CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
EPSS
Percentile
99.3%
OpenSSL before 0.9.8zd, 1.0.0p, or 1.0.1k are unpatched for the following vulnerabilities:
A DTLS segmentation fault due to a null pointer dereference, which can lead to a denial of service attack (CVE-2014-3571)
A memory leak when handling repeated DTLS records with the same sequence number but the next epoch, which can result in denial of service (CVE-2015-0206)
A null pointer dereference when handling SSL v3 ClientHelloes can result in denial of service when openssl is built with the no-ssl3 option (CVE-2014-3569)
ECDHE silently downgrades to ECDH ciphersuite when the server key exchange message is omitted; this removes forward secrecy from the ciphersuite (CVE-2014-3572)
A server could present a weak temporary RSA key to silently downgrade the session’s security from a non-export RSA key exchange ciphersuite (CVE-2015-0204)
For openssl servers that trust client certificate authorities that issue certificates containing DH keys, a bug exists wherein client certificates are accepted without verification (CVE-2015-0205)
OpenSSL does not enforce a match between the signed and unsigned portions of the certificate for several non-DER variants of certificate signature algorithms and signature encodings; while this does not affect OpenSSL servers and clients, custom applications relying on the uniqueness of the fingerprint may be affected (CVE-2014-8275)
Bignum squaring may produce incorrect results at random on some platforms, including x86_64, although the impact of this is unknown, and its occurrence is rare (CVE-2014-3570)
Binary data 8617.prm
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3569
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3570
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3571
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3572
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8275
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0204
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0205
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0206
www.openssl.org/news/secadv_20150108.txt