Advisory ID: cisco-sa-20150310-ssl
Revision: 1.0
For Public Release 2015 March 10 16:00 UTC (GMT)
+-----------------------------
Summary
=======
Multiple Cisco products incorporate a version of the OpenSSL package
affected by one or more vulnerabilities that could allow an
unauthenticated, remote attacker to create a denial of service (DoS)
condition, or perform a man-in-the-middle attack.
On January 8, 2015, the OpenSSL Project released a security advisory
detailing eight distinct vulnerabilities. The vulnerabilities are
referenced in this document as follows:
CVE-2014-3571: OpenSSL DTLS Message Processing Denial of Service
Vulnerability
CVE-2015-0206: OpenSSL dtls1_buffer_record Function DTLS Message
Processing Denial of Service Vulnerability
CVE-2014-3569: OpenSSL no-ssl3 Option NULL Pointer Dereference
Vulnerability
CVE-2014-3572: OpenSSL Elliptic Curve Cryptographic Downgrade
Vulnerability
CVE-2015-0204: OpenSSL RSA Temporary Key Cryptographic Downgrade
Vulnerability
CVE-2015-0205: OpenSSL Diffie-Hellman Certificate Validation
Authentication Bypass Vulnerability
CVE-2014-8275: OpenSSL Certificate Fingerprint Validation
Vulnerability
CVE-2014-3570: OpenSSL BN_sql Function Incorrect Mathematical
Results Issue
This advisory will be updated as additional information becomes available.
Cisco will release free software updates that address these vulnerabilities.
Workarounds that mitigate these vulnerabilities may be available.
This advisory is available at the following link:
http://tools.cisco.com/
Komentarų nėra:
Rašyti komentarą