The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

vulnerability note CVE-2014-6593 CVE-2015-0205

JSSE, CyaSSL, Mono, OpenSSL: clear text session via SKIP-TLS

Synthesis of the vulnerability

An attacker, who has a TLS server, can force the JSSE, CyaSSL, Mono or OpenSSL client/server to use a clear text session, in order to allow a third party to capture or alter exchanged data.
Severity of this computer vulnerability: 2/4.
Number of vulnerabilities in this bulletin: 2.
Creation date: 04/03/2015.
Revision date: 09/03/2015.
Références of this announce: 1699051, 1700706, 1701485, 9010028, ARUBA-PSA-2015-003, bulletinjan2015, c04517481, c04556853, c04580241, c04583581, CERTFR-2015-AVI-108, CERTFR-2015-AVI-146, CERTFR-2016-AVI-303, cisco-sa-20150310-ssl, cpujan2015, cpuoct2017, CTX216642, CVE-2014-6593, CVE-2015-0205, DSA-3125-1, DSA-3144-1, DSA-3147-1, FEDORA-2015-0512, FEDORA-2015-0601, FEDORA-2015-0983, FEDORA-2015-1075, FEDORA-2015-1150, FEDORA-2015-8251, FEDORA-2015-8264, FreeBSD-SA-15:01.openssl, HPSBUX03219, HPSBUX03244, HPSBUX03273, HPSBUX03281, JSA10679, MDVSA-2015:019, MDVSA-2015:033, MDVSA-2015:062, NetBSD-SA2015-006, NTAP-20150205-0001, openSUSE-SU-2015:0130-1, openSUSE-SU-2015:0190-1, openSUSE-SU-2015:1277-1, RHSA-2015:0066-01, RHSA-2015:0067-01, RHSA-2015:0068-01, RHSA-2015:0069-01, RHSA-2015:0079-01, RHSA-2015:0080-01, RHSA-2015:0085-01, RHSA-2015:0086-01, RHSA-2015:0133-01, RHSA-2015:0134-01, RHSA-2015:0135-01, RHSA-2015:0136-01, RHSA-2015:0263-01, RHSA-2015:0264-01, SA40015, SA88, SB10104, SB10108, SKIP-TLS, SOL16120, SOL16123, SOL16124, SOL16126, SOL16135, SOL16136, SOL16139, SPL-95203, SSA:2015-009-01, SSRT101859, SSRT101885, SSRT101951, SSRT101968, SUSE-SU-2015:0336-1, SUSE-SU-2015:0503-1, USN-2459-1, USN-2486-1, USN-2487-1, VIGILANCE-VUL-16300, VMSA-2015-0003, VMSA-2015-0003.1, VMSA-2015-0003.10, VMSA-2015-0003.11, VMSA-2015-0003.12, VMSA-2015-0003.13, VMSA-2015-0003.14, VMSA-2015-0003.15, VMSA-2015-0003.2, VMSA-2015-0003.3, VMSA-2015-0003.4, VMSA-2015-0003.5, VMSA-2015-0003.6, VMSA-2015-0003.8, VMSA-2015-0003.9.
Full Vigil@nce bulletin... (Free trial)

Description of the vulnerability

The TLS protocol uses a series of messages which have to be exchanged between the client and the server, before establishing a secured session.

However, clients such as JSSE or CyaSSL accept if the server directly skips to the final state (CVE-2014-6593, first analyzed in VIGILANCE-VUL-16014). Moreover, servers such as Mono or OpenSSL accept if the client directly skips to the final state (CVE-2015-0205, first analyzed in VIGILANCE-VUL-15934).The established session thus uses no encryption.

An attacker, who has a TLS server, can therefore force the JSSE, CyaSSL, Mono or OpenSSL client/server to use a clear text session, in order to allow a third party to capture or alter exchanged data.
Full Vigil@nce bulletin... (Free trial)

