CVE-2014-3568

Impact:
Low
Public Date:
2014-10-15
IAVA:
2015-B-0007, 2015-B-0012, 2015-B-0013, 2015-B-0014
Bugzilla:
1152967: CVE-2014-3568 openssl: Build option no-ssl3 is incomplete

The MITRE CVE dictionary describes this issue as:

OpenSSL before 0.9.8zc, 1.0.0 before 1.0.0o, and 1.0.1 before 1.0.1j does not properly enforce the no-ssl3 build option, which allows remote attackers to bypass intended access restrictions via an SSL 3.0 handshake, related to s23_clnt.c and s23_srvr.c.

Find out more about CVE-2014-3568 from the MITRE CVE dictionary dictionary and NIST NVD.

Statement

Not vulnerable. The versions of openssl package as shipped in Red Hat Enterprise Linux 5, 6 and 7; Red Hat JBoss Enterprise Application Platform 5 and 6; and Red Hat JBoss Enterprise Web Server 1 and 2 are not build with the "no-ssl3" option and therefore are not vulnerable to this security flaw.

CVSS v2 metrics

NOTE: The following CVSS v2 metrics and score provided are preliminary and subject to review.

Base Score 2.6
Base Metrics AV:N/AC:H/Au:N/C:N/I:N/A:P
Access Vector Network
Access Complexity High
Authentication None
Confidentiality Impact None
Integrity Impact None
Availability Impact Partial

Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).

Affected Packages State

Platform Package State
Red Hat JBoss Web Server 3.0 openssl Not affected
Red Hat JBoss EWS 2 openssl Not affected
Red Hat JBoss EWS 1 openssl Not affected
Red Hat JBoss EAP 6 openssl Not affected
Red Hat JBoss EAP 5 openssl Not affected
Red Hat Enterprise Linux 7 openssl Not affected
Red Hat Enterprise Linux 6 openssl Not affected
Red Hat Enterprise Linux 5 openssl Not affected

Mitigation

External References

Last Modified

CVE description copyright © 2017, The MITRE Corporation

Close

Welcome! Check out the Getting Started with Red Hat page for quick tours and guides for common tasks.