-09 · CVSS 4.3) · CVE-2013-4353 [MEDIUM]
Title: OpenSSL vulnerabilities
Summary: Several security issues were fixed in OpenSSL.
Anton Johansson discovered that OpenSSL incorrectly handled certain invalid
TLS handshakes. A remote attacker could use this issue to cause OpenSSL to
crash, resulting in a denial of service. (CVE-2013-4353)
Ron Barber discovered that OpenSSL used an incorrect data structure to
obtain a version number. A remote attacker could use this issue to cause
OpenSSL to crash, resulting in a denial of service. (CVE-2013-6449)
Dmitry Sobinov discovered that OpenSSL incorrectly handled certain DTLS
retransmissions. A remote attacker could use this issue to cause OpenSSL to
crash, resulting in a denial of service. (CVE-2013-6450)
This update also disables the default use of the RdRand feature of certain
Intel CP
Red Hat
openssl: crash when using TLS 1.2 caused by use of incorrect hash algorithm (vendor_redhat · 2013-12-19 · CVSS 4.3) · CVE-2013-6449 [MEDIUM]
The ssl_get_algorithm2 function in ssl/s3_lib.c in OpenSSL before 1.0.2 obtains a certain version number from an incorrect data structure, which allows remote attackers to cause a denial of service (daemon crash) via crafted traffic from a TLS 1.2 client.
Statement: This issue did not affect the versions of openssl as shipped with Red Hat Enterprise Linux 5 and earlier.
Package: openssl (Red Hat Enterprise Linux 4) - Not affected
Package: openssl (Red Hat Enterprise Linux 5) - Not affected
Package: openssl097a (Red Hat Enterprise Linux 5) - Not affected
Package: openssl098e (Red Hat Enterprise Linux 6) - Not affected
Package: openssl (Red Hat Enterprise Linux 7) - Not affected
Package: openssl098e (Red Hat
Debian
CVE-2013-6449: openssl (vendor_debian · 2013 · CVSS 4.3) [MEDIUM]
The ssl_get_algorithm2 function in ssl/s3_lib.c in OpenSSL before 1.0.2 obtains a certain version number from an incorrect data structure, which allows remote attackers to cause a denial of service (daemon crash) via crafted traffic from a TLS 1.2 client.
Scope: local
bookworm: resolved (fixed in 1.0.1e-5)
bullseye: resolved (fixed in 1.0.1e-5)
forky: resolved (fixed in 1.0.1e-5)
sid: resolved (fixed in 1.0.1e-5)
trixie: resolved (fixed in 1.0.1e-5)
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2013-6449 mingw-openssl: openssl: crash when using TLS 1.2 [fedora-all] (bugzilla · 2013-12-20 · CVSS 4.3) [MEDIUM]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please use the bodhi submission link
noted in the next comment(s). This will include the bug IDs of this
tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
Bodhi notes field when available.
Please note: this issue affec
Bugzilla
CVE-2013-6449 openssl: crash when using TLS 1.2 caused by use of incorrect hash algorithm (bugzilla · 2013-12-20 · CVSS 4.3) [MEDIUM]
A flaw was reported for OpenSSL 1.0.1e that can cause applications using OpenSSL to crash when using TLS version 1.2. The issue was reported via the following OpenSSL upstream ticket:
http://rt.openssl.org/Ticket/Display.html?id=3200&user=guest&pass=guest
and also as bug for Apache Traffic Server:
https://issues.apache.org/jira/browse/TS-2355
The fix is now committed in upstream git:
http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=ca98926
Related to the above ticket, upstream also added this fix to improve error checks in OpenSSL:
http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=0294b2b
Discussion:
Support for TLS 1.2 in openssl packages in Red Hat Enterprise Linux 6 was only
Bugzilla
CVE-2013-6449 openssl: crash when using TLS 1.2 [fedora-all] (bugzilla · 2013-12-20 · CVSS 4.3) [MEDIUM]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please use the bodhi submission link
noted in the next comment(s). This will include the bug IDs of this
tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
Bodhi notes field when available.
Please note: this issue affects multiple sup
References
http://git.openssl.org/gitweb/?p=openssl.git%3Ba=commit%3Bh=ca989269a2876bae79393bd54c3e72d49975fc75
http://lists.fedoraproject.org/pipermail/package-announce/2013-December/124833.html
http://lists.fedoraproject.org/pipermail/package-announce/2013-December/124854.html
http://lists.fedoraproject.org/pipermail/package-announce/2013-December/124858.html
http://lists.fedoraproject.org/pipermail/package-announce/2014-August/136470.html
http://lists.fedoraproject.org/pipermail/package-announce/2014-August/136473.html
http://lists.opensuse.org/opensuse-updates/2014-01/msg00006.html
http://lists.opensuse.org/opensuse-updates/2014-01/msg00009.html
http://lists.opensuse.org/opensuse-updates/2014-01/msg00012.html
http://lists.opensuse.org/opensuse-updates/2014-01/msg00031.html
http://rhn.redhat.com/errata/RHSA-2014-0015.html
http://rhn.redhat.com/errata/RHSA-2014-0041.html
http://rt.openssl.org/Ticket/Display.html?id=3200&user=guest&pass=guest
http://seclists.org/fulldisclosure/2014/Dec/23
http://security.gentoo.org/glsa/glsa-201412-39.xml
http://www-01.ibm.com/support/docview.wss?uid=isg400001841
http://www-01.ibm.com/support/docview.wss?uid=isg400001843
http://www.debian.org/security/2014/dsa-2833
http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html
http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html
http://www.securityfocus.com/archive/1/534161/100/0/threaded
http://www.securityfocus.com/bid/64530
http://www.securitytracker.com/id/1029548
http://www.ubuntu.com/usn/USN-2079-1
http://www.vmware.com/security/advisories/VMSA-2014-0012.html
https://bugzilla.redhat.com/show_bug.cgi?id=1045363
https://issues.apache.org/jira/browse/TS-2355