This cybersecurity vulnerability impacts software or systems such as ArubaOS, ProxyAV, ProxySG par Blue Coat, SGOS by Blue Coat, FabricOS, Brocade Network Advisor, Cisco ATA, AnyConnect VPN Client, Cisco ACE, ASA, AsyncOS, Cisco ESA, IOS by Cisco, IronPort Email, IronPort Web, Nexus by Cisco, NX-OS, Cisco Prime Access Registrar, Prime Collaboration Assurance, Cisco Prime DCNM, Prime Infrastructure, Cisco Prime LMS, Prime Network Control Systems, Cisco PRSM, Cisco Router, Cisco IP Phone, Cisco MeetingPlace, Cisco WSA, Clearswift Email Gateway, Debian, BIG-IP Hardware, TMOS, Fedora, FreeBSD, HP-UX, AIX, IRAD, Tivoli Workload Scheduler, WebSphere MQ, Juniper J-Series, Junos OS, Junos Space, Junos Space Network Management Platform, NSM Central Manager, NSMXpress, Juniper SBR, McAfee Email Gateway, ePO, McAfee Web Gateway, Windows (platform) ~ not comprehensive, Data ONTAP 7-Mode, NetBSD, NetScreen Firewall, ScreenOS, Nodejs Core, Java OpenJDK, OpenSSL, openSUSE, Oracle Communications, Java Oracle, JavaFX, Solaris, pfSense, Puppet, RHEL, Slackware, Splunk Enterprise, stunnel, SUSE Linux Enterprise Desktop, SLES, Ubuntu, Unix (platform) ~ not comprehensive, vCenter Server, VMware vSphere.

Our Vigil@nce team determined that the severity of this vulnerability is medium.

The trust level is of type confirmed by the editor, with an origin of internet server.

This bulletin is about 2 vulnerabilities.

A proof of concept or an attack tool is available, so your teams have to process this alert. An attacker with a technician ability can exploit this weakness alert.

Solutions for this threat

CyaSSL: version 3.3.0.
The version 3.3.0 is fixed:
  http://yassl.com/yaSSL/download/downloadForm.php

Mono: version 3.12.1.
The version 3.12.1 is fixed:
  http://www.mono-project.com/download/

OpenSSL: version 1.0.1k.
The version 1.0.1k is fixed:
  https://www.openssl.org/source/

OpenSSL: version 1.0.0p.
The version 1.0.0p is fixed:
  https://www.openssl.org/source/

OpenSSL: version 0.9.8zd.
The version 0.9.8zd is fixed:
  https://www.openssl.org/source/

Oracle Java: version 8u31.
The version 8u31 is fixed:
  http://www.oracle.com/technetwork/java/javase/downloads/index.html

Oracle Java: version 7u75.
The version 7u75 is fixed:
  http://www.oracle.com/technetwork/java/javase/downloads/index.html

Oracle Java: version 6u91.
The version 6u91 is fixed:
  http://www.oracle.com/technetwork/indexes/downloads/index.html
  http://www.oracle.com/technetwork/java/javase/documentation/overview-156328.html

Oracle Java: version 5.0u81.
The version 5.0u81 is fixed:
  http://www.oracle.com/technetwork/indexes/downloads/index.html
  http://www.oracle.com/technetwork/java/javase/documentation/overview-137139.html

AIX: patch for OpenSSL.
A patch is available:
  ftp://aix.software.ibm.com/aix/efixes/security/openssl_fix12.tar

AIX: solution for Java.
The solution is indicated in information sources.

ArubaOS: solution for OpenSSL.
The solution is indicated in information sources.

Blue Coat: solution for OpenSSL.
The solution is indicated in information sources.

Brocade: solution for OpenSSL (30/03/2015).
The solution is indicated in information sources.

Cisco: solution for OpenSSL.
The solution is indicated in information sources.

Citrix NetScaler: fixed versions for LOM Firmware.
Fixed versions are indicated in information sources.

Citrix NetScaler Platform IPMI LOM: solution.
The solution is indicated in information sources.

Clearswift SECURE Email Gateway: version 3.8.5.
The version 3.8.5 is fixed:
  http://app-patches.clearswift.net/Patches/Patch3_8_5.htm

Debian: new openjdk-6 packages.
New packages are available:
  Debian 7: openjdk-6 6b34-1.13.6-1~deb7u1

Debian: new openjdk-7 packages.
New packages are available:
  Debian 7: openjdk-7 7u75-2.5.4-1~deb7u1

Debian: new openssl packages.
New packages are available:
  Debian 7: openssl 1.0.1e-2+deb7u14

F5 BIG-IP: fixed versions for OpenSSL.
Fixed versions are indicated in information sources.

