DESCRIPTION (From cve.mitre.org)
CVE-2013-4353: A carefully crafted invalid TLS handshake could crash OpenSSL with a NULL pointer exception. A malicious server could use this flaw to crash a connecting client. This issue only affected OpenSSL 1.0.1 versions.
CVE-2013-6449: A flaw in OpenSSL can cause an application using OpenSSL to crash when using TLS version 1.2. This issue only affected OpenSSL 1.0.1 versions. OpenSSL is vulnerable to a denial of service, caused by an error in the ssl_get_algorithm2 function. A remote attacker could exploit this vulnerability using specially-crafted traffic from a TLS 1.2 client to cause the daemon to crash.
CVE-2013-6450: A flaw in DTLS handling can cause an application using OpenSSL and DTLS to crash. This is not a vulnerability for OpenSSL prior to 1.0.0. OpenSSL is vulnerable to a denial of service, caused by the failure to properly maintain data structures for digest and encryption contexts by the DTLS retransmission implementation. A remote attacker could exploit this vulnerability to cause the daemon to crash.
CVE(s): CVE-2013-4353, CVE-2013-6449, and CVE-2013-6450
Affected product(s) and affected version(s):
- AIX 7.1, 6.1, 5.3: all versions equal to 220.127.116.110
- VIOS 2.X: all versions equal to 18.104.22.1680
Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: ftp://aix.software.ibm.com/aix/efixes/security/openssl_advisory6.asc
X-Force Database: http://xforce.iss.net/xforce/xfdb/90068
X-Force Database: http://xforce.iss.net/xforce/xfdb/90069
X-Force Database: http://xforce.iss.net/xforce/xfdb/90201