Bug 1166910 (CVE-2014-8104)
Summary: | CVE-2014-8104 openvpn: authenticated user can DoS OpenVPN by sending a too-short control channel packet to server | ||||||
---|---|---|---|---|---|---|---|
Product: | [Other] Security Response | Reporter: | Vincent Danen <vdanen> | ||||
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> | ||||
Status: | CLOSED ERRATA | QA Contact: | |||||
Severity: | medium | Docs Contact: | |||||
Priority: | medium | ||||||
Version: | unspecified | CC: | davids, falonso, fweimer, jrusnack, security-response-team | ||||
Target Milestone: | --- | Keywords: | Security | ||||
Target Release: | --- | ||||||
Hardware: | All | ||||||
OS: | Linux | ||||||
Whiteboard: | |||||||
Fixed In Version: | openvpn 2.3.6 | Doc Type: | Bug Fix | ||||
Doc Text: | Story Points: | --- | |||||
Clone Of: | Environment: | ||||||
Last Closed: | 2014-12-18 21:17:32 UTC | Type: | --- | ||||
Regression: | --- | Mount Type: | --- | ||||
Documentation: | --- | CRM: | |||||
Verified Versions: | Category: | --- | |||||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
Cloudforms Team: | --- | Target Upstream Version: | |||||
Embargoed: | |||||||
Bug Depends On: | 1169487, 1169488 | ||||||
Bug Blocks: | 1166911 | ||||||
Attachments: |
|
Description
Vincent Danen
2014-11-21 23:12:37 UTC
Created attachment 960011 [details]
upstream patch
External References: http://community.openvpn.net/openvpn/wiki/SecurityAnnouncement-97597e732b Created openvpn tracking bugs for this issue: Affects: fedora-all [bug 1169487] Affects: epel-all [bug 1169488] Note that an update has been submitted for Fedora 21: https://admin.fedoraproject.org/updates/openvpn-2.3.6-1.fc21 Also note the following mitigating factors from the upstream announcement: """ Only tls-authenticated clients can trigger the vulnerability in the OpenVPN server. Thus both client certificates and TLS auth will protect against this exploit as long as all OpenVPN clients can be trusted to not be compromised and/or malicious. Note that username/password authentication does not protect against this exploit, and servers using --client-cert-not-required by definition have no client certificates to protect against this exploit. In particular VPN service providers are affected, because anyone can get their hands on the necessary client certificates and TLS auth keys. """ |