CVE-2013-6449

MEDIUM severity · CVSS 4.3 · CWE-310

4.3CVSS MEDIUM

Summary

The ssl_get_algorithm2 function in ssl/s3_lib.c in OpenSSL before 1.0.2 obtains a certain version number from an incorrect data structure, which allows remote attackers to cause a denial of service (daemon crash) via crafted traffic from a TLS 1.2 client.

Impact & exploitability

Attack vectorNetwork

Attack complexity—

Privileges required—

User interaction—

Confidentiality impactNone

Integrity impactNone

Availability impact—

Exploit probability (EPSS)47%

AV:N/AC:M/Au:N/C:N/I:N/A:P

Affected products we track (1)

OpenSSL

Recommendation

Apply the vendor fix in your normal patch cycle. Open any affected product above for its exact safe version.

Additional information

NVD record
http://git.openssl.org/gitweb/?p=openssl.git%3Ba=commit%3Bh=ca989269a2876bae79393bd54c3e72d49975fc75
http://lists.fedoraproject.org/pipermail/package-announce/2013-December/124833.html
http://lists.fedoraproject.org/pipermail/package-announce/2013-December/124854.html
http://lists.fedoraproject.org/pipermail/package-announce/2013-December/124858.html
http://lists.fedoraproject.org/pipermail/package-announce/2014-August/136470.html
http://lists.fedoraproject.org/pipermail/package-announce/2014-August/136473.html
http://lists.opensuse.org/opensuse-updates/2014-01/msg00006.html
http://lists.opensuse.org/opensuse-updates/2014-01/msg00009.html