Fedora 20: new java-1.7.0-openjdk packages.
New packages are available:
  Fedora 20: java-1.7.0-openjdk 1.7.0.75-2.5.4.2.fc20

Fedora: new java-1.8.0-openjdk packages.
New packages are available:
  Fedora 20: java-1.8.0-openjdk 1.8.0.45-38.b14.fc20
  Fedora 21: java-1.8.0-openjdk 1.8.0.45-38.b14.fc21

Fedora: new openssl packages.
New packages are available:
  Fedora 20: openssl 1.0.1e-41.fc20
  Fedora 21: openssl 1.0.1k-1.fc21

FreeBSD: patch for OpenSSL.
A patch is available:
  https://security.FreeBSD.org/patches/SA-15:01/openssl-9.3.patch
  https://security.FreeBSD.org/patches/SA-15:01/openssl-10.0.patch
  https://security.FreeBSD.org/patches/SA-15:01/openssl-10.1.patch

HP-UX: Java versions 6.0.25, 7.0.11 and 8.0.01.
Java versions 6.0.25, 7.0.11 and 8.0.01 are fixed:
   http://www.hp.com/java

HP-UX: OpenSSL version A.00.09.08zf.
The version OpenSSL A.00.09.08zf is fixed:
  https://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=OPENSSL11I

IBM Rational Application Developer: solution for IBM Java SDK.
The solution is indicated in information sources.

Juniper: fixed versions for OpenSSL-08/01/2015.
Fixed versions are indicated in information sources.

Mandriva BS2: new openssl packages.
New packages are available:
  Mandriva BS2: openssl 1.0.1m-1.mbs2

Mandriva: new java-1.7.0-openjdk packages.
New packages are available:
  Mandriva BS1: java-1.7.0-openjdk 1.7.0.65-2.5.4.1.mbs1

Mandriva: new openssl packages.
New packages are available:
  Mandriva BS1: openssl 1.0.0p-1.mbs1

McAfee ePO: solution for Oracle JRE.
The solution is indicated in information sources.

McAfee: solution for OpenSSL FREAK.
The solution is indicated in information sources.

NetApp: solution for OpenSSL 01/2015.
The solution is indicated in information sources.

NetBSD: patch for OpenSSL (20/03/2015).
A patch is available in information sources.

Node.js: version 0.10.36.
The version 0.10.36 is fixed:
  http://nodejs.org/download/

openSUSE 13.2: new java-1_7_0-openjdk packages.
New packages are available:
  openSUSE 13.2: java-1_7_0-openjdk 1.7.0.75-4.1

openSUSE 13.2: new libressl packages.
New packages are available:
  openSUSE 13.2: libressl 2.2.1-2.3.1

openSUSE: new openssl packages.
New packages are available:
  openSUSE 13.1: openssl 1.0.1k-11.64.2
  openSUSE 13.2: openssl 1.0.1k-2.16.2

Oracle Communications: CPU of October 2017.
A Critical Patch Update is available.

pfSense: version 2.2.
The version 2.2 is fixed:
  https://www.pfsense.org/

Puppet Enterprise: version 3.7.2.
The version 3.7.2 is fixed:
  http://puppetlabs.com/

Red Hat Satellite 5: new java-1.6.0-ibm packages.
New packages are available:
  RHEL 5: java-1.6.0-ibm 1.6.0.16.3-1jpp.1.el5
  RHEL 6: java-1.6.0-ibm 1.6.0.16.3-1jpp.1.el6

RHEL 5, 6: new java-1.5.0-ibm packages.
New packages are available:
  RHEL 5: java-1.5.0-ibm 1.5.0.16.9-1jpp.1.el5
  RHEL 6: java-1.5.0-ibm 1.5.0.16.9-1jpp.1.el6_6

RHEL 5, 6: new java-1.6.0-ibm packages.
New packages are available:
  RHEL 5: java-1.6.0-ibm 1.6.0.16.3-1jpp.1.el5

RHEL 5: new java-1.7.0-ibm packages.
New packages are available:
  RHEL 5: java-1.7.0-ibm 1.7.0.8.10-1jpp.4.el5

RHEL 6, 7: new java-1.7.1-ibm packages.
New packages are available:
  RHEL 6: java-1.7.1-ibm 1.7.1.2.10-1jpp.3.el6_6
  RHEL 7: java-1.7.1-ibm 1.7.1.2.10-1jpp.3.el7_0

RHEL 6, 7: new openssl packages.
New packages are available:
  RHEL 6: openssl 1.0.1e-30.el6_6.5
  RHEL 7: openssl 1.0.1e-34.el7_0.7

RHEL 6: new java-1.8.0-openjdk packages.
New packages are available:
  RHEL 6: java-1.8.0-openjdk 1.8.0.31-1.b13.el6_6

