CVE-2014-0224

Publication date 5 June 2014

Last updated 24 July 2024


Ubuntu priority

CVSS 3 Severity Score

7.4 · High


OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCipherSpec messages, which allows man-in-the-middle attackers to trigger use of a zero-length master key in certain OpenSSL-to-OpenSSL communications, and consequently hijack sessions or obtain sensitive information, via a crafted TLS handshake, aka the "CCS Injection" vulnerability.

Status

| Package | Ubuntu Release | Status |
|---|---|---|
| openssl | 14.04 LTS trusty | Fixed 1.0.1f-1ubuntu2.2 |
| openssl | 13.10 saucy | Fixed 1.0.1e-3ubuntu1.4 |
| openssl | 12.04 LTS precise | Fixed 1.0.1-4ubuntu5.14 |
| openssl | 10.04 LTS lucid | Fixed 0.9.8k-7ubuntu8.18 |
| openssl098 | 14.04 LTS trusty | Fixed 0.9.8o-7ubuntu3.2.14.04.1 |
| openssl098 | 13.10 saucy | Fixed 0.9.8o-7ubuntu3.2.13.10.1 |
| openssl098 | 12.04 LTS precise | Fixed 0.9.8o-7ubuntu3.2 |
| openssl098 | 10.04 LTS lucid | Not in release |

Severity score breakdown

| Parameter | Value |
|---|---|
| Base score | 7.4 · High |
| Attack vector | Network |
| Attack complexity | High |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | High |
| Availability impact | None |
| Vector | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N |
