Guest

Preview Tool

Cisco Bug: CSCus42908 - JANUARY 2015 OpenSSL Vulnerabilities

Last Modified

May 10, 2017

Products (1)

  • Cisco Unified Intelligence Center

Known Affected Releases

10.0(5)

Description (partial)

Symptom:
This product includes a version of OpenSSL that is affected by the vulnerability identified by the Common Vulnerability and Exposures (CVE) IDs:
 
 CVE-2014-3569, CVE-2014-3570, CVE-2014-3571, CVE-2014-3572, CVE-2014-8275, CVE-2015-0204, CVE-2015-0205, CVE-2015-0206
 
 This bug has been opened to address the potential impact on this product.

Conditions:
A NULL pointer dereference flaw exists in the DTLS implementation of
 OpenSSL. A remote attacker could send a specially crafted DTLS message,
 causing an OpenSSL server to crash. (CVE-2014-3571)
 
 A memory leak was found in the way the dtls1_buffer_record() function
 of OpenSSL parsed certain DTLS messages. A remote attacker could send
 multiple specially crafted DTLS messages to exhaust all available memory of
 a DTLS server. (CVE-2015-0206)
 
 OpenSSL's BigNumber Squaring implementation could produce
 incorrect results under certain special conditions. This flaw could
 possibly affect certain OpenSSL library functionality, such as RSA
 blinding. Note that this issue occurred rarely and with a low probability,
 and there is currently no known way of exploiting it. (CVE-2014-3570)
 
 OpenSSL would perform an ECDH key exchange with a
 non-ephemeral key even when the ephemeral ECDH cipher suite was selected.
 A malicious server could make a TLS/SSL client using OpenSSL use a weaker
 key exchange method than the one requested by the user. (CVE-2014-3572)
 
 OpenSSL would accept ephemeral RSA keys when using
 non-export RSA cipher suites. A malicious server could make a TLS/SSL
 client using OpenSSL use a weaker key exchange method. (CVE-2015-0204)
 
 Multiple flaws exist in the way OpenSSL parses X.509 certificates. An attacker could use these flaws to modify an X.509 certificate to produce a
 certificate with a different fingerprint without invalidating its
 signature. (CVE-2014-8275)
Bug details contain sensitive information and therefore require a Cisco.com account to be viewed.

Bug Details Include

  • Full Description (including symptoms, conditions and workarounds)
  • Status
  • Severity
  • Known Fixed Releases
  • Related Community Discussions
  • Number of Related Support Cases
Bug information is viewable for customers and partners who have a service contract. Registered users can view up to 200 bugs per month without a service contract.