Bug 1103586 (CVE-2014-0224) - CVE-2014-0224 openssl: SSL/TLS MITM vulnerability
Summary: CVE-2014-0224 openssl: SSL/TLS MITM vulnerability
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2014-0224
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1096233 1096234 1103604 1103605 1103606 1103607 1103608 1103609 1103610 1103611 1103632 1103633 1103634 1103635 1103653 1103654 1103655 1103656 1103657 1103659 1103723 1103724 1103741 1103885 1103886 1103887 1103888 1103889 1103890 1104349 1104350 1127888 1127889
Blocks: 1103601 1103903 1103904 1103905
TreeView+ depends on / blocked
 
Reported: 2014-06-02 07:17 UTC by Huzaifa S. Sidhpurwala
Modified: 2019-09-29 13:17 UTC (History)
51 users (show)

Fixed In Version: openssl 1.0.1h, openssl 1.0.0m, openssl 0.9.8za
Doc Type: Bug Fix
Doc Text:
It was found that OpenSSL clients and servers could be forced, via a specially crafted handshake packet, to use weak keying material for communication. A man-in-the-middle attacker could use this flaw to decrypt and modify traffic between a client and a server.
Clone Of:
Environment:
Last Closed: 2014-06-11 05:28:24 UTC


Attachments (Terms of Use)
Upstream patch (3.32 KB, patch)
2014-06-02 08:30 UTC, Huzaifa S. Sidhpurwala
no flags Details | Diff


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2014:0624 normal SHIPPED_LIVE Important: openssl security update 2014-06-05 15:51:23 UTC
Red Hat Product Errata RHSA-2014:0625 normal SHIPPED_LIVE Important: openssl security update 2014-06-05 15:50:21 UTC
Red Hat Product Errata RHSA-2014:0626 normal SHIPPED_LIVE Important: openssl097a and openssl098e security update 2014-06-05 16:01:47 UTC
Red Hat Product Errata RHSA-2014:0627 normal SHIPPED_LIVE Important: openssl security update 2014-06-05 16:13:04 UTC
Red Hat Product Errata RHSA-2014:0628 normal SHIPPED_LIVE Important: openssl security update 2014-06-05 16:12:30 UTC
Red Hat Product Errata RHSA-2014:0629 normal SHIPPED_LIVE Important: rhev-hypervisor6 security update 2014-06-05 18:57:02 UTC
Red Hat Product Errata RHSA-2014:0630 normal SHIPPED_LIVE Important: Red Hat JBoss Enterprise Application Platform 5.2.0 security update 2014-06-05 18:56:58 UTC
Red Hat Product Errata RHSA-2014:0631 normal SHIPPED_LIVE Important: Red Hat JBoss Enterprise Application Platform 6.2.3 security update 2014-06-05 19:27:34 UTC
Red Hat Product Errata RHSA-2014:0632 normal SHIPPED_LIVE Important: Red Hat JBoss Web Server 2.0.1 openssl security update 2014-06-05 18:56:52 UTC
Red Hat Product Errata RHSA-2014:0633 normal SHIPPED_LIVE Important: Red Hat JBoss Enterprise Web Platform 5.2.0 security update 2014-06-05 18:56:31 UTC
Red Hat Product Errata RHSA-2014:0679 normal SHIPPED_LIVE Important: openssl security update 2014-06-10 16:23:51 UTC
Red Hat Product Errata RHSA-2014:0680 normal SHIPPED_LIVE Important: openssl098e security update 2014-06-10 16:23:43 UTC

Description Huzaifa S. Sidhpurwala 2014-06-02 07:17:00 UTC
It was found that OpenSSL was vulnerable to a SSL/TLS MITM vulnerability. An attacker using a carefully crafted handshake can force the use of weak keying material in OpenSSL SSL/TLS clients and servers. This can be exploited by a Man-in-the-middle (MITM) attack where the attacker can decrypt and modify traffic from the attacked client and server.

As per the upstream advisory:

The attack can only be performed between a vulnerable client *and* server. OpenSSL clients are vulnerable in all versions of OpenSSL. Servers are only known to be vulnerable in OpenSSL 1.0.1 and 1.0.2-beta1. Users of OpenSSL servers earlier than 1.0.1 are advised to upgrade as a precaution.

OpenSSL 0.9.8 SSL/TLS users (client and/or server) should upgrade to 0.9.8za.
OpenSSL 1.0.0 SSL/TLS users (client and/or server) should upgrade to 1.0.0m.
OpenSSL 1.0.1 SSL/TLS users (client and/or server) should upgrade to 1.0.1h.


