CVE-2014-3509

Summary

CVE	CVE-2014-3509
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2014-08-13 23:55:00 UTC
Updated	2023-11-07 02:20:00 UTC
Description	Race condition in the ssl_parse_serverhello_tlsext function in t1_lib.c in OpenSSL 1.0.0 before 1.0.0n and 1.0.1 before 1.0.1i, when multithreading and session resumption are used, allows remote SSL servers to cause a denial of service (memory overwrite and client application crash) or possibly have unspecified other impact by sending Elliptic Curve (EC) Supported Point Formats Extension data.

Risk And Classification

Problem Types: CWE-362

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Application	Openssl	Openssl	1.0.0	All	All	All
Application	Openssl	Openssl	1.0.0	beta1	All	All
Application	Openssl	Openssl	1.0.0	beta2	All	All
Application	Openssl	Openssl	1.0.0	beta3	All	All
Application	Openssl	Openssl	1.0.0	beta4	All	All
Application	Openssl	Openssl	1.0.0	beta5	All	All
Application	Openssl	Openssl	1.0.0a	All	All	All
Application	Openssl	Openssl	1.0.0b	All	All	All
Application	Openssl	Openssl	1.0.0c	All	All	All
Application	Openssl	Openssl	1.0.0d	All	All	All
Application	Openssl	Openssl	1.0.0e	All	All	All
Application	Openssl	Openssl	1.0.0f	All	All	All
Application	Openssl	Openssl	1.0.0g	All	All	All
Application	Openssl	Openssl	1.0.0h	All	All	All
Application	Openssl	Openssl	1.0.0i	All	All	All
Application	Openssl	Openssl	1.0.0j	All	All	All
Application	Openssl	Openssl	1.0.0k	All	All	All
Application	Openssl	Openssl	1.0.0l	All	All	All
Application	Openssl	Openssl	1.0.0m	All	All	All
Application	Openssl	Openssl	1.0.1	All	All	All
Application	Openssl	Openssl	1.0.1	beta1	All	All
Application	Openssl	Openssl	1.0.1	beta2	All	All
Application	Openssl	Openssl	1.0.1	beta3	All	All
Application	Openssl	Openssl	1.0.1a	All	All	All
Application	Openssl	Openssl	1.0.1b	All	All	All
Application	Openssl	Openssl	1.0.1c	All	All	All
Application	Openssl	Openssl	1.0.1d	All	All	All
Application	Openssl	Openssl	1.0.1e	All	All	All
Application	Openssl	Openssl	1.0.1f	All	All	All
Application	Openssl	Openssl	1.0.1g	All	All	All
Application	Openssl	Openssl	1.0.1h	All	All	All
Application	Openssl	Openssl	1.0.0	All	All	All
Application	Openssl	Openssl	1.0.0	beta1	All	All
Application	Openssl	Openssl	1.0.0	beta2	All	All
Application	Openssl	Openssl	1.0.0	beta3	All	All
Application	Openssl	Openssl	1.0.0	beta4	All	All
Application	Openssl	Openssl	1.0.0	beta5	All	All
Application	Openssl	Openssl	1.0.0a	All	All	All
Application	Openssl	Openssl	1.0.0b	All	All	All
Application	Openssl	Openssl	1.0.0c	All	All	All
Application	Openssl	Openssl	1.0.0d	All	All	All
Application	Openssl	Openssl	1.0.0e	All	All	All
Application	Openssl	Openssl	1.0.0f	All	All	All
Application	Openssl	Openssl	1.0.0g	All	All	All
Application	Openssl	Openssl	1.0.0h	All	All	All
Application	Openssl	Openssl	1.0.0i	All	All	All
Application	Openssl	Openssl	1.0.0j	All	All	All
Application	Openssl	Openssl	1.0.0k	All	All	All
Application	Openssl	Openssl	1.0.0l	All	All	All
Application	Openssl	Openssl	1.0.0m	All	All	All
Application	Openssl	Openssl	1.0.1	All	All	All
Application	Openssl	Openssl	1.0.1	beta1	All	All
Application	Openssl	Openssl	1.0.1	beta2	All	All
Application	Openssl	Openssl	1.0.1	beta3	All	All
Application	Openssl	Openssl	1.0.1a	All	All	All
Application	Openssl	Openssl	1.0.1b	All	All	All
Application	Openssl	Openssl	1.0.1c	All	All	All
Application	Openssl	Openssl	1.0.1d	All	All	All
Application	Openssl	Openssl	1.0.1e	All	All	All
Application	Openssl	Openssl	1.0.1f	All	All	All
Application	Openssl	Openssl	1.0.1g	All	All	All
Application	Openssl	Openssl	1.0.1h	All	All	All

