VID: 22625
Severity: 40
Port: 80, ...
Protocol: TCP
Class: WWW
Detailed Description: According to its banner, the remote web server is running a version of OpenSSL 1.0.1 prior to 1.0.1h. The OpenSSL library is therefore reportedly affected by the following vulnerabilities:

- An error exists in the function 'ssl3_read_bytes' that could allow data to be injected into other sessions or allow denial of service attacks. (CVE-2010-5298)
- A buffer overflow error exists related to invalid DTLS fragment handling that could lead to execution of arbitrary code. (CVE-2014-0195)
- An error exists in the function 'do_ssl3_write' that could allow a null pointer to be dereferenced leading to denial of service attacks. (CVE-2014-0198)
- An error exists related to DTLS handshake handling that could lead to denial of service attacks. (CVE-2014-0221)
- An unspecified error exists that could allow an attacker to cause usage of weak keying material leading to simplified man-in-the-middle attacks. (CVE-2014-0224)
- An unspecified error exists related to anonymous ECDH ciphersuites that could allow denial of service attacks. (CVE-2014-3470)

* References:
http://www.openssl.org/news/vulnerabilities.html#CVE-2010-5298
http://www.openssl.org/news/vulnerabilities.html#CVE-2014-0198
http://www.openssl.org/news/vulnerabilities.html#CVE-2014-0221
http://www.openssl.org/news/vulnerabilities.html#CVE-2014-0224
http://www.openssl.org/news/vulnerabilities.html#CVE-2014-3470
http://www.openssl.org/news/secadv_20140605.txt

* Platforms Affected:
OpenSSL 1.0.1 prior to 1.0.1h
Linux Any version
Unix Any version
Microsoft Windows Any version
Recommendation: Upgrade to the latest version of OpenSSL (1.0.1h or later), available from the OpenSSL Web site at http://www.openssl.org/
Related URL: CVE-2010-5298, CVE-2014-0195, CVE-2014-0198, CVE-2014-0221, CVE-2014-0224, CVE-2014-3470 (CVE)
Related URL: 66801, 67193, 67898, 67899, 67900, 67901 (SecurityFocus)
Related URL: (ISS)