RHEL 6: new java-1.8.0-oracle packages.
New packages are available:
  RHEL 6: java-1.8.0-oracle 1.8.0.31-1jpp.1.el6

RHEL: new java-1.6.0-openjdk packages.
New packages are available:
  RHEL 5: java-1.6.0-openjdk 1.6.0.34-1.13.6.1.el5_11
  RHEL 6: java-1.6.0-openjdk 1.6.0.34-1.13.6.1.el6_6
  RHEL 7: java-1.6.0-openjdk 1.6.0.34-1.13.6.1.el7_0

RHEL: new java-1.6.0-sun packages.
New packages are available:
  RHEL 5: java-1.6.0-sun 1.6.0.91-1jpp.1.el5_11
  RHEL 6: java-1.6.0-sun 1.6.0.91-1jpp.1.el6
  RHEL 7: java-1.6.0-sun 1.6.0.91-1jpp.1.el7

RHEL: new java-1.7.0-openjdk packages.
New packages are available:
  RHEL 5: java-1.7.0-openjdk 1.7.0.75-2.5.4.0.el5_11
  RHEL 6: java-1.7.0-openjdk 1.7.0.75-2.5.4.0.el6_6
  RHEL 7: java-1.7.0-openjdk 1.7.0.75-2.5.4.2.el7_0

RHEL: new java-1.7.0-oracle packages.
New packages are available:
  RHEL 5: java-1.7.0-oracle 1.7.0.75-1jpp.1.el5_11
  RHEL 6: java-1.7.0-oracle 1.7.0.75-1jpp.1.el6
  RHEL 7: java-1.7.0-oracle 1.7.0.75-1jpp.2.el7

Slackware: new openssl packages.
New packages are available:
  Slackware 13.0: openssl 0.9.8zd-*-1_slack13.0
  Slackware 13.1: openssl 0.9.8zd-*-1_slack13.1
  Slackware 13.37: openssl 0.9.8zd-*-1_slack13.37
  Slackware 14.0: openssl 1.0.1k-*-1_slack14.0
  Slackware 14.1: openssl 1.0.1k-*-1_slack14.1

Snare Enterprise Agent for Windows: version 4.2.9.
The version 4.2.9 is fixed:
  https://snaresupport.intersectalliance.com/

Solaris: patch for Third Party.
A patch is available:
  https://support.oracle.com/rs?type=doc&id=1448883.1

Splunk Enterprise: version 6.2.2.
The version 6.2.2 is fixed:
  http://www.splunk.com/

stunnel: version 5.10.
The version 5.10 is fixed:
  https://www.stunnel.org/downloads.html

SUSE LE: new java-1_7_0-openjdk packages.
New packages are available:
  SUSE LE 11: java-1_7_0-openjdk 1.7.0.75-0.7.1
  SUSE LE 12: java-1_7_0-openjdk 1.7.0.75-11.3

Tivoli Workload Scheduler: solution for OpenSSL and Java.
The solution is indicated in information sources.

Ubuntu: new libssl packages.
New packages are available:
  Ubuntu 14.10: libssl1.0.0 1.0.1f-1ubuntu9.1
  Ubuntu 14.04 LTS: libssl1.0.0 1.0.1f-1ubuntu2.8
  Ubuntu 12.04 LTS: libssl1.0.0 1.0.1-4ubuntu5.21
  Ubuntu 10.04 LTS: libssl0.9.8 0.9.8k-7ubuntu8.23

Ubuntu: new openjdk-6-jre packages.
New packages are available:
  Ubuntu 12.04 LTS: openjdk-6-jre 6b34-1.13.6-1ubuntu0.12.04.1
  Ubuntu 10.04 LTS: openjdk-6-jre 6b34-1.13.6-1ubuntu0.10.04.1

Ubuntu: new openjdk-7-jre packages.
New packages are available:
  Ubuntu 14.10: openjdk-7-jre 7u75-2.5.4-1~utopic1
  Ubuntu 14.04 LTS: openjdk-7-jre 7u75-2.5.4-1~trusty1

VMware: solution for Java.
The solution is indicated in information sources.

WebSphere MQ: solution.
The solution is indicated in information sources.
Full Vigil@nce bulletin... (Free trial)

Computer vulnerabilities tracking service

Vigil@nce provides software vulnerabilities analysis. The technology watch team tracks security threats targeting the computer system. The Vigil@nce security watch publishes vulnerability bulletins about threats impacting the information system. The Vigil@nce computer vulnerability tracking service alerts your teams of vulnerabilities or threats impacting your information system.