CVE-2014-8176

The dtls1_clear_queues function in ssl/d1_lib.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h frees data structures without considering that application data can arrive between a ChangeCipherSpec message and a Finished message, which allows remote DTLS peers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via unexpected application data.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.5 UNKNOWN
NETWORK
LOW
AV:N/AC:L/Au:N/C:P/I:P/A:P
redhatCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 95%
VendorProductVersion
opensslopenssl
𝑥
≤ 0.9.8z
opensslopenssl
1.0.0
opensslopenssl
1.0.0:beta1
opensslopenssl
1.0.0:beta2
opensslopenssl
1.0.0:beta3
opensslopenssl
1.0.0:beta4
opensslopenssl
1.0.0:beta5
opensslopenssl
1.0.0a:a
opensslopenssl
1.0.0b:b
opensslopenssl
1.0.0c:c
opensslopenssl
1.0.0d:d
opensslopenssl
1.0.0e:e
opensslopenssl
1.0.0f:f
opensslopenssl
1.0.0g:g
opensslopenssl
1.0.0h:h
opensslopenssl
1.0.0i:i
opensslopenssl
1.0.0j:j
opensslopenssl
1.0.0k:k
opensslopenssl
1.0.0l:l
opensslopenssl
1.0.1
opensslopenssl
1.0.1:beta1
opensslopenssl
1.0.1:beta2
opensslopenssl
1.0.1:beta3
opensslopenssl
1.0.1a:a
opensslopenssl
1.0.1b:b
opensslopenssl
1.0.1c:c
opensslopenssl
1.0.1d:d
opensslopenssl
1.0.1e:e
opensslopenssl
1.0.1f:f
opensslopenssl
1.0.1g:g
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
openssl
bullseye
1.1.1w-0+deb11u1
fixed
bullseye (security)
1.1.1w-0+deb11u2
fixed
bookworm
3.0.14-1~deb12u1
fixed
bookworm (security)
3.0.14-1~deb12u2
fixed
sid
3.3.2-2
fixed
trixie
3.3.2-2
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
openssl
disco
not-affected
cosmic
not-affected
bionic
not-affected
artful
not-affected
zesty
not-affected
yakkety
not-affected
xenial
not-affected
wily
not-affected
vivid
Fixed 1.0.1f-1ubuntu11.4
released
utopic
Fixed 1.0.1f-1ubuntu9.8
released
trusty
Fixed 1.0.1f-1ubuntu2.15
released
precise
Fixed 1.0.1-4ubuntu5.31
released
openssl098
disco
dne
cosmic
dne
bionic
dne
artful
dne
zesty
dne
yakkety
dne
xenial
dne
wily
dne
vivid
ignored
utopic
ignored
trusty
dne
precise
ignored
Common Weakness Enumeration
References
http://fortiguard.com/advisory/openssl-vulnerabilities-june-2015
http://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2015-008.txt.asc
http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00007.html
http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00037.html
http://rhn.redhat.com/errata/RHSA-2015-1115.html
http://rhn.redhat.com/errata/RHSA-2016-2957.html
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150612-openssl
http://www.debian.org/security/2015/dsa-3287
http://www.fortiguard.com/advisory/openssl-vulnerabilities-june-2015
http://www.securityfocus.com/bid/75159
http://www.securitytracker.com/id/1032564
http://www.ubuntu.com/usn/USN-2639-1
https://bto.bluecoat.com/security-advisory/sa98
https://cert-portal.siemens.com/productcert/pdf/ssa-412672.pdf
https://github.com/openssl/openssl/commit/470990fee0182566d439ef7e82d1abf18b7085d7
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05184351
https://kc.mcafee.com/corporate/index?page=content&id=SB10122
https://openssl.org/news/secadv/20150611.txt
https://rt.openssl.org/Ticket/Display.html?id=3286&user=guest&pass=guest
https://security.gentoo.org/glsa/201506-02
https://www.openssl.org/news/secadv_20150611.txt
http://fortiguard.com/advisory/openssl-vulnerabilities-june-2015
http://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2015-008.txt.asc
http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00007.html
http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00037.html
http://rhn.redhat.com/errata/RHSA-2015-1115.html
http://rhn.redhat.com/errata/RHSA-2016-2957.html
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150612-openssl
http://www.debian.org/security/2015/dsa-3287
http://www.fortiguard.com/advisory/openssl-vulnerabilities-june-2015
http://www.securityfocus.com/bid/75159
http://www.securitytracker.com/id/1032564
http://www.ubuntu.com/usn/USN-2639-1
https://bto.bluecoat.com/security-advisory/sa98
https://cert-portal.siemens.com/productcert/pdf/ssa-412672.pdf
https://github.com/openssl/openssl/commit/470990fee0182566d439ef7e82d1abf18b7085d7
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05184351
https://kc.mcafee.com/corporate/index?page=content&id=SB10122
https://openssl.org/news/secadv/20150611.txt
https://rt.openssl.org/Ticket/Display.html?id=3286&user=guest&pass=guest
https://security.gentoo.org/glsa/201506-02
https://www.openssl.org/news/secadv_20150611.txt