CVE-2014-5139 — NULL Pointer Dereference in Openssl

CWE-476 — NULL Pointer Dereference10 documents9 sources

Severity

4.3MEDIUMNVD

OSV5.0

EPSS

41.2%

top 2.60%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Openssl Debian Openssl

Timeline

PublishedAug 13

Latest updateMay 17

Description

The ssl_set_client_disabled function in t1_lib.c in OpenSSL 1.0.1 before 1.0.1i allows remote SSL servers to cause a denial of service (NULL pointer dereference and client application crash) via a ServerHello message that includes an SRP ciphersuite without the required negotiation of that ciphersuite with the client.

CVSS vector

AV:N/AC:M/C:N/I:N/A:PExploitability: 8.6 | Impact: 2.9

Affected Packages4 packages

▶debiandebian/openssl< openssl 1.0.1i-1 (bookworm)

▶Debianopenssl/openssl< 1.0.1i-1+3

▶Ubuntuopenssl/openssl< 1.0.1f-1ubuntu2.5

▶NVDopenssl/openssl9 versions+8

🔴Vulnerability Details

GHSA

GHSA-4wj2-rv2r-wj7f: The ssl_set_client_disabled function in t1_lib↗2022-05-17

▶

OSV

CVE-2014-5139: The ssl_set_client_disabled function in t1_lib↗2014-08-13

▶

OSV

openssl vulnerabilities↗2014-08-07

▶

📋Vendor Advisories

BSD

FreeBSD-SA-14:18.openssl: OpenSSL multiple vulnerabilities↗2014-09-09

▶

Ubuntu

OpenSSL vulnerabilities↗2014-08-07

▶

Red Hat

openssl: crash with SRP ciphersuite in Server Hello message↗2014-08-06

▶

Debian

CVE-2014-5139: openssl - The ssl_set_client_disabled function in t1_lib.c in OpenSSL 1.0.1 before 1.0.1i ...↗2014

▶

🕵️Threat Intelligence

Tenable

[R4] Tenable Products Affected by OpenSSL Protocol Downgrade Vulnerability↗2014-08-21

▶

💬Community

Bugzilla

CVE-2014-5139 openssl: crash with SRP ciphersuite in Server Hello message↗2014-08-07

▶