The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

security vulnerability CVE-2014-3567

OpenSSL: memory leak via Session Ticket

Synthesis of the vulnerability

An attacker can send malicious Session Tickets to create a memory leak in OpenSSL, in order to trigger a denial of service.
Severity of this computer vulnerability: 2/4.
Creation date: 15/10/2014.
References for this announcement: 1691140, 1696383, c04492722, c04616259, CERTFR-2014-AVI-435, CERTFR-2014-AVI-509, CERTFR-2015-AVI-024, CERTFR-2016-AVI-303, CTX216642, CVE-2014-3567, DSA-3053-1, ESXi500-201502001, ESXi500-201502101-SG, ESXi510-201503001, ESXi510-201503001-SG, ESXi510-201503101-SG, ESXi550-201501001, ESXi550-201501101-SG, FreeBSD-SA-14:23.openssl, HPSBHF03300, HPSBUX03162, MDVSA-2014:203, MDVSA-2015:062, NetBSD-SA2014-015, openSUSE-SU-2014:1331-1, openSUSE-SU-2014:1426-1, openSUSE-SU-2016:0640-1, RHSA-2014:1652-01, RHSA-2014:1653-01, RHSA-2014:1692-01, RHSA-2015:0126-01, SA87, SB10091, SOL15723, SP-CAAANST, SPL-91947, SPL-91948, SSA:2014-288-01, SSRT101767, STORM-2014-003, SUSE-SU-2014:1357-1, SUSE-SU-2014:1361-1, SUSE-SU-2014:1386-1, SUSE-SU-2014:1387-1, SUSE-SU-2014:1387-2, SUSE-SU-2014:1409-1, USN-2385-1, VIGILANCE-VUL-15490, VMSA-2015-0001, VMSA-2015-0001.1, VMSA-2015-0001.2.
Full Vigil@nce bulletin... (Free trial)

Description of the vulnerability

The OpenSSL product implements an SSL/TLS/DTLS client and server.

When the server receives a session ticket, it first verifies the ticket's integrity. However, if the ticket fails this check, the memory allocated to process it is never freed.

An attacker can therefore send malicious Session Tickets to create a memory leak in OpenSSL, in order to trigger a denial of service.
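The failure mode described above, as an added illustration that is not OpenSSL's own code: a ticket-processing routine allocates per-ticket state, verifies an integrity tag and, in the vulnerable shape, returns on tag mismatch without releasing that state, while the hardened shape funnels every path through one cleanup label. The ticket layout, the toy FNV-1a checksum standing in for the HMAC, the return-code convention and the counting allocator are all constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Instrumented allocator: counts live blocks so a leak becomes measurable. */
static long live_blocks = 0;
static void *ctx_alloc(size_t n) { void *p = malloc(n); if (p) live_blocks++; return p; }
static void ctx_free(void *p) { if (p) { free(p); live_blocks--; } }

/* Per-ticket processing state (models a cipher context plus a scratch
 * buffer); allocated as one block so each ticket costs exactly one block. */
typedef struct { size_t len; uint8_t *scratch; } ticket_ctx;

static ticket_ctx *ticket_ctx_new(size_t len) {
    ticket_ctx *c = ctx_alloc(sizeof *c + len);
    if (!c) return NULL;
    c->len = len;
    c->scratch = (uint8_t *)(c + 1);
    return c;
}
static void ticket_ctx_free(ticket_ctx *c) { ctx_free(c); }

/* Constructed ticket layout: payload || 4-byte tag. The tag is a toy FNV-1a
 * checksum standing in for the real HMAC; it only models "check passes/fails". */
#define TAG_LEN 4
static uint32_t toy_tag(const uint8_t *p, size_t n) {
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < n; i++) h = (h ^ p[i]) * 16777619u;
    return h;
}

/* Return codes (hypothetical convention): 1 = ticket accepted,
 * 2 = integrity check failed (ignore ticket, do a full handshake), -1 = error. */

/* Vulnerable shape: the failure path returns before the context is released. */
int decrypt_ticket_leaky(const uint8_t *tick, size_t len) {
    uint32_t got, expect;
    if (len <= TAG_LEN) return -1;
    ticket_ctx *c = ticket_ctx_new(len - TAG_LEN);
    if (!c) return -1;
    expect = toy_tag(tick, len - TAG_LEN);
    memcpy(&got, tick + len - TAG_LEN, TAG_LEN);
    if (got != expect)
        return 2;                       /* BUG: c is never freed on this path */
    memcpy(c->scratch, tick, c->len);   /* "decrypt" (copy) the payload */
    ticket_ctx_free(c);
    return 1;
}

/* Hardened shape: one exit label; every path, including the failure, frees. */
int decrypt_ticket_fixed(const uint8_t *tick, size_t len) {
    int ret = -1;
    uint32_t got, expect;
    ticket_ctx *c = NULL;
    if (len <= TAG_LEN) goto done;
    c = ticket_ctx_new(len - TAG_LEN);
    if (!c) goto done;
    expect = toy_tag(tick, len - TAG_LEN);
    memcpy(&got, tick + len - TAG_LEN, TAG_LEN);
    if (got != expect) { ret = 2; goto done; }
    memcpy(c->scratch, tick, c->len);
    ret = 1;
done:
    ticket_ctx_free(c);                 /* NULL-safe, runs on every path */
    return ret;
}

/* Constructed sample ticket; valid = 0 flips one tag bit to force a failure. */
size_t make_ticket(uint8_t *out, size_t cap, int valid) {
    static const uint8_t payload[] = "constructed-session-state";
    size_t plen = sizeof payload - 1;
    uint32_t tag;
    if (cap < plen + TAG_LEN) return 0;
    memcpy(out, payload, plen);
    tag = toy_tag(out, plen);
    if (!valid) tag ^= 1u;
    memcpy(out + plen, &tag, TAG_LEN);
    return plen + TAG_LEN;
}

typedef int (*ticket_fn)(const uint8_t *, size_t);

/* Result code for one constructed ticket. */
int result_on(ticket_fn fn, int valid) {
    uint8_t buf[64];
    size_t len = make_ticket(buf, sizeof buf, valid);
    return fn(buf, len);
}

/* Regression check: process n invalid tickets and report how many blocks
 * are still live afterwards. A correct implementation reports 0. */
long blocks_leaked_after(ticket_fn fn, int n) {
    long before = live_blocks;
    uint8_t buf[64];
    size_t len = make_ticket(buf, sizeof buf, 0);
    for (int i = 0; i < n; i++) fn(buf, len);
    return live_blocks - before;
}

int main(void) {
    printf("leaky: %ld blocks leaked after 1000 invalid tickets\n",
           blocks_leaked_after(decrypt_ticket_leaky, 1000));
    printf("fixed: %ld blocks leaked after 1000 invalid tickets\n",
           blocks_leaked_after(decrypt_ticket_fixed, 1000));
    return 0;
}
```

`blocks_leaked_after` is the kind of regression test that catches this bug class: drive the failure path repeatedly under an instrumented allocator (or under a leak checker such as Valgrind or LeakSanitizer) and require the live-block count to return to its starting value. The single-exit `goto done` structure in the hardened version is what makes the failure path impossible to forget.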

This computer weakness bulletin impacts software or systems such as StormShield, ProxyAV, ProxySG by Blue Coat, SGOS by Blue Coat, Debian, BIG-IP Hardware, TMOS, FreeBSD, hMailServer, ProCurve Switch, HP Switch, HP-UX, AIX, Tivoli Workload Scheduler, McAfee Email and Web Security, McAfee Email Gateway, ePO, VirusScan, McAfee Web Gateway, NetBSD, OpenBSD, OpenSSL, openSUSE, openSUSE Leap, Solaris, Puppet, RHEL, Slackware, Splunk Enterprise, stunnel, SUSE Linux Enterprise Desktop, SLES, Ubuntu, ESXi, vCenter Server, VMware vSphere, VMware vSphere Hypervisor, WinSCP.

Our Vigil@nce team determined that the severity of this computer threat announcement is medium.

The trust level is: confirmed by the vendor, with an origin of internet client.

An attacker with expert skills can exploit this threat announcement.

Solutions for this threat

OpenSSL: version 1.0.1j.
The version 1.0.1j is fixed:
  https://www.openssl.org/

OpenSSL: version 1.0.0o.
The version 1.0.0o is fixed:
  https://www.openssl.org/

OpenSSL: version 0.9.8zc.
The version 0.9.8zc is fixed:
  https://www.openssl.org/

stunnel: version 5.06.
The version 5.06 is fixed:
  https://www.stunnel.org/downloads.html
The version 5.07 fixes a regression error.

Arkoon Stormshield: version for CVE-2014-3567.
A fixed version is available.

Blue Coat: solution for OpenSSL.
The solution is indicated in information sources.

Citrix NetScaler: fixed versions for LOM Firmware.
Fixed versions are indicated in information sources.

Citrix NetScaler Platform IPMI LOM: solution.
The solution is indicated in information sources.

Debian: new openssl packages.
New packages are available:
  Debian 7: openssl 1.0.1e-2+deb7u13

F5 BIG-IP: fixed versions for OpenSSL.
Fixed versions are indicated in information sources.

FreeBSD: patch for OpenSSL.
A patch is available in information sources.
  FreeBSD 8.4, 9.1, 9.2: http://security.freebsd.org/patches/SA-14:23/openssl-8.4.patch
  FreeBSD 9.3: http://security.freebsd.org/patches/SA-14:23/openssl-9.3.patch
  FreeBSD 10.0: http://security.freebsd.org/patches/SA-14:23/openssl-10.0.patch

hMailServer: version 5.5.2.
The version 5.5.2 is fixed:
  https://www.hmailserver.com/download_getfile/?downloadid=236

HP Switch: solution for OpenSSL.
The solution is indicated in information sources.

HP-UX: fixed versions of OpenSSL.
Fixed OpenSSL versions are available:
  https://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=OPENSSL11I
  HP-UX B.11.11: version A.00.09.08zc.001_HP-UX_B.11.11_32+64.depot
  HP-UX B.11.23: version A.00.09.08zc.002a_HP-UX_B.11.23_IA-PA.depot
  HP-UX B.11.31: version A.00.09.08zc.003_HP-UX_B.11.31_IA-PA.depot

IBM AIX: patch for OpenSSL.
A patch is available. The announcement states the applicable patch reference according to the already installed version of OpenSSL.

IBM Tivoli Workload Scheduler: solution for OpenSSL.
The solution is indicated in information sources.

Mandriva BS2: new openssl packages.
New packages are available:
  Mandriva BS2: openssl 1.0.1m-1.mbs2

Mandriva: new openssl packages.
New packages are available:
  Mandriva BS1: openssl 1.0.0o-1.mbs1

McAfee: solution for OpenSSL.
The solution is indicated in information sources.

NetBSD: patch for OpenSSL.
A patch is available in information sources.

OpenBSD: patch for OpenSSL.
A patch is available:
  http://ftp.openbsd.org/pub/OpenBSD/patches/5.4/common/016_openssl.patch
  http://ftp.openbsd.org/pub/OpenBSD/patches/5.5/common/012_openssl.patch.sig

openSUSE: new libopenssl0_9_8 packages.
New packages are available:
  openSUSE 13.2: libopenssl0_9_8 0.9.8zh-9.3.1
  openSUSE Leap 42.1: libopenssl0_9_8 0.9.8zh-14.1

openSUSE: new openssl packages.
New packages are available:
  openSUSE 12.3: openssl 1.0.1j-1.68.1
  openSUSE 13.1: openssl 1.0.1j-11.56.1
  openSUSE 13.2: openssl 1.0.1j-2.4.1

Puppet Enterprise: version 3.7.0.
The version 3.7.0 is fixed:
  http://puppetlabs.com/

Red Hat Storage Server: new openssl packages.
New packages are available:
  RHEL 6: openssl 1.0.1e-30.el6_6.2

RHEL 5: new openssl packages.
New packages are available:
  RHEL 5: openssl 0.9.8e-31.el5_11

RHEL 6, 7: new openssl packages.
New packages are available:
  RHEL 6: openssl 1.0.1e-30.el6_6.2
  RHEL 7: openssl 1.0.1e-34.el7_0.6

RHEL 6 RHEV Hypervisor: new rhev-hypervisor6 packages.
New packages are available:
  RHEL 6: rhev-hypervisor6 6.6-20150123.1.el6ev

Slackware: new openssl packages.
New packages are available:
  Slackware 13.0: openssl 0.9.8zc-i486-1_slack13.0
  Slackware 13.1: openssl 0.9.8zc-i486-1_slack13.1
  Slackware 13.37: openssl 0.9.8zc-i486-1_slack13.37
  Slackware 14.0: openssl 1.0.1j-i486-1_slack14.0
  Slackware 14.1: openssl 1.0.1j-i486-1_slack14.1

Snare Enterprise Agent: fixed versions for OpenSSL.
Fixed versions are indicated in information sources.

Solaris 11.2: patch for OpenSSL.
A patch is available:
  https://support.oracle.com/rs?type=doc&id=1936662.1

Splunk Enterprise: version 5.0.11.
The version 5.0.11 is fixed:
  http://www.splunk.com/

Splunk Enterprise: version 6.0.7.
The version 6.0.7 is fixed:
  http://www.splunk.com/

Splunk: version 6.1.5.
The version 6.1.5 is fixed:
  http://www.splunk.com/

SUSE LE 11: new openssl 0.9.8 packages.
New packages are available:
  SUSE LE 11: openssl 0.9.8j-0.66.1

SUSE LE 11: new openssl packages.
New packages are available, as indicated in information sources.

Ubuntu: new libssl packages.
New packages are available:
  Ubuntu 14.04 LTS: libssl1.0.0 1.0.1f-1ubuntu2.7
  Ubuntu 12.04 LTS: libssl1.0.0 1.0.1-4ubuntu5.20
  Ubuntu 10.04 LTS: libssl0.9.8 0.9.8k-7ubuntu8.22

VMware ESXi 5.0: patch ESXi500-201502001.
A patch is available:
  http://kb.vmware.com/kb/2101910

VMware ESXi 5.1: patch ESXi510-201503001.
A patch is available:
  http://kb.vmware.com/kb/2099286

VMware ESXi 5.5: patch ESXi550-201501001.
A patch is available:
  ESXi550-201501001.zip
  http://kb.vmware.com/kb/2099265

VMware vCenter Server: version 5.5 Update 2d.
The version 5.5 Update 2d is fixed:
  https://www.vmware.com/go/download-vsphere

WinSCP: version 5.5.6.
The version 5.5.6 is fixed:
  http://winscp.net/eng/download.php
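An added helper, not part of the bulletin, for checking an upstream OpenSSL version string against the fixed releases listed above (1.0.1j, 1.0.0o, 0.9.8zc). The point worth getting right is the pre-1.1 letter suffix, which orders a < ... < y < z < za < zb < zc, so a plain string compare would wrongly treat 0.9.8zc as older than 0.9.8y. The parser, the comparison rule and the return-code convention are this example's own.

```c
#include <stdio.h>
#include <string.h>

/* Parsed pre-1.1 OpenSSL version: MAJOR.MINOR.FIX plus an optional letter suffix. */
typedef struct { int maj, min, fix; char letters[8]; } osl_ver;

/* Accepts "1.0.1j", "0.9.8zc", "1.0.1e-fips" or a full "OpenSSL 1.0.1j ..." banner. */
static int parse_ver(const char *s, osl_ver *v) {
    if (strncmp(s, "OpenSSL ", 8) == 0) s += 8;
    v->letters[0] = '\0';
    return sscanf(s, "%d.%d.%d%7[a-z]", &v->maj, &v->min, &v->fix, v->letters) >= 3;
}

/* Letter suffixes: compare length first (anything past z is spelled
 * "z" + letter, so it is longer), then alphabetically. */
static int cmp_ver(const osl_ver *a, const osl_ver *b) {
    if (a->maj != b->maj) return a->maj - b->maj;
    if (a->min != b->min) return a->min - b->min;
    if (a->fix != b->fix) return a->fix - b->fix;
    int la = (int)strlen(a->letters), lb = (int)strlen(b->letters);
    if (la != lb) return la - lb;
    return strcmp(a->letters, b->letters);
}

/* Upstream releases fixed for CVE-2014-3567 as listed in the bulletin.
 * Returns 1 if the version is at or after the fix on its branch, 0 if it is
 * before the fix, -1 if the string is unparsable or the branch is not listed. */
int openssl_fixed_for_cve_2014_3567(const char *version) {
    static const char *const fixed[] = { "1.0.1j", "1.0.0o", "0.9.8zc" };
    osl_ver v, f;
    if (!parse_ver(version, &v)) return -1;
    for (size_t i = 0; i < sizeof fixed / sizeof fixed[0]; i++) {
        if (!parse_ver(fixed[i], &f)) return -1;
        if (v.maj == f.maj && v.min == f.min && v.fix == f.fix)
            return cmp_ver(&v, &f) >= 0;
    }
    return -1;
}

int main(void) {
    /* Constructed sample inputs. */
    const char *samples[] = { "1.0.1j", "1.0.1i", "0.9.8zc", "0.9.8y", "1.0.0n", "1.0.2" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-8s -> %d\n", samples[i], openssl_fixed_for_cve_2014_3567(samples[i]));
    return 0;
}
```

This check applies to upstream builds only. Distribution packages backport the fix without changing the base version (the bulletin's Debian 1.0.1e-2+deb7u13, RHEL 1.0.1e-30.el6_6.2 and Ubuntu 1.0.1f-1ubuntu2.7 are all fixed despite a base older than 1.0.1j), so for those compare the package release against the vendor entries listed above rather than the upstream version.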

Computer vulnerabilities tracking service

Vigil@nce provides a cybersecurity workaround. The Vigil@nce computer vulnerability tracking service alerts your teams of vulnerabilities or threats impacting your information system. The Vigil@nce security watch publishes vulnerability bulletins about threats impacting the information system. Each administrator can customize the list of products for which he wants to receive vulnerability alerts.