Advisory ID: cisco-sa-20140605-openssl
Revision 1.0
For Public Release 2014 June 5 22:00 UTC (GMT)
Summary
=======
Multiple Cisco products incorporate a version of the OpenSSL package affected by one or more vulnerabilities that could allow an unauthenticated, remote attacker to execute arbitrary code, create a denial of service (DoS) condition, or preform a man-in-the-middle attack. On June 5, 2014 the OpenSSL Project released a security advisory detailing seven distinct vulnerabilities. The vulnerabilities are referenced in this document as follows:
SSL/TLS Man-in-the-Middle Vulnerability
DTLS Recursion Flaw Vulnerability
DTLS Invalid Fragment Vulnerability
SSL_MODE_RELEASE_BUFFERS NULL Pointer Dereference Vulnerability
SSL_MODE_RELEASE_BUFFERS Session Injection or Denial of Service Vulnerability
Anonymous ECDH Denial of Service Vulnerability
ECDSA NONCE Side-Channel Recovery Attack Vulnerability
Please note that the devices that are affected by this vulnerability are the devices acting as an Secure Socket Layer (SSL) or Datagram Transport Layer Security (DTLS) server terminating SSL or DTLS connections or devices acting as an SSL client initiating an SSL or DTLS connection. Devices that are simply traversed by SSL or DTLS traffic without terminating it are not affected.
This advisory will be updated as additional information becomes available.
Cisco will release free software updates that address these vulnerabilities.
Workarounds that mitigate these vulnerabilities may be available.
This advisory is available at the following link:
http://tools.cisco.com/
Komentarų nėra:
Rašyti komentarą