OpenSSL vulnerability CVE-2014-0224

My customer wants to know whether ASE is affected by the following OpenSSL vulnerabilities listed in http://www.openssl.org/news/secadv_20140605.txt:
      SSL/TLS MITM vulnerability (CVE-2014-0224),
      DTLS recursion flaw (CVE-2014-0221)
      DTLS invalid fragment vulnerability (CVE-2014-0195)
      SSL_MODE_RELEASE_BUFFERS NULL pointer dereference (CVE-2014-0198)
      SSL_MODE_RELEASE_BUFFERS session injection or denial of service (CVE-2010-5298)
      Anonymous ECDH denial of service (CVE-2014-3470)
Can you help me confirm the above?

You have clearly double posted this question in two groups.
So the first question goes back to you.
Are you running SAP applications on ASE? If so, this is not the proper group.

Similar Messages

  • High Risk on DMP 4400 and 4310 "OpenSSL MITM CVE-2014-0224"

    I cannot find a patch to fix the problem - is there a fix or should I create a TAC case?
    DMM version - 5.3.0
    4310 and 4400 - version 5.4.1

    Here is what I received as the Dell response to the OpenSSL vulnerability.
    After a couple of calls to technical support, here is what I'm getting for my iDRAC7 being flagged by Foundstone security scans for the vulnerability CVE-2014-0224:
    "The OpenSSL package used here contains multiple components; the component that is impacted and vulnerable is not being used; other components in this package are being used but aren't vulnerable."
    "Dell has determined that the products listed in the attached document are not affected by the vulnerabilities.  Some products have leveraged an older (but not vulnerable) OpenSSL module.  These could be flagged by a scanner.  Dell is currently working on updating the modules to a version that will not be flagged for these issues".
    I've also attempted to upload the document, hopefully it can be viewed or downloaded.
    If this post has helped you please rate it. 
    Thanks
    2376.Dell-ResponseOpenSSLSecurityAdvisory_05_June_2014_final.pdf

  • CVE-2014-0224

    Hi Everyone,
    We have multiple switches being found that have this vulnerability, CVE-2014-0224, known as the OpenSSL ChangeCipherSpec vulnerability. This affects our Catalyst 3750v2 switches. Are there any mitigations or workarounds for this vulnerability other than upgrading the IOS?
    Thank you
    Sherwin

    Firstly, I think you've posted this in the wrong section of the forums (TelePresence).
    But, if you read the notices in detail, and especially the ones for each specific product, they will usually let you know a workaround if there is one.
    For some of these vulnerabilities mentioned, you need to have physical access to the box, so making sure they're in a secured location is a good first step.

  • OpenSSL SSL/TLS Man-In-The-Middle Injection Attack CVE-2014-0224

    Can someone help me fix the OpenSSL issue CVE-2014-0224 on Windows Server 2008 R2? Please advise.

    Hi,
    From the description on the OpenSSL site, it is fixed in newer versions, so could you update to the new version?
    https://www.openssl.org/news/vulnerabilities.html
    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.
    CVE-2014-0224: 5th June 2014
    An attacker can force the use of weak keying material in OpenSSL SSL/TLS clients and servers. This can be exploited by a Man-in-the-middle (MITM) attack where the attacker can decrypt and modify traffic from the attacked client and server. (original advisory).
    Reported by KIKUCHI Masashi (Lepidum Co. Ltd.).
    Fixed in OpenSSL 1.0.1h (Affected 1.0.1g, 1.0.1f, 1.0.1e, 1.0.1d, 1.0.1c, 1.0.1b, 1.0.1a, 1.0.1)
    Fixed in OpenSSL 1.0.0m (Affected 1.0.0l, 1.0.0k, 1.0.0j, 1.0.0i, 1.0.0g, 1.0.0f, 1.0.0e, 1.0.0d, 1.0.0c, 1.0.0b, 1.0.0a, 1.0.0)
    Fixed in OpenSSL 0.9.8za (Affected 0.9.8y, 0.9.8x, 0.9.8w, 0.9.8v, 0.9.8u, 0.9.8t, 0.9.8s, 0.9.8r, 0.9.8q, 0.9.8p, 0.9.8o, 0.9.8n, 0.9.8m, 0.9.8l, 0.9.8k, 0.9.8j, 0.9.8i, 0.9.8h, 0.9.8g, 0.9.8f, 0.9.8e, 0.9.8d, 0.9.8c, 0.9.8b, 0.9.8a, 0.9.8)
    If you have any feedback on our support, please send to [email protected]
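The advisory text quoted in this thread gives three fix releases (1.0.1h, 1.0.0m, 0.9.8za) and the affected releases below each. The following is an added example, not code from the post, from Microsoft or from the OpenSSL project, that turns those lists into a checker for a version string or an `openssl version` banner. OpenSSL's patch-letter suffixes do not sort alphabetically once they pass `z` (`0.9.8za` is newer than `0.9.8y`), so the example orders suffixes by length first. The `FIXED_VERSIONS` table and the sample banners are taken from, or constructed to match, the advisory lines above.

```python
"""Classify an OpenSSL version string against the CVE-2014-0224 fix lines
quoted in the thread above: fixed in 1.0.1h, 1.0.0m and 0.9.8za.
Added example; not from the original post or from the OpenSSL project."""
import re
import subprocess

# Branch -> first release in that branch carrying the CVE-2014-0224 fix,
# taken from the advisory text quoted above.
FIXED_VERSIONS = {
    (1, 0, 1): "h",
    (1, 0, 0): "m",
    (0, 9, 8): "za",
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def suffix_key(letters: str):
    """Sort key for OpenSSL patch-letter suffixes in release order:
    '' < 'a' < ... < 'z' < 'za' < 'zb' (OpenSSL appends a second letter
    once the first one runs past 'z'), so compare by length first."""
    return (len(letters), letters)


def parse_version(text: str):
    """Extract (major, minor, fix) and the letter suffix from a bare
    version such as '1.0.1g' or from an 'openssl version' banner such as
    'OpenSSL 1.0.1e-fips 11 Feb 2013' (vendor suffixes after '-' are
    ignored)."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no OpenSSL version found in {text!r}")
    major, minor, fix, letters = m.groups()
    return (int(major), int(minor), int(fix)), letters


def cve_2014_0224_status(text: str) -> str:
    """Return 'affected', 'fixed' or 'unknown-branch' for a version string
    or banner. Only the three branches named in the advisory are known;
    anything else (1.0.2 and later, pre-release builds, LibreSSL) is
    reported as 'unknown-branch' rather than guessed."""
    branch, letters = parse_version(text)
    fixed = FIXED_VERSIONS.get(branch)
    if fixed is None:
        return "unknown-branch"
    return "fixed" if suffix_key(letters) >= suffix_key(fixed) else "affected"


def local_openssl_status() -> str:
    """Run 'openssl version' on this host and classify the result.
    Returns 'openssl-not-found' if the binary is missing or fails."""
    try:
        out = subprocess.run(["openssl", "version"], capture_output=True,
                             text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        return "openssl-not-found"
    return cve_2014_0224_status(out)


if __name__ == "__main__":
    # Constructed sample banners, including a vendor build with a suffix.
    for banner in ["OpenSSL 1.0.1g 7 Apr 2014", "OpenSSL 1.0.1h 5 Jun 2014",
                   "OpenSSL 0.9.8y 5 Feb 2013", "OpenSSL 1.0.1e-fips 11 Feb 2013"]:
        print(f"{banner:35} -> {cve_2014_0224_status(banner)}")
    print("local openssl:", local_openssl_status())
```

The version string alone is only a first screen. As the Dell response earlier on this page notes, vendors and distributions ship older version numbers with the fix backported, so an "affected" result from a banner check should be confirmed against the vendor's advisory or package changelog before it is treated as a finding.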

  • CSCuq79267 - UCS Apache 2.2 Vulnerability CVE-2014-0118

    I too am seeing this same behavior. Nessus has found this, and 3 other, vulnerabilities with the Apache version provided by the UCS platform.
    Any fixes in the works? We are currently running firmware 2.2(3c). The release notes for 2.2(3d) and 2.2(3e) do not address CVE-2014-0118.
    EDIT:
    2.2(3f) also does not address these vulnerabilities. Does the UCS version of Apache use the modules that are found faulty according to Nessus?
    Nessus is also reporting the following CVEs related to this one: CVE-2013-6438, CVE-2014-0098, CVE-2013-5704, CVE-2014-0226, and CVE-2014-0231.

    Hi,
    Please refer to these links,
    Linux GHOST vulnerability (CVE-2015-0235) is not as scary as it looks | Symantec Connect
    https://rhn.redhat.com/errata/RHSA-2015-0090.html
    Regards,
    S27

  • Schannel and TLS 1.x padding vulnerability (CVE-2014-8730)

    Hi all,
    Is the implementation of TLS by Microsoft Secure Channel (Schannel) (http://msdn.microsoft.com/en-us/library/windows/desktop/aa380123%28v=vs.85%29.aspx) affected by "CVE-2014-8730 TLS 1.x padding vulnerability"?
    Please see the following links for more details about this vulnerability:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8730
    https://community.qualys.com/blogs/securitylabs/2014/12/08/poodle-bites-tls
    Is there a confirmation from Microsoft that Schannel is not affected by this vulnerability?
    Regards,
    Sanjay

    No, Microsoft Schannel is not affected. Only F5 products are affected:
    http://www.securityfocus.com/bid/71549
    Vadims Podāns, aka PowerShell CryptoGuy
    My weblog: en-us.sysadmins.lv
    PowerShell PKI Module: pspki.codeplex.com
    PowerShell Cmdlet Help Editor pscmdlethelpeditor.codeplex.com
    Check out new: SSL Certificate Verifier
    Check out new: PowerShell File Checksum Integrity Verifier tool.

    I know some Windows 2008 systems which are affected?! Why?

  • NX-OS ( n7000-s1-dk9.5.1.3.bin ) BASH VULNERABILITY - CVE-2014-6271 and CVE-2014-7169

    Hi ,
    Nexus 7000 evaluation for CVE-2014-6271 and CVE-2014-7169: I am referring to the link below to check NX-OS n7000-s1-dk9.5.1.3.bin
    https://tools.cisco.com/bugsearch/bug/CSCur04856
    5.1.3 is not mentioned in the affected list. I need help to know if 5.1 is affected by the Bash vulnerability.
    Thanks for your help in advance.

    The concern with the bash shell is that services MAY be set up to run as users which use those shells, and therefore be able to have things injected into those shells. Nothing on NetWare uses bash by default, because NetWare is not anything like Linux/Unix in its use of shells. Sure, you can load bash for fun and profit on NetWare, but unless you explicitly request it the bash.nlm file is never used. On NetWare I do not think it is even possible to have any normal non-Bash environment variable somehow be exported/inherited into a bash shell, though I've never tried.
    Good luck.
    If you find this post helpful and are logged into the web interface, show your appreciation and click on the star below...

  • Bash patch did not fix vulnerability CVE-2014-7169, please fix

    The latest patch for Bash bug that I just installed for Mavericks took care of the CVE-2014-6172 vulnerability though from my testing CVE-2014-7169 is still vulnerable.  Please fix all Bash vulnerabilities soon.

    Apple is on record as saying:
    "The vast majority of OS X users are not at risk to recently reported bash vulnerabilities," an Apple spokesperson told iMore. "Bash, a UNIX command shell and language included in OS X, has a weakness that could allow unauthorized users to remotely gain control of vulnerable systems. With OS X, systems are safe by default and not exposed to remote exploits of bash unless users configure advanced UNIX services."
    You do not appear to be running any of these advanced UNIX services, so can you tell us exactly what your concern is?
    Also, my testing shows that CVE-2014-7169 is fixed by using this test:
    env X='() { (a)=>\' sh -c "echo date"; cat echo; rm ./echo
    Did you forget to delete the file "echo" from your home folder by any chance?

  • Mitigating SSL v3 POODLE Vulnerability (CVE-2014-3566)

    Hi all,
    Another day, another vulnerability. Feel like we are swimming against the tide.
    Now, SSL v3 has been shown to be vulnerable (it looks like a protocol issue, not an implementation issue, so patches are doubtful), and so I am looking at what we can do to mitigate this. Clients (such as IE, Firefox and Chrome (sort of)) can be set to disable SSL v3, but rolling this out across an enterprise might not be that easy.
    In IIS (that would be running TMS) you can switch off SSL v3 via a registry edit, but are there any knock-on effects? What about the web services built into codecs, MCUs and other infrastructure devices: can SSL v3 be switched off?
    Look forward to the responses.
    Cheers
    Chris

    Hi All,
    This tidbit is not Cisco orientated per se, but some of you might find it useful (if you haven't found the info yourselves already); it's what I sent around to my team here:
    There are many things you can do to mitigate this vulnerability, as you can also disable SSL3 in various clients (although this might affect communication with legacy systems).
    Firefox – Version 34 (due for release at the end of November) will disable SSL v3 by default, but they have released a plug-in that can disable this immediately. See https://blog.mozilla.org/security/2014/10/14/the-poodle-attack-and-the-end-of-ssl-3-0/
    IE – You can turn off SSL 3 from the Settings --> Internet Options --> Advanced --> Security section; however, if you find that the options to check SSL/TLS are greyed out (as they are on my machine), this may be a hangover from a previous security software installation.
    However, I will override this using GPO so domain-joined PCs will have this setting updated. The GPO applied to the domain is:
    Computer Setting --> Administrative Templates --> Windows Components --> Internet Explorer --> Internet Control Panel --> Advanced Page --> Turn Off Encryption Support = TLS 1.0, TLS 1.1, and TLS 1.2 ONLY
    Chrome – This is a little more difficult. It seems you can only do this at this moment in time by adding a switch to the start-up command (you can modify the shortcut on either Windows or Mac). Check out https://zmap.io/sslv3/browsers.html

  • DNS vulnerability - CVE-2014-8500

    Hello,
    I have a Mavericks server where the DNS service is active.
    Have you got a patch for this security vulnerability (does not limit delegation chaining, which allows remote attackers to cause a denial of service) ?
    Thanks
    Gilles

    You can do nothing, or you can configure BIND to relay queries for external hosts to another server instead of resolving them recursively.

  • IOS 7.06 SSL vulnerability CVE 2014-1266

    Apple begins to fix the problems with SSL validation that can lead to MITM attacks. If they choose to move a step further they can also validate a DN which corresponds to a Directory entry and enable another layer of security.  If certificates are going to be used for business and medical uses a failure to authenticate critical parts of the certificate detailed in RFC-5280 will lead to economic losses and potential medical errors.

    What is your question for us, your fellow users, in these user to user support forums?

  • [CVE-2014-6271] IronPort appliances affected by recent bash vulnerability?

    http://threatpost.com/major-bash-vulnerability-affects-linux-unix-mac-os-x
    Discussion?

    Cisco has issued an official PSIRT notice for the GNU Bash Environmental Variable Command Injection Vulnerability (CVE-2014-6271), please refer all inquiries to:
    http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140926-bash
    Please refer to the expanded "Affected Products".
    The following Cisco products are currently under investigation:
    Cable Modems
    Cisco CWMS
    Network Application, Service, and Acceleration
    Cisco ACE GSS 4400 Series Global Site Selector
    Cisco ASA
    Cisco GSS 4492R Global Site Selector
    Network and Content Security Devices
    Cisco IronPort Encryption Appliance
    Cisco Ironport WSA
    Routing and Switching - Enterprise and Service Provider
    Cisco ACE Application Control Engine Module for the Cisco Catalyst 6500
    Cisco ISM
    Cisco NCS6000
    Voice and Unified Communications Devices
    Cisco Finesse
    Cisco MediaSense
    Cisco SocialMiner
    Cisco Unified Contact Center Express (UCCX)
    Products and services listed in the subsections below have had their exposure to this vulnerability confirmed. Additional products will be added to these sections as the investigation continues.

  • Openssl vulnerability -- Adobe Connect 8.2

    What is the supported patch / fix for Adobe Connect 8.2 and Openssl vulnerabilities discovered over the last few months?  I'm assuming it is due to an old stunnel implementation.
    The remote service accepted an SSL ChangeCipherSpec message at an incorrect point in the handshake, leading to weak keys being used, and then attempted to decrypt an SSL record using those weak keys.
    CVE-2010-5298
    CVE-2014-0076
    CVE-2014-0195
    CVE-2014-0198
    CVE-2014-0221
    CVE-2014-0224
    CVE-2014-3470

    You should go and download the Stunnel application and replace the version included with Connect 8.2 (stunnel: Downloads).
    So you are aware, Connect 9 and newer installers no longer come with Stunnel, so you will need to go to Stunnel's site to download the latest version when upgrading (unless you are already on the latest version).
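The scanner finding quoted in this thread describes the ordering flaw behind CVE-2014-0224: a ChangeCipherSpec accepted before the key exchange has completed, so that the connection continues with weak keying material. The following added example, which is not code from the post, from Adobe Connect or from stunnel, shows how a passive monitor can flag that ordering in a captured record stream. It parses TLS record headers, tracks whether a ClientKeyExchange has been seen, and reports any ChangeCipherSpec that precedes one. It assumes whole, unfragmented records; the two sample flows at the bottom are constructed, not captured traffic.

```python
"""Flag a ChangeCipherSpec (CCS) record that arrives before the TLS key
exchange has completed, the handshake-ordering problem described in the
scanner finding above. Added example; not from the original post, Adobe
Connect or stunnel. Assumes whole, unfragmented TLS records."""
import struct

CONTENT_CHANGE_CIPHER_SPEC = 20
CONTENT_HANDSHAKE = 22
HS_CLIENT_HELLO = 1
HS_SERVER_HELLO = 2
HS_CERTIFICATE = 11
HS_SERVER_HELLO_DONE = 14
HS_CLIENT_KEY_EXCHANGE = 16
TLS_1_0 = 0x0301


def iter_records(data: bytes):
    """Yield (content_type, body) for each TLS record in a byte string.
    Record header: type (1) | version (2) | length (2), big-endian."""
    offset = 0
    while offset < len(data):
        if len(data) - offset < 5:
            raise ValueError("truncated TLS record header")
        ctype, _version, length = struct.unpack("!BHH", data[offset:offset + 5])
        body = data[offset + 5:offset + 5 + length]
        if len(body) != length:
            raise ValueError("truncated TLS record body")
        yield ctype, body
        offset += 5 + length


def early_ccs_findings(flow):
    """flow: list of (direction, raw_bytes) in wire order, direction 'C' for
    client->server and 'S' for server->client.
    Returns [(direction, index), ...] for every CCS observed before a
    ClientKeyExchange has been seen. In a correct handshake the client's CCS
    follows its ClientKeyExchange and the server's CCS follows that too, so
    an empty list means the ordering was normal."""
    findings = []
    key_exchange_seen = False
    ccs_seen = {"C": False, "S": False}
    for idx, (direction, raw) in enumerate(flow):
        for ctype, body in iter_records(raw):
            if ccs_seen[direction]:
                continue  # everything after a side's CCS is encrypted; skip it
            if ctype == CONTENT_HANDSHAKE and body and body[0] == HS_CLIENT_KEY_EXCHANGE:
                key_exchange_seen = True
            elif ctype == CONTENT_CHANGE_CIPHER_SPEC:
                ccs_seen[direction] = True
                if not key_exchange_seen:
                    findings.append((direction, idx))
    return findings


# --- constructed sample traffic (not a real capture) ---------------------

def record(ctype: int, body: bytes) -> bytes:
    return struct.pack("!BHH", ctype, TLS_1_0, len(body)) + body


def handshake(hs_type: int, payload: bytes = b"") -> bytes:
    """Handshake message: type (1) | length (3) | payload, wrapped in a record."""
    return record(CONTENT_HANDSHAKE,
                  bytes([hs_type]) + len(payload).to_bytes(3, "big") + payload)


CCS = record(CONTENT_CHANGE_CIPHER_SPEC, b"\x01")
ENCRYPTED_FINISHED = record(CONTENT_HANDSHAKE, b"<opaque encrypted Finished>")

# Normal RSA-key-exchange handshake: CCS only after ClientKeyExchange.
NORMAL_FLOW = [
    ("C", handshake(HS_CLIENT_HELLO, b"\x03\x01" + b"\x00" * 32)),
    ("S", handshake(HS_SERVER_HELLO) + handshake(HS_CERTIFICATE)
          + handshake(HS_SERVER_HELLO_DONE)),
    ("C", handshake(HS_CLIENT_KEY_EXCHANGE, b"\x00\x02\xaa\xbb") + CCS + ENCRYPTED_FINISHED),
    ("S", CCS + ENCRYPTED_FINISHED),
]

# The ordering the finding describes: CCS appears before any key exchange.
EARLY_CCS_FLOW = [
    ("C", handshake(HS_CLIENT_HELLO)),
    ("S", handshake(HS_SERVER_HELLO) + handshake(HS_CERTIFICATE)
          + handshake(HS_SERVER_HELLO_DONE)),
    ("C", CCS),
    ("S", CCS),
]

if __name__ == "__main__":
    print("normal flow   :", early_ccs_findings(NORMAL_FLOW))     # []
    print("early-CCS flow:", early_ccs_findings(EARLY_CCS_FLOW))  # [('C', 2), ('S', 3)]
```

A real monitor would feed reassembled TCP payloads per direction into `early_ccs_findings`; the check is only meaningful for the cleartext part of the handshake, which is why records after a side's own CCS are skipped. The durable fix remains upgrading the OpenSSL build behind the service, as the reply above says for stunnel; the detector only tells you whether the weak ordering was actually negotiated on the wire.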

  • CVE-2014-0513 hotfix for CS5?

    Hello,
    I was checking to see if there is a hotfix for CS5 regarding this vulnerability: CVE-2014-0513
    I have searched however it seems to only be for CS6 so wondering if CVE-2014-0513 even applies to CS5?
    Please advise.
    Thanks
    Reggie

    Hi Jacob,
    Is there a post or something that lists it? I went to the link you posted but I didn't see a mention of CS5 for CVE-2014-0513
    The only thing I saw was for CS6
    CVE-2014-0513 : Stack-based buffer overflow in Adobe Illustrator CS6 before 16.0.5 and 16.2.x before 16.2.2 allows remot…

  • CSCur27617: AnyConnect vulnerable to POODLE attack (CVE-2014-3566) Win/Mac/Linux Question

    CSCur27617: AnyConnect vulnerable to POODLE attack (CVE-2014-3566) Win/Mac/Linux
    I wanted to know if the AnyConnect Secure Mobility Client would still be vulnerable to this if it was only connecting via SSL VPN (TLS) to an ASA that already has the workaround implemented on it (Disable SSLv3)?
    Thanks,
    Rob Miele

    Hi Rob,
    According to the bug:
    All versions of desktop AnyConnect for Mac OS X and Linux prior to 3.1.00495 are vulnerable, so AnyConnect 3.1.06.073 is safe from the POODLE vulnerability.
    On AnyConnect you can disable SSL by using IKEv2 instead of the SSL protocols; however, as the bug mentions, the client creates a parallel SSL tunnel to get updates and profile from the router.
    If you're asking to disable SSLv3 on the router, unfortunately there is no code yet; the workaround is to disable the webvpn or upgrade the VPN client.
    As well, here is the official advisory for the POODLE vulnerability on Cisco products.
    http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20141015-poodle
    Hope it helps
    - Randy - 
