CVE-2014-0224

Name of the Vulnerable Software and Affected Versions OpenSSL versions prior to 0.9.8za OpenSSL versions prior to 1.0.0m OpenSSL versions prior to 1.0.1h

Description The issue exists due to incorrect restriction of ChangeCipherSpec message processing in OpenSSL, allowing a man-in-the-middle attacker to trigger the use of a zero-length master key in certain OpenSSL-to-OpenSSL communications. This can lead to session hijacking or obtaining sensitive information via a crafted TLS handshake, also known as the "CCS Injection" vulnerability. The estimated number of potentially affected devices worldwide is not specified. There is no information about real-world incidents where this issue was exploited.

Recommendations For OpenSSL versions prior to 0.9.8za, update to version 0.9.8za or later. For OpenSSL versions prior to 1.0.0m, update to version 1.0.0m or later. For OpenSSL versions prior to 1.0.1h, update to version 1.0.1h or later. As a temporary workaround, consider restricting the use of vulnerable OpenSSL components until a patch is available. Avoid using the ChangeCipherSpec message in affected API endpoints until the issue is resolved.