Vulnerability Name:

CVE-2014-3567

Assigned:2014-05-14
Published:2014-10-15
Updated:2017-11-14
Summary:Memory leak in the tls_decrypt_ticket function in t1_lib.c in OpenSSL before 0.9.8zc, 1.0.0 before 1.0.0o, and 1.0.1 before 1.0.1j allows remote attackers to cause a denial of service (memory consumption) via a crafted session ticket that triggers an integrity-check failure.
CVSS v3 Severity:5.9 Medium (CCN CVSS v3 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): High
CVSS v2 Severity:7.1 High (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:N/A:C)
5.3 Medium (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:N/A:C/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): Complete
5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P)
3.7 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Athentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): Partial
4.3 Medium (REDHAT CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P)
3.2 Low (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): Partial
Vulnerability Type:CWE-399
CWE-401
References:Source: NETBSD
Type: UNKNOWN
NetBSD-SA2014-015

Source: CONFIRM
Type: UNKNOWN
http://advisories.mageia.org/MGASA-2014-0416.html

Source: CONFIRM
Type: UNKNOWN
http://aix.software.ibm.com/aix/efixes/security/openssl_advisory11.asc

Source: APPLE
Type: UNKNOWN
APPLE-SA-2015-01-27-4

Source: APPLE
Type: UNKNOWN
APPLE-SA-2015-09-16-2

Source: SUSE
Type: UNKNOWN
openSUSE-SU-2014:1331

Source: SUSE
Type: UNKNOWN
SUSE-SU-2014:1357

Source: SUSE
Type: UNKNOWN
SUSE-SU-2014:1361

Source: SUSE
Type: UNKNOWN
openSUSE-SU-2016:0640

Source: HP
Type: UNKNOWN
HPSBUX03162

Source: HP
Type: UNKNOWN
SSRT101779

Source: HP
Type: UNKNOWN
SSRT101868

Source: HP
Type: UNKNOWN
SSRT101894

Source: HP
Type: UNKNOWN
HPSBMU03267

Source: HP
Type: UNKNOWN
HPSBMU03304

Source: HP
Type: UNKNOWN
HPSBHF03300

Source: HP
Type: UNKNOWN
HPSBMU03296

Source: HP
Type: UNKNOWN
HPSBMU03263

Source: HP
Type: UNKNOWN
HPSBMU03261

Source: HP
Type: UNKNOWN
HPSBMU03223

Source: REDHAT
Type: UNKNOWN
RHSA-2014:1652

Source: REDHAT
Type: UNKNOWN
RHSA-2014:1692

Source: REDHAT
Type: UNKNOWN
RHSA-2015:0126

Source: GENTOO
Type: UNKNOWN
GLSA-201412-39

Source: CONFIRM
Type: UNKNOWN
http://support.apple.com/HT204244

Source: CONFIRM
Type: UNKNOWN
http://www-01.ibm.com/support/docview.wss?uid=swg21686997

Source: DEBIAN
Type: UNKNOWN
DSA-3053

Source: MANDRIVA
Type: UNKNOWN
MDVSA-2014:203

Source: MANDRIVA
Type: UNKNOWN
MDVSA-2015:062

Source: CONFIRM
Type: UNKNOWN
http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html

Source: CONFIRM
Type: UNKNOWN
http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html

Source: BID
Type: UNKNOWN
70586

Source: SECTRACK
Type: UNKNOWN
1031052

Source: CONFIRM
Type: UNKNOWN
http://www.splunk.com/view/SP-CAAANST

Source: UBUNTU
Type: UNKNOWN
USN-2385-1

Source: CONFIRM
Type: UNKNOWN
https://blogs.oracle.com/sunsecurity/entry/multiple_vulnerabilities_in_openssl6

Source: XF
Type: UNKNOWN
openssl-cve20143567-dos(97036)

Source: CONFIRM
Type: PATCH
https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=7fd4ce6a997be5f5c9e744ac527725c2850de203

Source: CONFIRM
Type: UNKNOWN
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05150888

