Security Bulletin
Summary
Multiple vulnerabilities in OpenSSL disclosed on August 6, 2014 by the OpenSSL Project, plus a vulnerability in the V8 JavaScript engine
Vulnerability Details
CVE-ID: CVE-2014-3512
DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by an internal buffer overrun. A remote attacker could exploit this vulnerability using invalid SRP parameters sent from a malicious server or client to cause a denial of service.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/95158 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CVE-ID: CVE-2014-3509
DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by a race condition in the ssl_parse_serverhello_tlsext() code. If a multithreaded client connects to a malicious server using a resumed session, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/95159 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P)
CVE-ID: CVE-2014-3506
DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by an error when processing DTLS handshake messages. A remote attacker could exploit this vulnerability to consume an overly large amount of memory.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/95160 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CVE-ID: CVE-2014-3507
DESCRIPTION: OpenSSL is vulnerable to a denial of service. By sending specially-crafted DTLS packets, a remote attacker could exploit this vulnerability to leak memory and cause a denial of service.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/95161 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CVE-ID: CVE-2014-3511
DESCRIPTION: OpenSSL could allow a remote attacker to bypass security restrictions, caused by the negotiation of TLS 1.0 instead of higher protocol versions by the OpenSSL SSL/TLS server code when handling a badly fragmented ClientHello message. An attacker could exploit this vulnerability using man-in-the-middle techniques to force a downgrade to TLS 1.0.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/95162 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CVE-ID: CVE-2014-3505
DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by a double-free error when handling DTLS packets. A remote attacker could exploit this vulnerability to cause the system to crash.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/95163 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CVE-ID: CVE-2014-3510
DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by a NULL pointer dereference in anonymous ECDH ciphersuites. A remote attacker could exploit this vulnerability using a malicious handshake to cause the client to crash.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/95164 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P)
CVE-ID: CVE-2014-3508
DESCRIPTION: OpenSSL could allow a remote attacker to obtain sensitive information, caused by an error in OBJ_obj2txt. If applications echo pretty printing output, an attacker could exploit this vulnerability to read information from the stack.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/95165 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CVE-ID: CVE-2014-5139
DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by a NULL pointer dereference when an SRP ciphersuite is specified without being properly negotiated with the client. A remote attacker could exploit this vulnerability to cause the client to crash.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/95166 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CVE-ID: CVE-2013-6668
DESCRIPTION: Unspecified error in V8 has an unknown impact and attack vector.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/91516 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Affected Products and Versions
IBM SDK for Node.js v1.1.0.6 and earlier
Remediation/Fixes
IBM SDK for Node.js v1.1.0.7 and later
IBM SDK for Node.js can be downloaded, subject to the terms of the developerWorks license, from here.
IBM customers requiring an update for an SDK shipped with an IBM product should contact IBM support, and/or refer to the appropriate product security bulletin.
Get Notified about Future Security Bulletins
Important Note
IBM strongly suggests that all System z customers be subscribed to the System z Security Portal to receive the latest critical System z security and integrity service. If you are not subscribed, see the instructions on the System z Security web site. Security and integrity APARs and associated fixes will be posted to this portal. IBM suggests reviewing the CVSS scores and applying all security or integrity fixes as soon as possible to minimize any potential risk.
References
Change History
12 September 2014: Original Version Published
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
Was this topic helpful?
Document Information
Modified date:
08 August 2018
UID
swg21683389