Bug 1127502 (CVE-2014-3507)

Summary: CVE-2014-3507 openssl: DTLS memory leak from zero-length fragments
Product: [Other] Security Response Reporter: Andrew Griffiths <agriffit>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: abaron, apevec, ayoung, bmcclain, cdewolf, cfergeau, chrisw, dallan, dandread, darran.lofthouse, dblechte, dgregor, erik-fedora, fdeutsch, fnasser, gkotton, grocha, huwang, idith, jason.greene, jawilson, jclere, jdoyle, jgreguske, lgao, lhh, lpeer, markmc, mnewsome, myarboro, nlevinki, pgier, pslavice, pstehlik, rbryant, rfortier, rhs-bugs, rh-spice-bugs, rjones, rsvoboda, sclewis, srevivo, tmraz, vtunka, weli, ycui, ykaul
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: openssl 1.0.1i, openssl 1.0.0n, openssl 0.9.8zb Doc Type: Bug Fix
Doc Text:
A flaw was discovered in the way OpenSSL handled DTLS packets. A remote attacker could use this flaw to cause a DTLS server or client using OpenSSL to crash or use excessive amounts of memory.
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1127695, 1127696, 1127697, 1127698, 1127704, 1127705, 1127709, 1128405, 1128406, 1128961, 1181611    
Bug Blocks: 1127468, 1127506    

Description Andrew Griffiths 2014-08-07 02:06:15 UTC
It was found that an attacker could force OpenSSL to leak memory and never free it via DTLS packets.

Comment 1 Arun Babu Neelicattu 2014-08-07 05:52:43 UTC
External References:

https://www.openssl.org/news/secadv_20140806.txt

Comment 5 Tomas Hoger 2014-08-07 11:33:27 UTC
Created openssl tracking bugs for this issue:

Affects: fedora-all [bug 1127704]

Comment 6 Tomas Hoger 2014-08-07 11:33:32 UTC
Created mingw-openssl tracking bugs for this issue:

Affects: fedora-all [bug 1127705]

Comment 7 Tomas Hoger 2014-08-07 11:39:26 UTC
Created mingw-openssl tracking bugs for this issue:

Affects: epel-7 [bug 1127709]

Comment 8 Tomas Hoger 2014-08-07 14:33:10 UTC
This did not affect openssl packages in Red Hat Enterprise Linux 5 (based on upstream 0.9.8e) and openssl 1.0.0 packages in Red Hat Enterprise Linux 6 (i.e. packages released before RHBA-2013:1585, which rebased openssl from 1.0.0 to 1.0.1e).  Issue was introduced upstream in versions 0.9.8o and 1.0.0a via the following change:

https://rt.openssl.org/Ticket/Display.html?id=2230&user=guest&pass=guest
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=c713a4c
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1507f3a

Comment 9 Fedora Update System 2014-08-09 07:34:38 UTC
openssl-1.0.1e-39.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 10 Fedora Update System 2014-08-09 07:35:47 UTC
openssl-1.0.1e-39.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 12 Martin Prpič 2014-08-12 07:42:58 UTC
IssueDescription:

A flaw was discovered in the way OpenSSL handled DTLS packets. A remote attacker could use this flaw to cause a DTLS server or client using OpenSSL to crash or use excessive amounts of memory.

Comment 13 errata-xmlrpc 2014-08-13 21:33:40 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 7

Via RHSA-2014:1052 https://rhn.redhat.com/errata/RHSA-2014-1052.html

Comment 14 errata-xmlrpc 2014-08-14 04:45:10 UTC
This issue has been addressed in following products:

  Red Hat Storage 2.1

Via RHSA-2014:1054 https://rhn.redhat.com/errata/RHSA-2014-1054.html

Comment 15 Vincent Danen 2014-08-20 14:38:31 UTC
Statement:

This did not affect openssl packages in Red Hat Enterprise Linux 5 (based on upstream 0.9.8e) and openssl 1.0.0 packages in Red Hat Enterprise Linux 6 (i.e. packages released before RHBA-2013:1585, which rebased openssl from 1.0.0 to 1.0.1e).  The issue was introduced upstream in versions 0.9.8o and 1.0.0a.