CVE-2014-8275

Summary

CVE	CVE-2014-8275
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2015-01-09 02:59:00 UTC
Updated	2017-11-15 02:29:00 UTC
Description	OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k does not enforce certain constraints on certificate data, which allows remote attackers to defeat a fingerprint-based certificate-blacklist protection mechanism by including crafted data within a certificate's unsigned portion, related to crypto/asn1/a_verify.c, crypto/dsa/dsa_asn1.c, crypto/ecdsa/ecs_vrf.c, and crypto/x509/x_all.c.

Risk And Classification

Problem Types: CWE-310

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Application	Openssl	Openssl	1.0.0a	All	All	All
Application	Openssl	Openssl	1.0.0b	All	All	All
Application	Openssl	Openssl	1.0.0c	All	All	All
Application	Openssl	Openssl	1.0.0d	All	All	All
Application	Openssl	Openssl	1.0.0e	All	All	All
Application	Openssl	Openssl	1.0.0f	All	All	All
Application	Openssl	Openssl	1.0.0g	All	All	All
Application	Openssl	Openssl	1.0.0h	All	All	All
Application	Openssl	Openssl	1.0.0i	All	All	All
Application	Openssl	Openssl	1.0.0j	All	All	All
Application	Openssl	Openssl	1.0.0k	All	All	All
Application	Openssl	Openssl	1.0.0l	All	All	All
Application	Openssl	Openssl	1.0.0m	All	All	All
Application	Openssl	Openssl	1.0.0n	All	All	All
Application	Openssl	Openssl	1.0.0o	All	All	All
Application	Openssl	Openssl	1.0.1a	All	All	All
Application	Openssl	Openssl	1.0.1b	All	All	All
Application	Openssl	Openssl	1.0.1c	All	All	All
Application	Openssl	Openssl	1.0.1d	All	All	All
Application	Openssl	Openssl	1.0.1e	All	All	All
Application	Openssl	Openssl	1.0.1f	All	All	All
Application	Openssl	Openssl	1.0.1g	All	All	All
Application	Openssl	Openssl	1.0.1h	All	All	All
Application	Openssl	Openssl	1.0.1i	All	All	All
Application	Openssl	Openssl	1.0.1j	All	All	All
Application	Openssl	Openssl	All	All	All	All
Application	Openssl	Openssl	1.0.0a	All	All	All
Application	Openssl	Openssl	1.0.0b	All	All	All
Application	Openssl	Openssl	1.0.0c	All	All	All
Application	Openssl	Openssl	1.0.0d	All	All	All
Application	Openssl	Openssl	1.0.0e	All	All	All
Application	Openssl	Openssl	1.0.0f	All	All	All
Application	Openssl	Openssl	1.0.0g	All	All	All
Application	Openssl	Openssl	1.0.0h	All	All	All
Application	Openssl	Openssl	1.0.0i	All	All	All
Application	Openssl	Openssl	1.0.0j	All	All	All
Application	Openssl	Openssl	1.0.0k	All	All	All
Application	Openssl	Openssl	1.0.0l	All	All	All
Application	Openssl	Openssl	1.0.0m	All	All	All
Application	Openssl	Openssl	1.0.0n	All	All	All
Application	Openssl	Openssl	1.0.0o	All	All	All
Application	Openssl	Openssl	1.0.1a	All	All	All
Application	Openssl	Openssl	1.0.1b	All	All	All
Application	Openssl	Openssl	1.0.1c	All	All	All
Application	Openssl	Openssl	1.0.1d	All	All	All
Application	Openssl	Openssl	1.0.1e	All	All	All
Application	Openssl	Openssl	1.0.1f	All	All	All
Application	Openssl	Openssl	1.0.1g	All	All	All
Application	Openssl	Openssl	1.0.1h	All	All	All
Application	Openssl	Openssl	1.0.1i	All	All	All
Application	Openssl	Openssl	1.0.1j	All	All	All

