Guest

Preview Tool

Cisco Bug: CSCus42785 - JANUARY 2015 OpenSSL Vulnerabilities

Last Modified

Mar 09, 2018

Products (5)

  • Cisco Unified Contact Center Express
  • Cisco Unified Contact Center Express 11.0(1)
  • Cisco Unified IP Interactive Voice Response (IVR) 11.0(1)
  • Cisco Unified IP Interactive Voice Response (IVR) 10.5(1)
  • Cisco Unified Contact Center Express 10.5(1)

Known Affected Releases

10.0(1) 10.5(1) 10.6(1)

Description (partial)

Symptom:
This product includes a version of OpenSSL that is affected by the vulnerability identified by the Common Vulnerability and Exposures (CVE) IDs:

CVE-2015-0291, CVE-2015-0204, CVE-2015-0290, CVE-2015-0207, CVE-2015-0286, CVE-2015-0208, CVE-2015-0287, CVE-2015-0289, CVE-2015-0292, CVE-2015-0293, CVE-2015-1787, CVE-2015-0285, CVE-2015-0288 

This bug has been opened to address the potential impact on this product.

Conditions:
A NULL pointer dereference flaw exists in the DTLS implementation of
OpenSSL. A remote attacker could send a specially crafted DTLS message,
causing an OpenSSL server to crash. (CVE-2014-3571)

A memory leak was found in the way the dtls1_buffer_record() function
of OpenSSL parsed certain DTLS messages. A remote attacker could send
multiple specially crafted DTLS messages to exhaust all available memory of
a DTLS server. (CVE-2015-0206)

OpenSSL's BigNumber Squaring implementation could produce
incorrect results under certain special conditions. This flaw could
possibly affect certain OpenSSL library functionality, such as RSA
blinding. Note that this issue occurred rarely and with a low probability,
and there is currently no known way of exploiting it. (CVE-2014-3570)

OpenSSL would perform an ECDH key exchange with a
non-ephemeral key even when the ephemeral ECDH cipher suite was selected.
A malicious server could make a TLS/SSL client using OpenSSL use a weaker
key exchange method than the one requested by the user. (CVE-2014-3572)

OpenSSL would accept ephemeral RSA keys when using
non-export RSA cipher suites. A malicious server could make a TLS/SSL
client using OpenSSL use a weaker key exchange method. (CVE-2015-0204)

Multiple flaws exist in the way OpenSSL parses X.509 certificates. An attacker could use these flaws to modify an X.509 certificate to produce a
certificate with a different fingerprint without invalidating its
signature. (CVE-2014-8275)
Bug details contain sensitive information and therefore require a Cisco.com account to be viewed.

Bug Details Include

  • Full Description (including symptoms, conditions and workarounds)
  • Status
  • Severity
  • Known Fixed Releases
  • Related Community Discussions
  • Number of Related Support Cases
Bug information is viewable for customers and partners who have a service contract. Registered users can view up to 200 bugs per month without a service contract.