CVE-2014-3567Improper Input Validation in Openssl

CWE-20Improper Input ValidationCWE-399CWE-401Missing Release of Memory after Effective Lifetime15 documents13 sources
Severity
7.1HIGHNVD
EPSS
21.7%
top 4.24%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
10
OpensslDebian OpensslApple OS X Yosemite V10.10.2 AND Security Update 2015-001+7 more
Timeline
PublishedOct 19
Latest updateNov 7

Description

Memory leak in the tls_decrypt_ticket function in t1_lib.c in OpenSSL before 0.9.8zc, 1.0.0 before 1.0.0o, and 1.0.1 before 1.0.1j allows remote attackers to cause a denial of service (memory consumption) via a crafted session ticket that triggers an integrity-check failure.

CVSS vector

AV:N/AC:M/C:N/I:N/A:CExploitability: 8.6 | Impact: 6.9

Affected Packages12 packages

debiandebian/openssl< openssl 1.0.1j-1 (bookworm)
Debianopenssl/openssl< 1.0.1j-1+3
Ubuntuopenssl/openssl< 1.0.1f-1ubuntu2.7
NVDopenssl/openssl0.9.8zb+25
Appleapple/xcode7.0

🔴Vulnerability Details

3
GHSA
GHSA-5cmf-xwq3-4rj3: Memory leak in the tls_decrypt_ticket function in t1_lib2022-05-17
OSV
CVE-2014-3567: Memory leak in the tls_decrypt_ticket function in t1_lib2014-10-19
OSV
openssl vulnerabilities2014-10-16

📋Vendor Advisories

8
Palo Alto
PAN-SA-2024-0014 Informational Bulletin: Impact of OSS CVEs in Cortex XDR Agent2024-11-07
VMware
VMware vCenter Server, ESXi, Workstation, Player, and Fusion updates address security issues2015-01-27
BSD
FreeBSD-SA-14:23.openssl: OpenSSL multiple vulnerabilities2014-10-21
Ubuntu
OpenSSL vulnerabilities2014-10-16
Red Hat
openssl: Invalid TLS/SSL session tickets could cause memory leak leading to server crash2014-10-15

🕵️Threat Intelligence

1
Tenable
[R7] OpenSSL &#039;20141015&#039; Advisory Affects Tenable Products2014-11-07

📄Research Papers

1
arXiv
Server-side verification of client behavior in cryptographic protocols2016-03-13

💬Community

1
Bugzilla
CVE-2014-3567 openssl: Invalid TLS/SSL session tickets could cause memory leak leading to server crash2014-10-15