CVE-2014-3568
published 2014-10-19CVE-2014-3568: OpenSSL before 0.9.8zc, 1.0.0 before 1.0.0o, and 1.0.1 before 1.0.1j does not properly enforce the no-ssl3 build option, which allows remote attackers to…
PriorityP335medium4.3CVSS 2.0
AVNACMAuNCNIPAN
EPSS
13.98%
96.1th percentile
OpenSSL before 0.9.8zc, 1.0.0 before 1.0.0o, and 1.0.1 before 1.0.1j does not properly enforce the no-ssl3 build option, which allows remote attackers to bypass intended access restrictions via an SSL 3.0 handshake, related to s23_clnt.c and s23_srvr.c.
Affected
44 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apple | os_x_yosemite_v10.10.2_and_security_update_2015-001 | — | — |
| apple | xcode | — | — |
| debian | openssl | < openssl 1.0.1k-1 (bookworm) | openssl 1.0.1k-1 (bookworm) |
| debian | openssl | < openssl 1.0.1j-1 (bookworm) | openssl 1.0.1j-1 (bookworm) |
| openssl | openssl | <= 0.9.8zb | — |
| openssl | openssl | — | — |
| openssl | openssl | — | — |
| openssl | openssl | — | — |
| openssl | openssl | — | — |
| openssl | openssl | — | — |
| openssl | openssl | — | — |
| openssl | openssl | — | — |
| openssl | openssl | — | — |
| openssl | openssl | — | — |
| openssl | openssl | — | — |
| openssl | openssl | — | — |
| openssl | openssl | — | — |
| openssl | openssl | — | — |
| openssl | openssl | — | — |
| openssl | openssl | — | — |
| openssl | openssl | — | — |
| openssl | openssl | — | — |
| openssl | openssl | — | — |
| openssl | openssl | — | — |
| openssl | openssl | — | — |
CVSS provenance
nvdv2.04.3MEDIUMAV:N/AC:M/Au:N/C:N/I:P/A:N
osv4.3MEDIUM
vendor_debian4.3MEDIUM
vendor_redhat4.3MEDIUM
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
VMware
VMware vCenter Server, ESXi, Workstation, Player, and Fusion updates address security issues
vendor_vmware·2015-01-27·CVSS 6.4
CVE-2014-3513 [MEDIUM] VMware vCenter Server, ESXi, Workstation, Player, and Fusion updates address security issues
VMSA-2015-0001: VMware vCenter Server, ESXi, Workstation, Player, and Fusion updates address security issues
a. VMware ESXi, Workstation, Player, and Fusion host privilege escalation vulnerability VMware ESXi, Workstation, Player and Fusion contain an arbitrary file write issue. Exploitation this issue may allow for privilege escalation on the host. The vulnerability does not allow for privilege escalation from the guest Operating System to the host or vice-versa. This means that host memory can not be manipulated from the Guest Operating System. Mitigation For ESXi to be affected, permissions must have been added to ESXi (or a vCenter Server managing it) for a virtual machine administrator role or greater. VMware would like to thank Shanon Olsson for reporting this issue to us through JP
BSD
FreeBSD-SA-14:23.openssl: OpenSSL multiple vulnerabilities
bsd_advisories·2014-10-21·CVSS 7.1
CVE-2014-3513 [HIGH] FreeBSD-SA-14:23.openssl: OpenSSL multiple vulnerabilities
FreeBSD-SA-14:23.openssl Security Advisory
The FreeBSD Project
Topic: OpenSSL multiple vulnerabilities
Category: contrib
Module: openssl
Announced: 2014-10-21
Affects: All supported versions of FreeBSD.