Acknowledgements:

Red Hat would like to thank the OpenSSL project for reporting this issue. Upstream acknowledges KIKUCHI Masashi of Lepidum as the original reporter of this issue.

Comment 4 Huzaifa S. Sidhpurwala 2014-06-02 08:30:26 UTC
Created attachment 901373 [details]
Upstream patch

Comment 21 Tomas Hoger 2014-06-05 11:39:35 UTC
Fixed upstream in versions 1.0.1h, 1.0.0m and 0.9.8za.

Comment 22 errata-xmlrpc 2014-06-05 11:54:06 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2014:0625 https://rhn.redhat.com/errata/RHSA-2014-0625.html

Comment 23 errata-xmlrpc 2014-06-05 11:54:49 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2014:0624 https://rhn.redhat.com/errata/RHSA-2014-0624.html

Comment 24 errata-xmlrpc 2014-06-05 12:04:43 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 6

Via RHSA-2014:0626 https://rhn.redhat.com/errata/RHSA-2014-0626.html

Comment 25 Huzaifa S. Sidhpurwala 2014-06-05 12:12:30 UTC
Created openssl tracking bugs for this issue:

Affects: fedora-all [bug 1096233]

Comment 26 Huzaifa S. Sidhpurwala 2014-06-05 12:12:34 UTC
Created mingw-openssl tracking bugs for this issue:

Affects: fedora-all [bug 1096234]

Comment 27 errata-xmlrpc 2014-06-05 12:15:57 UTC
This issue has been addressed in following products:

  Red Hat Storage 2.1

Via RHSA-2014:0628 https://rhn.redhat.com/errata/RHSA-2014-0628.html

Comment 28 errata-xmlrpc 2014-06-05 12:16:41 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 4 Extended Lifecycle Support
  Red Hat Enterprise Linux 5.6 Long Life
  Red Hat Enterprise Linux 5.9 EUS - Server Only
  Red Hat Enterprise Linux 6.3 EUS - Server and Compute Node Only
  Red Hat Enterprise Linux 6.4 EUS - Server and Compute Node Only
  Red Hat Enterprise Linux 6.2 AUS

Via RHSA-2014:0627 https://rhn.redhat.com/errata/RHSA-2014-0627.html

Comment 29 Vincent Danen 2014-06-05 14:52:32 UTC
IssueDescription:

It was found that OpenSSL clients and servers could be forced, via a specially crafted handshake packet, to use weak keying material for communication. A man-in-the-middle attacker could use this flaw to decrypt and modify traffic between a client and a server.

Comment 30 errata-xmlrpc 2014-06-05 14:57:29 UTC
This issue has been addressed in following products:

  Red Hat JBoss Enterprise Web Platform 5.2.0

Via RHSA-2014:0633 https://rhn.redhat.com/errata/RHSA-2014-0633.html

Comment 31 errata-xmlrpc 2014-06-05 14:58:26 UTC
This issue has been addressed in following products:

  Red Hat JBoss Web Server 2.0.1

Via RHSA-2014:0632 https://rhn.redhat.com/errata/RHSA-2014-0632.html

Comment 32 errata-xmlrpc 2014-06-05 14:58:42 UTC
This issue has been addressed in following products:

  Red Hat JBoss Enterprise Application Platform 5.2.0

Via RHSA-2014:0630 https://rhn.redhat.com/errata/RHSA-2014-0630.html

Comment 33 errata-xmlrpc 2014-06-05 14:58:57 UTC
This issue has been addressed in following products:

  RHEV-H and Agents for RHEL-6

Via RHSA-2014:0629 https://rhn.redhat.com/errata/RHSA-2014-0629.html

Comment 34 errata-xmlrpc 2014-06-05 15:27:57 UTC
This issue has been addressed in following products:

  Red Hat JBoss Enterprise Application Platform 6.2.3

Via RHSA-2014:0631 https://rhn.redhat.com/errata/RHSA-2014-0631.html

Comment 35 Fedora Update System 2014-06-05 21:53:51 UTC
openssl-1.0.1e-38.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 36 Fedora Update System 2014-06-05 21:54:48 UTC
openssl-1.0.1e-38.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 37 errata-xmlrpc 2014-06-10 12:25:01 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 7

Via RHSA-2014:0680 https://rhn.redhat.com/errata/RHSA-2014-0680.html

Comment 38 errata-xmlrpc 2014-06-10 12:28:15 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 7

Via RHSA-2014:0679 https://rhn.redhat.com/errata/RHSA-2014-0679.html

Comment 41 Tomas Hoger 2014-08-07 18:38:37 UTC
Created mingw32-openssl tracking bugs for this issue:

Affects: epel-5 [bug 1127888]


Note You need to log in before you can comment on or make changes to this bug.