CVSS2
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
EPSS
Percentile: 99.0%
OpenSSL versions before 0.9.8zb, 1.0.0n, or 1.0.1i are unpatched for the following vulnerabilities:
A memory double-free error exists related to handling DTLS packets that allows denial of service attacks. (CVE-2014-3505)
An unspecified error exists related to handling DTLS handshake messages that allows denial of service attacks due to large amounts of memory being consumed. (CVE-2014-3506)
A memory leak error exists related to handling specially crafted DTLS packets that allows denial of service attacks. (CVE-2014-3507)
An error exists related to ‘OBJ_obj2txt’ and the pretty printing ‘X509_name_*’ functions which leak stack data, resulting in an information disclosure. (CVE-2014-3508)
A null pointer dereference error exists related to handling anonymous ECDH cipher suites and crafted handshake messages that allow denial of service attacks against clients. (CVE-2014-3510)
Additionally, several vulnerabilities specific to version 1.0.1 prior to 1.0.1i have been disclosed:
A race condition in ssl_parse_serverhello_tlsext can cause information disclosure in applications utilizing the OpenSSL library. (CVE-2014-3509)
An SRP buffer overrun can be triggered by sending invalid SRP parameters. (CVE-2014-3512)
A flaw in the OpenSSL SSL/TLS server code can cause the server to negotiate TLS 1.0, even when higher protocol versions are supported, when the ClientHello message is badly fragmented. (CVE-2014-3511)
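The version thresholds above can be checked against a reported OpenSSL version string, as in the following added example (not part of the original page or of OpenSSL). The function names and the sample banners are assumptions made for illustration; the fixed releases and CVE groupings are the ones listed on this page.

```python
import re

# Fixed release per branch, as named on this page.
FIXED = {(0, 9, 8): "zb", (1, 0, 0): "n", (1, 0, 1): "i"}
# CVEs the page lists for all affected branches.
COMMON = ["CVE-2014-3505", "CVE-2014-3506", "CVE-2014-3507",
          "CVE-2014-3508", "CVE-2014-3510"]
# CVEs the page lists as specific to 1.0.1 before 1.0.1i.
ONLY_1_0_1 = ["CVE-2014-3509", "CVE-2014-3511", "CVE-2014-3512"]

# Pre-3.0 OpenSSL versions: three numbers plus an optional letter suffix.
# Anchoring on "OpenSSL" skips other product versions in a combined banner.
_VERSION = re.compile(r"(?:^|OpenSSL[ /])(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(banner):
    """Return ((major, minor, fix), letters) from a version string or banner."""
    m = _VERSION.search(banner)
    if not m:
        raise ValueError(f"no OpenSSL version found in {banner!r}")
    return tuple(int(g) for g in m.groups()[:3]), m.group(4)


def patch_rank(letters):
    """Order letter suffixes: '' < 'a' < ... < 'z' < 'za' < 'zb'."""
    return (len(letters), letters)


def unpatched_cves(banner):
    """List the CVEs from this page that the reported version is unpatched for."""
    branch, letters = parse_version(banner)
    if branch in FIXED:
        if patch_rank(letters) >= patch_rank(FIXED[branch]):
            return []
        return COMMON + (ONLY_1_0_1 if branch == (1, 0, 1) else [])
    # Branches older than 0.9.8 are also "before 0.9.8zb";
    # newer branches are outside what this page covers.
    return list(COMMON) if branch < min(FIXED) else []


if __name__ == "__main__":
    # Constructed sample banners, not taken from any real host.
    for banner in ("OpenSSL 1.0.1h", "OpenSSL 1.0.1i", "OpenSSL 0.9.8za",
                   "Apache/2.2.22 (Unix) OpenSSL/0.9.8x", "OpenSSL 1.0.1e-fips"):
        print(banner, "->", unpatched_cves(banner) or "patched")
```

Distribution packages often backport fixes without changing the upstream version string, so treat the result as a triage hint and confirm against the vendor's package changelog.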
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3505
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3506
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3507
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3508
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3509
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3510
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3511
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3512
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5139
www.openssl.org/news/secadv_20140806.txt