Description

The ssl3_send_client_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h, when an anonymous ECDH cipher suite is used, allows remote attackers to cause a denial of service (NULL pointer dereference and client crash) by triggering a NULL certificate value.

References

• SUSE-SUSE-SU-2015:0578
• SUSE-SUSE-SU-2015:0743
• SECUNIA-58337
• SECUNIA-58615
• SECUNIA-58667
• SECUNIA-58713
• SECUNIA-58714
• SECUNIA-58716
• SECUNIA-58742
• SECUNIA-58945
• SECUNIA-58977
• SECUNIA-59167
• SECUNIA-59175
• SECUNIA-59189
• SECUNIA-59192
• SECUNIA-59223
• SECUNIA-59264
• SECUNIA-59282
• SECUNIA-59284
• SECUNIA-59287
• SECUNIA-59306
• SECUNIA-59310
• SECUNIA-59340
• SECUNIA-59362
• SECUNIA-59364
• SECUNIA-59365
• SECUNIA-59431
• SECUNIA-59437
• SECUNIA-59440
• SECUNIA-59441
• SECUNIA-59445
• SECUNIA-59449
• SECUNIA-59460
• SECUNIA-59483
• SECUNIA-59518
• SECUNIA-59525
• SECUNIA-61254
• GENTOO-GLSA-201407-05
• MANDRIVA-MDVSA-2014:105
• MANDRIVA-MDVSA-2014:106
• MANDRIVA-MDVSA-2015:062
• BID-67898
• NVD-CVE-2014-3470
• UBUNTU-USN-2232-1
• DEBIAN-DLA-0003-1
• DEBIAN-DSA-2950

Solution

Related Vulnerabilities

• RHSA-2014:0679: openssl security update
• VMware Workstation: OpenSSL update for multiple products (VMSA-2014-0006) (CVE-2014-3470)
• Cisco NX-OS: Multiple Vulnerabilities in OpenSSL Affecting Cisco Products (Multiple CVEs)
• VMSA-2014-0006: OpenSSL update for multiple products. (CVE-2014-3470)
• Oracle Linux: CVE-2014-3470: ELSA-2016-3558 - openssl security update
• HP System Management Homepage - HPSBMU03051 (CVE-2014-3470): OpenSSL on Linux and Windows, Remote Denial of Service (DoS), Code Execution, Unauthorized Access, Disclosure of Information
• Cent OS: CVE-2014-3470: CESA-2014:0625 (openssl)
• ELSA-2014-0679 Important: Oracle Linux openssl security update
• FreeBSD: OpenSSL -- multiple vulnerabilities (FreeBSD-SA-14:14.openssl) (Multiple CVEs)
• RHSA-2014:0625: openssl security update
• DSA-2950-1 openssl -- security update
• OS X update for Note: (CVE-2014-3470)
• Cisco SAN-OS: Multiple Vulnerabilities in OpenSSL Affecting Cisco Products (Multiple CVEs)
• ELSA-2014-0625 Important: Oracle Linux openssl security update
• Alpine Linux: CVE-2014-3470: openssl multiple issues
• OS X update for OpenSSL (CVE-2014-3470)
• ELSA-2014-1652 Important: Oracle Linux openssl security update
• Oracle Solaris 11: CVE-2014-3470: Vulnerability in OpenSSL
• OpenSSL Anonymous ECDH denial of service (CVE-2014-3470)
• VMware Player: OpenSSL update for multiple products (VMSA-2014-0006) (CVE-2014-3470)
• HP-UX: CVE-2014-3470: Remote Code Execution or Unauthorized Accesss
• SUSE: CVE-2014-3470: SUSE Linux Security Advisory
• Gentoo Linux: CVE-2014-3470: OpenSSL: Multiple vulnerabilities
• IBM AIX: openssl_advisory9 (CVE-2014-3470): Vulnerabilities in OpenSSL affects AIX
• Amazon Linux AMI: Security patch for openssl (ALAS-2014-349) (multiple CVEs)
• VMware Fusion: OpenSSL update for multiple products (VMSA-2014-0006) (CVE-2014-3470)
• USN-2232-1: OpenSSL vulnerabilities
• Cisco IOS: cisco-sa-20140605-openssl: Multiple Vulnerabilities in OpenSSL Affecting Cisco Products