Reference: CERT-EU Security Advisory 2014-053

Title: Multiple Vulnerabilities in OpenSSL [1]

Version history:
05.06.2014 Initial version

Summary
=======

Several vulnerabilities have been discovered in the OpenSSL library. They affect both server and client installations and vary in criticality. Some may allow man-in-the-middle attacks, and others potentially allow remote code execution.

CVE numbers: CVE-2014-0224, CVE-2014-0221, CVE-2014-0195, CVE-2014-0198, CVE-2010-5298, CVE-2014-3470

Affected Versions
=================

All versions prior to: 1.0.0m, 1.0.1h, 0.9.8za

Original Details
================

CVE-2014-0224: An attacker using a carefully crafted handshake can force the use of weak keying material in OpenSSL SSL/TLS clients and servers. This can be exploited by a Man-in-the-middle (MITM) attack where the attacker can decrypt and modify traffic from the attacked client and server.

CVE-2014-0221: By sending an invalid DTLS handshake to an OpenSSL DTLS client the code can be made to recurse, eventually crashing in a DoS attack.

CVE-2014-0195: A buffer overrun attack can be triggered by sending invalid DTLS fragments to an OpenSSL DTLS client or server. This is potentially exploitable to run arbitrary code on a vulnerable client or server.

CVE-2014-0198: A flaw in the do_ssl3_write function can allow remote attackers to cause a denial of service via a NULL pointer dereference. This flaw only affects OpenSSL 1.0.0 and 1.0.1 where SSL_MODE_RELEASE_BUFFERS is enabled, which is not the default and not common.

CVE-2010-5298: A race condition in the ssl3_read_bytes function can allow remote attackers to inject data across sessions or cause a denial of service. This flaw only affects multithreaded applications using OpenSSL 1.0.0 and 1.0.1, where SSL_MODE_RELEASE_BUFFERS is enabled, which is not the default and not common.

CVE-2014-3470: OpenSSL TLS clients enabling anonymous ECDH ciphersuites are subject to a denial of service attack.

What can you do?
================

Update to one of the newest versions: 1.0.0m, 1.0.1h, 0.9.8za

What to tell your users
=======================

N/A

More information
================

[1] https://www.openssl.org/news/secadv_20140605.txt

Best regards,

CERT-EU Team (http://cert.europa.eu)
Phone: +32.2.2990005 / e-mail: cert-eu@ec.europa.eu
PGP KeyID 0x46AC4383
FP: 9011 6BE9 D642 DD93 8348 DAFA 27A4 06CA 46AC 4383
Privacy Statement: http://cert.europa.eu/cert/plainedition/en/cert_privacy.html
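
The version check implied by the "Affected Versions" and "What can you do?" sections, as an added example that is not part of the CERT-EU advisory or of OpenSSL: it classifies `openssl version` output against the fixed releases 1.0.0m, 1.0.1h and 0.9.8za, handling OpenSSL's letter suffixes (where `za` follows `z`). The function names, host names and sample inventory are constructed for illustration, and treating branches the advisory does not list as "unknown" is an assumption.

```python
import re

# Fixed release letter per branch, from "Affected Versions" in the advisory.
FIXED = {"0.9.8": "za", "1.0.0": "m", "1.0.1": "h"}

VERSION_RE = re.compile(r"OpenSSL\s+(\d+\.\d+\.\d+)([a-z]*)")


def letter_rank(letters):
    # OpenSSL patch letters run a..z, then za, zb, ...; no letter is the
    # oldest release of a branch. Sorting by (length, text) preserves that.
    return (len(letters), letters)


def classify(version_line):
    """Classify one line of `openssl version` output.

    Returns 'vulnerable' (upstream version predates the fix), 'fixed',
    or 'unknown' (unparseable, or a branch the advisory does not list).
    """
    match = VERSION_RE.search(version_line)
    if not match:
        return "unknown"
    branch, letters = match.groups()
    if branch not in FIXED:
        return "unknown"  # assumption: unlisted branches need manual review
    if letter_rank(letters) < letter_rank(FIXED[branch]):
        return "vulnerable"
    return "fixed"


def audit(inventory):
    """Map each host to its classification."""
    return {host: classify(line) for host, line in inventory.items()}


# Constructed sample inventory: hypothetical host -> `openssl version` output.
SAMPLE_INVENTORY = {
    "web01": "OpenSSL 1.0.1g 7 Apr 2014",
    "web02": "OpenSSL 1.0.1h 5 Jun 2014",
    "vpn01": "OpenSSL 0.9.8y 5 Feb 2013",
    "vpn02": "OpenSSL 0.9.8za 5 Jun 2014",
    "db01": "OpenSSL 1.0.1e-fips 11 Feb 2013",
    "lab01": "OpenSSL 1.0.2-beta1 24 Feb 2014",
}

if __name__ == "__main__":
    for host, status in sorted(audit(SAMPLE_INVENTORY).items()):
        print(f"{host}: {status}")
```

Distribution packages often backport security fixes without changing the upstream version string, so a "vulnerable" result on a packaged build should be confirmed against the vendor's package changelog before it is treated as unpatched.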