CVE-2014-8564
First published: Fri Nov 07 2014(Updated: )
IssueDescription: An out-of-bounds memory write flaw was found in the way GnuTLS parsed certain ECC (Elliptic Curve Cryptography) certificates or certificate signing requests (CSR). A malicious user could create a specially crafted ECC certificate or a certificate signing request that, when processed by an application compiled against GnuTLS (for example, certtool), could cause that application to crash or execute arbitrary code with the permissions of the user running the application.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/gnutls | <3.1.28 | 3.1.28 |
| redhat/gnutls | <3.2.20 | 3.2.20 |
| redhat/gnutls | <3.3.10 | 3.3.10 |
| GnuTLS | =3.0 | |
| GnuTLS | =3.0.0 | |
| GnuTLS | =3.0.1 | |
| GnuTLS | =3.0.2 | |
| GnuTLS | =3.0.3 | |
| GnuTLS | =3.0.4 | |
| GnuTLS | =3.0.5 | |
| GnuTLS | =3.0.6 | |
| GnuTLS | =3.0.7 | |
| GnuTLS | =3.0.8 | |
| GnuTLS | =3.0.9 | |
| GnuTLS | =3.0.10 | |
| GnuTLS | =3.0.11 | |
| GnuTLS | =3.0.12 | |
| GnuTLS | =3.0.13 | |
| GnuTLS | =3.0.14 | |
| GnuTLS | =3.0.15 | |
| GnuTLS | =3.0.16 | |
| GnuTLS | =3.0.17 | |
| GnuTLS | =3.0.18 | |
| GnuTLS | =3.0.19 | |
| GnuTLS | =3.0.20 | |
| GnuTLS | =3.0.21 | |
| GnuTLS | =3.0.22 | |
| GnuTLS | =3.0.23 | |
| GnuTLS | =3.0.24 | |
| GnuTLS | =3.0.25 | |
| GnuTLS | =3.0.26 | |
| GnuTLS | =3.0.27 | |
| GnuTLS | =3.0.28 | |
| GnuTLS | =3.1.0 | |
| GnuTLS | =3.1.1 | |
| GnuTLS | =3.1.2 | |
| GnuTLS | =3.1.3 | |
| GnuTLS | =3.1.4 | |
| GnuTLS | =3.1.5 | |
| GnuTLS | =3.1.6 | |
| GnuTLS | =3.1.7 | |
| GnuTLS | =3.1.8 | |
| GnuTLS | =3.1.9 | |
| GnuTLS | =3.1.10 | |
| GnuTLS | =3.1.11 | |
| GnuTLS | =3.1.12 | |
| GnuTLS | =3.1.13 | |
| GnuTLS | =3.1.14 | |
| GnuTLS | =3.1.15 | |
| GnuTLS | =3.1.16 | |
| GnuTLS | =3.1.17 | |
| GnuTLS | =3.1.18 | |
| GnuTLS | =3.1.19 | |
| GnuTLS | =3.1.20 | |
| GnuTLS | =3.1.21 | |
| GnuTLS | =3.1.22 | |
| GnuTLS | =3.1.23 | |
| GnuTLS | =3.1.24 | |
| GnuTLS | =3.1.25 | |
| GnuTLS | =3.1.26 | |
| GnuTLS | =3.1.27 | |
| GnuTLS | =3.2.0 | |
| GnuTLS | =3.2.1 | |
| GnuTLS | =3.2.2 | |
| GnuTLS | =3.2.3 | |
| GnuTLS | =3.2.4 | |
| GnuTLS | =3.2.5 | |
| GnuTLS | =3.2.6 | |
| GnuTLS | =3.2.7 | |
| GnuTLS | =3.2.8 | |
| GnuTLS | =3.2.8.1 | |
| GnuTLS | =3.2.9 | |
| GnuTLS | =3.2.10 | |
| GnuTLS | =3.2.11 | |
| GnuTLS | =3.2.12 | |
| GnuTLS | =3.2.12.1 | |
| GnuTLS | =3.2.13 | |
| GnuTLS | =3.2.14 | |
| GnuTLS | =3.2.15 | |
| GnuTLS | =3.2.16 | |
| GnuTLS | =3.2.17 | |
| GnuTLS | =3.2.18 | |
| GnuTLS | =3.2.19 | |
| GnuTLS | =3.3.0 | |
| GnuTLS | =3.3.0-pre0 | |
| GnuTLS | =3.3.1 | |
| GnuTLS | =3.3.2 | |
| GnuTLS | =3.3.3 | |
| GnuTLS | =3.3.4 | |
| GnuTLS | =3.3.5 | |
| GnuTLS | =3.3.6 | |
| GnuTLS | =3.3.7 | |
| GnuTLS | =3.3.8 | |
| GnuTLS | =3.3.9 | |
| Red Hat Enterprise Linux Desktop | =7.0 | |
| Red Hat Enterprise Linux HPC Node | =7.0 | |
| Red Hat Enterprise Linux Server | =7.0 | |
| Red Hat Enterprise Linux Workstation | =7.0 | |
| SUSE Linux | =12.3 | |
| SUSE Linux | =13.1 | |
| SUSE Linux | =13.2 | |
| Ubuntu | =14.10 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=954810&action=diff
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=954810&action=edit
- http://www.gnutls.org/security.html#GNUTLS-SA-2014-5
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1162086
- https://gitorious.org/gnutls/gnutls/commit/7429872b74c8216bbf15e241e47aba94369ef083
- https://rhn.redhat.com/errata/RHSA-2014-1846.html
- https://bugzilla.redhat.com/show_bug.cgi?id=1161443
- http://lists.opensuse.org/opensuse-updates/2014-11/msg00084.html
- http://rhn.redhat.com/errata/RHSA-2014-1846.html
- http://secunia.com/advisories/59991
- http://secunia.com/advisories/62284
- http://secunia.com/advisories/62294
- http://www.ubuntu.com/usn/USN-2403-1
Frequently Asked Questions
What is the severity of CVE-2014-8564?
