CVE-2014-3568
First published: Sun Oct 19 2014(Updated: )
OpenSSL before 0.9.8zc, 1.0.0 before 1.0.0o, and 1.0.1 before 1.0.1j does not properly enforce the no-ssl3 build option, which allows remote attackers to bypass intended access restrictions via an SSL 3.0 handshake, related to s23_clnt.c and s23_srvr.c.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| OpenSSL | <=0.9.8zb | |
| OpenSSL | =1.0.0 | |
| OpenSSL | =1.0.0-beta1 | |
| OpenSSL | =1.0.0-beta2 | |
| OpenSSL | =1.0.0-beta3 | |
| OpenSSL | =1.0.0-beta4 | |
| OpenSSL | =1.0.0-beta5 | |
| OpenSSL | =1.0.0a | |
| OpenSSL | =1.0.0b | |
| OpenSSL | =1.0.0c | |
| OpenSSL | =1.0.0d | |
| OpenSSL | =1.0.0e | |
| OpenSSL | =1.0.0f | |
| OpenSSL | =1.0.0g | |
| OpenSSL | =1.0.0h | |
| OpenSSL | =1.0.0i | |
| OpenSSL | =1.0.0j | |
| OpenSSL | =1.0.0k | |
| OpenSSL | =1.0.0l | |
| OpenSSL | =1.0.0m | |
| OpenSSL | =1.0.0n | |
| OpenSSL | =1.0.1 | |
| OpenSSL | =1.0.1-beta1 | |
| OpenSSL | =1.0.1-beta2 | |
| OpenSSL | =1.0.1-beta3 | |
| OpenSSL | =1.0.1a | |
| OpenSSL | =1.0.1b | |
| OpenSSL | =1.0.1c | |
| OpenSSL | =1.0.1d | |
| OpenSSL | =1.0.1e | |
| OpenSSL | =1.0.1f | |
| OpenSSL | =1.0.1g | |
| OpenSSL | =1.0.1h | |
| OpenSSL | =1.0.1i |
Remedy
https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=26a59d9b46574e457870197dffa802871b4c8fc7
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://lists.apple.com/archives/security-announce/2015/Jan/msg00003.html
- http://lists.apple.com/archives/security-announce/2015/Sep/msg00002.html
- http://lists.opensuse.org/opensuse-security-announce/2014-10/msg00008.html
- http://lists.opensuse.org/opensuse-security-announce/2014-11/msg00001.html
- http://lists.opensuse.org/opensuse-security-announce/2014-11/msg00003.html
- http://lists.opensuse.org/opensuse-security-announce/2015-03/msg00027.html
- http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00011.html
- http://marc.info/?l=bugtraq&m=141477196830952&w=2
- http://marc.info/?l=bugtraq&m=142103967620673&w=2
- http://marc.info/?l=bugtraq&m=142495837901899&w=2
- http://marc.info/?l=bugtraq&m=142624590206005&w=2
- http://marc.info/?l=bugtraq&m=142791032306609&w=2
- http://marc.info/?l=bugtraq&m=142804214608580&w=2
- http://marc.info/?l=bugtraq&m=143290437727362&w=2
- http://marc.info/?l=bugtraq&m=143290522027658&w=2
- http://secunia.com/advisories/59627
- http://secunia.com/advisories/61058
- http://secunia.com/advisories/61073
- http://secunia.com/advisories/61130
- http://secunia.com/advisories/61207
- http://secunia.com/advisories/61819
- http://secunia.com/advisories/61959
- http://secunia.com/advisories/62030
- http://secunia.com/advisories/62070
- http://secunia.com/advisories/62124
- http://security.gentoo.org/glsa/glsa-201412-39.xml
- http://support.apple.com/HT204244
- http://www-01.ibm.com/support/docview.wss?uid=swg21686997
- http://www.debian.org/security/2014/dsa-3053
- http://www.securityfocus.com/bid/70585
- http://www.securitytracker.com/id/1031053
- https://blogs.oracle.com/sunsecurity/entry/multiple_vulnerabilities_in_openssl6
- https://exchange.xforce.ibmcloud.com/vulnerabilities/97037
- https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=26a59d9b46574e457870197dffa802871b4c8fc7
- https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05150888
- https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05158380
- https://kc.mcafee.com/corporate/index?page=content&id=SB10091
- https://support.apple.com/HT205217
- https://support.citrix.com/article/CTX216642
- https://www.openssl.org/news/secadv_20141015.txt
- https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commit%3Bh=26a59d9b46574e457870197dffa802871b4c8fc7
Frequently Asked Questions
What is the severity of CVE-2014-3568?
CVE-2014-3568 is classified as a high severity vulnerability due to its potential for remote exploitation.
How do I fix CVE-2014-3568?
To fix CVE-2014-3568, upgrade OpenSSL to versions 0.9.8zc, 1.0.0o, or 1.0.1j or later.
What types of attacks can CVE-2014-3568 facilitate?
CVE-2014-3568 allows remote attackers to bypass SSL 3.0 access restrictions, leading to possible man-in-the-middle attacks.
Which versions of OpenSSL are affected by CVE-2014-3568?
CVE-2014-3568 affects OpenSSL versions prior to 0.9.8zc, 1.0.0 before 1.0.0o, and 1.0.1 before 1.0.1j.
Is CVE-2014-3568 still a concern for modern systems?
Yes, CVE-2014-3568 is still a concern for systems running vulnerable versions of OpenSSL, even if they are not frequently updated.
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/remedy
- agent/last-modified-date
- agent/references
- agent/weakness
- agent/author
- agent/description
- agent/event
- agent/first-publish-date
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/openssl
- canonical/openssl
- version/openssl/0.9.8zb
- version/openssl/1.0.0
- version/openssl/1.0.0-beta1
- version/openssl/1.0.0-beta2
- version/openssl/1.0.0-beta3
- version/openssl/1.0.0-beta4
- version/openssl/1.0.0-beta5
- version/openssl/1.0.0a
- version/openssl/1.0.0b
- version/openssl/1.0.0c
- version/openssl/1.0.0d
- version/openssl/1.0.0e
- version/openssl/1.0.0f
- version/openssl/1.0.0g
- version/openssl/1.0.0h
- version/openssl/1.0.0i
- version/openssl/1.0.0j
- version/openssl/1.0.0k
- version/openssl/1.0.0l
- version/openssl/1.0.0m
- version/openssl/1.0.0n
- version/openssl/1.0.1
- version/openssl/1.0.1-beta1
- version/openssl/1.0.1-beta2
- version/openssl/1.0.1-beta3
- version/openssl/1.0.1a
- version/openssl/1.0.1b
- version/openssl/1.0.1c
- version/openssl/1.0.1d
- version/openssl/1.0.1e
- version/openssl/1.0.1f
- version/openssl/1.0.1g
- version/openssl/1.0.1h
- version/openssl/1.0.1i