Source: CONFIRM
Type: UNKNOWN
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05158380

Source: CONFIRM
Type: UNKNOWN
https://kc.mcafee.com/corporate/index?page=content&id=SB10091

Source: CONFIRM
Type: UNKNOWN
https://support.apple.com/HT205217

Source: CONFIRM
Type: UNKNOWN
https://support.citrix.com/article/CTX216642

Source: CONFIRM
Type: VENDOR_ADVISORY
https://www.openssl.org/news/secadv_20141015.txt

Vulnerable Configuration:Configuration 1:
  • cpe:/a:openssl:openssl:0.9.8zb:*:*:*:*:*:*:*
  • OR cpe:/a:openssl:openssl:1.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:openssl:openssl:1.0.0:beta1:*:*:*:*:*:*
  • OR cpe:/a:openssl:openssl:1.0.0:beta2:*:*:*:*:*:*
  • OR cpe:/a:openssl:openssl:1.0.0:beta3:*:*:*:*:*:*
  • OR cpe:/a:openssl:openssl:1.0.0:beta4:*:*:*:*:*:*
  • OR cpe:/a:openssl:openssl:1.0.0:beta5:*:*:*:*:*:*
  • OR cpe:/a:openssl:openssl:1.0.0a:*:*:*:*:*:*:*
  • OR cpe:/a:openssl:openssl:1.0.0b:*:*:*:*:*:*:*
  • OR cpe:/a:openssl:openssl:1.0.0c:*:*:*:*:*:*:*
  • OR cpe:/a:openssl:openssl:1.0.0d:*:*:*:*:*:*:*
  • OR cpe:/a:openssl:openssl:1.0.0e:*:*:*:*:*:*:*
  • OR cpe:/a:openssl:openssl:1.0.0f:*:*:*:*:*:*:*
  • OR cpe:/a:openssl:openssl:1.0.0g:*:*:*:*:*:*:*
  • OR cpe:/a:openssl:openssl:1.0.0h:*:*:*:*:*:*:*
  • OR cpe:/a:openssl:openssl:1.0.0i:*:*:*:*:*:*:*
  • OR cpe:/a:openssl:openssl:1.0.0j:*:*:*:*:*:*:*
  • OR cpe:/a:openssl:openssl:1.0.0k:*:*:*:*:*:*:*
  • OR cpe:/a:openssl:openssl:1.0.0l:*:*:*:*:*:*:*
  • OR cpe:/a:openssl:openssl:1.0.0m:*:*:*:*:*:*:*
  • OR cpe:/a:openssl:openssl:1.0.0n:*:*:*:*:*:*:*
  • OR cpe:/a:openssl:openssl:1.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:openssl:openssl:1.0.1:beta1:*:*:*:*:*:*
  • OR cpe:/a:openssl:openssl:1.0.1:beta2:*:*:*:*:*:*
  • OR cpe:/a:openssl:openssl:1.0.1:beta3:*:*:*:*:*:*
  • OR cpe:/a:openssl:openssl:1.0.1a:*:*:*:*:*:*:*
  • OR cpe:/a:openssl:openssl:1.0.1b:*:*:*:*:*:*:*
  • OR cpe:/a:openssl:openssl:1.0.1c:*:*:*:*:*:*:*
  • OR cpe:/a:openssl:openssl:1.0.1d:*:*:*:*:*:*:*
  • OR cpe:/a:openssl:openssl:1.0.1e:*:*:*:*:*:*:*
  • OR cpe:/a:openssl:openssl:1.0.1f:*:*:*:*:*:*:*
  • OR cpe:/a:openssl:openssl:1.0.1g:*:*:*:*:*:*:*
  • OR cpe:/a:openssl:openssl:1.0.1h:*:*:*:*:*:*:*
  • OR cpe:/a:openssl:openssl:1.0.1i:*:*:*:*:*:*:*

