VID |
22626 |
Severity |
40 |
Port |
80, ... |
Protocol |
TCP |
Class |
WWW |
Detailed Description |
According to its banner, the remote web server is running a version of OpenSSL 0.9.8 prior to 0.9.8za. The OpenSSL library is, therefore, reportedly affected by the following vulnerabilities:
- An error exists related to the implementation of the Elliptic Curve Digital Signature Algorithm (ECDSA) that could allow nonce disclosure via the 'FLUSH+RELOAD' cache side-channel attack. (CVE-2014-0076)
- A buffer overflow error exists related to invalid DTLS fragment handling that could lead to execution of arbitrary code. Note this issue only affects OpenSSL when used as a DTLS client or server. (CVE-2014-0195)
- An error exists related to DTLS handshake handling that could lead to denial of service attacks. (CVE-2014-0221)
- An unspecified error exists that could allow an attacker to cause usage of weak keying material leading to simplified man-in-the-middle attacks. (CVE-2014-0224)
- An unspecified error exists related to anonymous ECDH ciphersuites that could allow denial of service attacks. (CVE-2014-3470)
* References:
  http://www.openssl.org/news/vulnerabilities.html#2014-0076
  http://www.openssl.org/news/vulnerabilities.html#CVE-2014-0221
  http://www.openssl.org/news/vulnerabilities.html#CVE-2014-0224
  http://www.openssl.org/news/vulnerabilities.html#CVE-2014-3470
  http://www.openssl.org/news/secadv_20140605.txt
* Platforms Affected:
  OpenSSL 0.9.8 prior to 0.9.8za
  Linux Any version
  Unix Any version
  Microsoft Windows Any version |
Recommendation |
Upgrade to the latest version of OpenSSL (0.9.8za or later), available from the OpenSSL Web site at http://www.openssl.org/ |
Related URL |
CVE-2014-0076,CVE-2014-0195,CVE-2014-0221,CVE-2014-0224,CVE-2014-3470 (CVE) |
Related URL |
66363,67898,67899,67900,67901 (SecurityFocus) |
Related URL |
(ISS) |
|