Bug 911399 (CVE-2014-3569)

Summary: VUL-0: CVE-2014-3569: openssl: remote denial of service when built with no-ssl3
Product: [Novell Products] SUSE Security Incidents Reporter: Marcus Meissner <meissner>
Component: IncidentsAssignee: Vítězslav Čížek <vcizek>
Status: RESOLVED INVALID QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P5 - None    
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Marcus Meissner 2014-12-30 20:19:15 UTC
via nvd

The ssl23_get_client_hello function in s23_srvr.c in OpenSSL 1.0.1j does not properly handle attempts to use unsupported protocols, which allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an unexpected handshake, as demonstrated by an SSLv3 handshake to a no-ssl3 application with certain error handling. NOTE: this issue became relevant after the CVE-2014-3568 fix.






Comment 1 Marcus Meissner 2014-12-30 20:23:16 UTC
we still built with ssl3 even in factory.

-> not affected by this problem.
Comment 2 Marcus Meissner 2014-12-30 20:24:21 UTC
CVE-2014-3569,20141230,NOTE:We so far are building openssl with ssl3 enabled, so this problem does not affect our packages.
Comment 3 Marcus Meissner 2015-01-08 16:09:38 UTC

no-ssl3 configuration sets method to NULL (CVE-2014-3569)

Severity: Low

When openssl is built with the no-ssl3 option and a SSL v3 ClientHello is
received the ssl method would be set to NULL which could later result in
a NULL pointer dereference.

This issue affects all current OpenSSL versions: 1.0.1, 1.0.0 and 0.9.8.

OpenSSL 1.0.1 users should upgrade to 1.0.1k.
OpenSSL 1.0.0 users should upgrade to 1.0.0p.
OpenSSL 0.9.8 users should upgrade to 0.9.8zd.

This issue was reported to OpenSSL on 17th October 2014 by Frank Schmirler. The
fix was developed by Kurt Roeckx.
Comment 4 Bernhard Wiedemann 2015-01-09 12:00:10 UTC
This is an autogenerated message for OBS integration:
This bug (911399) was mentioned in
https://build.opensuse.org/request/show/280570 Factory / openssl
Comment 5 Swamp Workflow Management 2015-01-23 19:05:21 UTC
openSUSE-SU-2015:0130-1: An update that fixes 8 vulnerabilities is now available.

Category: security (important)
Bug References: 911399,912014,912015,912018,912292,912293,912294,912296
CVE References: CVE-2014-3569,CVE-2014-3570,CVE-2014-3571,CVE-2014-3572,CVE-2014-8275,CVE-2015-0204,CVE-2015-0205,CVE-2015-0206
Sources used:
openSUSE 13.2 (src):    openssl-1.0.1k-2.16.2
openSUSE 13.1 (src):    openssl-1.0.1k-11.64.2