CVE-2014-3572 | Vulnerability Database | Aqua Security

The ssl3_get_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k allows remote SSL servers to conduct ECDHE-to-ECDH downgrade attacks and trigger a loss of forward secrecy by omitting the ServerKeyExchange message.

Affected Software

Name	Vendor	Start Version	End Version
Openssl	Openssl	*	0.9.8zc (including)
Openssl	Openssl	1.0.0a (including)	1.0.0a (including)
Openssl	Openssl	1.0.0b (including)	1.0.0b (including)
Openssl	Openssl	1.0.0c (including)	1.0.0c (including)
Openssl	Openssl	1.0.0d (including)	1.0.0d (including)
Openssl	Openssl	1.0.0e (including)	1.0.0e (including)
Openssl	Openssl	1.0.0f (including)	1.0.0f (including)
Openssl	Openssl	1.0.0g (including)	1.0.0g (including)
Openssl	Openssl	1.0.0h (including)	1.0.0h (including)
Openssl	Openssl	1.0.0i (including)	1.0.0i (including)
Openssl	Openssl	1.0.0j (including)	1.0.0j (including)
Openssl	Openssl	1.0.0k (including)	1.0.0k (including)
Openssl	Openssl	1.0.0l (including)	1.0.0l (including)
Openssl	Openssl	1.0.0m (including)	1.0.0m (including)
Openssl	Openssl	1.0.0n (including)	1.0.0n (including)
Openssl	Openssl	1.0.0o (including)	1.0.0o (including)
Openssl	Openssl	1.0.1a (including)	1.0.1a (including)
Openssl	Openssl	1.0.1b (including)	1.0.1b (including)
Openssl	Openssl	1.0.1c (including)	1.0.1c (including)
Openssl	Openssl	1.0.1d (including)	1.0.1d (including)
Openssl	Openssl	1.0.1e (including)	1.0.1e (including)
Openssl	Openssl	1.0.1f (including)	1.0.1f (including)
Openssl	Openssl	1.0.1g (including)	1.0.1g (including)
Openssl	Openssl	1.0.1h (including)	1.0.1h (including)
Openssl	Openssl	1.0.1i (including)	1.0.1i (including)
Openssl	Openssl	1.0.1j (including)	1.0.1j (including)
Openssl	Ubuntu	artful	*
Openssl	Ubuntu	bionic	*
Openssl	Ubuntu	cosmic	*
Openssl	Ubuntu	devel	*
Openssl	Ubuntu	disco	*
Openssl	Ubuntu	lucid	*
Openssl	Ubuntu	precise	*
Openssl	Ubuntu	trusty	*
Openssl	Ubuntu	upstream	*
Openssl	Ubuntu	utopic	*
Openssl	Ubuntu	vivid	*
Openssl	Ubuntu	vivid/stable-phone-overlay	*
Openssl	Ubuntu	vivid/ubuntu-core	*
Openssl	Ubuntu	wily	*
Openssl	Ubuntu	xenial	*
Openssl	Ubuntu	yakkety	*
Openssl	Ubuntu	zesty	*
Openssl098	Ubuntu	precise	*
Openssl098	Ubuntu	trusty	*
Openssl098	Ubuntu	upstream	*
Openssl098	Ubuntu	utopic	*
Openssl098	Ubuntu	vivid	*
Red Hat Enterprise Linux 6	RedHat	openssl-0:1.0.1e-30.el6_6.5	*
Red Hat Enterprise Linux 7	RedHat	openssl-1:1.0.1e-34.el7_0.7	*

References

http://kb.juniper.net/InfoCenter/index?page=content\u0026id=JSA10679
http://lists.apple.com/archives/security-announce/2015/Apr/msg00001.html
http://lists.opensuse.org/opensuse-security-announce/2015-01/msg00021.html
http://lists.opensuse.org/opensuse-security-announce/2015-03/msg00027.html
http://lists.opensuse.org/opensuse-security-announce/2015-05/msg00026.html
http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00037.html
http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00011.html
http://marc.info/?l=bugtraq\u0026m=142496179803395\u0026w=2
http://marc.info/?l=bugtraq\u0026m=142496289803847\u0026w=2
http://marc.info/?l=bugtraq\u0026m=142720981827617\u0026w=2
http://marc.info/?l=bugtraq\u0026m=142721102728110\u0026w=2
http://marc.info/?l=bugtraq\u0026m=142895206924048\u0026w=2
http://marc.info/?l=bugtraq\u0026m=143748090628601\u0026w=2
http://marc.info/?l=bugtraq\u0026m=144050155601375\u0026w=2
http://marc.info/?l=bugtraq\u0026m=144050205101530\u0026w=2
http://marc.info/?l=bugtraq\u0026m=144050254401665\u0026w=2
http://marc.info/?l=bugtraq\u0026m=144050297101809\u0026w=2
http://rhn.redhat.com/errata/RHSA-2015-0066.html
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150310-ssl
http://www.debian.org/security/2015/dsa-3125
http://www.mandriva.com/security/advisories?name=MDVSA-2015:019
http://www.mandriva.com/security/advisories?name=MDVSA-2015:062
http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html
http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
http://www.oracle.com/technetwork/topics/security/bulletinjan2015-2370101.html
http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html
http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html
http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html
http://www.securityfocus.com/bid/71942
http://www.securitytracker.com/id/1033378
https://bto.bluecoat.com/security-advisory/sa88
https://github.com/openssl/openssl/commit/b15f8769644b00ef7283521593360b7b2135cb63
https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10102
https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10108
https://support.apple.com/HT204659
https://support.citrix.com/article/CTX216642
https://www.openssl.org/news/secadv_20150108.txt

NVD	https://nvd.nist.gov/vuln/detail/CVE-2014-3572
CWE	https://cwe.mitre.org/data/definitions/310.html