  • Configuration RedHat 1:
  • cpe:/o:redhat:enterprise_linux:7:*:*:*:*:*:*:*

  • Configuration RedHat 2:
  • cpe:/o:redhat:enterprise_linux:6:*:*:*:*:*:*:*

  • Denotes that component is vulnerable
    Oval Definitions
    Definition IDClassTitleLast Modified
    oval:org.opensuse.security:def:20143567
    V
    CVE-2014-3567
    2017-11-19
    oval:org.mitre.oval:def:26245
    V
    HP-UX Running OpenSSL, Remote Denial of Service (DoS), Unauthorized Access, Man-in-the-Middle (MitM) Attack
    2015-04-20
    oval:org.mitre.oval:def:27084
    P
    ELSA-2014-1652 -- openssl security update
    2015-02-23
    oval:org.mitre.oval:def:28273
    P
    SUSE-SU-2014:1524-1 -- Security update for openssl (moderate)
    2015-01-26
    oval:org.mitre.oval:def:28380
    P
    SUSE-SU-2014:1361-1 -- Security update for OpenSSL (important)
    2015-01-26
    oval:org.mitre.oval:def:28457
    P
    SUSE-SU-2014:1387-1 -- Security update for OpenSSL (important)
    2015-01-26
    oval:org.mitre.oval:def:28223
    P
    SUSE-SU-2014:1386-1 -- Security update for OpenSSL (important)
    2015-01-26
    oval:org.mitre.oval:def:28481
    P
    SUSE-SU-2014:1512-1 -- Security update for compat-openssl098 (moderate)
    2015-01-26
    oval:org.mitre.oval:def:26416
    V
    AIX OpenSSL Denial of Service due to memory consumption
    2014-12-15
    oval:org.mitre.oval:def:26548
    P
    DSA-3053-1 openssl - security update
    2014-11-24
    oval:org.mitre.oval:def:26829
    P
    RHSA-2014:1652: openssl security update (Important)
    2014-11-24
    oval:org.mitre.oval:def:27052
    P
    USN-2385-1 -- OpenSSL vulnerabilities
    2014-11-24
    oval:com.ubuntu.precise:def:20143567000
    V
    CVE-2014-3567 on Ubuntu 12.04 LTS (precise) - medium.
    2014-10-18
    oval:com.ubuntu.trusty:def:20143567000
    V
    CVE-2014-3567 on Ubuntu 14.04 LTS (trusty) - medium.
    2014-10-18
    oval:com.ubuntu.xenial:def:20143567000
    V
    CVE-2014-3567 on Ubuntu 16.04 LTS (xenial) - medium.
    2014-10-18
    oval:com.redhat.rhsa:def:20141652
    P
    RHSA-2014:1652: openssl security update (Important)
    2014-10-16
    BACK
    openssl openssl 0.9.8zb
    openssl openssl 1.0.0
    openssl openssl 1.0.0 beta1
    openssl openssl 1.0.0 beta2
    openssl openssl 1.0.0 beta3
    openssl openssl 1.0.0 beta4
    openssl openssl 1.0.0 beta5
    openssl openssl 1.0.0a
    openssl openssl 1.0.0b
    openssl openssl 1.0.0c
    openssl openssl 1.0.0d
    openssl openssl 1.0.0e
    openssl openssl 1.0.0f
    openssl openssl 1.0.0g
    openssl openssl 1.0.0h
    openssl openssl 1.0.0i
    openssl openssl 1.0.0j
    openssl openssl 1.0.0k
    openssl openssl 1.0.0l
    openssl openssl 1.0.0m
    openssl openssl 1.0.0n
    openssl openssl 1.0.1
    openssl openssl 1.0.1 beta1
    openssl openssl 1.0.1 beta2
    openssl openssl 1.0.1 beta3
    openssl openssl 1.0.1a
    openssl openssl 1.0.1b
    openssl openssl 1.0.1c
    openssl openssl 1.0.1d
    openssl openssl 1.0.1e
    openssl openssl 1.0.1f
    openssl openssl 1.0.1g
    openssl openssl 1.0.1h
    openssl openssl 1.0.1i
    redhat enterprise_linux 7
    redhat enterprise_linux 6