SB2014052903 - NULL pointer dereference in openssl (Alpine package)
Published: May 29, 2014
Security Bulletin ID
SB2014052903
Severity
Medium
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Denial of service
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) NULL pointer dereference (CVE-ID: CVE-2014-0198)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.The vulnerability exists due to a NULL pointer dereference error in the in the do_ssl3_write() function in OpenSSL. A remote attacker can send a specially crafted request to vulnerable application and trigger denial of service attack.
Successful exploitation of the vulnerability requires that SSL_MODE_RELEASE_BUFFERS is enabled.
Remediation
Install update from vendor's website.
References
- https://git.alpinelinux.org/aports/commit/?id=c7c8818b7203c5ff58dd5f7d03f7e47cb681348d
- https://git.alpinelinux.org/aports/commit/?id=ac8ec244eb5c39536570aaa2ada3a5695ef6e773
- https://git.alpinelinux.org/aports/commit/?id=089bdcf0042be951c8af56aafe9a2b6a30e50feb
- https://git.alpinelinux.org/aports/commit/?id=d0064f3f832a9d56c6002a3d397bf7e03457ecec