References

Reference	Source	Link	Tags
[security-announce] SUSE-SU-2015:0946-1: important: Security update for	SUSE	lists.opensuse.org
Oracle Bulletin Board Update - January 2015	CONFIRM	www.oracle.com
[security-announce] openSUSE-SU-2015:0130-1: important: Security update	SUSE	lists.opensuse.org
Oracle Critical Patch Update - July 2016	CONFIRM	www.oracle.com
'[security bulletin] HPSBOV03318 rev.1 - HP SSL for OpenVMS, Remote Denial of Service (DoS) and other' - MARC	HP	marc.info
Red Hat Customer Portal	REDHAT	rhn.redhat.com
Oracle Critical Patch Update - October 2015	CONFIRM	www.oracle.com
Multiple Security Vulnerabilities in Citrix NetScaler Platform IPMI Lights Out Management (LOM) firmware	CONFIRM	support.citrix.com
Oracle Critical Patch Update - July 2015	CONFIRM	www.oracle.com
'[security bulletin] HPSBGN03299 rev.1 - HP IceWall SSO Dfw, SSO Certd, MCRP, and Federation Agent ru' - MARC	HP	marc.info
'[security bulletin] HPSBMU03409 rev.1 - HP Matrix Operating Environment, Multiple Vulnerabilities' - MARC	HP	marc.info
Juniper Networks - 2015-04 Security Bulletin: OpenSSL 8th January 2015 advisory.	CONFIRM	kb.juniper.net
[security-announce] SUSE-SU-2015:0578-1: important: Security update for	SUSE	lists.opensuse.org
'[security bulletin] HPSBUX03162 SSRT101885 rev.1 - HP-UX Running OpenSSL, Remote Denial of Service (' - MARC	HP	marc.info
use correct function name · cb62ab4 · openssl/openssl · GitHub	CONFIRM	github.com
'[security bulletin] HPSBMU03396 rev.1 - HP Version Control Repository Manager (VCRM) on Windows and ' - MARC	HP	marc.info
McAfee KnowledgeBase - McAfee Security Bulletin - Firewall Enterprise update fixes 8 OpenSSL CVEs	CONFIRM	kc.mcafee.com
SA88 : OpenSSL Security Advisory 08-Jan-2015 \| Symantec	CONFIRM	bto.bluecoat.com
McAfee KnowledgeBase - McAfee Security Bulletin - FREAK OpenSSL Vulnerability	CONFIRM	kc.mcafee.com
APPLE-SA-2015-04-08-2 OS X 10.10.3 and Security Update 2015-004	APPLE	lists.apple.com
Debian -- Security Information -- DSA-3125-1 openssl	DEBIAN	www.debian.org
Multiple Vulnerabilities in OpenSSL (January 2015) Affecting Cisco Products	CISCO	tools.cisco.com
'[security bulletin] HPSBUX03244 SSRT101885 rev.2 - HP-UX Running OpenSSL, Remote Denial of Service (' - MARC	HP	marc.info
'[security bulletin] HPSBMU03397 rev.1 - HP Version Control Agent (VCA) on Windows and Linux, Multipl' - MARC	HP	marc.info
OpenSSL Certificate Fingerprints CVE-2014-8275 Local Security Bypass Vulnerability	BID	www.securityfocus.com
Support / Security / Advisories / / MDVSA-2015:062 \| Mandriva	MANDRIVA	www.mandriva.com
Fix various certificate fingerprint issues. · 684400c · openssl/openssl · GitHub	CONFIRM	github.com
Support / Security / Advisories / / MDVSA-2015:019 \| Mandriva	MANDRIVA	www.mandriva.com
www.openssl.org/news/secadv_20150108.txt	CONFIRM	www.openssl.org	Vendor Advisory
Oracle Critical Patch Update - April 2015	CONFIRM	www.oracle.com
[security-announce] openSUSE-SU-2015:1277-1: important: Security update	SUSE	lists.opensuse.org
[SECURITY] Fedora 20 Update: openssl-1.0.1e-41.fc20	FEDORA	lists.fedoraproject.org
[security-announce] openSUSE-SU-2016:0640-1: important: Security update	SUSE	lists.opensuse.org
'[security bulletin] HPSBMU03380 rev.1 - HP System Management Homepage (SMH) on Linux and Windows, Mu' - MARC	HP	marc.info
Red Hat Customer Portal	REDHAT	rhn.redhat.com
HP Version Control Repository Manager Multiple Flaws Let Remote Users Deny Service, Obtain Potentially Sensitive Information, and Conduct Cross-Site Request Forgery Attacks - SecurityTracker	SECTRACK	www.securitytracker.com
'[security bulletin] HPSBMU03413 rev.1 - HP Virtual Connect Enterprise Manager SDK, Multiple Vulnerab' - MARC	HP	marc.info
'[security bulletin] HPSBHF03289 rev.1- HP ThinClient PCs running ThinPro Linux, Remote Code Executio' - MARC	HP	marc.info
Oracle Critical Patch Update - October 2017	CONFIRM	www.oracle.com
About the security content of OS X Yosemite v10.10.3 and Security Update 2015-004 - Apple Support	CONFIRM	support.apple.com
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

Legacy QID Mappings

390226 Oracle Managed Virtualization (VM) Server for x86 Security Update for Open Secure Sockets Layer (OpenSSL) (OVMSA-2021-0011)
390284 Oracle Managed Virtualization (VM) Server for x86 Security Update for Open Secure Sockets Layer (OpenSSL) (OVMSA-2023-0013)