製品・ソフトウェアに関する情報

JVN脆弱性詳細

OpenSSL の SRP の実装の crypto/srp/srp_lib.c におけるバッファオーバーフローの脆弱性

Title	OpenSSL の SRP の実装の crypto/srp/srp_lib.c におけるバッファオーバーフローの脆弱性
Summary	OpenSSL の SRP の実装の crypto/srp/srp_lib.c には、バッファオーバーフローの脆弱性が存在します。
Possible impacts	第三者により、無効な SRP の (1) g、(2) A、または (3) B パラメータを介して、サービス運用妨害 (アプリケーションクラッシュ) 状態にされるなど、不特定の影響を受ける可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	Aug. 6, 2014, midnight
Registration Date	Aug. 15, 2014, 5:28 p.m.
Last Update	June 15, 2015, 6:17 p.m.

CVSS2.0 : 危険
Score	7.5
Vector	AV:N/AC:L/Au:N/C:P/I:P/A:P

Affected System

ヒューレット・パッカード

HP Virtual Connect 8Gb 24ポートファイバーチャネルモジュール 3.00 未満 (VC (バーチャルコネクト) 4.40 未満)

OpenSSL Project

OpenSSL 1.0.1 以上 1.0.1i 未満

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2014-3512	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3512
National Vulnerability Database (NVD)
2	CVE-2014-3512	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3512

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-119	https://jvndb.jvn.jp/ja/cwe/CWE-119.html

ベンダー情報

No	Name	URL
HP Security Bulletin
1	HPSBHF03293	http://marc.info/?l=bugtraq&m=142660345230545&w=2
IBM Support Document
2	1682293	http://www-01.ibm.com/support/docview.wss?uid=swg21682293
3	1686997	http://www-01.ibm.com/support/docview.wss?uid=swg21686997
OpenSSL
4	Fix SRP buffer overrun vulnerability.	https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=4a23b12a031860253b58d503f296377ca076427b
OpenSSL Security Advisory
5	SRP buffer overrun (CVE-2014-3512)	http://www.openssl.org/news/secadv_20140806.txt
Security Advisory
6	Huawei-SA-20141008-OpenSSL	http://www.huawei.com/en/security/psirt/security-bulletins/security-advisories/hw-372998.htm
Tenable Network Security
7	[R1] OpenSSL Protocol Downgrade Vulnerability Affects Tenable Products	http://www.tenable.com/security/tns-2014-06

Change Log

No	Changed Details	Date of change
0	[2014年08月15日] 掲載 [2014年09月17日] ベンダ情報：Tenable Network Security ([R1] OpenSSL Protocol Downgrade Vulnerability Affects Tenable Products) を追加 [2014年11月26日] ベンダ情報：Huawei (Huawei-SA-20141008-OpenSSL) を追加ベンダ情報：IBM (1686997) を追加 [2014年11月28日] ベンダ情報：IBM (1682293) を追加 [2015年06月15日] 影響を受けるシステム：ベンダ情報の追加に伴い内容を更新ベンダ情報：ヒューレット・パッカード (HPSBHF03293) を追加	Feb. 17, 2018, 10:37 a.m.

NVD Vulnerability Information

CVE-2014-3512

Summary	Multiple buffer overflows in crypto/srp/srp_lib.c in the SRP implementation in OpenSSL 1.0.1 before 1.0.1i allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via an invalid SRP (1) g, (2) A, or (3) B parameter.
Publication Date	Aug. 14, 2014, 8:55 a.m.
Registration Date	Jan. 26, 2021, 3:10 p.m.
Last Update	Nov. 21, 2024, 11:08 a.m.

