Vulnerability Name:

CVE-2014-3568

Assigned: 2014-05-14
Published: 2014-10-18
Updated: 2017-11-14
Summary: OpenSSL before 0.9.8zc, 1.0.0 before 1.0.0o, and 1.0.1 before 1.0.1j does not properly enforce the no-ssl3 build option, which allows remote attackers to bypass intended access restrictions via an SSL 3.0 handshake, related to s23_clnt.c and s23_srvr.c.
CVSS v3 Severity: 3.7 Low (CCN CVSS v3 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): None
Integrity (I): Low
Availability (A): None
CVSS v2 Severity: 4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
3.2 Low (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:U/RL:OF/RC:C)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics: Confidentiality (C): None
Integrity (I): Partial
Availability (A): None
2.6 Low (CCN CVSS v2 Vector: AV:N/AC:H/Au:N/C:N/I:P/A:N)
1.9 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:H/Au:N/C:N/I:P/A:N/E:U/RL:OF/RC:C)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): High
Authentication (Au): None
Impact Metrics: Confidentiality (C): None
Integrity (I): Partial
Availability (A): None
Vulnerability Type: CWE-310
References:

Source: NETBSD
Type: UNKNOWN
NetBSD-SA2014-015

Source: APPLE
Type: UNKNOWN
APPLE-SA-2015-01-27-4

Source: APPLE
Type: UNKNOWN
APPLE-SA-2015-09-16-2

Source: SUSE
Type: UNKNOWN
openSUSE-SU-2014:1331

Source: SUSE
Type: UNKNOWN
SUSE-SU-2014:1357

Source: SUSE
Type: UNKNOWN
SUSE-SU-2014:1361

Source: SUSE
Type: UNKNOWN
SUSE-SU-2015:0578

Source: SUSE
Type: UNKNOWN
openSUSE-SU-2016:0640

Source: HP
Type: UNKNOWN
HPSBUX03162

Source: HP
Type: UNKNOWN
SSRT101779

Source: HP
Type: UNKNOWN
SSRT101894

Source: HP
Type: UNKNOWN
HPSBMU03267

Source: HP
Type: UNKNOWN
HPSBMU03304

Source: HP
Type: UNKNOWN
HPSBHF03300

Source: HP
Type: UNKNOWN
HPSBMU03263

Source: HP
Type: UNKNOWN
HPSBMU03261

Source: GENTOO
Type: UNKNOWN
GLSA-201412-39

Source: CONFIRM
Type: UNKNOWN
http://support.apple.com/HT204244

Source: CONFIRM
Type: UNKNOWN
http://www-01.ibm.com/support/docview.wss?uid=swg21686997

Source: DEBIAN
Type: UNKNOWN
DSA-3053

Source: BID
Type: UNKNOWN
70585

Source: SECTRACK
Type: UNKNOWN
1031053

Source: CONFIRM
Type: UNKNOWN
https://blogs.oracle.com/sunsecurity/entry/multiple_vulnerabilities_in_openssl6

Source: XF
Type: UNKNOWN
openssl-cve20143568-sec-bypass(97037)

Source: CONFIRM
Type: PATCH
https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=26a59d9b46574e457870197dffa802871b4c8fc7

Source: CONFIRM
Type: UNKNOWN
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05150888

Source: CONFIRM
Type: UNKNOWN
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05158380

Source: CONFIRM
Type: UNKNOWN
https://kc.mcafee.com/corporate/index?page=content&id=SB10091

Source: CONFIRM
Type: UNKNOWN
https://support.apple.com/HT205217

Source: CONFIRM
Type: UNKNOWN
https://support.citrix.com/article/CTX216642

Source: CONFIRM
Type: VENDOR_ADVISORY
https://www.openssl.org/news/secadv_20141015.txt

