Vulnerabilidad en OpenSSL (CVE-2014-3568)
Gravedad CVSS v2.0:
MEDIA
Tipo:
CWE-310
Errores criptográficos
Fecha de publicación:
19/10/2014
Última modificación:
07/11/2023
Descripción
OpenSSL anterior a 0.9.8zc, 1.0.0 anterior a 1.0.0o, y 1.0.1 anterior a 1.0.1j no fuerza correctamente la opción build no-ssl3, lo que permite a atacantes remotos evadir las restricciones de acceso a través de una negociación SSL 3.0, relacionado con s23_clnt.c y s23_srvr.c.
Impacto
Puntuación base 2.0
4.30
Gravedad 2.0
MEDIA
Productos y versiones vulnerables
CPE | Desde | Hasta |
---|---|---|
cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:* | 0.9.8zb (incluyendo) | |
cpe:2.3:a:openssl:openssl:1.0.0:*:*:*:*:*:*:* | ||
cpe:2.3:a:openssl:openssl:1.0.0:beta1:*:*:*:*:*:* | ||
cpe:2.3:a:openssl:openssl:1.0.0:beta2:*:*:*:*:*:* | ||
cpe:2.3:a:openssl:openssl:1.0.0:beta3:*:*:*:*:*:* | ||
cpe:2.3:a:openssl:openssl:1.0.0:beta4:*:*:*:*:*:* | ||
cpe:2.3:a:openssl:openssl:1.0.0:beta5:*:*:*:*:*:* | ||
cpe:2.3:a:openssl:openssl:1.0.0a:*:*:*:*:*:*:* | ||
cpe:2.3:a:openssl:openssl:1.0.0b:*:*:*:*:*:*:* | ||
cpe:2.3:a:openssl:openssl:1.0.0c:*:*:*:*:*:*:* | ||
cpe:2.3:a:openssl:openssl:1.0.0d:*:*:*:*:*:*:* | ||
cpe:2.3:a:openssl:openssl:1.0.0e:*:*:*:*:*:*:* | ||
cpe:2.3:a:openssl:openssl:1.0.0f:*:*:*:*:*:*:* | ||
cpe:2.3:a:openssl:openssl:1.0.0g:*:*:*:*:*:*:* | ||
cpe:2.3:a:openssl:openssl:1.0.0h:*:*:*:*:*:*:* |
Para consultar la lista completa de nombres de CPE con productos y versiones, ver esta página
Referencias a soluciones, herramientas e información
- ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2014-015.txt.asc
- http://lists.apple.com/archives/security-announce/2015/Jan/msg00003.html
- http://lists.apple.com/archives/security-announce/2015/Sep/msg00002.html
- http://lists.opensuse.org/opensuse-security-announce/2014-10/msg00008.html
- http://lists.opensuse.org/opensuse-security-announce/2014-11/msg00001.html
- http://lists.opensuse.org/opensuse-security-announce/2014-11/msg00003.html
- http://lists.opensuse.org/opensuse-security-announce/2015-03/msg00027.html
- http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00011.html
- http://marc.info/?l=bugtraq&m=141477196830952&w=2
- http://marc.info/?l=bugtraq&m=142103967620673&w=2
- http://marc.info/?l=bugtraq&m=142495837901899&w=2
- http://marc.info/?l=bugtraq&m=142624590206005&w=2
- http://marc.info/?l=bugtraq&m=142791032306609&w=2
- http://marc.info/?l=bugtraq&m=142804214608580&w=2
- http://marc.info/?l=bugtraq&m=143290437727362&w=2
- http://marc.info/?l=bugtraq&m=143290522027658&w=2
- http://secunia.com/advisories/59627
- http://secunia.com/advisories/61058
- http://secunia.com/advisories/61073
- http://secunia.com/advisories/61130
- http://secunia.com/advisories/61207
- http://secunia.com/advisories/61819
- http://secunia.com/advisories/61959
- http://secunia.com/advisories/62030
- http://secunia.com/advisories/62070
- http://secunia.com/advisories/62124
- http://security.gentoo.org/glsa/glsa-201412-39.xml
- http://support.apple.com/HT204244
- http://www-01.ibm.com/support/docview.wss?uid=swg21686997
- http://www.debian.org/security/2014/dsa-3053
- http://www.securityfocus.com/bid/70585
- http://www.securitytracker.com/id/1031053
- https://blogs.oracle.com/sunsecurity/entry/multiple_vulnerabilities_in_openssl6
- https://exchange.xforce.ibmcloud.com/vulnerabilities/97037
- https://git.openssl.org/gitweb/?p=openssl.git%3Ba%3Dcommit%3Bh%3D26a59d9b46574e457870197dffa802871b4c8fc7
- https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05150888
- https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05158380
- https://kc.mcafee.com/corporate/index?page=content&id=SB10091
- https://support.apple.com/HT205217
- https://support.citrix.com/article/CTX216642
- https://www.openssl.org/news/secadv_20141015.txt