OpenSSL CVE-2014-0224 Weak Encryption Vulnerability

Description

An attacker using a carefully crafted handshake can force the use of weak keying material in OpenSSL SSL/TLS clients and servers. This can be exploited by a Man-in-the-middle (MITM) attack where the attacker can decrypt and modify traffic from the attacked client and server.

The attack can only be performed between a vulnerable client *and* server. OpenSSL clients are vulnerable in all versions of OpenSSL. Servers are only known to be vulnerable in OpenSSL 1.0.1 and 1.0.2-beta1. Users of OpenSSL servers earlier than 1.0.1 are advised to upgrade as a precaution.

OpenSSL 0.9.8 SSL/TLS users (client and/or server) should upgrade to 0.9.8za.
OpenSSL 1.0.0 SSL/TLS users (client and/or server) should upgrade to 1.0.0m.
OpenSSL 1.0.1 SSL/TLS users (client and/or server) should upgrade to 1.0.1h.

Thanks to KIKUCHI Masashi (Lepidum Co. Ltd.) for discovering and researching this issue. This issue was reported to OpenSSL on 1st May 2014 via JPCERT/CC. The fix was developed by Stephen Henson of the OpenSSL core team partly based on an original patch from KIKUCHI Masashi.
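The version guidance above turned into a triage check, so an inventory of OpenSSL builds can be classified by role. This is an added example, not code from the advisory or from the OpenSSL project; the function names (`parse_version`, `assess`, `mitm_exposed`) and the sample version strings are assumptions of this example, and only the release branches the advisory names (0.9.8, 1.0.0, 1.0.1, and the 1.0.2-beta1 server case) are classified; anything else is reported as not covered.

```python
"""Triage helper for CVE-2014-0224 following the advisory text.

Added example, not OpenSSL project code. It parses OpenSSL's version
scheme (major.minor.fix, optional patch letters such as '1.0.1g' or
'0.9.8za', or a '-betaN' pre-release suffix) and applies the rules the
advisory states: clients are vulnerable in every release before the
fixed ones, servers are only known vulnerable in 1.0.1 and 1.0.2-beta1,
and older servers are advised to upgrade as a precaution. The attack
needs a vulnerable client AND a vulnerable server, which mitm_exposed()
encodes.
"""
import re

# Fixed releases named in the advisory, keyed by release branch.
FIXED = {"0.9.8": "0.9.8za", "1.0.0": "1.0.0m", "1.0.1": "1.0.1h"}

# Server release explicitly named as vulnerable but with no fixed version
# given in the advisory text.
BETA_SERVER_VULNERABLE = "1.0.2-beta1"

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?$")


def parse_version(s):
    """Return a tuple that sorts in OpenSSL release order.

    Patch letters form a sequence ('' < 'a' < ... < 'z' < 'za'), so the
    letter string is compared by length before content. A '-betaN'
    pre-release sorts before the final release with the same fix number.
    """
    m = _VERSION_RE.match(s.strip())
    if not m:
        raise ValueError("unrecognised OpenSSL version: %r" % s)
    major, minor, fix, letters, beta = m.groups()
    beta_rank = int(beta) if beta is not None else float("inf")
    return (int(major), int(minor), int(fix), beta_rank, len(letters), letters)


def _branch(v):
    return "%d.%d.%d" % v[:3]


def assess(version_str, role):
    """Classify one OpenSSL build in a given role ('client' or 'server').

    Returns (vulnerable, advice). vulnerable is True, False, or None when
    the advisory text says nothing about that release branch.
    """
    if role not in ("client", "server"):
        raise ValueError("role must be 'client' or 'server'")
    v = parse_version(version_str)
    branch = _branch(v)
    fixed = FIXED.get(branch)
    is_named_beta = version_str.strip() == BETA_SERVER_VULNERABLE

    if fixed is None and not is_named_beta:
        return None, "release branch not covered by the advisory"
    if fixed is not None and v >= parse_version(fixed):
        return False, "fixed release (%s or later)" % fixed

    upgrade = fixed if fixed is not None else "a fixed release"
    if role == "client":
        # "OpenSSL clients are vulnerable in all versions of OpenSSL."
        return True, "upgrade to %s" % upgrade
    # Server role: only 1.0.1 and 1.0.2-beta1 are known vulnerable.
    if branch == "1.0.1" or is_named_beta:
        return True, "upgrade to %s" % upgrade
    return False, "not known vulnerable; upgrade to %s as a precaution" % upgrade


def mitm_exposed(client_version, server_version):
    """True only when both ends are vulnerable, as the advisory requires."""
    client_vuln, _ = assess(client_version, "client")
    server_vuln, _ = assess(server_version, "server")
    return bool(client_vuln) and bool(server_vuln)


if __name__ == "__main__":
    # Constructed sample inventory, not real observations.
    for ver, role in [("1.0.1g", "server"), ("1.0.1g", "client"),
                      ("1.0.0l", "server"), ("0.9.8y", "client"),
                      ("1.0.2-beta1", "server"), ("1.0.1h", "server")]:
        print(ver, role, assess(ver, role))
    print("1.0.1g client -> 1.0.0l server exposed:", mitm_exposed("1.0.1g", "1.0.0l"))
```

The pairing check is the practical takeaway: a 1.0.0 server talking to a 1.0.1g client is not exposed to this attack by the advisory's own rule, but the same client against a 1.0.1g server is, which is why client-side upgrades matter even where the server fleet is older.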

Affected Applications

OpenSSL

CVE References

CVE-2014-0224