CVE-2014-0224

Affected configuration(s):

cpe:/a:openssl:openssl:0.9.8
cpe:/a:openssl:openssl:0.9.8a
cpe:/a:openssl:openssl:0.9.8b
cpe:/a:openssl:openssl:0.9.8c
cpe:/a:openssl:openssl:0.9.8d
cpe:/a:openssl:openssl:0.9.8e
cpe:/a:openssl:openssl:0.9.8f
cpe:/a:openssl:openssl:0.9.8g
cpe:/a:openssl:openssl:0.9.8h
cpe:/a:openssl:openssl:0.9.8i
cpe:/a:openssl:openssl:0.9.8j
cpe:/a:openssl:openssl:0.9.8k
cpe:/a:openssl:openssl:0.9.8l
cpe:/a:openssl:openssl:0.9.8m
cpe:/a:openssl:openssl:0.9.8m:beta1
cpe:/a:openssl:openssl:0.9.8n
cpe:/a:openssl:openssl:0.9.8o
cpe:/a:openssl:openssl:0.9.8p
cpe:/a:openssl:openssl:0.9.8q
cpe:/a:openssl:openssl:0.9.8r
cpe:/a:openssl:openssl:0.9.8s
cpe:/a:openssl:openssl:0.9.8t
cpe:/a:openssl:openssl:0.9.8u
cpe:/a:openssl:openssl:0.9.8v
cpe:/a:openssl:openssl:0.9.8w
cpe:/a:openssl:openssl:0.9.8x
cpe:/a:openssl:openssl:0.9.8y
cpe:/a:openssl:openssl:1.0.0
cpe:/a:openssl:openssl:1.0.0:beta1
cpe:/a:openssl:openssl:1.0.0:beta2
cpe:/a:openssl:openssl:1.0.0:beta3
cpe:/a:openssl:openssl:1.0.0:beta4
cpe:/a:openssl:openssl:1.0.0:beta5
cpe:/a:openssl:openssl:1.0.0a
cpe:/a:openssl:openssl:1.0.0b
cpe:/a:openssl:openssl:1.0.0c
cpe:/a:openssl:openssl:1.0.0d
cpe:/a:openssl:openssl:1.0.0e
cpe:/a:openssl:openssl:1.0.0f
cpe:/a:openssl:openssl:1.0.0g
cpe:/a:openssl:openssl:1.0.0h
cpe:/a:openssl:openssl:1.0.0i
cpe:/a:openssl:openssl:1.0.0j
cpe:/a:openssl:openssl:1.0.0k
cpe:/a:openssl:openssl:1.0.0l
cpe:/a:openssl:openssl:1.0.1
cpe:/a:openssl:openssl:1.0.1:beta1
cpe:/a:openssl:openssl:1.0.1:beta2
cpe:/a:openssl:openssl:1.0.1:beta3
cpe:/a:openssl:openssl:1.0.1a
cpe:/a:openssl:openssl:1.0.1b
cpe:/a:openssl:openssl:1.0.1c
cpe:/a:openssl:openssl:1.0.1d
cpe:/a:openssl:openssl:1.0.1e
cpe:/a:openssl:openssl:1.0.1f
cpe:/a:openssl:openssl:1.0.1g
cpe:/a:redhat:jboss_enterprise_application_platform:5.2.0
cpe:/a:redhat:jboss_enterprise_application_platform:6.2.3
cpe:/a:redhat:jboss_enterprise_web_platform:5.2.0
cpe:/a:redhat:jboss_enterprise_web_server:2.0.1
cpe:/a:redhat:storage:2.1
cpe:/o:fedoraproject:fedora
cpe:/o:novell:opensuse:13.1
cpe:/o:novell:opensuse:13.2
cpe:/o:redhat:enterprise_linux:4
cpe:/o:redhat:enterprise_linux:5
cpe:/o:redhat:enterprise_linux:6

Date published: 2014-06-05T17:55:07.817-04:00

Date last modified: 2017-10-19T21:29:02.830-04:00

CVSS Score: 6.8

Principal attack vector: NETWORK

Complexity: MEDIUM

Reference URL: http://aix.software.ibm.com/aix/efixes/security/openssl_advisory9.asc

Summary: OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCipherSpec messages, which allows man-in-the-middle attackers to trigger use of a zero-length master key in certain OpenSSL-to-OpenSSL communications, and consequently hijack sessions or obtain sensitive information, via a crafted TLS handshake, aka the “CCS Injection” vulnerability.