Corrected: 2014-10-15 19:59:43 UTC (stable/10, 10.1-PRERELEASE)
2014-10-21 19:00:32 UTC (releng/10.1, 10.1-RC3)
2014-10-21 19:00:32 UTC (releng/10.1, 10.1-RC2-p1)
2014-10-21 19:00:32 UTC (releng/10.1, 10.1-RC1-p1)
2014-10-21 19:00:32 UTC (releng/10.1, 10.1-BETA3-p1)
2014-10-21 20:21:10 UTC (releng/10.0, 10.0-RELEASE-p10)
2014-10-15 20:28:31 UTC (stable/9, 9.3-STABLE)
2014-10-21 20:21:10 UTC (releng/9.3, 9.3-RELEASE-p3)
2014-10-21 20:21:10 UTC (releng/9.2, 9.2-RELEASE-p13)
2014-10-21 20:21:10 UTC (releng/9.1, 9.1-RELEASE-p20)
2014-10-15 20:28:31 UTC (stable/8, 8.4-STABLE)
2014-10-21 20:21:
Red Hat
openssl: denial of service in ssl23_get_client_hello function
vendor_redhat·2014-10-21·CVSS 4.3
CVE-2014-3569 [MEDIUM] CWE-476 openssl: denial of service in ssl23_get_client_hello function
openssl: denial of service in ssl23_get_client_hello function
The ssl23_get_client_hello function in s23_srvr.c in OpenSSL 0.9.8zc, 1.0.0o, and 1.0.1j does not properly handle attempts to use unsupported protocols, which allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an unexpected handshake, as demonstrated by an SSLv3 handshake to a no-ssl3 application with certain error handling. NOTE: this issue became relevant after the CVE-2014-3568 fix.
Statement: Not vulnerable. The versions of openssl package as shipped in Red Hat Enterprise Linux 5, 6 and 7; Red Hat JBoss Enterprise Application Platform 5 and 6; and Red Hat JBoss Enterprise Web Server 1 and 2 are not vulnerable to CVE-2014-3568, therefore does not have CVE-2014-3568 fix appli
Red Hat
openssl: Build option no-ssl3 is incomplete
vendor_redhat·2014-10-15·CVSS 4.3
CVE-2014-3568 [MEDIUM] openssl: Build option no-ssl3 is incomplete
openssl: Build option no-ssl3 is incomplete
OpenSSL before 0.9.8zc, 1.0.0 before 1.0.0o, and 1.0.1 before 1.0.1j does not properly enforce the no-ssl3 build option, which allows remote attackers to bypass intended access restrictions via an SSL 3.0 handshake, related to s23_clnt.c and s23_srvr.c.
Statement: Not vulnerable. The versions of openssl package as shipped in Red Hat Enterprise Linux 5, 6 and 7; Red Hat JBoss Enterprise Application Platform 5 and 6; and Red Hat JBoss Enterprise Web Server 1 and 2 are not build with the "no-ssl3" option and therefore are not vulnerable to this security flaw.
Package: openssl (Red Hat Enterprise Linux 5) - Not affected
Package: openssl (Red Hat Enterprise Linux 6) - Not affected
Package: openssl (Red Hat Enterprise Linux 7) - Not affected
Pack
Debian
CVE-2014-3569: openssl - The ssl23_get_client_hello function in s23_srvr.c in OpenSSL 0.9.8zc, 1.0.0o, an...
vendor_debian·2014·CVSS 4.3
CVE-2014-3569 [MEDIUM] CVE-2014-3569: openssl - The ssl23_get_client_hello function in s23_srvr.c in OpenSSL 0.9.8zc, 1.0.0o, an...
The ssl23_get_client_hello function in s23_srvr.c in OpenSSL 0.9.8zc, 1.0.0o, and 1.0.1j does not properly handle attempts to use unsupported protocols, which allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an unexpected handshake, as demonstrated by an SSLv3 handshake to a no-ssl3 application with certain error handling. NOTE: this issue became relevant after the CVE-2014-3568 fix.
Scope: local
bookworm: resolved (fixed in 1.0.1k-1)
bullseye: resolved (fixed in 1.0.1k-1)
forky: resolved (fixed in 1.0.1k-1)
sid: resolved (fixed in 1.0.1k-1)
trixie: resolved (fixed in 1.0.1k-1)
Debian
CVE-2014-3568: openssl - OpenSSL before 0.9.8zc, 1.0.0 before 1.0.0o, and 1.0.1 before 1.0.1j does not pr...
vendor_debian·2014·CVSS 4.3
CVE-2014-3568 [MEDIUM] CVE-2014-3568: openssl - OpenSSL before 0.9.8zc, 1.0.0 before 1.0.0o, and 1.0.1 before 1.0.1j does not pr...
