CVE-2014-0224 — Inadequate Encryption Strength in Openssl

CWE-326 — Inadequate Encryption Strength CWE-310 CWE-841 — Improper Enforcement of Behavioral Workflow23 documents13 sources

Severity

7.4HIGHNVD

OSV6.8

EPSS

93.0%

top 0.21%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Openssl Filezilla-project Filezilla Server Mariadb +15 more

Timeline

PublishedJun 5

Latest updateNov 7

Description

OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCipherSpec messages, which allows man-in-the-middle attackers to trigger use of a zero-length master key in certain OpenSSL-to-OpenSSL communications, and consequently hijack sessions or obtain sensitive information, via a crafted TLS handshake, aka the "CCS Injection" vulnerability.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:NExploitability: 2.2 | Impact: 5.2

Affected Packages18 packages

▶NVDopenssl/openssl1.0.0 — 1.0.0m+2

▶Debianopenssl/openssl< 1.0.1h-1+3

▶Ubuntuopenssl/openssl< 1.0.1f-1ubuntu2.3+1

▶NVDsiemens/application_processing_engine_firmware< 2.0.2

▶NVDpython/python2.7.0 — 2.7.8+1

Also affects: Fedora 19, 20, Enterprise Linux 4, 5, 6.0

Patches

Patch: www.oracle.com ↗Patch: www.oracle.com ↗Patch: www.oracle.com ↗

🔴Vulnerability Details

GHSA

GHSA-84gm-v5wh-659w: OpenSSL before 0↗2022-05-13

▶

OSV

openssl regression↗2014-06-23

▶

OSV

openssl regression↗2014-06-12

▶

OSV

CVE-2014-0224: OpenSSL before 0↗2014-06-05

▶

CVEList

CVE-2014-0224: OpenSSL before 0↗2014-06-05

▶

📋Vendor Advisories

Palo Alto

PAN-SA-2024-0014 Informational Bulletin: Impact of OSS CVEs in Cortex XDR Agent↗2024-11-07

▶

Ubuntu

OpenSSL regression↗2014-06-23

▶

Ubuntu

OpenSSL regression↗2014-06-12

▶

Palo Alto

OpenSSL Man-in-the-middle vulnerability↗2014-06-09

▶

Ubuntu

OpenSSL vulnerabilities↗2014-06-05

▶

💬Community

HackerOne

CVE-2014-0224 openssl ccs vulnerability↗2015-04-10

▶

Bugzilla

CVE-2014-0221 CVE-2014-0198 CVE-2014-0224 CVE-2014-0195 CVE-2010-5298 CVE-2014-3470 mingw-openssl: various flaws [epel-7]↗2014-08-07

▶

Bugzilla

CVE-2014-3470 CVE-2014-0221 CVE-2014-0224 CVE-2014-0195 mingw32-openssl: various flaws [epel-5]↗2014-08-07

▶

Bugzilla

CVE-2014-0224 openssl: SSL/TLS MITM vulnerability↗2014-06-02

▶

Bugzilla

CVE-2014-0221 CVE-2014-0198 CVE-2014-0224 CVE-2014-0195 CVE-2010-5298 CVE-2014-3470 openssl: various flaws [fedora-all]↗2014-05-09

▶