Bug 1127500 (CVE-2014-3506) - CVE-2014-3506 openssl: DTLS memory exhaustion
Summary: CVE-2014-3506 openssl: DTLS memory exhaustion
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2014-3506
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1127695 1127696 1127697 1127698 1127704 1127705 1127709 1127831 1127832 1127885 1128013 1128014 1128015 1128016 1128405 1128406 1128961 1181611
Blocks: 1127468 1127506 1138223 1142543
TreeView+ depends on / blocked
 
Reported: 2014-08-07 02:03 UTC by Andrew Griffiths
Modified: 2021-02-17 06:18 UTC (History)
63 users (show)

Fixed In Version: openssl 1.0.1i, openssl 1.0.0n, openssl 0.9.8zb
Doc Type: Bug Fix
Doc Text:
A flaw was discovered in the way OpenSSL handled DTLS packets. A remote attacker could use this flaw to cause a DTLS server or client using OpenSSL to crash or use excessive amounts of memory.
Clone Of:
Environment:
Last Closed: 2014-09-24 17:43:27 UTC
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2014:1052 0 normal SHIPPED_LIVE Moderate: openssl security update 2014-08-14 01:32:03 UTC
Red Hat Product Errata RHSA-2014:1053 0 normal SHIPPED_LIVE Moderate: openssl security update 2014-08-13 22:18:41 UTC
Red Hat Product Errata RHSA-2014:1054 0 normal SHIPPED_LIVE Moderate: openssl security update 2014-08-14 08:44:38 UTC
Red Hat Product Errata RHSA-2014:1256 0 normal SHIPPED_LIVE Moderate: Red Hat JBoss Web Server 2.1.0 openssl security update 2014-09-17 20:30:52 UTC
Red Hat Product Errata RHSA-2014:1297 0 normal SHIPPED_LIVE Moderate: Red Hat JBoss Enterprise Application Platform 6.3 openssl security update 2014-09-24 20:53:55 UTC

Description Andrew Griffiths 2014-08-07 02:03:52 UTC
A vulnerability in the processing of DTLS handshake messages was found that results in large amounts of memory being used. Once the Denial Of Service attack has ceased, the memory will be freed.

Comment 1 Arun Babu Neelicattu 2014-08-07 05:52:39 UTC
External References:

https://www.openssl.org/news/secadv_20140806.txt

Comment 5 Tomas Hoger 2014-08-07 11:32:37 UTC
Created openssl tracking bugs for this issue:

Affects: fedora-all [bug 1127704]

Comment 6 Tomas Hoger 2014-08-07 11:32:43 UTC
Created mingw-openssl tracking bugs for this issue:

Affects: fedora-all [bug 1127705]

Comment 7 Tomas Hoger 2014-08-07 11:39:06 UTC
Created mingw-openssl tracking bugs for this issue:

Affects: epel-7 [bug 1127709]

Comment 10 Tomas Hoger 2014-08-07 18:35:40 UTC
Created mingw32-openssl tracking bugs for this issue:

Affects: epel-5 [bug 1127885]

Comment 12 Fedora Update System 2014-08-09 07:34:32 UTC
openssl-1.0.1e-39.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 13 Fedora Update System 2014-08-09 07:35:41 UTC
openssl-1.0.1e-39.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 15 Martin Prpič 2014-08-12 07:42:43 UTC
IssueDescription:

A flaw was discovered in the way OpenSSL handled DTLS packets. A remote attacker could use this flaw to cause a DTLS server or client using OpenSSL to crash or use excessive amounts of memory.

Comment 16 errata-xmlrpc 2014-08-13 18:19:15 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2014:1053 https://rhn.redhat.com/errata/RHSA-2014-1053.html

Comment 17 errata-xmlrpc 2014-08-13 21:33:34 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 7

Via RHSA-2014:1052 https://rhn.redhat.com/errata/RHSA-2014-1052.html

Comment 18 errata-xmlrpc 2014-08-14 04:45:04 UTC
This issue has been addressed in following products:

  Red Hat Storage 2.1

Via RHSA-2014:1054 https://rhn.redhat.com/errata/RHSA-2014-1054.html

Comment 19 errata-xmlrpc 2014-09-17 16:31:15 UTC
This issue has been addressed in the following products:

  JBoss Web Server 2.1.0

Via RHSA-2014:1256 https://rhn.redhat.com/errata/RHSA-2014-1256.html

Comment 20 errata-xmlrpc 2014-09-24 16:54:24 UTC
This issue has been addressed in the following products:

  JBoss Enterprise Application Platform 6.3.0

Via RHSA-2014:1297 https://rhn.redhat.com/errata/RHSA-2014-1297.html


Note You need to log in before you can comment on or make changes to this bug.