Affected software configurations

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:openssl:openssl:1.0.1:beta2::::::
cpe:2.3:a:openssl:openssl:1.0.0c:::::::*
cpe:2.3:a:openssl:openssl:1.0.0i:::::::*
cpe:2.3:a:openssl:openssl:1.0.0:beta1::::::
cpe:2.3:a:openssl:openssl:1.0.1h:::::::*
cpe:2.3:a:openssl:openssl:1.0.0:beta2::::::
cpe:2.3:a:openssl:openssl:1.0.0m:::::::*
cpe:2.3:a:openssl:openssl:1.0.1c:::::::*
cpe:2.3:a:openssl:openssl:1.0.1g:::::::*
cpe:2.3:a:openssl:openssl:1.0.0h:::::::*
cpe:2.3:a:openssl:openssl:1.0.0:beta3::::::
cpe:2.3:a:openssl:openssl:1.0.0e:::::::*
cpe:2.3:a:openssl:openssl:1.0.1:beta3::::::
cpe:2.3:a:openssl:openssl:1.0.0f:::::::*
cpe:2.3:a:openssl:openssl:1.0.0d:::::::*
cpe:2.3:a:openssl:openssl:1.0.0j:::::::*
cpe:2.3:a:openssl:openssl:1.0.1a:::::::*
cpe:2.3:a:openssl:openssl:1.0.1:beta1::::::
cpe:2.3:a:openssl:openssl:1.0.1d:::::::*
cpe:2.3:a:openssl:openssl:1.0.0k:::::::*
cpe:2.3:a:openssl:openssl:1.0.0:beta4::::::
cpe:2.3:a:openssl:openssl:1.0.0:::::::*
cpe:2.3:a:openssl:openssl:1.0.1b:::::::*
cpe:2.3:a:openssl:openssl:1.0.1e:::::::*
cpe:2.3:a:openssl:openssl:1.0.0:beta5::::::
cpe:2.3:a:openssl:openssl:1.0.1f:::::::*
cpe:2.3:a:openssl:openssl:1.0.0l:::::::*
cpe:2.3:a:openssl:openssl:1.0.0a:::::::*
cpe:2.3:a:openssl:openssl:1.0.0b:::::::*
cpe:2.3:a:openssl:openssl:1.0.1:::::::*
cpe:2.3:a:openssl:openssl:1.0.0g:::::::*

Related information, measures and tools

No	URL	タグ
1	ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2014-008.txt.asc
2	ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2014-008.txt.asc
3	http://aix.software.ibm.com/aix/efixes/security/openssl_advisory10.asc
4	http://aix.software.ibm.com/aix/efixes/security/openssl_advisory10.asc
5	http://lists.opensuse.org/opensuse-updates/2014-08/msg00036.html
6	http://lists.opensuse.org/opensuse-updates/2014-08/msg00036.html
7	http://marc.info/?l=bugtraq&m=142660345230545&w=2
8	http://marc.info/?l=bugtraq&m=142660345230545&w=2
9	http://marc.info/?l=bugtraq&m=142660345230545&w=2
10	http://marc.info/?l=bugtraq&m=142660345230545&w=2
11	http://secunia.com/advisories/59700
12	http://secunia.com/advisories/59700
13	http://secunia.com/advisories/59710
14	http://secunia.com/advisories/59710
15	http://secunia.com/advisories/59756
16	http://secunia.com/advisories/59756
17	http://secunia.com/advisories/60022
18	http://secunia.com/advisories/60022
19	http://secunia.com/advisories/60221
20	http://secunia.com/advisories/60221
21	http://secunia.com/advisories/60493
22	http://secunia.com/advisories/60493
23	http://secunia.com/advisories/60803
24	http://secunia.com/advisories/60803
25	http://secunia.com/advisories/60810
26	http://secunia.com/advisories/60810
27	http://secunia.com/advisories/60917
28	http://secunia.com/advisories/60917
29	http://secunia.com/advisories/60921
30	http://secunia.com/advisories/60921
31	http://secunia.com/advisories/61017
32	http://secunia.com/advisories/61017
33	http://secunia.com/advisories/61100
34	http://secunia.com/advisories/61100
35	http://secunia.com/advisories/61171
36	http://secunia.com/advisories/61171
37	http://secunia.com/advisories/61184
38	http://secunia.com/advisories/61184
39	http://secunia.com/advisories/61775
40	http://secunia.com/advisories/61775
41	http://secunia.com/advisories/61959
42	http://secunia.com/advisories/61959
43	http://security.gentoo.org/glsa/glsa-201412-39.xml
44	http://security.gentoo.org/glsa/glsa-201412-39.xml
45	http://support.f5.com/kb/en-us/solutions/public/15000/500/sol15565.html
46	http://support.f5.com/kb/en-us/solutions/public/15000/500/sol15565.html
47	http://www.debian.org/security/2014/dsa-2998
48	http://www.debian.org/security/2014/dsa-2998
49	http://www.huawei.com/en/security/psirt/security-bulletins/security-advisories/hw-372998.htm
50	http://www.huawei.com/en/security/psirt/security-bulletins/security-advisories/hw-372998.htm
51	http://www.securityfocus.com/bid/69083
52	http://www.securityfocus.com/bid/69083
53	http://www.securitytracker.com/id/1030693
54	http://www.securitytracker.com/id/1030693
55	http://www.tenable.com/security/tns-2014-06
56	http://www.tenable.com/security/tns-2014-06
57	http://www-01.ibm.com/support/docview.wss?uid=nas8N1020240
58	http://www-01.ibm.com/support/docview.wss?uid=nas8N1020240
59	http://www-01.ibm.com/support/docview.wss?uid=swg21682293
60	http://www-01.ibm.com/support/docview.wss?uid=swg21682293
61	http://www-01.ibm.com/support/docview.wss?uid=swg21683389
62	http://www-01.ibm.com/support/docview.wss?uid=swg21683389
63	http://www-01.ibm.com/support/docview.wss?uid=swg21686997
64	http://www-01.ibm.com/support/docview.wss?uid=swg21686997
65	https://exchange.xforce.ibmcloud.com/vulnerabilities/95158
66	https://exchange.xforce.ibmcloud.com/vulnerabilities/95158
67	https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commit%3Bh=4a23b12a031860253b58d503f296377ca076427b
68	https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commit%3Bh=4a23b12a031860253b58d503f296377ca076427b
69	https://lists.balabit.hu/pipermail/syslog-ng-announce/2014-September/000196.html
70	https://lists.balabit.hu/pipermail/syslog-ng-announce/2014-September/000196.html
71	https://www.freebsd.org/security/advisories/FreeBSD-SA-14:18.openssl.asc
72	https://www.freebsd.org/security/advisories/FreeBSD-SA-14:18.openssl.asc
73	https://www.openssl.org/news/secadv_20140806.txt	Vendor Advisory
74	https://www.openssl.org/news/secadv_20140806.txt	Vendor Advisory

