Security vulnerabilities in OpenSSL (CVE-2014-0224, CVE-2014-0221, CVE-2014-0195, CVE-2014-0198, CVE-2010-5298, CVE-2014-3470) – Leaseweb Knowledge Base

Source: https://www.openssl.org/news/secadv_20140605.txt

Description
(CVE-2014-0224)

An attacker using a carefully crafted handshake can force the use of weak keying material in OpenSSL SSL/TLS clients and servers. This can be exploited by a Man-in-the-middle (MITM) attack where the attacker can decrypt and modify traffic from the attacked client and server.

The attack can only be performed between a vulnerable client AND server.

What versions of OpenSSL are affected?

OpenSSL clients are vulnerable in ALL versions of OpenSSL.
Servers are only known to be vulnerable in OpenSSL 1.0.1 and 1.0.2-beta1.

How to fix:

Users of OpenSSL servers earlier than 1.0.1 are advised to upgrade as a precaution.

OpenSSL 0.9.8 SSL/TLS users (client and/or server) should upgrade to 0.9.8za.
OpenSSL 1.0.0 SSL/TLS users (client and/or server) should upgrade to 1.0.0m.
OpenSSL 1.0.1 SSL/TLS users (client and/or server) should upgrade to 1.0.1h.

You can use this article as a reference to check the version of your openssl and perform the upgrade.

Debian: https://security-tracker.debian.org/tracker/CVE-2014-0224

Ubuntu: http://www.ubuntu.com/usn/usn-2232-1/

Redhat:
https://rhn.redhat.com/errata/RHSA-2014-0625.html
https://access.redhat.com/site/articles/904433

Additional resources:

Description(CVE-2014-0224)

What versions of OpenSSL are affected?

How to fix:

0 Comments

Description
(CVE-2014-0224)