CVE-2014-3571 | Vulnerability Database | Aqua Security

OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted DTLS message that is processed with a different read operation for the handshake header than for the handshake body, related to the dtls1_get_record function in d1_pkt.c and the ssl3_read_n function in s3_pkt.c.

Affected Software

Name	Vendor	Start Version	End Version
Openssl	Openssl	*	0.9.8zc (including)
Openssl	Openssl	1.0.0a (including)	1.0.0a (including)
Openssl	Openssl	1.0.0b (including)	1.0.0b (including)
Openssl	Openssl	1.0.0c (including)	1.0.0c (including)
Openssl	Openssl	1.0.0d (including)	1.0.0d (including)
Openssl	Openssl	1.0.0e (including)	1.0.0e (including)
Openssl	Openssl	1.0.0f (including)	1.0.0f (including)
Openssl	Openssl	1.0.0g (including)	1.0.0g (including)
Openssl	Openssl	1.0.0h (including)	1.0.0h (including)
Openssl	Openssl	1.0.0i (including)	1.0.0i (including)
Openssl	Openssl	1.0.0j (including)	1.0.0j (including)
Openssl	Openssl	1.0.0k (including)	1.0.0k (including)
Openssl	Openssl	1.0.0l (including)	1.0.0l (including)
Openssl	Openssl	1.0.0m (including)	1.0.0m (including)
Openssl	Openssl	1.0.0n (including)	1.0.0n (including)
Openssl	Openssl	1.0.0o (including)	1.0.0o (including)
Openssl	Openssl	1.0.1a (including)	1.0.1a (including)
Openssl	Openssl	1.0.1b (including)	1.0.1b (including)
Openssl	Openssl	1.0.1c (including)	1.0.1c (including)
Openssl	Openssl	1.0.1d (including)	1.0.1d (including)
Openssl	Openssl	1.0.1e (including)	1.0.1e (including)
Openssl	Openssl	1.0.1f (including)	1.0.1f (including)
Openssl	Openssl	1.0.1g (including)	1.0.1g (including)
Openssl	Openssl	1.0.1h (including)	1.0.1h (including)
Openssl	Openssl	1.0.1i (including)	1.0.1i (including)
Openssl	Openssl	1.0.1j (including)	1.0.1j (including)
Red Hat Enterprise Linux 6	RedHat	openssl-0:1.0.1e-30.el6_6.5	*
Red Hat Enterprise Linux 7	RedHat	openssl-1:1.0.1e-34.el7_0.7	*
Openssl	Ubuntu	artful	*
Openssl	Ubuntu	bionic	*
Openssl	Ubuntu	cosmic	*
Openssl	Ubuntu	devel	*
Openssl	Ubuntu	disco	*
Openssl	Ubuntu	lucid	*
Openssl	Ubuntu	precise	*
Openssl	Ubuntu	trusty	*
Openssl	Ubuntu	upstream	*
Openssl	Ubuntu	utopic	*
Openssl	Ubuntu	vivid	*
Openssl	Ubuntu	vivid/stable-phone-overlay	*
Openssl	Ubuntu	vivid/ubuntu-core	*
Openssl	Ubuntu	wily	*
Openssl	Ubuntu	xenial	*
Openssl	Ubuntu	yakkety	*
Openssl	Ubuntu	zesty	*
Openssl098	Ubuntu	precise	*
Openssl098	Ubuntu	trusty	*
Openssl098	Ubuntu	upstream	*
Openssl098	Ubuntu	utopic	*
Openssl098	Ubuntu	vivid	*

References

http://lists.apple.com/archives/security-announce/2015/Apr/msg00001.html
http://lists.fedoraproject.org/pipermail/package-announce/2015-January/147938.html
http://lists.fedoraproject.org/pipermail/package-announce/2015-January/148363.html
http://lists.opensuse.org/opensuse-security-announce/2015-01/msg00021.html
http://lists.opensuse.org/opensuse-security-announce/2015-05/msg00026.html
http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00011.html
http://marc.info/?l=bugtraq\u0026m=142496179803395\u0026w=2
http://marc.info/?l=bugtraq\u0026m=142496289803847\u0026w=2
http://marc.info/?l=bugtraq\u0026m=142721102728110\u0026w=2
http://marc.info/?l=bugtraq\u0026m=142895206924048\u0026w=2
http://marc.info/?l=bugtraq\u0026m=143748090628601\u0026w=2
http://marc.info/?l=bugtraq\u0026m=144050155601375\u0026w=2
http://marc.info/?l=bugtraq\u0026m=144050205101530\u0026w=2
http://marc.info/?l=bugtraq\u0026m=144050254401665\u0026w=2
http://marc.info/?l=bugtraq\u0026m=144050297101809\u0026w=2
http://rhn.redhat.com/errata/RHSA-2015-0066.html
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150310-ssl
http://www.debian.org/security/2015/dsa-3125
http://www.mandriva.com/security/advisories?name=MDVSA-2015:019
http://www.mandriva.com/security/advisories?name=MDVSA-2015:062
http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html
http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html
http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
http://www.oracle.com/technetwork/topics/security/bulletinjan2015-2370101.html
http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html
http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html
http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html
http://www.securityfocus.com/bid/71937
http://www.securitytracker.com/id/1033378
https://bto.bluecoat.com/security-advisory/sa88
https://github.com/openssl/openssl/commit/248385c606620b29ecc96ca9d3603463f879652b
https://github.com/openssl/openssl/commit/feba02f3919495e1b960c33ba849e10e77d0785d
https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10102
https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10108
https://support.apple.com/HT204659
https://www.openssl.org/news/secadv_20150108.txt

NVD	https://nvd.nist.gov/vuln/detail/CVE-2014-3571
CWE	https://cwe.mitre.org/data/definitions/NVD-Other.html