CVE-2013-4353: Input Validation
First published: Mon Jan 06 2014(Updated: )
A flaw was found in the way OpenSSL handled TLS handshakes. A carefully crafted invalid TLS handshake could crash OpenSSL with a NULL pointer exception. This flaw only affects OpenSSL versions 1.0.1 through 1.0.1e; earlier versions are not affected and this is corrected in upstream version 1.0.1f [1],[2]. [1] <a href="http://www.openssl.org/news/vulnerabilities.html#2013-4353">http://www.openssl.org/news/vulnerabilities.html#2013-4353</a> [2] <a href="http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=197e0ea817ad64820789d86711d55ff50d71f631">http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=197e0ea817ad64820789d86711d55ff50d71f631</a>
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/openssl | <1.0.1 | 1.0.1 |
| OpenSSL libcrypto | =1.0.1 | |
| OpenSSL libcrypto | =1.0.1-beta1 | |
| OpenSSL libcrypto | =1.0.1-beta2 | |
| OpenSSL libcrypto | =1.0.1-beta3 | |
| OpenSSL libcrypto | =1.0.1a | |
| OpenSSL libcrypto | =1.0.1b | |
| OpenSSL libcrypto | =1.0.1c | |
| OpenSSL libcrypto | =1.0.1d | |
| OpenSSL libcrypto | =1.0.1e |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.openssl.org/news/vulnerabilities.html#2013-4353
- http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=197e0ea817ad64820789d86711d55ff50d71f631
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1049061
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1049062
- http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=ee2ffc2
- https://rhn.redhat.com/errata/RHBA-2013-1585.html
- https://rhn.redhat.com/errata/RHSA-2014-0015.html
- https://rhn.redhat.com/errata/RHSA-2014-0041.html
- https://rhn.redhat.com/errata/RHSA-2014-0416.html
- https://bugzilla.redhat.com/show_bug.cgi?id=1049058
- http://git.openssl.org/gitweb/?p=openssl.git;a=blob_plain;f=CHANGES;hb=refs/heads/OpenSSL_1_0_1-stable
- http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=197e0ea817ad64820789d86711d55ff50d71f631
- http://lists.fedoraproject.org/pipermail/package-announce/2014-August/136470.html
- http://lists.fedoraproject.org/pipermail/package-announce/2014-August/136473.html
- http://lists.opensuse.org/opensuse-updates/2014-01/msg00065.html
- http://lists.opensuse.org/opensuse-updates/2014-01/msg00067.html
- http://lists.opensuse.org/opensuse-updates/2014-01/msg00070.html
- http://rhn.redhat.com/errata/RHSA-2014-0015.html
- http://rhn.redhat.com/errata/RHSA-2014-0041.html
- http://www-01.ibm.com/support/docview.wss?uid=isg400001841
- http://www-01.ibm.com/support/docview.wss?uid=isg400001843
- http://www.debian.org/security/2014/dsa-2837
- http://www.openssl.org/news/vulnerabilities.html
- http://www.splunk.com/view/SP-CAAAMB3
- http://www.ubuntu.com/usn/USN-2079-1
- http://git.openssl.org/gitweb/?p=openssl.git%3Ba=blob_plain%3Bf=CHANGES%3Bhb=refs/heads/OpenSSL_1_0_1-stable
- http://git.openssl.org/gitweb/?p=openssl.git%3Ba=commit%3Bh=197e0ea817ad64820789d86711d55ff50d71f631
Frequently Asked Questions
What is the severity of CVE-2013-4353?
CVE-2013-4353 is categorized as a medium severity vulnerability due to the potential for denial of service caused by a NULL pointer exception during TLS handshakes.
How do I fix CVE-2013-4353?
To fix CVE-2013-4353, upgrade OpenSSL to version 1.0.1f or later.
Which versions of OpenSSL are affected by CVE-2013-4353?
CVE-2013-4353 affects OpenSSL versions 1.0.1 through 1.0.1e.
What type of vulnerability is CVE-2013-4353?
CVE-2013-4353 is a denial of service vulnerability associated with improper handling during TLS handshakes.
Is there a workaround for CVE-2013-4353?
There are no effective workarounds for CVE-2013-4353; upgrading to the fixed version is recommended.
- agent/weakness
- agent/type
- agent/first-publish-date
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/severity
- agent/references
- agent/author
- agent/event
- agent/description
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2013-4353
- agent/software-canonical-lookup
- agent/trending
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- package-manager/redhat
- vendor/openssl
- canonical/openssl libcrypto
- version/openssl libcrypto/1.0.1
- version/openssl libcrypto/1.0.1-beta1
- version/openssl libcrypto/1.0.1-beta2
- version/openssl libcrypto/1.0.1-beta3
- version/openssl libcrypto/1.0.1a
- version/openssl libcrypto/1.0.1b
- version/openssl libcrypto/1.0.1c
- version/openssl libcrypto/1.0.1d
- version/openssl libcrypto/1.0.1e