Vulnerable Configuration:
Configuration 1:
  • cpe:/a:openssl:openssl:0.9.8zb:*:*:*:*:*:*:*
  • OR cpe:/a:openssl:openssl:1.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:openssl:openssl:1.0.0:beta1:*:*:*:*:*:*
  • OR cpe:/a:openssl:openssl:1.0.0:beta2:*:*:*:*:*:*
  • OR cpe:/a:openssl:openssl:1.0.0:beta3:*:*:*:*:*:*
  • OR cpe:/a:openssl:openssl:1.0.0:beta4:*:*:*:*:*:*
  • OR cpe:/a:openssl:openssl:1.0.0:beta5:*:*:*:*:*:*
  • OR cpe:/a:openssl:openssl:1.0.0a:*:*:*:*:*:*:*
  • OR cpe:/a:openssl:openssl:1.0.0b:*:*:*:*:*:*:*
  • OR cpe:/a:openssl:openssl:1.0.0c:*:*:*:*:*:*:*
  • OR cpe:/a:openssl:openssl:1.0.0d:*:*:*:*:*:*:*
  • OR cpe:/a:openssl:openssl:1.0.0e:*:*:*:*:*:*:*
  • OR cpe:/a:openssl:openssl:1.0.0f:*:*:*:*:*:*:*
  • OR cpe:/a:openssl:openssl:1.0.0g:*:*:*:*:*:*:*
  • OR cpe:/a:openssl:openssl:1.0.0h:*:*:*:*:*:*:*
  • OR cpe:/a:openssl:openssl:1.0.0i:*:*:*:*:*:*:*
  • OR cpe:/a:openssl:openssl:1.0.0j:*:*:*:*:*:*:*
  • OR cpe:/a:openssl:openssl:1.0.0k:*:*:*:*:*:*:*
  • OR cpe:/a:openssl:openssl:1.0.0l:*:*:*:*:*:*:*
  • OR cpe:/a:openssl:openssl:1.0.0m:*:*:*:*:*:*:*
  • OR cpe:/a:openssl:openssl:1.0.0n:*:*:*:*:*:*:*
  • OR cpe:/a:openssl:openssl:1.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:openssl:openssl:1.0.1:beta1:*:*:*:*:*:*
  • OR cpe:/a:openssl:openssl:1.0.1:beta2:*:*:*:*:*:*
  • OR cpe:/a:openssl:openssl:1.0.1:beta3:*:*:*:*:*:*
  • OR cpe:/a:openssl:openssl:1.0.1a:*:*:*:*:*:*:*
  • OR cpe:/a:openssl:openssl:1.0.1b:*:*:*:*:*:*:*
  • OR cpe:/a:openssl:openssl:1.0.1c:*:*:*:*:*:*:*
  • OR cpe:/a:openssl:openssl:1.0.1d:*:*:*:*:*:*:*
  • OR cpe:/a:openssl:openssl:1.0.1e:*:*:*:*:*:*:*
  • OR cpe:/a:openssl:openssl:1.0.1f:*:*:*:*:*:*:*
  • OR cpe:/a:openssl:openssl:1.0.1g:*:*:*:*:*:*:*
  • OR cpe:/a:openssl:openssl:1.0.1h:*:*:*:*:*:*:*
  • OR cpe:/a:openssl:openssl:1.0.1i:*:*:*:*:*:*:*

  • Denotes that component is vulnerable
Oval Definitions:

Definition ID | Class | Title | Last Modified
oval:org.opensuse.security:def:20143568 | V | CVE-2014-3568 | 2017-11-19
oval:org.mitre.oval:def:27218 | V | HP-UX Running OpenSSL, Remote Denial of Service (DoS), Unauthorized Access, Man-in-the-Middle (MitM) Attack | 2015-04-20
oval:org.mitre.oval:def:28044 | P | SUSE-SU-2014:1557-2 -- Security update for compat-openssl097g (moderate) | 2015-02-23
oval:org.mitre.oval:def:28273 | P | SUSE-SU-2014:1524-1 -- Security update for openssl (moderate) | 2015-01-26
oval:org.mitre.oval:def:28380 | P | SUSE-SU-2014:1361-1 -- Security update for OpenSSL (important) | 2015-01-26
oval:org.mitre.oval:def:28457 | P | SUSE-SU-2014:1387-1 -- Security update for OpenSSL (important) | 2015-01-26
oval:org.mitre.oval:def:28223 | P | SUSE-SU-2014:1386-1 -- Security update for OpenSSL (important) | 2015-01-26
oval:org.mitre.oval:def:28481 | P | SUSE-SU-2014:1512-1 -- Security update for compat-openssl098 (moderate) | 2015-01-26
oval:org.mitre.oval:def:26548 | P | DSA-3053-1 openssl - security update | 2014-11-24
oval:com.ubuntu.precise:def:20143568000 | V | CVE-2014-3568 on Ubuntu 12.04 LTS (precise) - low. | 2014-10-18
oval:com.ubuntu.trusty:def:20143568000 | V | CVE-2014-3568 on Ubuntu 14.04 LTS (trusty) - low. | 2014-10-18
oval:com.ubuntu.xenial:def:20143568000 | V | CVE-2014-3568 on Ubuntu 16.04 LTS (xenial) - low. | 2014-10-18