References

Reference	Source	Link	Tags
About Secunia Research \| Flexera	SECUNIA	secunia.com
'[security bulletin] HPSBHF03293 rev.1 - HP Virtual Connect 8Gb 24-Port FC Module running OpenSSL and' - MARC	HP	marc.info
'[security bulletin] HPSBMU03267 rev.1 - HP Matrix Operating Environment and HP CloudSystem Matrix ru' - MARC	HP	marc.info
'[security bulletin] HPSBMU03263 rev.3 - HP Insight Control running OpenSSL, Remote Disclosure of Inf' - MARC	HP	marc.info
www.openssl.org/news/secadv_20140806.txt	CONFIRM	www.openssl.org	Vendor Advisory
About Secunia Research \| Flexera	SECUNIA	secunia.com
About Secunia Research \| Flexera	SECUNIA	secunia.com
'[security bulletin] HPSBMU03216 rev.2 - HP Service Manager running SSLv3, Multiple Remote Vulnerabil' - MARC	HP	marc.info
Security Bulletin: Multiple Vulnerabilities in Current Release of IBM® SDK for Node.js™	CONFIRM	www-01.ibm.com
Security Advisory-9 OpenSSL Vulnerabilities on Huawei products - Huawei PSIRT	CONFIRM	www.huawei.com
[SECURITY] Fedora 19 Update: openssl-1.0.1e-39.fc19	FEDORA	lists.fedoraproject.org
IBM X-Force Exchange	XF	exchange.xforce.ibmcloud.com
Multiple Security Vulnerabilities in Citrix NetScaler Platform IPMI Lights Out Management (LOM) firmware	CONFIRM	support.citrix.com
Security Advisory SA61184 - IBM SDK for Node.js Multiple Vulnerabilities - Secunia	SECUNIA	secunia.com
Red Hat Customer Portal	REDHAT	rhn.redhat.com
IBM Security Bulletin: - United States	CONFIRM	www-01.ibm.com
Security Advisory SA61100 - syslog-ng Premium Edition OpenSSL Multiple Vulnerabilities - Secunia	SECUNIA	secunia.com
Security Advisory SA60221 - SUSE update for openssl - Secunia	SECUNIA	secunia.com
Document Display \| HPE Support Center	CONFIRM	h20566.www2.hpe.com
OpenSSL Bugs Let Remote Users Deny Service, Obtain Information, and Potentially Execute Arbitrary Code - SecurityTracker	SECTRACK	www.securitytracker.com
git.openssl.org Git - openssl.git/commit	CONFIRM	git.openssl.org
www.mandriva.com	MANDRIVA	www.mandriva.com
NetBSD-SA2014-008	NETBSD	ftp.netbsd.org
OpenSSL: Multiple vulnerabilities (GLSA 201412-39) — Gentoo Security	GENTOO	security.gentoo.org
Security Advisory SA61775 - Huawei Multiple Products Multiple OpenSSL Vulnerabilities - Secunia	SECUNIA	secunia.com
Debian -- Security Information -- DSA-2998-1 openssl	DEBIAN	www.debian.org
About Secunia Research \| Flexera	SECUNIA	secunia.com
OpenSSL Vulnerabilities related to Version 1.0.1i \| Techzone	CONFIRM	techzone.ergon.ch
linux.oracle.com \| ELSA-2014-1052	CONFIRM	linux.oracle.com
git.openssl.org Git - openssl.git/commit		git.openssl.org
About Secunia Research \| Flexera	SECUNIA	secunia.com
IBM notice: The page you requested cannot be displayed	CONFIRM	www-01.ibm.com
About Secunia Research \| Flexera	SECUNIA	secunia.com
FreeBSD-SA-14:18	FREEBSD	www.freebsd.org
[syslog-ng-announce] syslog-ng Premium Edition 5 LTS (5.0.6a) has been released	MLIST	lists.balabit.hu
Security Advisory SA61959 - IBM Tivoli Management Framework Multiple Vulnerabilities - Secunia	SECUNIA	secunia.com
About Secunia Research \| Flexera	SECUNIA	secunia.com
Security Advisory SA60493 - IBM i OpenSSL Multiple Vulnerabilities - Secunia	SECUNIA	secunia.com
About Secunia Research \| Flexera	SECUNIA	secunia.com
About Secunia Research \| Flexera	SECUNIA	secunia.com
IBM Security Bulletin: Multiple vulnerabilities in OpenSSL affect IBM Tivoli Composite Application Manager for Transactions (CVE-2014-3508, CVE-2014-5139, CVE-2014-3509, CVE-2014-3505, CVE-2014-3506, CVE-2014-3507, CVE-2014-3510, CVE-2014-3511, CVE-2014-3512 - United States	CONFIRM	www-01.ibm.com
Security Advisory SA60938 - NetBSD update for openssl - Secunia	SECUNIA	secunia.com
About Secunia Research \| Flexera	SECUNIA	secunia.com
'[security bulletin] HPSBMU03304 rev.1 - HP Insight Control server deployment on Linux and Windows, R' - MARC	HP	marc.info
Security Advisory SA60803 - SUSE update for openssl1 - Secunia	SECUNIA	secunia.com
aix.software.ibm.com/aix/efixes/security/openssl_advisory10.asc	CONFIRM	aix.software.ibm.com
OpenSSL CVE-2014-3509 Remote Denial of Service Vulnerability	BID	www.securityfocus.com
openSUSE-SU-2014:1052-1: moderate: update for openssl	SUSE	lists.opensuse.org
Document Display \| HPE Support Center	CONFIRM	h20566.www2.hpe.com
[SECURITY] Fedora 20 Update: openssl-1.0.1e-39.fc20	FEDORA	lists.fedoraproject.org
'[security bulletin] HPSBMU03260 rev.1 - HP System Management Homepage running OpenSSL on Linux and W' - MARC	HP	marc.info
1127498 – (CVE-2014-3509) CVE-2014-3509 openssl: race condition in ssl_parse_serverhello_tlsext	CONFIRM	bugzilla.redhat.com
'[security bulletin] HPSBMU03261 rev.2 - HP Systems Insight Manager running OpenSSL on Linux and Wind' - MARC	HP	marc.info
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

Legacy QID Mappings

390226 Oracle Managed Virtualization (VM) Server for x86 Security Update for Open Secure Sockets Layer (OpenSSL) (OVMSA-2021-0011)
390284 Oracle Managed Virtualization (VM) Server for x86 Security Update for Open Secure Sockets Layer (OpenSSL) (OVMSA-2023-0013)
591311 Bosch Rexroth PRA-ES8P2S Ethernet-Switch Multiple Vulnerabilities (BOSCH-SA-247053-BT)