The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

vulnerability alert CVE-2014-3568

OpenSSL: option no-ssl3 useless

Synthesis of the vulnerability

An attacker can still use SSLv3, even if OpenSSL was compiled with no-ssl3.
Impacted systems: ProxyAV, ProxySG par Blue Coat, SGOS by Blue Coat, Debian, FreeBSD, hMailServer, ProCurve Switch, HP Switch, HP-UX, Tivoli Workload Scheduler, McAfee Email and Web Security, McAfee Email Gateway, ePO, VirusScan, McAfee Web Gateway, NetBSD, OpenSSL, openSUSE, openSUSE Leap, Solaris, Puppet, Slackware, stunnel, SUSE Linux Enterprise Desktop, SLES, ESXi, vCenter Server, VMware vSphere, VMware vSphere Hypervisor, WinSCP.
Severity of this alert: 1/4.
Consequences of an intrusion: data flow.
Pirate's origin: internet client.
Creation date: 15/10/2014.
Références of this alert: 1691140, 1696383, c04492722, c04616259, CERTFR-2014-AVI-435, CERTFR-2014-AVI-509, CERTFR-2015-AVI-024, CERTFR-2016-AVI-303, CTX216642, CVE-2014-3568, DSA-3053-1, ESXi500-201502001, ESXi500-201502101-SG, ESXi510-201503001, ESXi510-201503001-SG, ESXi510-201503101-SG, ESXi550-201501001, ESXi550-201501101-SG, FreeBSD-SA-14:23.openssl, HPSBHF03300, HPSBUX03162, NetBSD-SA2014-015, openSUSE-SU-2014:1331-1, openSUSE-SU-2014:1426-1, openSUSE-SU-2016:0640-1, SA87, SB10091, SSA:2014-288-01, SSRT101767, SUSE-SU-2014:1357-1, SUSE-SU-2014:1361-1, SUSE-SU-2014:1386-1, SUSE-SU-2014:1387-1, SUSE-SU-2014:1387-2, SUSE-SU-2014:1409-1, VIGILANCE-VUL-15491, VMSA-2015-0001, VMSA-2015-0001.1, VMSA-2015-0001.2.

Description of the vulnerability

The OpenSSL library can be compiled with the no-ssl3 option, in order to disable SSLv3.

However, this option does not work.

An attacker can therefore still use SSLv3, even if OpenSSL was compiled with no-ssl3.
Full Vigil@nce bulletin... (Free trial)

Computer vulnerabilities tracking service

Vigil@nce provides a networks vulnerabilities note. The Vigil@nce vulnerability database contains several thousand vulnerabilities. The technology watch team tracks security threats targeting the computer system. The Vigil@nce computer vulnerability tracking service alerts your teams of vulnerabilities or threats impacting your information system.