CVE-2013-6450
First published: Wed Jan 01 2014(Updated: )
The DTLS retransmission implementation in OpenSSL 1.0.0 before 1.0.0l and 1.0.1 before 1.0.1f does not properly maintain data structures for digest and encryption contexts, which might allow man-in-the-middle attackers to trigger the use of a different context and cause a denial of service (application crash) by interfering with packet delivery, related to ssl/d1_both.c and ssl/t1_enc.c.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| debian/openssl | 1.1.1w-0+deb11u1 1.1.1n-0+deb11u5 3.0.13-1~deb12u1 3.0.11-1~deb12u2 3.2.2-1 3.3.1-2 | |
| OpenSSL | =1.0.0 | |
| OpenSSL | =1.0.0-beta1 | |
| OpenSSL | =1.0.0-beta2 | |
| OpenSSL | =1.0.0-beta3 | |
| OpenSSL | =1.0.0-beta4 | |
| OpenSSL | =1.0.0-beta5 | |
| OpenSSL | =1.0.0a | |
| OpenSSL | =1.0.0b | |
| OpenSSL | =1.0.0c | |
| OpenSSL | =1.0.0d | |
| OpenSSL | =1.0.0e | |
| OpenSSL | =1.0.0f | |
| OpenSSL | =1.0.0g | |
| OpenSSL | =1.0.0h | |
| OpenSSL | =1.0.0i | |
| OpenSSL | =1.0.0j | |
| OpenSSL | =1.0.1 | |
| OpenSSL | =1.0.1-beta1 | |
| OpenSSL | =1.0.1-beta2 | |
| OpenSSL | =1.0.1-beta3 | |
| OpenSSL | =1.0.1a | |
| OpenSSL | =1.0.1b | |
| OpenSSL | =1.0.1c | |
| OpenSSL | =1.0.1d | |
| OpenSSL | =1.0.1e |
Remedy
http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=34628967f1e65dc8f34e000f0f5518e21afbfc7b
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://security-tracker.debian.org/tracker/CVE-2013-6450
- http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=34628967f1e65dc8f34e000f0f5518e21afbfc7b
- http://lists.fedoraproject.org/pipermail/package-announce/2014-August/136470.html
- http://lists.fedoraproject.org/pipermail/package-announce/2014-August/136473.html
- http://lists.opensuse.org/opensuse-updates/2014-01/msg00031.html
- http://lists.opensuse.org/opensuse-updates/2014-01/msg00032.html
- http://rhn.redhat.com/errata/RHSA-2014-0015.html
- http://seclists.org/fulldisclosure/2014/Dec/23
- http://security.gentoo.org/glsa/glsa-201412-39.xml
- http://www-01.ibm.com/support/docview.wss?uid=isg400001841
- http://www-01.ibm.com/support/docview.wss?uid=isg400001843
- http://www.debian.org/security/2014/dsa-2833
- http://www.openssl.org/news/vulnerabilities.html
- http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html
- http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html
- http://www.securityfocus.com/archive/1/534161/100/0/threaded
- http://www.securityfocus.com/bid/64618
- http://www.securitytracker.com/id/1029549
- http://www.securitytracker.com/id/1031594
- http://www.ubuntu.com/usn/USN-2079-1
- http://www.vmware.com/security/advisories/VMSA-2014-0012.html
- https://puppet.com/security/cve/cve-2013-6450
- http://git.openssl.org/gitweb/?p=openssl.git%3Ba=commit%3Bh=34628967f1e65dc8f34e000f0f5518e21afbfc7b
Frequently Asked Questions
What is the severity of CVE-2013-6450?
CVE-2013-6450 is considered a high-severity vulnerability due to its potential for denial of service attacks.
How do I fix CVE-2013-6450?
To fix CVE-2013-6450, upgrade OpenSSL to version 1.0.0l or 1.0.1f or later versions.
Which versions of OpenSSL are affected by CVE-2013-6450?
CVE-2013-6450 affects OpenSSL versions 1.0.0 through 1.0.0h and versions 1.0.1 through 1.0.1e.
What types of attacks can exploit CVE-2013-6450?
CVE-2013-6450 can be exploited by man-in-the-middle attackers to trigger denial of service conditions.
Is there a workaround for CVE-2013-6450?
There are no known effective workarounds for CVE-2013-6450; upgrading is the recommended solution.
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/last-modified-date
- agent/weakness
- agent/references
- agent/author
- agent/remedy
- agent/description
- agent/first-publish-date
- collector/security-tracker-debian
- source/Debian
- agent/software-canonical-lookup
- agent/event
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- package-manager/debian
- vendor/openssl
- canonical/openssl
- version/openssl/1.0.0
- version/openssl/1.0.0-beta1
- version/openssl/1.0.0-beta2
- version/openssl/1.0.0-beta3
- version/openssl/1.0.0-beta4
- version/openssl/1.0.0-beta5
- version/openssl/1.0.0a
- version/openssl/1.0.0b
- version/openssl/1.0.0c
- version/openssl/1.0.0d
- version/openssl/1.0.0e
- version/openssl/1.0.0f
- version/openssl/1.0.0g
- version/openssl/1.0.0h
- version/openssl/1.0.0i
- version/openssl/1.0.0j
- version/openssl/1.0.1
- version/openssl/1.0.1-beta1
- version/openssl/1.0.1-beta2
- version/openssl/1.0.1-beta3
- version/openssl/1.0.1a
- version/openssl/1.0.1b
- version/openssl/1.0.1c
- version/openssl/1.0.1d
- version/openssl/1.0.1e