Bug 1180185 (CVE-2014-3572)
Summary: | CVE-2014-3572 openssl: ECDH downgrade bug fix | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Vasyl Kaigorodov <vkaigoro> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | low | Docs Contact: | |
Priority: | low | ||
Version: | unspecified | CC: | carnil, cdewolf, chrisw, dandread, darran.lofthouse, erich, grocha, jason.greene, jawilson, jclere, jdoyle, john.haxby, lgao, myarboro, nlevinki, pslavice, rfortier, rhs-bugs, rsvoboda, vtunka, weli |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | OpenSSL 1.0.1k, OpenSSL 1.0.0p, OpenSSL 0.9.8zd | Doc Type: | Bug Fix |
Doc Text: |
It was discovered that OpenSSL would perform an ECDH key exchange with a non-ephemeral key even when the ephemeral ECDH cipher suite was selected. A malicious server could make a TLS/SSL client using OpenSSL use a weaker key exchange method than the one requested by the user.
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2021-10-20 10:48:31 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1180189, 1181015, 1181016, 1181017, 1181018 | ||
Bug Blocks: | 1180194 |
Description
Vasyl Kaigorodov
2015-01-08 15:18:01 UTC
Upstream commit that looks to fix the problem: https://github.com/openssl/openssl/commit/b15f8769644b00ef7283521593360b7b2135cb63 External References: https://www.openssl.org/news/secadv_20150108.txt I am not sure whether this affects also the ephemeral DH ciphersuites or not. The patch adds the requirement for ServerKeyExchange message for ephemeral DH as well. Statement: This issue does not affect the version of openssl and openssl097a as shipped with Red Hat Enterprise Linux 5. This issue does not affect the version of openssl098e as shipped with Red Hat Enterprise Linux 6 and 7. This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 Via RHSA-2015:0066 https://rhn.redhat.com/errata/RHSA-2015-0066.html |