[Forgot Password]
Login  Register Subscribe

23631

 
 

115084

 
 

97147

 
 

909

 
 

78730

 
 

109

Paid content will be excluded from the download.


Download | Alert*
OVAL

ALAS-2014-349 ---- openssl

ID: oval:org.secpod.oval:def:1600028Date: (C)2016-01-07   (M)2017-10-27
Class: PATCHFamily: unix




It was found that OpenSSL clients and servers could be forced, via a specially crafted handshake packet, to use weak keying material for communication. A man-in-the-middle attacker could use this flaw to decrypt and modify traffic between a client and a server. Note: In order to exploit this flaw, both the server and the client must be using a vulnerable version of OpenSSL; the server must be using OpenSSL version 1.0.1 and above, and the client must be using any version of OpenSSL.A buffer overflow flaw was found in the way OpenSSL handled invalid DTLS packet fragments. A remote attacker could possibly use this flaw to execute arbitrary code on a DTLS client or server. Multiple flaws were found in the way OpenSSL handled read and write buffers when the SSL_MODE_RELEASE_BUFFERS mode was enabled. A TLS/SSL client or server using OpenSSL could crash or unexpectedly drop connections when processing certain SSL traffic. A denial of service flaw was found in the way OpenSSL handled certain DTLS ServerHello requests. A specially crafted DTLS handshake packet could cause a DTLS client using OpenSSL to crash. A NULL pointer dereference flaw was found in the way OpenSSL performed anonymous Elliptic Curve Diffie Hellman key exchange. A specially crafted handshake packet could cause a TLS/SSL client that has the anonymous ECDH cipher suite enabled to crash. An integer underflow flaw, leading to a heap-based buffer overflow, was found in the way OpenSSL decoded certain base64 strings. A remote attacker could provide a specially crafted base64 string via certain PEM processing routines that, when parsed by the OpenSSL library, would cause the OpenSSL server to crash

Platform:
Amazon Linux AMI
Product:
openssl
Reference:
ALAS-2014-349
CVE-2015-0292
CVE-2014-0221
CVE-2014-0198
CVE-2014-0224
CVE-2010-5298
CVE-2014-3470
CVE-2014-0195
CVE    7
CVE-2014-0195
CVE-2014-3470
CVE-2015-0292
CVE-2014-0198
...
CPE    121
cpe:/o:amazon:linux
cpe:/a:openssl:openssl:0.9.8z
cpe:/o:redhat:enterprise_linux:5
cpe:/o:redhat:enterprise_linux:6
...

© 2013 SecPod Technologies