PT-2014-1691 · Openssl+8 · Openssl+8

Published

2014-10-15

·

Updated

2024-06-15

·

CVE-2014-3567

CVSS v2.0

7.1

High

VectorAV:N/AC:M/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions OpenSSL versions prior to 0.9.8zc OpenSSL versions prior to 1.0.0o OpenSSL versions prior to 1.0.1j
Description The issue is related to a memory leak in the tls decrypt ticket function, which can be exploited by remote attackers to cause a denial of service due to excessive memory consumption. This can be achieved by sending a specially crafted session ticket that triggers an integrity-check failure. The estimated number of potentially affected devices and details about real-world incidents are not provided.
Recommendations For OpenSSL versions prior to 0.9.8zc, update to version 0.9.8zc or later. For OpenSSL versions prior to 1.0.0o, update to version 1.0.0o or later. For OpenSSL versions prior to 1.0.1j, update to version 1.0.1j or later. As a temporary workaround, consider restricting access to the tls decrypt ticket function in the t1 lib.c file until a patch is available.

Exploit

Fix

DoS

RCE

Found an issue in the description? Have something to add? Feel free to write us 👾
dbugs@ptsecurity.com

Weakness Enumeration

CWE-399CWE-20

Related Identifiers

ALT-PU-2014-2312
BDU:2015-00640
BDU:2015-09775
CESA-2014_1652
CVE-2014-3567
DLA-81-1
DSA-3053-1
HPSBUX03162
MGASA-2014-0416
OPENSUSE-SU-2014_1331-1
OPENSUSE-SU-2016_0640-1
OPENSUSE-SU-2024:10271-1
OPENSUSE-SU-2024:10529-1
OPENSUSE-SU-2024:11127-1
RHSA-2014:1652
RHSA-2014:1692
RHSA-2014_1652
RHSA-2015:0126
SUSE-FU-2022:0445-1
SUSE-RU-2015:0769-1
SUSE-SU-2015:0545-1
SUSE-SU-2015:0545-2
SUSE-SU-2015:0546-1
SUSE-SU-2015:1182-1
SUSE-SU-2015:1182-2
SUSE-SU-2015:1184-1
SUSE-SU-2015:1184-2
SUSE-SU-2015:1185-1
SUSE-SU-403
USN-2385-1

Affected Products

Alt Linux
Centos
Hp-Ux
Ibm Aix
Openssl
Red Hat
Suse
Ubuntu
Vmware Vcenter