4.3 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:N/I:N/A:P
7.2 High
AI Score
Confidence
High
0.9 High
EPSS
Percentile
98.8%
The ssl_get_algorithm2 function in ssl/s3_lib.c in OpenSSL before 1.0.2 obtains a certain version number from an incorrect data structure, which allows remote attackers to cause a denial of service (daemon crash) via crafted traffic from a TLS 1.2 client.
git.openssl.org/gitweb/?p=openssl.git%3Ba=commit%3Bh=ca989269a2876bae79393bd54c3e72d49975fc75
lists.fedoraproject.org/pipermail/package-announce/2013-December/124833.html
lists.fedoraproject.org/pipermail/package-announce/2013-December/124854.html
lists.fedoraproject.org/pipermail/package-announce/2013-December/124858.html
lists.fedoraproject.org/pipermail/package-announce/2014-August/136470.html
lists.fedoraproject.org/pipermail/package-announce/2014-August/136473.html
lists.opensuse.org/opensuse-updates/2014-01/msg00006.html
lists.opensuse.org/opensuse-updates/2014-01/msg00009.html
lists.opensuse.org/opensuse-updates/2014-01/msg00012.html
lists.opensuse.org/opensuse-updates/2014-01/msg00031.html
rhn.redhat.com/errata/RHSA-2014-0015.html
rhn.redhat.com/errata/RHSA-2014-0041.html
rt.openssl.org/Ticket/Display.html?id=3200&user=guest&pass=guest
seclists.org/fulldisclosure/2014/Dec/23
security.gentoo.org/glsa/glsa-201412-39.xml
www-01.ibm.com/support/docview.wss?uid=isg400001841
www-01.ibm.com/support/docview.wss?uid=isg400001843
www.debian.org/security/2014/dsa-2833
www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html
www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html
www.securityfocus.com/archive/1/534161/100/0/threaded
www.securityfocus.com/bid/64530
www.securitytracker.com/id/1029548
www.ubuntu.com/usn/USN-2079-1
www.vmware.com/security/advisories/VMSA-2014-0012.html
bugzilla.redhat.com/show_bug.cgi?id=1045363
issues.apache.org/jira/browse/TS-2355