CVE-2014-3509 — Race Condition in Openssl

CWE-362 — Race Condition14 documents10 sources

Severity

6.8MEDIUMNVD

OSV5.0

EPSS

13.0%

top 5.91%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Openssl Debian Openssl Paloalto Cortex XDR

Timeline

PublishedAug 13

Latest updateNov 7

Description

Race condition in the ssl_parse_serverhello_tlsext function in t1_lib.c in OpenSSL 1.0.0 before 1.0.0n and 1.0.1 before 1.0.1i, when multithreading and session resumption are used, allows remote SSL servers to cause a denial of service (memory overwrite and client application crash) or possibly have unspecified other impact by sending Elliptic Curve (EC) Supported Point Formats Extension data.

CVSS vector

AV:N/AC:M/C:P/I:P/A:PExploitability: 8.6 | Impact: 6.4

Affected Packages5 packages

▶debiandebian/openssl< openssl 1.0.1i-1 (bookworm)

▶Debianopenssl/openssl< 1.0.1i-1+3

▶Ubuntuopenssl/openssl< 1.0.1f-1ubuntu2.5

▶NVDopenssl/openssl23 versions+22

▶Palo Altopaloalto/cortex_xdr

🔴Vulnerability Details

GHSA

GHSA-6353-qghw-q8mp: Race condition in the ssl_parse_serverhello_tlsext function in t1_lib↗2022-05-17

▶

OSV

CVE-2014-3509: Race condition in the ssl_parse_serverhello_tlsext function in t1_lib↗2014-08-13

▶

OSV

openssl vulnerabilities↗2014-08-07

▶

📋Vendor Advisories

Palo Alto

PAN-SA-2024-0014 Informational Bulletin: Impact of OSS CVEs in Cortex XDR Agent↗2024-11-07

▶

BSD

FreeBSD-SA-14:18.openssl: OpenSSL multiple vulnerabilities↗2014-09-09

▶

Ubuntu

OpenSSL vulnerabilities↗2014-08-07

▶

Red Hat

openssl: race condition in ssl_parse_serverhello_tlsext↗2014-08-06

▶

Debian

CVE-2014-3509: openssl - Race condition in the ssl_parse_serverhello_tlsext function in t1_lib.c in OpenS...↗2014

▶

🕵️Threat Intelligence

Tenable

[R4] Tenable Products Affected by OpenSSL Protocol Downgrade Vulnerability↗2014-08-21

▶

💬Community

Bugzilla

CVE-2014-3509 openssl: race condition in ssl_parse_serverhello_tlsext↗2014-08-07

▶

Bugzilla

CVE-2014-3505 CVE-2014-3506 CVE-2014-3507 CVE-2014-3511 CVE-2014-3510 CVE-2014-3508 mingw-openssl: various flaws [epel-7]↗2014-08-07

▶

Bugzilla

CVE-2014-3505 CVE-2014-3506 CVE-2014-3507 CVE-2014-3511 CVE-2014-3510 CVE-2014-3508 CVE-2014-3509 mingw-openssl: various flaws [fedora-all]↗2014-08-07

▶

Bugzilla

CVE-2014-3505 CVE-2014-3506 CVE-2014-3507 CVE-2014-3511 CVE-2014-3510 CVE-2014-3508 CVE-2014-3509 openssl: various flaws [fedora-all]↗2014-08-07

▶