PT-2014-9090 · Openssl+9
Published: 1970-01-01 · Updated: 2024-06-15 · CVE-2014-3470
| CVSS v2.0 | 6.8 (Medium) |
| Vector | AV:N/AC:M/Au:N/C:P/I:P/A:P |
Name of the Vulnerable Software and Affected Versions
OpenSSL versions prior to 0.9.8za
OpenSSL versions prior to 1.0.0m
OpenSSL versions prior to 1.0.1h
libopenssl1_0_0 versions (affected versions not specified)
libopenssl1_0_0-debuginfo versions (affected versions not specified)
libopenssl1_0_0-debuginfo-x86 versions (affected versions not specified)
libopenssl1_0_0-debuginfo-32bit versions (affected versions not specified)
libopenssl-devel versions (affected versions not specified)
libopenssl-devel-32bit versions (affected versions not specified)
libopenssl0_9_8-hmac versions (affected versions not specified)
libopenssl0_9_8-hmac-32bit versions (affected versions not specified)
openssl-debugsource versions (affected versions not specified)
openssl-debuginfo versions (affected versions not specified)
openssl-doc versions (affected versions not specified)
Description
The issue allows a remote attacker to cause a denial of service: when an anonymous ECDH cipher suite is negotiated, the attacker can trigger a NULL certificate value in the client, which leads to a NULL pointer dereference and crashes the OpenSSL client. Because the flaw is reachable remotely, it can affect the confidentiality, integrity, and availability of protected information.
Recommendations
For OpenSSL versions prior to 0.9.8za, update to version 0.9.8za or later.
For OpenSSL versions prior to 1.0.0m, update to version 1.0.0m or later.
For OpenSSL versions prior to 1.0.1h, update to version 1.0.1h or later.
For libopenssl1_0_0, libopenssl1_0_0-debuginfo, libopenssl1_0_0-debuginfo-x86, libopenssl1_0_0-debuginfo-32bit, libopenssl-devel, libopenssl-devel-32bit, libopenssl0_9_8-hmac, libopenssl0_9_8-hmac-32bit, openssl-debugsource, openssl-debuginfo, and openssl-doc, update to a version that is not affected by this issue; the specific affected versions are not specified.
As a temporary workaround, consider disabling anonymous ECDH cipher suites in OpenSSL clients until the update can be applied.
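The workaround above, as an added example that is not part of this advisory: a Python snippet (using the standard `ssl` module, which wraps OpenSSL) that restricts a client context with a cipher string excluding anonymous suites (`!aNULL`, which covers anonymous ECDH and anonymous DH) and audits the resulting cipher list. The cipher strings, function names and the sample cipher list are assumptions constructed for the example.

```python
import ssl

# Cipher string implementing the workaround: "!aNULL" removes every suite
# without server authentication, including the anonymous ECDH (AECDH-*) ones.
HARDENED_CIPHERS = "HIGH:!aNULL:!eNULL:!MD5"
# Permissive string kept only for comparison; it still admits anonymous
# suites where the local OpenSSL build provides them.
PERMISSIVE_CIPHERS = "ALL:!eNULL"


def anonymous_suites(ciphers):
    """Return the names of anonymous suites in a get_ciphers()-style list.

    OpenSSL's cipher description marks an unauthenticated suite with
    'Au=None'; anonymous ECDH suites also carry the AECDH- prefix (ADH- for DH).
    """
    return [
        c.get("name", "")
        for c in ciphers
        if "Au=None" in c.get("description", "")
        or c.get("name", "").startswith(("AECDH-", "ADH-"))
    ]


def client_context(cipher_string):
    """Build a TLS client context restricted to the given cipher string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return ctx


def audit_client_context(ctx):
    """Anonymous suites the context would still offer (empty once hardened)."""
    return anonymous_suites(ctx.get_ciphers())


# Constructed sample in the shape ssl.SSLContext.get_ciphers() returns, so the
# audit logic can be exercised without depending on the local OpenSSL build.
SAMPLE_CIPHERS = [
    {"name": "AECDH-AES128-SHA",
     "description": "AECDH-AES128-SHA SSLv3 Kx=ECDH Au=None Enc=AES(128) Mac=SHA1"},
    {"name": "ECDHE-RSA-AES128-GCM-SHA256",
     "description": "ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD"},
    {"name": "ADH-AES256-SHA",
     "description": "ADH-AES256-SHA SSLv3 Kx=DH Au=None Enc=AES(256) Mac=SHA1"},
]

if __name__ == "__main__":
    print("anonymous suites in sample:", anonymous_suites(SAMPLE_CIPHERS))
    print("anonymous suites after hardening:",
          audit_client_context(client_context(HARDENED_CIPHERS)))
```

Running the audit against a context built with `PERMISSIVE_CIPHERS` shows which anonymous suites the local OpenSSL would have offered; the hardened context always yields an empty list.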
Exploit
Fix
DoS
NULL Pointer Dereference
Buffer Overflow
Affected Products
Centos
Hp-Ux
Huawei Vrp
Ibm Aix
Mariadb Server
Openssl
Red Hat
Suse
Ubuntu
Vmware Vcenter