OpenSSL before 0.9.8zc, 1.0.0 before 1.0.0o, and 1.0.1 before 1.0.1j does not properly enforce the no-ssl3 build option, which allows remote attackers to bypass intended access restrictions via an SSL 3.0 handshake, related to s23_clnt.c and s23_srvr.c.
Scope: local
bookworm: resolved (fixed in 1.0.1j-1)
bullseye: resolved (fixed in 1.0.1j-1)
forky: resolved (fixed in 1.0.1j-1)
sid: resolved (fixed in 1.0.1j-1)
trixie: resolved (fixed in 1.0.1j-1)
Apple
CVE-2014-3568: Xcode 7.0
vendor_apple·CVSS 4.3
CVE-2014-3568 [MEDIUM] CVE-2014-3568: Xcode 7.0
Apple Security Update: About the security content of Xcode 7.0
Product: Xcode
Version: 7.0
CVE: CVE-2014-3568
Component: CVE-2014-3568
Apple
CVE-2014-3568: OS X Yosemite v10.10.2 and Security Update 2015-001
vendor_apple·CVSS 4.3
CVE-2014-3568 [MEDIUM] CVE-2014-3568: OS X Yosemite v10.10.2 and Security Update 2015-001
Apple Security Update: About the security content of OS X Yosemite v10.10.2 and Security Update 2015-001
Product: OS X Yosemite v10.10.2 and Security Update 2015-001
CVE: CVE-2014-3568
Component: CVE-2014-3568
GHSA
GHSA-66cr-qxrv-fpg2: The ssl23_get_client_hello function in s23_srvr
ghsa_unreviewed·2022-05-17·CVSS 4.3
CVE-2014-3569 [MEDIUM] GHSA-66cr-qxrv-fpg2: The ssl23_get_client_hello function in s23_srvr
The ssl23_get_client_hello function in s23_srvr.c in OpenSSL 0.9.8zc, 1.0.0o, and 1.0.1j does not properly handle attempts to use unsupported protocols, which allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an unexpected handshake, as demonstrated by an SSLv3 handshake to a no-ssl3 application with certain error handling. NOTE: this issue became relevant after the CVE-2014-3568 fix.
GHSA
GHSA-3873-898q-6f32: OpenSSL before 0
ghsa_unreviewed·2022-05-17
CVE-2014-3568 [MEDIUM] GHSA-3873-898q-6f32: OpenSSL before 0
OpenSSL before 0.9.8zc, 1.0.0 before 1.0.0o, and 1.0.1 before 1.0.1j does not properly enforce the no-ssl3 build option, which allows remote attackers to bypass intended access restrictions via an SSL 3.0 handshake, related to s23_clnt.c and s23_srvr.c.
OSV
CVE-2014-3569: The ssl23_get_client_hello function in s23_srvr
osv·2014-12-24·CVSS 4.3
CVE-2014-3569 [MEDIUM] CVE-2014-3569: The ssl23_get_client_hello function in s23_srvr
The ssl23_get_client_hello function in s23_srvr.c in OpenSSL 0.9.8zc, 1.0.0o, and 1.0.1j does not properly handle attempts to use unsupported protocols, which allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an unexpected handshake, as demonstrated by an SSLv3 handshake to a no-ssl3 application with certain error handling. NOTE: this issue became relevant after the CVE-2014-3568 fix.
