CVE-2014-3509

EUVD-2014-3510
Race condition in the ssl_parse_serverhello_tlsext function in t1_lib.c in OpenSSL 1.0.0 before 1.0.0n and 1.0.1 before 1.0.1i, when multithreading and session resumption are used, allows remote SSL servers to cause a denial of service (memory overwrite and client application crash) or possibly have unspecified other impact by sending Elliptic Curve (EC) Supported Point Formats Extension data.
Race Condition
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
6.8 UNKNOWN
NETWORK
MEDIUM
AV:N/AC:M/Au:N/C:P/I:P/A:P
Base Score
CVSS 3.x
EPSS Score
Percentile: 93%
Affected Products (NVD)
VendorProductVersion
opensslopenssl
1.0.0
opensslopenssl
1.0.0:beta1
opensslopenssl
1.0.0:beta2
opensslopenssl
1.0.0:beta3
opensslopenssl
1.0.0:beta4
opensslopenssl
1.0.0:beta5
opensslopenssl
1.0.0a:a
opensslopenssl
1.0.0b:b
opensslopenssl
1.0.0c:c
opensslopenssl
1.0.0d:d
opensslopenssl
1.0.0e:e
opensslopenssl
1.0.0f:f
opensslopenssl
1.0.0g:g
opensslopenssl
1.0.0h:h
opensslopenssl
1.0.0i:i
opensslopenssl
1.0.0j:j
opensslopenssl
1.0.0k:k
opensslopenssl
1.0.0l:l
opensslopenssl
1.0.0m:m
opensslopenssl
1.0.1
opensslopenssl
1.0.1:beta1
opensslopenssl
1.0.1:beta2
opensslopenssl
1.0.1:beta3
opensslopenssl
1.0.1a:a
opensslopenssl
1.0.1b:b
opensslopenssl
1.0.1c:c
opensslopenssl
1.0.1d:d
opensslopenssl
1.0.1e:e
opensslopenssl
1.0.1f:f
opensslopenssl
1.0.1g:g
opensslopenssl
1.0.1h:h
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
openssl
bookworm
3.0.14-1~deb12u1
fixed
bookworm (security)
3.0.14-1~deb12u2
fixed
bullseye
1.1.1w-0+deb11u1
fixed
bullseye (security)
1.1.1w-0+deb11u2
fixed
sid
3.3.2-2
fixed
squeeze
not-affected
trixie
3.3.2-2
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
openssl
lucid
not-affected
precise
Fixed 1.0.1-4ubuntu5.17
released
trusty
Fixed 1.0.1f-1ubuntu2.5
released
openssl098
lucid
dne
precise
not-affected
trusty
dne
Common Weakness Enumeration
References
ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2014-008.txt.asc
http://aix.software.ibm.com/aix/efixes/security/openssl_advisory10.asc
http://linux.oracle.com/errata/ELSA-2014-1052.html
http://lists.fedoraproject.org/pipermail/package-announce/2014-August/136470.html
http://lists.fedoraproject.org/pipermail/package-announce/2014-August/136473.html
http://lists.opensuse.org/opensuse-updates/2014-08/msg00036.html
http://marc.info/?l=bugtraq&m=142350350616251&w=2
http://marc.info/?l=bugtraq&m=142495837901899&w=2
http://marc.info/?l=bugtraq&m=142624590206005&w=2
http://marc.info/?l=bugtraq&m=142660345230545&w=2
http://marc.info/?l=bugtraq&m=142791032306609&w=2
http://marc.info/?l=bugtraq&m=143290437727362&w=2
http://marc.info/?l=bugtraq&m=143290522027658&w=2
http://rhn.redhat.com/errata/RHSA-2015-0197.html
http://secunia.com/advisories/58962
http://secunia.com/advisories/59700
http://secunia.com/advisories/59710
http://secunia.com/advisories/59756
http://secunia.com/advisories/60022
http://secunia.com/advisories/60221
http://secunia.com/advisories/60493
http://secunia.com/advisories/60684
http://secunia.com/advisories/60803
http://secunia.com/advisories/60917
http://secunia.com/advisories/60921
http://secunia.com/advisories/60938
http://secunia.com/advisories/61017
http://secunia.com/advisories/61100
http://secunia.com/advisories/61139
http://secunia.com/advisories/61184
http://secunia.com/advisories/61775
http://secunia.com/advisories/61959
http://security.gentoo.org/glsa/glsa-201412-39.xml
http://www-01.ibm.com/support/docview.wss?uid=nas8N1020240
http://www-01.ibm.com/support/docview.wss?uid=swg21682293
http://www-01.ibm.com/support/docview.wss?uid=swg21683389
