CVE-2014-0221

MEDIUM severity · CVSS 4.3

4.3CVSS MEDIUM

Summary

The dtls1_get_message_fragment function in d1_both.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h allows remote attackers to cause a denial of service (recursion and client crash) via a DTLS hello message in an invalid DTLS handshake.

Impact & exploitability

Attack vectorNetwork

Attack complexity—

Privileges required—

User interaction—

Confidentiality impactNone

Integrity impactNone

Availability impact—

Exploit probability (EPSS)82%

AV:N/AC:M/Au:N/C:N/I:N/A:P

Affected products we track (4)

MariaDB OpenSSL Red Hat Enterprise Linux SUSE Linux Enterprise

Recommendation

Apply the vendor fix in your normal patch cycle. Open any affected product above for its exact safe version.

Additional information

NVD record
http://aix.software.ibm.com/aix/efixes/security/openssl_advisory9.ascAdvisory
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10629Advisory
http://linux.oracle.com/errata/ELSA-2014-1053.htmlAdvisory
http://lists.fedoraproject.org/pipermail/package-announce/2014-August/136470.htmlAdvisory
http://lists.fedoraproject.org/pipermail/package-announce/2014-August/136473.htmlAdvisory
http://lists.opensuse.org/opensuse-security-announce/2015-04/msg00016.htmlAdvisory
http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00011.htmlAdvisory
http://marc.info/?l=bugtraq&m=140266410314613&w=2Advisory