Bug 1103586 - (CVE-2014-0224) CVE-2014-0224 openssl: SSL/TLS MITM vulnerability
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
unspecified
All Linux
high Severity high
Assigned To: Red Hat Product Security
impact=important,public=20140605,repo...
: Security
Depends On: 1096233 1096234 1103604 1103605 1103606 1103607 1103608 1103609 1103610 1103611 1103632 1103633 1103634 1103635 1103653 1103654 1103655 1103656 1103657 1103659 1103723 1103724 1103741 1103885 1103886 1103887 1103888 1103889 1103890 1104349 1104350 1127888 1127889
Blocks: 1103601 1103903 1103904 1103905
Reported: 2014-06-02 03:17 EDT by Huzaifa S. Sidhpurwala
Modified: 2016-04-26 14:20 EDT

Fixed In Version: openssl 1.0.1h, openssl 1.0.0m, openssl 0.9.8za
Doc Type: Bug Fix
Doc Text:
It was found that OpenSSL clients and servers could be forced, via a specially crafted handshake packet, to use weak keying material for communication. A man-in-the-middle attacker could use this flaw to decrypt and modify traffic between a client and a server.
Last Closed: 2014-06-11 01:28:24 EDT

Attachments:
Upstream patch (3.32 KB, patch)
2014-06-02 04:30 EDT, Huzaifa S. Sidhpurwala
Description Huzaifa S. Sidhpurwala 2014-06-02 03:17:00 EDT
It was found that OpenSSL was vulnerable to an SSL/TLS MITM vulnerability. An attacker using a carefully crafted handshake can force the use of weak keying material in OpenSSL SSL/TLS clients and servers. This can be exploited by a man-in-the-middle (MITM) attack where the attacker can decrypt and modify traffic from the attacked client and server.

As per the upstream advisory:

The attack can only be performed between a vulnerable client *and* server. OpenSSL clients are vulnerable in all versions of OpenSSL. Servers are only known to be vulnerable in OpenSSL 1.0.1 and 1.0.2-beta1. Users of OpenSSL servers earlier than 1.0.1 are advised to upgrade as a precaution.

OpenSSL 0.9.8 SSL/TLS users (client and/or server) should upgrade to 0.9.8za.
OpenSSL 1.0.0 SSL/TLS users (client and/or server) should upgrade to 1.0.0m.
OpenSSL 1.0.1 SSL/TLS users (client and/or server) should upgrade to 1.0.1h.


Acknowledgements:

Red Hat would like to thank the OpenSSL project for reporting this issue. Upstream acknowledges KIKUCHI Masashi of Lepidum as the original reporter of this issue.
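
The version rules in the advisory text above, written out as a check on a client/server pair. This is an added example, not part of the bug report or OpenSSL's code; the function names are hypothetical. It assumes upstream version strings only: distribution packages that backport the fix keep an older upstream version (for example the openssl-1.0.1e-38 Fedora builds in this bug) and must be checked against the vendor's errata instead.

```python
import re

# Fixed upstream releases per branch, taken from the advisory quoted above.
# Assumption: inputs are upstream version strings, not distro package NVRs.
FIXED = {"0.9.8": "za", "1.0.0": "m", "1.0.1": "h"}

def parse(version):
    """Split '1.0.1g', '0.9.8za' or '1.0.2-beta1' into (branch, letters, pre)."""
    m = re.fullmatch(r"(\d+\.\d+\.\d+)([a-z]*)(?:-(\w+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {version!r}")
    return m.group(1), m.group(2), m.group(3)

def letter_rank(letters):
    # Patch letters run '', a..z, za, zb, ...: a longer suffix is newer.
    return (len(letters), letters)

def has_fix(version):
    """True if an upstream version is at or past its branch's fixed release."""
    branch, letters, _pre = parse(version)
    if branch not in FIXED:
        raise ValueError(f"branch {branch} is not covered by the advisory text")
    return letter_rank(letters) >= letter_rank(FIXED[branch])

def client_vulnerable(version):
    # "OpenSSL clients are vulnerable in all versions" (before the fixes).
    if version.strip() == "1.0.2-beta1":
        return True
    return not has_fix(version)

def server_vulnerable(version):
    # Servers are only known to be vulnerable in 1.0.1 and 1.0.2-beta1.
    if version.strip() == "1.0.2-beta1":
        return True
    return parse(version)[0] == "1.0.1" and not has_fix(version)

def pair_exposed(client, server):
    # The attack needs a vulnerable client *and* a vulnerable server.
    return client_vulnerable(client) and server_vulnerable(server)
```

A `False` from `server_vulnerable` for a 0.9.8 or 1.0.0 server means "not known to be vulnerable"; the advisory still recommends upgrading those servers as a precaution.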
Comment 4 Huzaifa S. Sidhpurwala 2014-06-02 04:30:26 EDT
Created attachment 901373
Upstream patch
Comment 21 Tomas Hoger 2014-06-05 07:39:35 EDT
Fixed upstream in versions 1.0.1h, 1.0.0m and 0.9.8za.
Comment 22 errata-xmlrpc 2014-06-05 07:54:06 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2014:0625 https://rhn.redhat.com/errata/RHSA-2014-0625.html
Comment 23 errata-xmlrpc 2014-06-05 07:54:49 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2014:0624 https://rhn.redhat.com/errata/RHSA-2014-0624.html
Comment 24 errata-xmlrpc 2014-06-05 08:04:43 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 6

Via RHSA-2014:0626 https://rhn.redhat.com/errata/RHSA-2014-0626.html
Comment 25 Huzaifa S. Sidhpurwala 2014-06-05 08:12:30 EDT
Created openssl tracking bugs for this issue:

Affects: fedora-all [bug 1096233]
Comment 26 Huzaifa S. Sidhpurwala 2014-06-05 08:12:34 EDT
Created mingw-openssl tracking bugs for this issue:

Affects: fedora-all [bug 1096234]
Comment 27 errata-xmlrpc 2014-06-05 08:15:57 EDT
This issue has been addressed in following products:

  Red Hat Storage 2.1

Via RHSA-2014:0628 https://rhn.redhat.com/errata/RHSA-2014-0628.html
Comment 28 errata-xmlrpc 2014-06-05 08:16:41 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 4 Extended Lifecycle Support
  Red Hat Enterprise Linux 5.6 Long Life
  Red Hat Enterprise Linux 5.9 EUS - Server Only
  Red Hat Enterprise Linux 6.3 EUS - Server and Compute Node Only
  Red Hat Enterprise Linux 6.4 EUS - Server and Compute Node Only
  Red Hat Enterprise Linux 6.2 AUS

Via RHSA-2014:0627 https://rhn.redhat.com/errata/RHSA-2014-0627.html
Comment 29 Vincent Danen 2014-06-05 10:52:32 EDT
IssueDescription:

It was found that OpenSSL clients and servers could be forced, via a specially crafted handshake packet, to use weak keying material for communication. A man-in-the-middle attacker could use this flaw to decrypt and modify traffic between a client and a server.
Comment 30 errata-xmlrpc 2014-06-05 10:57:29 EDT
This issue has been addressed in following products:

  Red Hat JBoss Enterprise Web Platform 5.2.0

Via RHSA-2014:0633 https://rhn.redhat.com/errata/RHSA-2014-0633.html
Comment 31 errata-xmlrpc 2014-06-05 10:58:26 EDT
This issue has been addressed in following products:

  Red Hat JBoss Web Server 2.0.1

Via RHSA-2014:0632 https://rhn.redhat.com/errata/RHSA-2014-0632.html
Comment 32 errata-xmlrpc 2014-06-05 10:58:42 EDT
This issue has been addressed in following products:

  Red Hat JBoss Enterprise Application Platform 5.2.0

Via RHSA-2014:0630 https://rhn.redhat.com/errata/RHSA-2014-0630.html
Comment 33 errata-xmlrpc 2014-06-05 10:58:57 EDT
This issue has been addressed in following products:

  RHEV-H and Agents for RHEL-6

Via RHSA-2014:0629 https://rhn.redhat.com/errata/RHSA-2014-0629.html
Comment 34 errata-xmlrpc 2014-06-05 11:27:57 EDT
This issue has been addressed in following products:

  Red Hat JBoss Enterprise Application Platform 6.2.3

Via RHSA-2014:0631 https://rhn.redhat.com/errata/RHSA-2014-0631.html
Comment 35 Fedora Update System 2014-06-05 17:53:51 EDT
openssl-1.0.1e-38.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 36 Fedora Update System 2014-06-05 17:54:48 EDT
openssl-1.0.1e-38.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 37 errata-xmlrpc 2014-06-10 08:25:01 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 7

Via RHSA-2014:0680 https://rhn.redhat.com/errata/RHSA-2014-0680.html
Comment 38 errata-xmlrpc 2014-06-10 08:28:15 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 7

Via RHSA-2014:0679 https://rhn.redhat.com/errata/RHSA-2014-0679.html
Comment 41 Tomas Hoger 2014-08-07 14:38:37 EDT
Created mingw32-openssl tracking bugs for this issue:

Affects: epel-5 [bug 1127888]