Public Date:
2015-B-0007, 2015-B-0012, 2015-B-0013, 2015-B-0014
1152961: CVE-2014-3567 openssl: Invalid TLS/SSL session tickets could cause memory leak leading to server crash
A memory leak flaw was found in the way OpenSSL handled failed session ticket integrity checks. A remote attacker could exhaust all available memory of an SSL/TLS or DTLS server by sending a large number of invalid session tickets to that server.

Find out more about CVE-2014-3567 from the MITRE CVE dictionary and NIST NVD.


This issue does not affect the version of openssl shipped with Red Hat Enterprise Linux 5; Red Hat JBoss Enterprise Application Server 5 and 6; and Red Hat JBoss Enterprise Web Server 1 and 2 because openssl-0.9.8e does not include support for session tickets.

CVSS v2 metrics

Base Score: 4.3
Base Metrics: AV:N/AC:M/Au:N/C:N/I:N/A:P
Access Vector: Network
Access Complexity: Medium
Authentication: None
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: Partial

Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).

Red Hat Security Errata

Platform | Errata | Release Date
RHEV Hypervisor for RHEL-6 (rhev-hypervisor6) | RHSA-2015:0126 | 2015-02-04
Red Hat Enterprise Linux 6 (openssl) | RHSA-2014:1652 | 2014-10-16
Red Hat Enterprise Linux 7 (openssl) | RHSA-2014:1652 | 2014-10-16
Red Hat Storage Server 2.1 (openssl) | RHSA-2014:1692 | 2014-10-22

Affected Packages State

Platform | Package | State
Red Hat JBoss EWS 2 | openssl | Not affected
Red Hat JBoss EWS 1 | openssl | Not affected
Red Hat JBoss EAP 6 | openssl | Not affected
Red Hat JBoss EAP 5 | openssl | Not affected
Red Hat Enterprise Linux 7 | openssl098e | Not affected
Red Hat Enterprise Linux 5 | openssl | Not affected
Red Hat Enterprise Linux 5 | openssl097a | Not affected
RHEV Manager 3 | mingw-virt-viewer | Will not fix

External References

Last Modified