CVE-2014-0224

Published: 05 June 2014

OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCipherSpec messages, which allows man-in-the-middle attackers to trigger use of a zero-length master key in certain OpenSSL-to-OpenSSL communications, and consequently hijack sessions or obtain sensitive information, via a crafted TLS handshake, aka the "CCS Injection" vulnerability.

Priority

CVSS 3 base score: 7.4

Status

Package	Release	Status
openssl Launchpad, Ubuntu, Debian	Upstream	Released (0.9.8za,1.0.1h)






	Ubuntu 14.04 ESM (Trusty Tahr)	Released (1.0.1f-1ubuntu2.2)
openssl098 Launchpad, Ubuntu, Debian	Upstream	Released (0.9.8za)






	Ubuntu 14.04 ESM (Trusty Tahr)	Does not exist (trusty was released [0.9.8o-7ubuntu3.2.14.04.1])

References

Join the discussion

Canonical is offering Extended Security Maintenance

Canonical is offering Ubuntu 14.04 Extended Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM

CVE-2014-0224

Medium

Status

References

Join the discussion

Canonical is offering Extended Security Maintenance

Further reading