PT-2014-9092 · Openssl+9

Published 1970-01-01 · Updated 2025-09-29 · CVE-2014-0195

CVSS v2.0: 6.8 (Medium)
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions

OpenSSL versions prior to 0.9.8za
OpenSSL versions prior to 1.0.0m
OpenSSL versions prior to 1.0.1h
openssl (prior to version 1.0.1h-r1)

Description

The issue is related to multiple vulnerabilities in the OpenSSL package, which can lead to disruption of the confidentiality, integrity, and availability of protected information. These vulnerabilities can be exploited remotely. The dtls1_reassemble_fragment function in d1_both.c does not properly validate fragment lengths in DTLS ClientHello messages, allowing remote attackers to execute arbitrary code or cause a denial of service.

Recommendations

For versions prior to 0.9.8za, update to version 0.9.8za or later.
For versions prior to 1.0.0m, update to version 1.0.0m or later.
For versions prior to 1.0.1h, update to version 1.0.1h or later.
For openssl prior to version 1.0.1h-r1, update to version 1.0.1h-r1 or later.
As a temporary workaround, consider disabling the dtls1_reassemble_fragment function until a patch is available. Restrict access to DTLS ClientHello messages to minimize the risk of exploitation. Avoid using the dtls1_reassemble_fragment function in the affected API endpoint until the issue is resolved.
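The flaw is a missing bounds check on the handshake fragment header. As an added illustration (not OpenSSL code and not the patch for this CVE), the C function below parses the 12-byte DTLS handshake fragment header defined in RFC 6347 and rejects a fragment whose fragment_offset plus fragment_length exceeds the declared message length it would be reassembled into, or whose fragment_length exceeds the bytes actually present in the record. MAX_HS_MSG_LEN is a policy cap assumed for this example, and check_built is a constructed test helper.

```c
#include <stdint.h>
#include <stddef.h>
/* DTLS handshake fragment header (RFC 6347, section 4.2.2) is 12 bytes:
 * msg_type(1) length(3) message_seq(2) fragment_offset(3) fragment_length(3) */
#define DTLS_HS_HDR_LEN 12
/* Policy cap on a reassembled message; chosen for this example, not OpenSSL's value. */
#define MAX_HS_MSG_LEN 16384u

enum frag_status {
    FRAG_OK = 0,
    FRAG_TRUNCATED_HEADER, /* fewer than 12 bytes in the record */
    FRAG_BODY_SHORT,       /* fragment_length exceeds the bytes actually present */
    FRAG_MSG_TOO_LARGE,    /* declared message length above the policy cap */
    FRAG_OUT_OF_BOUNDS     /* fragment_offset + fragment_length > declared length */
};

static uint32_t get_u24(const uint8_t *p) { return ((uint32_t)p[0] << 16) | ((uint32_t)p[1] << 8) | p[2]; }
static void put_u24(uint8_t *p, uint32_t v) { p[0] = (uint8_t)(v >> 16); p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)v; }
/* Validate one fragment before any of its body is copied into a reassembly
 * buffer sized by the declared message length (the check this CVE concerns). */
enum frag_status check_dtls_fragment(const uint8_t *rec, size_t rec_len) {
    if (rec_len < DTLS_HS_HDR_LEN)
        return FRAG_TRUNCATED_HEADER;
    uint32_t msg_len  = get_u24(rec + 1);   /* rec[0] is msg_type, rec[4..5] message_seq */
    uint32_t frag_off = get_u24(rec + 6);
    uint32_t frag_len = get_u24(rec + 9);
    if (msg_len > MAX_HS_MSG_LEN)
        return FRAG_MSG_TOO_LARGE;
    if (frag_len > rec_len - DTLS_HS_HDR_LEN)
        return FRAG_BODY_SHORT;
    /* Both operands are uint24 values, so the sum cannot overflow uint32_t. */
    if (frag_off + frag_len > msg_len)
        return FRAG_OUT_OF_BOUNDS;
    return FRAG_OK;
}

/* Build a constructed fragment (header plus a zeroed body of body_len bytes,
 * at most 64) and run the check on it; a test helper, not protocol code. */
enum frag_status check_built(uint32_t msg_len, uint32_t frag_off,
                             uint32_t frag_len, size_t body_len) {
    uint8_t rec[DTLS_HS_HDR_LEN + 64] = {0};
    if (body_len > 64)
        body_len = 64;
    rec[0] = 1;                 /* HandshakeType client_hello */
    put_u24(rec + 1, msg_len);
    put_u24(rec + 6, frag_off);
    put_u24(rec + 9, frag_len);
    return check_dtls_fragment(rec, DTLS_HS_HDR_LEN + body_len);
}
```

A fragment that declares more data than its message can hold, the shape of input the description refers to, is rejected with FRAG_OUT_OF_BOUNDS before any copy takes place.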

Exploit · Fix · RCE · DoS · NULL Pointer Dereference · Buffer Overflow

Related Identifiers

ALSA-2025_16880
BDU:2015-00144
BDU:2015-00145
BDU:2015-00643
BDU:2015-05844
BDU:2015-05845
BDU:2015-05846
BDU:2015-05847
BDU:2015-05848
BDU:2015-05849
BDU:2015-05850
BDU:2015-05851
BDU:2015-05852
BDU:2015-05853
BDU:2015-05854
BDU:2015-05855
BDU:2015-09698
CESA-2014_0625
CVE-2014-0195
DLA-0003-1
DSA-2950-1
ELSA-2014-0625
ELSA-2014-0679
HPSBUX03046
MGASA-2014-0255
OPENSUSE-SU-2014_0764-1
OPENSUSE-SU-2014_0765-1
OPENSUSE-SU-2016_0640-1
OPENSUSE-SU-2024:10271-1
OPENSUSE-SU-2024:10529-1
OPENSUSE-SU-2024:11127-1
RHSA-2014:0625
RHSA-2014:0628
RHSA-2014:0679
RHSA-2014_0625
RHSA-2014_0679
SUSE-FU-2022:0445-1
SUSE-RU-2015:0769-1
SUSE-SU-2014_0762-1
SUSE-SU-2015:0546-1
SUSE-SU-2015:0743-1
SUSE-SU-2015:1185-1
SUSE-SU-2015_0743-1
USN-2232-1
USN-2232-2
USN-2232-3
ZDI-14-173

Affected Products

Centos
Cisco Ios
Hp-Ux
Huawei Vrp
Ibm Aix
Mariadb Server
Openssl
Red Hat
Suse
Ubuntu