http://www-01.ibm.com/support/docview.wss?uid=swg21686997
http://www.debian.org/security/2014/dsa-2998
http://www.huawei.com/en/security/psirt/security-bulletins/security-advisories/hw-372998.htm
http://www.mandriva.com/security/advisories?name=MDVSA-2014:158
http://www.securityfocus.com/bid/69084
http://www.securitytracker.com/id/1030693
https://bugzilla.redhat.com/show_bug.cgi?id=1127498
https://exchange.xforce.ibmcloud.com/vulnerabilities/95159
https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commit%3Bh=fb0bc2b273bcc2d5401dd883fe869af4fc74bb21
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05150888
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05158380
https://lists.balabit.hu/pipermail/syslog-ng-announce/2014-September/000196.html
https://support.citrix.com/article/CTX216642
https://techzone.ergon.ch/CVE-2014-3511
https://www.freebsd.org/security/advisories/FreeBSD-SA-14:18.openssl.asc
https://www.openssl.org/news/secadv_20140806.txt
ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2014-008.txt.asc
http://aix.software.ibm.com/aix/efixes/security/openssl_advisory10.asc
http://linux.oracle.com/errata/ELSA-2014-1052.html
http://lists.fedoraproject.org/pipermail/package-announce/2014-August/136470.html
http://lists.fedoraproject.org/pipermail/package-announce/2014-August/136473.html
http://lists.opensuse.org/opensuse-updates/2014-08/msg00036.html
http://marc.info/?l=bugtraq&m=142350350616251&w=2
http://marc.info/?l=bugtraq&m=142495837901899&w=2
http://marc.info/?l=bugtraq&m=142624590206005&w=2
http://marc.info/?l=bugtraq&m=142660345230545&w=2
http://marc.info/?l=bugtraq&m=142791032306609&w=2
http://marc.info/?l=bugtraq&m=143290437727362&w=2
http://marc.info/?l=bugtraq&m=143290522027658&w=2
http://rhn.redhat.com/errata/RHSA-2015-0197.html
http://secunia.com/advisories/58962
http://secunia.com/advisories/59700
http://secunia.com/advisories/59710
http://secunia.com/advisories/59756
http://secunia.com/advisories/60022
http://secunia.com/advisories/60221
http://secunia.com/advisories/60493
http://secunia.com/advisories/60684
http://secunia.com/advisories/60803
http://secunia.com/advisories/60917
http://secunia.com/advisories/60921
http://secunia.com/advisories/60938
http://secunia.com/advisories/61017
http://secunia.com/advisories/61100
http://secunia.com/advisories/61139
http://secunia.com/advisories/61184
http://secunia.com/advisories/61775
http://secunia.com/advisories/61959
http://security.gentoo.org/glsa/glsa-201412-39.xml
http://www-01.ibm.com/support/docview.wss?uid=nas8N1020240
http://www-01.ibm.com/support/docview.wss?uid=swg21682293
http://www-01.ibm.com/support/docview.wss?uid=swg21683389
http://www-01.ibm.com/support/docview.wss?uid=swg21686997
http://www.debian.org/security/2014/dsa-2998
http://www.huawei.com/en/security/psirt/security-bulletins/security-advisories/hw-372998.htm
http://www.mandriva.com/security/advisories?name=MDVSA-2014:158
http://www.securityfocus.com/bid/69084
http://www.securitytracker.com/id/1030693
https://bugzilla.redhat.com/show_bug.cgi?id=1127498
https://exchange.xforce.ibmcloud.com/vulnerabilities/95159
https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commit%3Bh=fb0bc2b273bcc2d5401dd883fe869af4fc74bb21
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05150888
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05158380
https://lists.balabit.hu/pipermail/syslog-ng-announce/2014-September/000196.html
https://support.citrix.com/article/CTX216642
https://techzone.ergon.ch/CVE-2014-3511
https://www.freebsd.org/security/advisories/FreeBSD-SA-14:18.openssl.asc
https://www.openssl.org/news/secadv_20140806.txt