CVE-2014-3571

Name of the Vulnerable Software and Affected Versions OpenSSL versions 0.9.8 through 0.9.8zd OpenSSL versions 1.0.0 through 1.0.0p OpenSSL versions 1.0.1 through 1.0.1k

Description The issue allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted DTLS message that is processed with a different read operation for the handshake header than for the handshake body, related to the dtls1 get record function in d1 pkt.c and the ssl3 read n function in s3 pkt.c. This can lead to disruption of protected information availability. The exploitation can be carried out remotely.

Recommendations For versions 0.9.8 through 0.9.8zd, update to version 0.9.8zd or later. For versions 1.0.0 through 1.0.0p, update to version 1.0.0p or later. For versions 1.0.1 through 1.0.1k, update to version 1.0.1k or later. As a temporary workaround, consider restricting access to DTLS messages to minimize the risk of exploitation.