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-119	バッファエラー	https://cwe.mitre.org/data/definitions/118.html

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:openssl:openssl:1.0.1:beta2::::::
cpe:2.3:a:openssl:openssl:1.0.0c:::::::*
cpe:2.3:a:openssl:openssl:1.0.0i:::::::*
cpe:2.3:a:openssl:openssl:1.0.0:beta1::::::
cpe:2.3:a:openssl:openssl:1.0.1h:::::::*
cpe:2.3:a:openssl:openssl:1.0.0:beta2::::::
cpe:2.3:a:openssl:openssl:1.0.0m:::::::*
cpe:2.3:a:openssl:openssl:1.0.1c:::::::*
cpe:2.3:a:openssl:openssl:1.0.1g:::::::*
cpe:2.3:a:openssl:openssl:1.0.0h:::::::*
cpe:2.3:a:openssl:openssl:1.0.0:beta3::::::
cpe:2.3:a:openssl:openssl:1.0.0e:::::::*
cpe:2.3:a:openssl:openssl:1.0.1:beta3::::::
cpe:2.3:a:openssl:openssl:1.0.0f:::::::*
cpe:2.3:a:openssl:openssl:1.0.0d:::::::*
cpe:2.3:a:openssl:openssl:1.0.0j:::::::*
cpe:2.3:a:openssl:openssl:1.0.1a:::::::*
cpe:2.3:a:openssl:openssl:1.0.1:beta1::::::
cpe:2.3:a:openssl:openssl:1.0.1d:::::::*
cpe:2.3:a:openssl:openssl:1.0.0k:::::::*
cpe:2.3:a:openssl:openssl:1.0.0:beta4::::::
cpe:2.3:a:openssl:openssl:1.0.0:::::::*
cpe:2.3:a:openssl:openssl:1.0.1b:::::::*
cpe:2.3:a:openssl:openssl:1.0.1e:::::::*
cpe:2.3:a:openssl:openssl:1.0.0:beta5::::::
cpe:2.3:a:openssl:openssl:1.0.1f:::::::*
cpe:2.3:a:openssl:openssl:1.0.0l:::::::*
cpe:2.3:a:openssl:openssl:1.0.0a:::::::*
cpe:2.3:a:openssl:openssl:1.0.0b:::::::*
cpe:2.3:a:openssl:openssl:1.0.1:::::::*
cpe:2.3:a:openssl:openssl:1.0.0g:::::::*