CVE-2014-3513 — Improper Input Validation in Openssl

CWE-20 — Improper Input Validation CWE-401 — Missing Release of Memory after Effective Lifetime14 documents13 sources

Severity

7.1HIGHNVD

EPSS

25.7%

top 3.74%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Openssl Debian Openssl Apple Xcode +6 more

Timeline

PublishedOct 19

Latest updateNov 7

Description

Memory leak in d1_srtp.c in the DTLS SRTP extension in OpenSSL 1.0.1 before 1.0.1j allows remote attackers to cause a denial of service (memory consumption) via a crafted handshake message.

CVSS vector

AV:N/AC:M/C:N/I:N/A:CExploitability: 8.6 | Impact: 6.9

Affected Packages11 packages

▶debiandebian/openssl< openssl 1.0.1j-1 (bookworm)

▶Debianopenssl/openssl< 1.0.1j-1+3

▶Ubuntuopenssl/openssl< 1.0.1f-1ubuntu2.7

▶NVDopenssl/openssl10 versions+9

▶Appleapple/xcode7.0

Patches

Patch: marc.info ↗Patch: security.gentoo.org ↗Patch: marc.info ↗

🔴Vulnerability Details

GHSA

GHSA-mxph-x9r8-xwgr: Memory leak in d1_srtp↗2022-05-17

▶

OSV

CVE-2014-3513: Memory leak in d1_srtp↗2014-10-19

▶

OSV

openssl vulnerabilities↗2014-10-16

▶

📋Vendor Advisories

Palo Alto

PAN-SA-2024-0014 Informational Bulletin: Impact of OSS CVEs in Cortex XDR Agent↗2024-11-07

▶

VMware

VMware vCenter Server, ESXi, Workstation, Player, and Fusion updates address security issues↗2015-01-27

▶

BSD

FreeBSD-SA-14:23.openssl: OpenSSL multiple vulnerabilities↗2014-10-21

▶

Ubuntu

OpenSSL vulnerabilities↗2014-10-16

▶

Red Hat

openssl: SRTP memory leak causes crash when using specially-crafted handshake message↗2014-10-15

▶

🕵️Threat Intelligence

Tenable

[R7] OpenSSL '20141015' Advisory Affects Tenable Products↗2014-11-07

▶

📄Research Papers

arXiv

Server-side verification of client behavior in cryptographic protocols↗2016-03-13

▶

💬Community

Bugzilla

CVE-2014-3513 openssl: SRTP memory leak causes crash when using specially-crafted handshake message↗2014-10-15

▶