Security vulnerabilities have been discovered in OpenSSL that were reported on June 5, 2014 by the OpenSSL Project.
**CVE-ID:** CVE-2014-0224
**DESCRIPTION:** OpenSSL is vulnerable to a man-in-the-middle attack, caused by the use of weak keying material in SSL/TLS clients and servers. A remote attacker could exploit this vulnerability using a specially-crafted handshake to conduct man-in-the-middle attacks to decrypt and modify traffic.
CVSS Base Score: 5.8
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/93586> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:N)
**CVE-ID:** CVE-2014-0195
**DESCRIPTION:** OpenSSL is vulnerable to a buffer overflow. By sending invalid DTLS packet fragments, a remote attacker could exploit this vulnerability to overflow a buffer and execute arbitrary code on a DTLS client or server.
CVSS Base Score: 7.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/93588> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)
This vulnerability is known to affect the following offerings:
The vulnerability does NOT affect any version or release of the following:
IBM Java JSSE does not use OpenSSL.
The IBM MessageSight Server firmware has been updated to use a newer version of OpenSSL, which contains a fix for the reported OpenSSL vulnerabilities.
Product | VRMF | Remediation/First Fix
---|---|---
IBM MessageSight | 1.x.x.x | 1.1.0.1 (a firmware update can be downloaded from IBM Support: Fix Central)
None
CPE | Name | Operator | Version
---|---|---|---
 | ibm messagesight | eq | 1.0
 | ibm messagesight | eq | 1.1