OSV
CVE-2014-3568: OpenSSL before 0
osv·2014-10-19·CVSS 4.3
CVE-2014-3568 [MEDIUM] CVE-2014-3568: OpenSSL before 0
OpenSSL before 0.9.8zc, 1.0.0 before 1.0.0o, and 1.0.1 before 1.0.1j does not properly enforce the no-ssl3 build option, which allows remote attackers to bypass intended access restrictions via an SSL 3.0 handshake, related to s23_clnt.c and s23_srvr.c.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2014-3569 openssl: denial of service in ssl23_get_client_hello function
bugzilla·2014-12-25·CVSS 4.3
CVE-2014-3569 [MEDIUM] CVE-2014-3569 openssl: denial of service in ssl23_get_client_hello function
CVE-2014-3569 openssl: denial of service in ssl23_get_client_hello function
Common Vulnerabilities and Exposures assigned an identifier CVE-2014-3569 to
the following vulnerability:
Name: CVE-2014-3569
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3569
Assigned: 20140514
Reference: https://security-tracker.debian.org/tracker/CVE-2014-3569
The ssl23_get_client_hello function in s23_srvr.c in OpenSSL 1.0.1j
does not properly handle attempts to use unsupported protocols, which
allows remote attackers to cause a denial of service (NULL pointer
dereference and daemon crash) via an unexpected handshake, as
demonstrated by an SSLv3 handshake to a no-ssl3 application with
certain error handling. NOTE: this issue became relevant after the
CVE-2014-3568 fix.
Statement:
Not vulnera
Bugzilla
CVE-2014-3568 openssl: Build option no-ssl3 is incomplete
bugzilla·2014-10-15·CVSS 4.3
CVE-2014-3568 [MEDIUM] CVE-2014-3568 openssl: Build option no-ssl3 is incomplete
CVE-2014-3568 openssl: Build option no-ssl3 is incomplete
OpenSSL upstream reported the following security flaw:
When OpenSSL is configured with "no-ssl3" as a build option, servers could accept and complete a SSL 3.0 handshake, and clients could be
configured to send them.
OpenSSL 1.0.1 users should upgrade to 1.0.1j.
OpenSSL 1.0.0 users should upgrade to 1.0.0o.
OpenSSL 0.9.8 users should upgrade to 0.9.8zc.
This issue was reported to OpenSSL by Akamai Technologies on 14th October 2014.
The fix was developed by Akamai and the OpenSSL team.
External Reference:
https://www.openssl.org/news/secadv_20141015.txt
Discussion:
Statement:
Not vulnerable. The versions of openssl package as shipped in Red Hat Enterprise Linux 5, 6 and 7; Red Hat JBoss Enterprise Application Platform 5 and
Tenable
[R7] OpenSSL '20141015' Advisory Affects Tenable Products
blogs_tenable·2014-11-07
[R7] OpenSSL '20141015' Advisory Affects Tenable Products
## Cloud Exposure
Tenable Cloud Security (CNAPP) Request a demo
Tenable Cloud Vulnerability Management Request a demo
Tenable CIEM Request a demo
Secure your cloud
## Vulnerability Exposure
Tenable Vulnerability Management Try for free
Tenable Security Center Request a demo
Tenable Web App Scanning Try for free
Tenable Patch Management Request a demo
Tenable Enclave Security Request a demo
Tenable Attack Surface Management Request a demo
Tenable Nessus Try for free
## AI Exposure
Tenable AI Exposure Request a demo
## OT/IoT Exposure
Tenable OT Security Request a demo
## Identity Exposure
Tenable Identity Exposure Request a demo
## Business needs
Active Directory
AI Security Posture Management (AI-SPM)
AWS security
Azure security
Cloud Security Posture Man
ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2014-015.txt.aschttp://lists.apple.com/archives/security-announce/2015/Jan/msg00003.htmlhttp://lists.apple.com/archives/security-announce/2015/Sep/msg00002.htmlhttp://lists.opensuse.org/opensuse-security-announce/2014-10/msg00008.htmlhttp://lists.opensuse.org/opensuse-security-announce/2014-11/msg00001.htmlhttp://lists.opensuse.org/opensuse-security-announce/2014-11/msg00003.htmlhttp://lists.opensuse.org/opensuse-security-announce/2015-03/msg00027.htmlhttp://lists.opensuse.org/opensuse-security-announce/2016-03/msg00011.htmlhttp://marc.info/?l=bugtraq&m=141477196830952&w=2http://marc.info/?l=bugtraq&m=142103967620673&w=2http://marc.info/?l=bugtraq&m=142495837901899&w=2http://marc.info/?l=bugtraq&m=142624590206005&w=2http://marc.info/?l=bugtraq&m=142791032306609&w=2http://marc.info/?l=bugtraq&m=142804214608580&w=2http://marc.info/?l=bugtraq&m=143290437727362&w=2http://marc.info/?l=bugtraq&m=143290522027658&w=2http://secunia.com/advisories/59627http://secunia.com/advisories/61058http://secunia.com/advisories/61073http://secunia.com/advisories/61130http://secunia.com/advisories/61207http://secunia.com/advisories/61819http://secunia.com/advisories/61959http://secunia.com/advisories/62030http://secunia.com/advisories/62070http://secunia.com/advisories/62124http://security.gentoo.org/glsa/glsa-201412-39.xmlhttp://support.apple.com/HT204244http://www-01.ibm.com/support/docview.wss?uid=swg21686997http://www.debian.org/security/2014/dsa-3053http://www.securityfocus.com/bid/70585http://www.securitytracker.com/id/1031053https://blogs.oracle.com/sunsecurity/entry/multiple_vulnerabilities_in_openssl6https://exchange.xforce.ibmcloud.com/vulnerabilities/97037https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commit%3Bh=26a59d9b46574e457870197dffa802871b4c8fc7https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05150888https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05158380https://kc.mcafee.com/corporate/index?page=content&id=SB10091https://support.apple.com/HT205217https://support.citrix.com/article/CTX216642https://www.openssl.org/news/secadv_20141015.txtftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2014-015.txt.aschttp://lists.apple.com/archives/security-announce/2015/Jan/msg00003.htmlhttp://lists.apple.com/archives/security-announce/2015/Sep/msg00002.htmlhttp://lists.opensuse.org/opensuse-security-announce/2014-10/msg00008.htmlhttp://lists.opensuse.org/opensuse-security-announce/2014-11/msg00001.htmlhttp://lists.opensuse.org/opensuse-security-announce/2014-11/msg00003.htmlhttp://lists.opensuse.org/opensuse-security-announce/2015-03/msg00027.htmlhttp://lists.opensuse.org/opensuse-security-announce/2016-03/msg00011.htmlhttp://marc.info/?l=bugtraq&m=141477196830952&w=2http://marc.info/?l=bugtraq&m=142103967620673&w=2http://marc.info/?l=bugtraq&m=142495837901899&w=2http://marc.info/?l=bugtraq&m=142624590206005&w=2http://marc.info/?l=bugtraq&m=142791032306609&w=2http://marc.info/?l=bugtraq&m=142804214608580&w=2http://marc.info/?l=bugtraq&m=143290437727362&w=2http://marc.info/?l=bugtraq&m=143290522027658&w=2http://secunia.com/advisories/59627http://secunia.com/advisories/61058http://secunia.com/advisories/61073http://secunia.com/advisories/61130http://secunia.com/advisories/61207http://secunia.com/advisories/61819http://secunia.com/advisories/61959http://secunia.com/advisories/62030http://secunia.com/advisories/62070http://secunia.com/advisories/62124http://security.gentoo.org/glsa/glsa-201412-39.xmlhttp://support.apple.com/HT204244http://www-01.ibm.com/support/docview.wss?uid=swg21686997http://www.debian.org/security/2014/dsa-3053http://www.securityfocus.com/bid/70585http://www.securitytracker.com/id/1031053https://blogs.oracle.com/sunsecurity/entry/multiple_vulnerabilities_in_openssl6https://exchange.xforce.ibmcloud.com/vulnerabilities/97037https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commit%3Bh=26a59d9b46574e457870197dffa802871b4c8fc7https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05150888https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05158380https://kc.mcafee.com/corporate/index?page=content&id=SB10091https://support.apple.com/HT205217https://support.citrix.com/article/CTX216642https://www.openssl.org/news/secadv_20141015.txt
2014-10-19
Published