CVE-2014-3572

Name of the Vulnerable Software and Affected Versions OpenSSL versions prior to 1.0.0p OpenSSL versions prior to 1.0.1k openssl-1.0.1e openssl-devel-1.0.1e openssl-static-1.0.1e openssl-libs-1.0.1e openssl-debuginfo-1.0.1e

Description The issue allows remote SSL servers to conduct ECDHE-to-ECDH downgrade attacks, triggering a loss of forward secrecy by omitting the ServerKeyExchange message. This can lead to a violation of the confidentiality and integrity of protected information. The vulnerability can be exploited remotely.

Recommendations For versions prior to 1.0.0p, update to version 1.0.0p or later. For versions prior to 1.0.1k, update to version 1.0.1k or later. For openssl-1.0.1e, consider disabling the ssl3 get key exchange function as a temporary workaround until a patch is available. For openssl-devel-1.0.1e, restrict access to the vulnerable module to minimize the risk of exploitation. For openssl-static-1.0.1e, avoid using the ServerKeyExchange message in the affected API endpoint until the issue is resolved. For openssl-libs-1.0.1e and openssl-debuginfo-1.0.1e, update to a newer version that contains a fix for this issue.