Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT Security Bulletin
ASB-2014.0127
OpenSSL Vulnerabilities (20141015) Affect Tenable Products
10 November 2014
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Tenable SecurityCenter
Tenable Appliance
Operating System: Linux variants
Network Appliance
Impact/Access: Denial of Service -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2014-3567 CVE-2014-3513
Member content until: Wednesday, December 10 2014
Reference: ESB-2014.2072
ESB-2014.2054
ESB-2014.2031
ESB-2014.1997
ESB-2014.2009.2
OVERVIEW
Two vulnerabilities in OpenSSL affect Tenable's SecurityCenter
version 4.6.2.2, 4.7.0, 4.7.1, 4.8.0 and 4.8.1 and Tenable Appliance
2.4.1, 2.6.1, 2.6.2, 2.8.0 and 2.8.1.[1]
IMPACT
The vendor has provided the following details regarding the
vulnerability:
CVE-2014-3513: "OpenSSL contains a flaw in the DTLS SRTP extension
parsing code that is triggered when handling a specially crafted
handshake message, which can cause a memory leak. This may allow a
remote attacker to cause a denial of service".[1]
CVE-2014-3567: "OpenSSL contains a flaw in the SSL, TLS, and DTLS
servers that is triggered when handling a session ticket that has
failed to have its integrity properly verified, which can result in
a memory leak. With a large number of invalid session tickets, a
remote attacker can cause a denial of service".[1]
MITIGATION
The vendor advises a patch has been released for all supported
versions of SecurityCenter.[1]
REFERENCES
[1] [R2] OpenSSL Vulnerabilities (20141015) Affect Tenable Products
http://www.tenable.com/security/tns-2014-11
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBVGAWGRLndAQH1ShLAQJMEA/+NLbZM69ArOHQPrd3PNLU3aQ+D9HLFsc8
AYdC8hT6FoSqt2Z+0FGoiYCtm/S3umFBiSfNB0Q6w703z32UECYPBPGVtvXweDgY
a9ukq9baVcyh66llStI6DA72WGG+PbXXO9vs5Clfskv9Q6DqVYIfEyWusP9nUPnb
0JNS2jEaHHDta0MmCXUPNNCZPXxn9GfGskwBqtuSeDxHEfjLEml8n0b3r481syiy
I1LwTgPSc/82g/I4Yt5KbK2SoRHv09nLx42iYNKAmBMZ0LqCeUhlnFrnojtxImgj
JeNTedtEWVSeo6n5n1txUaKZY4eQXUU0amgIM4zFIMMBUQjLhMrbmXfa7DBgaPp/
EhuuR//6fkJl9ZzUYhOUEN+r2w3WYPjpZ+MvwC0j2Ip5kcwCbqiO9wMoVFvRwo7G
NPoC6CvHNgCccwh38SS+mk445UIIIwPSOrnH176F/zNePlr2+LOEPsUSWleauNfr
oxkUl3vqshfUrlOCq0b0Ry/HJHR6mETwoQXs8UskCffxTybiMpHQ1QvwVAvXIqtG
uflbUeOHxMuwJjBD+VxIofNn5BQS0DCCb8NW2eBwRt+TJihQNjvvCqNgWXv4XsBd
ZG0kdJ3jT4vluG2uwblmceT32NPDtw5E+hvUSIctnnaVB6Ud+j8xW2Ya8dwf3BVI
7cCvzWtujJ8=
=UoPq
-----END PGP SIGNATURE-----