SB2014091204 - Multiple vulnerabilities in HP OpenVMS running OpenSSL 

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2014091204

SB2014091204 - Multiple vulnerabilities in HP OpenVMS running OpenSSL

Published: September 12, 2014 Updated: April 26, 2023

Security Bulletin ID SB2014091204
Severity
Medium
Patch available
YES
Number of vulnerabilities 5
Exploitation vector Remote access
Highest impact Denial of service

Breakdown by Severity

Medium 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 5 secuirty vulnerabilities.


1) Input validation error (CVE-ID: CVE-2014-3505)

The vulnerability allows remote attackers to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can cause a denial of service (application crash) via crafted DTLS packets that trigger an error condition.


2) Resource management error (CVE-ID: CVE-2014-3506)

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

d1_both.c in the DTLS implementation in OpenSSL 0.9.8 before 0.9.8zb, 1.0.0 before 1.0.0n, and 1.0.1 before 1.0.1i allows remote attackers to cause a denial of service (memory consumption) via crafted DTLS handshake messages that trigger memory allocations corresponding to large length values.


3) Memory leak (CVE-ID: CVE-2014-3507)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to memory leak within d1_both.c in the DTLS implementation in OpenSSL 0.9.8 before 0.9.8zb, 1.0.0 before 1.0.0n, and 1.0.1 before 1.0.1i allows remote attackers to cause a denial of service (memory consumption) via zero-length DTLS fragments that trigger improper handling of the return value of a certain insert function. A remote attacker can perform a denial of service attack.


4) Information disclosure (CVE-ID: CVE-2014-3508)

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

The OBJ_obj2txt function in crypto/objects/obj_dat.c in OpenSSL 0.9.8 before 0.9.8zb, 1.0.0 before 1.0.0n, and 1.0.1 before 1.0.1i, when pretty printing is used, does not ensure the presence of '' characters, which allows context-dependent attackers to obtain sensitive information from process stack memory by reading output from X509_name_oneline, X509_name_print_ex, and unspecified other functions.


5) Input validation error (CVE-ID: CVE-2014-3510)

The vulnerability allows remote DTLS servers to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can cause a denial of service (NULL pointer dereference and client application crash) via a crafted handshake message in conjunction with a (1) anonymous DH or (2) anonymous ECDH ciphersuite.


Remediation

Install update from vendor's website.

References