Bug 1152953 (CVE-2014-3513)
| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | CVE-2014-3513 openssl: SRTP memory leak causes crash when using specially-crafted handshake message | | |
| Product: | [Other] Security Response | Reporter: | Huzaifa S. Sidhpurwala <huzaifas> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | | |
| Version: | unspecified | CC: | acathrow, bmcclain, cdewolf, cfergeau, cmmiller, dahjelle.redhat.com, dandread, darran.lofthouse, fnasser, grocha, huwang, idith, jason.greene, jawilson, jclere, jdoyle, just4nick, lgao, lsurette, michal.skrivanek, mjc, myarboro, pslavice, rh-spice-bugs, rsvoboda, sardella, security-response-team, srevivo, vtunka, weli, ykaul |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | openssl 1.0.1j | Doc Type: | Bug Fix |
| Doc Text: | A memory leak flaw was found in the way OpenSSL parsed the DTLS Secure Real-time Transport Protocol (SRTP) extension data. A remote attacker could send multiple specially crafted handshake messages to exhaust all available memory of an SSL/TLS or DTLS server. | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | 2021-10-20 10:46:24 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1152854, 1152855, 1152856, 1152857, 1154551 | | |
| Bug Blocks: | 1152790, 1155552 | | |
Description
Huzaifa S. Sidhpurwala
2014-10-15 09:27:43 UTC
Upstream patch:

OpenSSL-1.0.1: https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=2b0532f3984324ebe1236a63d15893792384328d

IssueDescription:

A memory leak flaw was found in the way OpenSSL parsed the DTLS Secure Real-time Transport Protocol (SRTP) extension data. A remote attacker could send multiple specially crafted handshake messages to exhaust all available memory of an SSL/TLS or DTLS server.

Fixed upstream in OpenSSL version 1.0.1j: https://www.openssl.org/news/secadv_20141015.txt

Statement:

This issue did not affect the versions of OpenSSL as shipped with Red Hat Enterprise Linux 5, Red Hat JBoss Enterprise Application Platform 5 and 6, and Red Hat Enterprise JBoss Enterprise Web Server 1 and 2.

This issue has been addressed in the following products:

Red Hat Enterprise Linux 6
Red Hat Enterprise Linux 7

Via RHSA-2014:1652 https://rhn.redhat.com/errata/RHSA-2014-1652.html

This issue has been addressed in the following products:

Red Hat Storage 2.1

Via RHSA-2014:1692 https://rhn.redhat.com/errata/RHSA-2014-1692.html
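The flaw class described above, as an added, constructed illustration that is not OpenSSL's code and not part of this bug report: a hypothetical parser for the ClientHello use_srtp extension (RFC 5764 layout: a length-prefixed list of 16-bit profile IDs followed by a length-prefixed MKI) that allocates a per-handshake profile list and, in its leaky variant, returns from its error paths without freeing it. The `leaky` flag, the `live_lists` counter, the profile values and the sample extension bodies are all assumptions made for the demonstration; the point is to show how a per-handshake allocation that escapes on one failure path turns repeated handshakes into unbounded memory growth, and how freeing on every exit removes it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed illustration of the flaw class in this bug: a ClientHello
 * use_srtp extension parser (RFC 5764 layout) that allocates a per-handshake
 * profile list and, in the leaky variant, returns on error paths without
 * freeing it. Hypothetical code, not OpenSSL's. */

static size_t live_lists = 0;   /* lists allocated but not yet freed */

typedef struct {
    uint16_t *ids;
    size_t count;
} profile_list;

static profile_list *list_new(size_t n) {
    profile_list *l = calloc(1, sizeof *l);
    if (l == NULL) return NULL;
    l->ids = calloc(n ? n : 1, sizeof *l->ids);
    if (l->ids == NULL) { free(l); return NULL; }
    live_lists++;
    return l;
}

static void list_free(profile_list *l) {
    if (l == NULL) return;
    free(l->ids);
    free(l);
    live_lists--;
}

/* Profiles the server is willing to negotiate (constructed values). */
static const uint16_t server_profiles[] = { 0x0001, 0x0002 };

/* Extension body: uint16 profiles_len; uint16 profile_id[]; uint8 mki_len; opaque mki[].
 * Returns 0 and sets *chosen on success, -1 on any parse or negotiation failure.
 * With leaky != 0 the failure paths after allocation skip list_free(): the bug shape. */
int parse_use_srtp(const uint8_t *d, size_t len, uint16_t *chosen, int leaky) {
    if (len < 2) return -1;
    size_t plen = ((size_t)d[0] << 8) | d[1];
    d += 2; len -= 2;
    if ((plen & 1) || plen > len) return -1;          /* nothing allocated yet */

    profile_list *clnt = list_new(plen / 2);
    if (clnt == NULL) return -1;
    for (size_t i = 0; i < plen / 2; i++)
        clnt->ids[i] = (uint16_t)((d[2 * i] << 8) | d[2 * i + 1]);
    clnt->count = plen / 2;
    d += plen; len -= plen;

    /* This server does not support MKI: require mki_len == 0 and no trailing bytes. */
    if (len != 1 || d[0] != 0) {
        if (!leaky) list_free(clnt);                   /* leaky variant forgets this */
        return -1;
    }
    /* First server profile that the client also offered wins. */
    for (size_t s = 0; s < sizeof server_profiles / sizeof server_profiles[0]; s++)
        for (size_t c = 0; c < clnt->count; c++)
            if (clnt->ids[c] == server_profiles[s]) {
                *chosen = server_profiles[s];
                list_free(clnt);
                return 0;
            }
    if (!leaky) list_free(clnt);                       /* no common profile: leaky variant forgets this */
    return -1;
}

/* Negotiated profile for one extension body, or 0 if parsing/negotiation fails. */
uint16_t chosen_profile(const uint8_t *ext, size_t len, int leaky) {
    uint16_t p = 0;
    return parse_use_srtp(ext, len, &p, leaky) == 0 ? p : 0;
}

/* Feed the same extension body n times (n handshakes) and report lists still live. */
size_t live_after(const uint8_t *ext, size_t len, int n, int leaky) {
    live_lists = 0;
    for (int i = 0; i < n; i++) chosen_profile(ext, len, leaky);
    return live_lists;
}

/* Constructed sample bodies. */
const uint8_t ext_match[]    = { 0x00, 0x02, 0x00, 0x02, 0x00 };       /* offers 0x0002, no MKI */
const uint8_t ext_no_match[] = { 0x00, 0x02, 0x00, 0x09, 0x00 };       /* offers 0x0009 only */
const uint8_t ext_with_mki[] = { 0x00, 0x02, 0x00, 0x02, 0x01, 0xAA }; /* 1-byte MKI present */

int main(void) {
    size_t leaked = live_after(ext_no_match, sizeof ext_no_match, 1000, 1);
    size_t fixed  = live_after(ext_no_match, sizeof ext_no_match, 1000, 0);
    printf("leaky parser: %zu lists live after 1000 handshakes\n", leaked);
    printf("fixed parser: %zu lists live after 1000 handshakes\n", fixed);
    return (leaked == 1000 && fixed == 0) ? 0 : 1;
}
```

The successful path frees the list in both variants, so the leak only shows up when a client repeatedly offers an unacceptable profile set or an MKI the server rejects, which is why a server that appears to negotiate SRTP correctly can still grow without bound under a stream of rejected handshakes. Tracking outstanding allocations per request, as `live_lists` does here, is the kind of invariant a leak detector or a fuzzing harness checks to catch this class of defect before it ships.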