CVE-2014-8564 is classified as a high severity vulnerability due to its potential to cause an out-of-bounds memory write.
How do I fix CVE-2014-8564?
To fix CVE-2014-8564, upgrade your GnuTLS to version 3.1.28, 3.2.20, or 3.3.10 or later.
What systems are affected by CVE-2014-8564?
CVE-2014-8564 affects various GnuTLS versions across different distributions including Red Hat and openSUSE.
What types of attacks exploit CVE-2014-8564?
CVE-2014-8564 can be exploited by attackers creating specially crafted ECC certificates or certificate signing requests.
Is there a patch available for CVE-2014-8564?
Yes, patches for CVE-2014-8564 are included in the updated GnuTLS versions that resolve the vulnerability.
- agent/type
- agent/first-publish-date
- agent/references
- agent/author
- agent/severity
- agent/weakness
- agent/remedy
- agent/description
- collector/mitre-cve
- source/MITRE
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2014-8564
- agent/software-canonical-lookup
- agent/last-modified-date
- agent/event
- agent/trending
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- package-manager/redhat
- vendor/gnu
- canonical/gnutls
- version/gnutls/3.0
- version/gnutls/3.0.0
- version/gnutls/3.0.1
- version/gnutls/3.0.2
- version/gnutls/3.0.3
- version/gnutls/3.0.4
- version/gnutls/3.0.5
- version/gnutls/3.0.6
- version/gnutls/3.0.7
- version/gnutls/3.0.8
- version/gnutls/3.0.9
- version/gnutls/3.0.10
- version/gnutls/3.0.11
- version/gnutls/3.0.12
- version/gnutls/3.0.13
- version/gnutls/3.0.14
- version/gnutls/3.0.15
- version/gnutls/3.0.16
- version/gnutls/3.0.17
- version/gnutls/3.0.18
- version/gnutls/3.0.19
- version/gnutls/3.0.20
- version/gnutls/3.0.21
- version/gnutls/3.0.22
- version/gnutls/3.0.23
- version/gnutls/3.0.24
- version/gnutls/3.0.25
- version/gnutls/3.0.26
- version/gnutls/3.0.27
- version/gnutls/3.0.28
- version/gnutls/3.1.0
- version/gnutls/3.1.1
- version/gnutls/3.1.2
- version/gnutls/3.1.3
- version/gnutls/3.1.4
- version/gnutls/3.1.5
- version/gnutls/3.1.6
- version/gnutls/3.1.7
- version/gnutls/3.1.8
- version/gnutls/3.1.9
- version/gnutls/3.1.10
- version/gnutls/3.1.11
- version/gnutls/3.1.12
- version/gnutls/3.1.13
- version/gnutls/3.1.14
- version/gnutls/3.1.15
- version/gnutls/3.1.16
- version/gnutls/3.1.17
- version/gnutls/3.1.18
- version/gnutls/3.1.19
- version/gnutls/3.1.20
- version/gnutls/3.1.21
- version/gnutls/3.1.22
- version/gnutls/3.1.23
- version/gnutls/3.1.24
- version/gnutls/3.1.25
- version/gnutls/3.1.26
- version/gnutls/3.1.27
- version/gnutls/3.2.0
- version/gnutls/3.2.1
- version/gnutls/3.2.2
- version/gnutls/3.2.3
- version/gnutls/3.2.4
- version/gnutls/3.2.5
- version/gnutls/3.2.6
- version/gnutls/3.2.7
- version/gnutls/3.2.8
- version/gnutls/3.2.8.1
- version/gnutls/3.2.9
- version/gnutls/3.2.10
- version/gnutls/3.2.11
- version/gnutls/3.2.12
- version/gnutls/3.2.12.1
- version/gnutls/3.2.13
- version/gnutls/3.2.14
- version/gnutls/3.2.15
- version/gnutls/3.2.16
- version/gnutls/3.2.17
- version/gnutls/3.2.18
- version/gnutls/3.2.19
- version/gnutls/3.3.0
- version/gnutls/3.3.0-pre0
- version/gnutls/3.3.1
- version/gnutls/3.3.2
- version/gnutls/3.3.3
- version/gnutls/3.3.4
- version/gnutls/3.3.5
- version/gnutls/3.3.6
- version/gnutls/3.3.7
- version/gnutls/3.3.8
- version/gnutls/3.3.9
- vendor/redhat
- canonical/red hat enterprise linux desktop
- version/red hat enterprise linux desktop/7.0
- canonical/red hat enterprise linux hpc node
- version/red hat enterprise linux hpc node/7.0
- canonical/red hat enterprise linux server
- version/red hat enterprise linux server/7.0
- canonical/red hat enterprise linux workstation
- version/red hat enterprise linux workstation/7.0
- vendor/opensuse
- canonical/suse linux
- version/suse linux/12.3
- version/suse linux/13.1
- version/suse linux/13.2
- vendor/canonical
- canonical/ubuntu
- version/ubuntu/14.10