Vulnerability Name:
CVE-2014-3488 (CCN-95285)
Assigned:
2014-07-29
Published:
2014-07-29
Updated:
2020-02-19
Summary:
The SslHandler in Netty before 3.9.2 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted SSLv2Hello message.
CVSS v3 Severity:
5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
Exploitability Metrics:
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
None
User Interaction (UI):
None
Scope:
Scope (S):
Unchanged
Impact Metrics:
Confidentiality (C):
None
Integrity (I):
None
Availability (A):
Low
CVSS v2 Severity:
5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P)
3.7 Low (Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P/E:U/RL:OF/RC:C)
Exploitability Metrics:
Access Vector (AV):
Network
Access Complexity (AC):
Low
Authentication (Au):
None
Impact Metrics:
Confidentiality (C):
None
Integrity (I):
None
Availability (A):
Partial
5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P)
3.7 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P/E:U/RL:OF/RC:C)
Exploitability Metrics:
Access Vector (AV):
Network
Access Complexity (AC):
Low
Authentication (Au):
None
Impact Metrics:
Confidentiality (C):
None
Integrity (I):
None
Availability (A):
Partial
Vulnerability Type:
CWE-119
Vulnerability Consequences:
Denial of Service
References:
Source: MITRE
Type: CNA
CVE-2014-3488
Source: CCN
Type: Netty Web site
Netty
Source: CONFIRM
Type: Vendor Advisory
http://netty.io/news/2014/06/11/3-9-2-Final.html
Source: SECUNIA
Type: UNKNOWN
59196
Source: CCN
Type: BID-68999
Netty 'SSLv2Hello' Message Denial of Service Vulnerability
Source: XF
Type: UNKNOWN
netty-cve20143488-dos(95285)
Source: CONFIRM
Type: UNKNOWN
https://github.com/netty/netty/commit/2fa9400a59d0563a66908aba55c41e7285a04994
Source: CONFIRM
Type: Exploit, Patch
https://github.com/netty/netty/issues/2562
Source: MLIST
Type: UNKNOWN
[debian-lts-announce] 20200219 [SECURITY] [DLA 2110-1] netty-3.9 security update
Source: CCN
Type: IBM Security Bulletin 6198380 (DB2 for Linux, UNIX and Windows)
Multiple vulnerabilities in dependent libraries affect IBM Db2 leading to denial of service or privilege escalation.
Source: CCN
Type: IBM Security Bulletin 6210366 (Monitoring)
Multiple vulnerabilities have been identified in DB2 that affect the IBM Performance Management product
Source: CCN
Type: IBM Security Bulletin 6444895 (Db2 Warehouse)
IBM Db2 Warehouse has released a fix in response to multiple vulnerabilities found in IBM Db2
Source: CCN
Type: IBM Security Bulletin 6520510 (Cognos Analytics)
IBM Cognos Analytics has addressed multiple vulnerabilities
Source: CCN
Type: IBM Security Bulletin 6605881 (PureData System for Operational Analytics)
Multiple security vulnerabilities have been identified in IBM DB2 shipped with IBM PureData System for Operational Analytics
Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2014-3488
Vulnerable Configuration:
Configuration 1:
cpe:/a:netty:netty:3.6.0:-:*:*:*:*:*:*
OR
cpe:/a:netty:netty:3.6.1:*:*:*:*:*:*:*
OR
cpe:/a:netty:netty:3.6.2:*:*:*:*:*:*:*
OR
cpe:/a:netty:netty:3.6.3:*:*:*:*:*:*:*
OR
cpe:/a:netty:netty:3.6.4:*:*:*:*:*:*:*
OR
cpe:/a:netty:netty:3.6.5:*:*:*:*:*:*:*
OR
cpe:/a:netty:netty:3.6.6:*:*:*:*:*:*:*
OR
cpe:/a:netty:netty:3.6.7:*:*:*:*:*:*:*
OR
cpe:/a:netty:netty:3.6.8:*:*:*:*:*:*:*
OR
cpe:/a:netty:netty:3.7.0:*:*:*:*:*:*:*
OR
cpe:/a:netty:netty:3.8.0:*:*:*:*:*:*:*
OR
cpe:/a:netty:netty:3.8.1:*:*:*:*:*:*:*
OR
cpe:/a:netty:netty:3.9.0:*:*:*:*:*:*:*
OR
cpe:/a:netty:netty:3.9.1:*:*:*:*:*:*:*
OR
cpe:/a:netty:netty:*:*:*:*:*:*:*:* (Version <= 3.9.1.1)
Configuration CCN 1:
cpe:/a:ibm:db2:11.1:*:*:*:*:linux:*:*
OR
cpe:/a:ibm:db2:11.1:*:*:*:*:unix:*:*
OR
cpe:/a:ibm:db2:11.1:*:*:*:*:windows:*:*
OR
cpe:/a:ibm:monitoring:8.1.4:*:*:*:*:*:*:*
OR
cpe:/a:ibm:db2:11.1:*:*:*:*:linux:*:*
OR
cpe:/a:ibm:db2:11.1:*:*:*:*:unix:*:*
OR
cpe:/a:ibm:db2:11.1:*:*:*:*:windows:*:*
OR
cpe:/a:ibm:db2:11.5:*:*:*:*:linux:*:*
OR
cpe:/a:ibm:db2:11.5:*:*:*:*:unix:*:*
OR
cpe:/a:ibm:db2:11.5:*:*:*:*:windows:*:*
OR
cpe:/a:ibm:db2:11.5:*:*:*:*:linux:*:*
OR
cpe:/a:ibm:db2:11.5:*:*:*:*:unix:*:*
OR
cpe:/a:ibm:db2:11.5:*:*:*:*:windows:*:*
OR
cpe:/a:ibm:cognos_analytics:11.2.0:*:*:*:*:*:*:*
OR
cpe:/a:ibm:cognos_analytics:11.1.7:-:*:*:*:*:*:*
Oval Definitions:
Definition ID | Class | Title | Last Modified
oval:com.ubuntu.precise:def:20143488000 | V | CVE-2014-3488 on Ubuntu 12.04 LTS (precise) - medium. | 2014-07-31
oval:com.ubuntu.trusty:def:20143488000 | V | CVE-2014-3488 on Ubuntu 14.04 LTS (trusty) - medium. | 2014-07-31