CVE-2014-0224

Advisory lineage Upstream: 0 Downstream: 22
Modified
Published: 05 Jun 2014, 21:00
Last modified:06 Aug 2024, 09:05

Vulnerability Summary

Overall Risk (default)
high
58/100
CVSS Score
7.4 HIGH
v3.1 (nvd)
EPSS Score
89.69% CRITICAL
90% probability -3.51%
KEV
Not listed
Ransomware
No reports
Public exploits
2 found
Dark Web
Not detected

Timeline

05 Jun 2014, 21:00
Published
Vulnerability first disclosed
06 Aug 2024, 09:05
Last Modified
Vulnerability information updated

Description

OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCipherSpec messages, which allows man-in-the-middle attackers to trigger use of a zero-length master key in certain OpenSSL-to-OpenSSL communications, and consequently hijack sessions or obtain sensitive information, via a crafted TLS handshake, aka the "CCS Injection" vulnerability.

CVSS Metrics

  • v3.1HIGHScore: 7.4CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
  • v2.0MEDIUMScore: 5.8AV:N/AC:M/Au:N/C:P/I:P/A:N

EPSS Trends

Current EPSS score: 89.69% Percentile: 100%

Techniques & Countermeasures

  • CWE-326Inadequate Encryption Strength

    The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.

Affected Systems

  • fedoraprojectfedora

    19 | 20

  • filezilla-projectfilezilla_server

    < 0.9.45

  • mariadbmariadb

    ≥ 10.0.0, < 10.0.13

  • nodejsnode.js

    < 0.10.29

  • UnknownOpenSSL

    < 0.9.8za | ≥ 1.0.0, < 1.0.0m | ≥ 1.0.1, < 1.0.1h

  • opensuseopensuse

    13.1 | 13.2

  • pythonpython

    ≥ 2.7.0, < 2.7.8 | ≥ 3.4.0, < 3.4.2

  • redhatenterprise_linux

    4 | 5 | 6.0

  • redhatjboss_enterprise_application_platform

    5.2.0 | 6.2.3

  • redhatjboss_enterprise_web_platform

    5.2.0

  • redhatjboss_enterprise_web_server

    2.0.1

  • redhatstorage

    2.1

  • siemensapplication_processing_engine_firmware

    < 2.0.2

  • siemenscp1543-1_firmware

    < 1.1.25

  • siemensrox_firmware

    < 1.16.1

  • siemenss7-1500_firmware

    < 1.6

References (303)