The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

vulnerability alert CVE-2014-3568

OpenSSL: build option no-ssl3 ineffective

Synthesis of the vulnerability

An attacker can still negotiate SSLv3 with a server or client whose OpenSSL was compiled with no-ssl3.
Severity of this alert: 1/4.
Creation date: 15/10/2014.
References of this alert: 1691140, 1696383, c04492722, c04616259, CERTFR-2014-AVI-435, CERTFR-2014-AVI-509, CERTFR-2015-AVI-024, CERTFR-2016-AVI-303, CTX216642, CVE-2014-3568, DSA-3053-1, ESXi500-201502001, ESXi500-201502101-SG, ESXi510-201503001, ESXi510-201503001-SG, ESXi510-201503101-SG, ESXi550-201501001, ESXi550-201501101-SG, FreeBSD-SA-14:23.openssl, HPSBHF03300, HPSBUX03162, NetBSD-SA2014-015, openSUSE-SU-2014:1331-1, openSUSE-SU-2014:1426-1, openSUSE-SU-2016:0640-1, SA87, SB10091, SSA:2014-288-01, SSRT101767, SUSE-SU-2014:1357-1, SUSE-SU-2014:1361-1, SUSE-SU-2014:1386-1, SUSE-SU-2014:1387-1, SUSE-SU-2014:1387-2, SUSE-SU-2014:1409-1, VIGILANCE-VUL-15491, VMSA-2015-0001, VMSA-2015-0001.1, VMSA-2015-0001.2.
Full Vigil@nce bulletin... (Free trial)

Description of the vulnerability

The OpenSSL library can be configured at build time with the no-ssl3 option, so that the resulting library neither offers nor accepts the SSLv3 protocol. Removing SSLv3 altogether was the recommended response to the POODLE attack on SSLv3, disclosed the day before this bulletin, so many sites rebuilt OpenSSL with this option.

However, in the affected versions the option is incomplete: a server built with no-ssl3 can still accept and complete an SSLv3 handshake, and a client built with no-ssl3 can still be configured to initiate one.

Any peer can therefore still negotiate SSLv3 with OpenSSL compiled with no-ssl3, so deployments that relied on the build option alone remain exposed. The build option should not be the only control: also set SSL_OP_NO_SSLv3 on each SSL_CTX at runtime (SSL_CTX_set_options), and verify from the outside that the service no longer answers an SSLv3 ClientHello, rather than trusting the build flags.
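An external check for this weakness, added here as an example (it is not Vigil@nce's or OpenSSL's code): a fixed OpenSSL build cannot itself speak SSLv3 (openssl s_client -ssl3 is compiled out once no-ssl3 takes effect), so the probe below forges a minimal SSLv3 ClientHello on a raw socket and classifies the first record the server returns. The cipher-suite list, the function names and the accepted/rejected/closed labels are choices made for this example; the sample host is constructed.

```python
"""Probe whether a service still completes an SSLv3 handshake.

Added example for this bulletin (not Vigil@nce's or OpenSSL's code). It
speaks the SSLv3 record layer directly because a patched OpenSSL, and any
modern Python, refuses to emit SSLv3 itself. The cipher-suite list and the
result labels below are assumptions chosen for illustration.
"""
import os
import socket
import struct

SSL3_VERSION = 0x0300
CT_ALERT, CT_HANDSHAKE = 0x15, 0x16
HS_CLIENT_HELLO, HS_SERVER_HELLO = 0x01, 0x02

# A few RSA/DHE suites every SSLv3-era server knew. SSLv3 reuses the TLS
# suite identifiers, so these are enough to draw a ServerHello if SSLv3 is
# enabled at all (assumed list, not from the bulletin).
CIPHER_SUITES = (0x0035, 0x002F, 0x0039, 0x0033, 0x000A, 0x0005)


def build_sslv3_client_hello(client_random=None):
    """Return one SSLv3 record carrying a plain ClientHello (no extensions)."""
    client_random = client_random or os.urandom(32)
    if len(client_random) != 32:
        raise ValueError("client_random must be 32 bytes")
    suites = b"".join(struct.pack("!H", s) for s in CIPHER_SUITES)
    body = (struct.pack("!H", SSL3_VERSION) + client_random
            + b"\x00"                                   # empty session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")                              # compression: null only
    handshake = bytes([HS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return (bytes([CT_HANDSHAKE])
            + struct.pack("!HH", SSL3_VERSION, len(handshake))
            + handshake)


def classify_response(data):
    """Classify the first record a server sends back to an SSLv3 ClientHello.

    'accepted': a ServerHello with version 3.0 came back, i.e. SSLv3 is live
                (the weakness this bulletin describes when no-ssl3 was used);
    'rejected': an alert (typically handshake_failure 40 or
                protocol_version 70) or a ServerHello for another version;
    'closed':   the server hung up without a usable record.
    """
    if len(data) < 5:
        return "closed"
    ctype, _rec_version, length = struct.unpack("!BHH", data[:5])
    payload = data[5:5 + length]
    if ctype == CT_ALERT:
        return "rejected"
    if (ctype == CT_HANDSHAKE and len(payload) >= 6
            and payload[0] == HS_SERVER_HELLO):
        server_version = struct.unpack("!H", payload[4:6])[0]
        return "accepted" if server_version == SSL3_VERSION else "rejected"
    return "rejected"


def probe_sslv3(host, port=443, timeout=5.0):
    """Connect, send the forged ClientHello and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv3_client_hello())
        try:
            return classify_response(sock.recv(4096))
        except (socket.timeout, ConnectionError):
            return "closed"


if __name__ == "__main__":
    import sys
    # Constructed default target; pass a real host name on the command line.
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    print(target, probe_sslv3(target))
```

Run it against every TLS listener you rebuilt (web, SMTP with implicit TLS, management interfaces): a result of "accepted" after a no-ssl3 rebuild is exactly the condition this bulletin describes, while "rejected" confirms either the fixed release or a runtime SSL_OP_NO_SSLv3 setting is in effect. Services that only offer STARTTLS need the protocol-specific upgrade exchange before the ClientHello, which this probe does not perform.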

This vulnerability affects software or systems such as ProxyAV, ProxySG by Blue Coat, SGOS by Blue Coat, Debian, FreeBSD, hMailServer, ProCurve Switch, HP Switch, HP-UX, Tivoli Workload Scheduler, McAfee Email and Web Security, McAfee Email Gateway, ePO, VirusScan, McAfee Web Gateway, NetBSD, OpenSSL, openSUSE, openSUSE Leap, Solaris, Puppet, Slackware, stunnel, SUSE Linux Enterprise Desktop, SLES, ESXi, vCenter Server, VMware vSphere, VMware vSphere Hypervisor, WinSCP.

The Vigil@nce team rates the severity of this vulnerability as low (1/4).

Trust level: confirmed by the vendor. Attack origin: internet client.

An attacker with expert skills can exploit this vulnerability.

Solutions for this threat

OpenSSL: version 1.0.1j.
The version 1.0.1j is fixed:
  https://www.openssl.org/

OpenSSL: version 1.0.0o.
The version 1.0.0o is fixed:
  https://www.openssl.org/

OpenSSL: version 0.9.8zc.
The version 0.9.8zc is fixed:
  https://www.openssl.org/

stunnel: version 5.06.
The version 5.06 is fixed:
  https://www.stunnel.org/downloads.html
Version 5.07 fixes a regression.

Blue Coat: solution for OpenSSL.
The solution is indicated in information sources.

Citrix NetScaler: fixed versions for LOM Firmware.
Fixed versions are indicated in information sources.

Citrix NetScaler Platform IPMI LOM: solution.
The solution is indicated in information sources.

Debian: new openssl packages.
New packages are available:
  Debian 7: openssl 1.0.1e-2+deb7u13

FreeBSD: patch for OpenSSL.
A patch is available in information sources.
  FreeBSD 8.4, 9.1, 9.2: http://security.freebsd.org/patches/SA-14:23/openssl-8.4.patch
  FreeBSD 9.3: http://security.freebsd.org/patches/SA-14:23/openssl-9.3.patch
  FreeBSD 10.0: http://security.freebsd.org/patches/SA-14:23/openssl-10.0.patch

hMailServer: version 5.5.2.
The version 5.5.2 is fixed:
  https://www.hmailserver.com/download_getfile/?downloadid=236

HP Switch: solution for OpenSSL.
The solution is indicated in information sources.

HP-UX: fixed versions of OpenSSL.
Fixed OpenSSL versions are available:
  https://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=OPENSSL11I
  HP-UX B.11.11: version A.00.09.08zc.001_HP-UX_B.11.11_32+64.depot
  HP-UX B.11.23: version A.00.09.08zc.002a_HP-UX_B.11.23_IA-PA.depot
  HP-UX B.11.31: version A.00.09.08zc.003_HP-UX_B.11.31_IA-PA.depot

IBM Tivoli Workload Scheduler: solution for OpenSSL.
The solution is indicated in information sources.

McAfee: solution for OpenSSL.
The solution is indicated in information sources.

NetBSD: patch for OpenSSL.
A patch is available in information sources.

openSUSE: new libopenssl0_9_8 packages.
New packages are available:
  openSUSE 13.2: libopenssl0_9_8 0.9.8zh-9.3.1
  openSUSE Leap 42.1: libopenssl0_9_8 0.9.8zh-14.1

openSUSE: new openssl packages.
New packages are available:
  openSUSE 12.3: openssl 1.0.1j-1.68.1
  openSUSE 13.1: openssl 1.0.1j-11.56.1
  openSUSE 13.2: openssl 1.0.1j-2.4.1

Puppet Enterprise: version 3.7.0.
The version 3.7.0 is fixed:
  http://puppetlabs.com/

Slackware: new openssl packages.
New packages are available:
  Slackware 13.0: openssl 0.9.8zc-i486-1_slack13.0
  Slackware 13.1: openssl 0.9.8zc-i486-1_slack13.1
  Slackware 13.37: openssl 0.9.8zc-i486-1_slack13.37
  Slackware 14.0: openssl 1.0.1j-i486-1_slack14.0
  Slackware 14.1: openssl 1.0.1j-i486-1_slack14.1

Snare Enterprise Agent: fixed versions for OpenSSL.
Fixed versions are indicated in information sources.

Solaris 11.2: patch for OpenSSL.
A patch is available:
  https://support.oracle.com/rs?type=doc&id=1936662.1

SUSE LE 11: new openssl 0.9.8 packages.
New packages are available:
  SUSE LE 11: openssl 0.9.8j-0.66.1

SUSE LE 11: new openssl packages.
New packages are available, as indicated in information sources.

VMware ESXi 5.0: patch ESXi500-201502001.
A patch is available:
  http://kb.vmware.com/kb/2101910

VMware ESXi 5.1: patch ESXi510-201503001.
A patch is available:
  http://kb.vmware.com/kb/2099286

VMware ESXi 5.5: patch ESXi550-201501001.
A patch is available:
  ESXi550-201501001.zip
  http://kb.vmware.com/kb/2099265

VMware vCenter Server: version 5.5 Update 2d.
The version 5.5 Update 2d is fixed:
  https://www.vmware.com/go/download-vsphere

WinSCP: version 5.5.6.
The version 5.5.6 is fixed:
  http://winscp.net/eng/download.php

Computer vulnerabilities tracking service

Vigil@nce provides network vulnerability alerts. The Vigil@nce vulnerability database contains several thousand vulnerabilities. The technology watch team tracks security threats targeting the computer system. The Vigil@nce computer vulnerability tracking service alerts your teams of vulnerabilities or threats impacting your information system.