CVE-2014-0224

Published: 05 June 2014

OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCipherSpec messages, which allows man-in-the-middle attackers to trigger use of a zero-length master key in certain OpenSSL-to-OpenSSL communications, and consequently hijack sessions or obtain sensitive information, via a crafted TLS handshake, aka the "CCS Injection" vulnerability.

Priority

CVSS 3 base score: 7.4

Status

Package	Release	Status
openssl Launchpad, Ubuntu, Debian	Upstream	Released (0.9.8za,1.0.1h)





	Ubuntu 14.04 ESM (Trusty Tahr)	Released (1.0.1f-1ubuntu2.2)
openssl098 Launchpad, Ubuntu, Debian	Upstream	Released (0.9.8za)





	Ubuntu 14.04 ESM (Trusty Tahr)	Does not exist (trusty was released [0.9.8o-7ubuntu3.2.14.04.1])

References

Join the discussion

Canonical is offering Extended Security Maintenance

Canonical is offering Ubuntu Extended Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›

CVE-2014-0224

Medium

Status

References

Join the discussion

Canonical is offering Extended Security Maintenance

Further reading