5
CVSSv2

CVE-2014-3505

Published: 13/08/2014 Updated: 07/01/2017
CVSS v2 Base Score: 5 | Impact Score: 2.9 | Exploitability Score: 10
VMScore: 445
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

Vulnerability Summary

Double free vulnerability in d1_both.c in the DTLS implementation in OpenSSL 0.9.8 prior to 0.9.8zb, 1.0.0 prior to 1.0.0n, and 1.0.1 prior to 1.0.1i allows remote malicious users to cause a denial of service (application crash) via crafted DTLS packets that trigger an error condition.

Affected Products

Vendor Product Versions
OpensslOpenssl0.9.8, 0.9.8a, 0.9.8b, 0.9.8c, 0.9.8d, 0.9.8e, 0.9.8f, 0.9.8g, 0.9.8h, 0.9.8i, 0.9.8j, 0.9.8k, 0.9.8l, 0.9.8m, 0.9.8n, 0.9.8o, 0.9.8p, 0.9.8q, 0.9.8r, 0.9.8s, 0.9.8t, 0.9.8u, 0.9.8v, 0.9.8w, 0.9.8x, 0.9.8y, 0.9.8za, 1.0.0, 1.0.0a, 1.0.0b, 1.0.0c, 1.0.0d, 1.0.0e, 1.0.0f, 1.0.0g, 1.0.0h, 1.0.0i, 1.0.0j, 1.0.0k, 1.0.0l, 1.0.0m, 1.0.1, 1.0.1a, 1.0.1b, 1.0.1c, 1.0.1d, 1.0.1e, 1.0.1f, 1.0.1g, 1.0.1h

Vendor Advisories

Several security issues were fixed in OpenSSL ...
Multiple vulnerabilities have been identified in OpenSSL, a Secure Sockets Layer toolkit, that may result in denial of service (application crash, large memory consumption), information leak, protocol downgrade Additionally, a buffer overrun affecting only applications explicitly set up for SRP has been fixed (CVE-2014-3512) Detailed descriptions ...
A flaw was discovered in the way OpenSSL handled DTLS packets A remote attacker could use this flaw to cause a DTLS server or client using OpenSSL to crash or use excessive amounts of memory Multiple buffer overflows in crypto/srp/srp_libc in the SRP implementation in OpenSSL 101 before 101i allow remote attackers to cause a denial of servi ...
Blue Coat products using affected versions of OpenSSL 098, 100, and 101 are vulnerable to one or more vulnerabilities A remote attacker may exploit these vulnerabilities to downgrade to TLS v10, leak information, write arbitrary data to memory, cause a buffer overflow, or cause a denial-of-service ...

Github Repositories

OVAL vulnerability scan The Red Hat Security Response Team provides OVAL definitions for all vulnerabilities (identified by CVE name) that affect RHEL This enables users to perform a vulnerability scan and diagnose whether the system is vulnerable This repo contains a script to download the latest OVAL definitions from Red Hat and perform a vulnerability scan against a system

References

NVD-CWE-Otherftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2014-008.txt.aschttp://aix.software.ibm.com/aix/efixes/security/openssl_advisory10.aschttp://linux.oracle.com/errata/ELSA-2014-1052.htmlhttp://linux.oracle.com/errata/ELSA-2014-1053.htmlhttp://lists.fedoraproject.org/pipermail/package-announce/2014-August/136470.htmlhttp://lists.fedoraproject.org/pipermail/package-announce/2014-August/136473.htmlhttp://lists.opensuse.org/opensuse-security-announce/2016-03/msg00011.htmlhttp://lists.opensuse.org/opensuse-updates/2014-08/msg00036.htmlhttp://marc.info/?l=bugtraq&m=140853041709441&w=2http://marc.info/?l=bugtraq&m=141077370928502&w=2http://marc.info/?l=bugtraq&m=142660345230545&w=2http://rhn.redhat.com/errata/RHSA-2014-1256.htmlhttp://rhn.redhat.com/errata/RHSA-2014-1297.htmlhttp://secunia.com/advisories/58962http://secunia.com/advisories/59221http://secunia.com/advisories/59700http://secunia.com/advisories/59710http://secunia.com/advisories/59743http://secunia.com/advisories/59756http://secunia.com/advisories/60022http://secunia.com/advisories/60221http://secunia.com/advisories/60493http://secunia.com/advisories/60684http://secunia.com/advisories/60687http://secunia.com/advisories/60778http://secunia.com/advisories/60803http://secunia.com/advisories/60824http://secunia.com/advisories/60917http://secunia.com/advisories/60921http://secunia.com/advisories/60938http://secunia.com/advisories/61040http://secunia.com/advisories/61100http://secunia.com/advisories/61184http://secunia.com/advisories/61250http://secunia.com/advisories/61775http://secunia.com/advisories/61959http://security.gentoo.org/glsa/glsa-201412-39.xmlhttp://support.f5.com/kb/en-us/solutions/public/15000/500/sol15573.htmlhttp://www.debian.org/security/2014/dsa-2998http://www.huawei.com/en/security/psirt/security-bulletins/security-advisories/hw-372998.htmhttp://www.mandriva.com/security/advisories?name=MDVSA-2014:158http://www.securityfocus.com/bid/69081http://www.securitytracker.com/id/1030693http://www-01.ibm.com/support/docview.wss?uid=nas8N1020240http://www-01.ibm.com/support/docview.wss?uid=swg21682293http://www-01.ibm.com/support/docview.wss?uid=swg21683389http://www-01.ibm.com/support/docview.wss?uid=swg21686997https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=bff1ce4e6a1c57c3d0a5f9e4f85ba6385fccfe8bhttps://lists.balabit.hu/pipermail/syslog-ng-announce/2014-September/000196.htmlhttps://www.openssl.org/news/secadv_20140806.txthttps://www.rapid7.com/db/vulnerabilities/centos_linux-cve-2014-3505http://tools.cisco.com/security/center/viewAlert.x?alertId=35204https://nvd.nist.govhttps://usn.ubuntu.com/2308-1/