Vulnerability Details: CVE-2013-4353
The ssl3_take_mac function in ssl/s3_both.c in OpenSSL 1.0.1 before 1.0.1f allows remote TLS servers to cause a denial of service (NULL pointer dereference and application crash) via a crafted Next Protocol Negotiation record in a TLS handshake. The flaw is on the client side of the handshake: a malicious or compromised server can crash any client linked against an affected OpenSSL 1.0.1 build, while servers are not affected.
Vulnerability category: Memory corruption, Denial of service
Products affected by CVE-2013-4353
- cpe:2.3:a:openssl:openssl:1.0.1:beta2:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:1.0.1:beta1:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:1.0.1c:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:1.0.1b:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:1.0.1e:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:1.0.1d:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:1.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:1.0.1a:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:1.0.1:beta3:*:*:*:*:*:*
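The following is an added example, not code from OpenSSL or from this page. It models the crash described above with simplified stand-in structures (the real `ssl/s3_both.c` types are not reproduced): a Finished message reached `ssl3_take_mac` before a cipher suite had been set up, so the Finished-MAC computation dereferenced a NULL cipher pointer. The upstream fix (commit 197e0ea8, listed in the references) returns early when `s->s3->tmp.new_cipher` is NULL; the vulnerable and fixed shapes are shown side by side. The block also includes `openssl_version_affected()`, a helper (an assumption of this example, not an OpenSSL API) that maps the affected-version range above (1.0.1 up to 1.0.1e, including the 1.0.1 betas) onto the string printed by `openssl version`.

```c
/*
 * Added example modelling CVE-2013-4353 (not OpenSSL's own code).
 * The struct and function names echo the CVE description but are
 * simplified stand-ins for s->s3->tmp and ssl3_take_mac().
 */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for the negotiated cipher suite record. */
struct cipher { unsigned long algorithm2; const char *name; };

/* Stand-in for the per-handshake scratch state (s->s3->tmp in OpenSSL). */
struct handshake_tmp {
    struct cipher *new_cipher;          /* NULL until a suite is chosen */
    unsigned char peer_finish_md[12];
};

/* Stand-in for the SSL object. */
struct ssl { struct handshake_tmp tmp; };

/* A constructed cipher suite used by the demo and the checks below. */
static struct cipher example_cipher = { 0x2UL, "AES128-SHA" };

/*
 * Pretend Finished-MAC computation. The real final_finish_mac consults
 * the negotiated cipher to select the PRF, which is exactly the access
 * that dereferences NULL when no cipher has been set up yet.
 */
static int finish_mac(struct ssl *s, unsigned char out[12])
{
    unsigned long alg = s->tmp.new_cipher->algorithm2;   /* crashes if NULL */
    for (int i = 0; i < 12; i++)
        out[i] = (unsigned char)((alg >> (i % 8)) ^ (unsigned long)i);
    return 0;
}

/* Vulnerable shape: assumes a Finished message implies a chosen cipher. */
int take_mac_vulnerable(struct ssl *s)
{
    return finish_mac(s, s->tmp.peer_finish_md);
}

/*
 * Fixed shape: if a crafted handshake delivers Finished before any cipher
 * is negotiated, return and let the state machine raise the protocol
 * error instead of crashing on the NULL pointer.
 */
int take_mac_fixed(struct ssl *s)
{
    if (s->tmp.new_cipher == NULL)
        return -1;                      /* no cipher yet: malformed handshake */
    return finish_mac(s, s->tmp.peer_finish_md);
}

/* Convenience wrapper: run the fixed path on a fresh SSL model using cipher c. */
int run_fixed(struct cipher *c)
{
    struct ssl s = { { c, { 0 } } };
    return take_mac_fixed(&s);
}

/*
 * Returns 1 if an `openssl version` string such as "1.0.1e", "1.0.1-beta2"
 * or "1.0.1e 11 Feb 2013" falls in the affected range (1.0.1 before 1.0.1f),
 * and 0 otherwise. Helper invented for this example.
 */
int openssl_version_affected(const char *v)
{
    static const char base[] = "1.0.1";
    size_t n = strlen(base);
    if (strncmp(v, base, n) != 0)
        return 0;                       /* 0.9.8, 1.0.0, 1.0.2 ... not affected */
    char c = v[n];
    if (c == '\0' || c == '-' || c == ' ')
        return 1;                       /* plain 1.0.1 or a 1.0.1 beta */
    if (islower((unsigned char)c))
        return c < 'f';                 /* 1.0.1a..1.0.1e affected, 1.0.1f+ fixed */
    return 0;
}

int main(void)
{
    printf("fixed path, cipher set: %d\n", run_fixed(&example_cipher));
    printf("fixed path, no cipher:  %d\n", run_fixed(NULL));
    /* take_mac_vulnerable() on the no-cipher state would dereference NULL. */
    printf("1.0.1e affected: %d\n", openssl_version_affected("1.0.1e"));
    printf("1.0.1f affected: %d\n", openssl_version_affected("1.0.1f"));
    return 0;
}
```

The guard is the whole fix: the crafted NPN record only matters because it lets the client's handshake state machine reach a Finished message with no cipher negotiated, and refusing to compute the MAC in that state turns a crash into an ordinary handshake failure.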
Exploit prediction scoring system (EPSS) score for CVE-2013-4353
EPSS score: 42.18% (probability of exploitation activity in the next 30 days)
EPSS percentile: ~97% (the proportion of vulnerabilities scored at or below this score)
CVSS scores for CVE-2013-4353
Base Score | Base Severity | CVSS Vector (v2) | Exploitability Score | Impact Score | Score Source
---|---|---|---|---|---
4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:N/A:P | 8.6 | 2.9 | NIST
CWE ids for CVE-2013-4353
- The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. (Assigned by: nvd@nist.gov, Primary)
References for CVE-2013-4353
- http://lists.fedoraproject.org/pipermail/package-announce/2014-August/136473.html
  [SECURITY] Fedora 20 Update: openssl-1.0.1e-39.fc20
- http://www.openssl.org/news/vulnerabilities.html
  OpenSSL vulnerabilities page (Vendor Advisory)
- http://www-01.ibm.com/support/docview.wss?uid=isg400001841
  IBM Tivoli Composite Application Manager for Transactions Internet Service Monitoring 7.4 Interim Fix 13 README
- http://www.debian.org/security/2014/dsa-2837
  Debian -- Security Information -- DSA-2837-1 openssl
- http://www.splunk.com/view/SP-CAAAMB3
  Splunk 6.0.3 addresses two vulnerabilities - April 10, 2014 | Splunk
- http://rhn.redhat.com/errata/RHSA-2014-0015.html
  RHSA-2014:0015 - Security Advisory - Red Hat Customer Portal
- http://rhn.redhat.com/errata/RHSA-2014-0041.html
  RHSA-2014:0041 - Security Advisory - Red Hat Customer Portal
- http://www.ubuntu.com/usn/USN-2079-1
  USN-2079-1: OpenSSL vulnerabilities | Ubuntu security notices
- https://bugzilla.redhat.com/show_bug.cgi?id=1049058
  1049058 - (CVE-2013-4353) CVE-2013-4353 openssl: client NULL dereference crash on malformed handshake packets
- http://lists.fedoraproject.org/pipermail/package-announce/2014-August/136470.html
  [SECURITY] Fedora 19 Update: openssl-1.0.1e-39.fc19
- http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=197e0ea817ad64820789d86711d55ff50d71f631
  openssl.git commit 197e0ea8 (upstream fix)
- http://lists.opensuse.org/opensuse-updates/2014-01/msg00067.html
  openSUSE-SU-2014:0096-1: moderate: update for openssl
- http://www-01.ibm.com/support/docview.wss?uid=isg400001843
  IBM Tivoli Composite Application Manager for Transactions Internet Service Monitoring 7.3.0.1 Interim Fix 29 README
- http://git.openssl.org/gitweb/?p=openssl.git;a=blob_plain;f=CHANGES;hb=refs/heads/OpenSSL_1_0_1-stable
  OpenSSL 1.0.1-stable CHANGES file (Vendor Advisory)
- http://lists.opensuse.org/opensuse-updates/2014-01/msg00070.html
  openSUSE-SU-2014:0099-1: moderate: update for openssl
- http://lists.opensuse.org/opensuse-updates/2014-01/msg00065.html
  openSUSE-SU-2014:0094-1: moderate: update for openssl