-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2014.0127
        OpenSSL Vulnerabilities (20141015) Affect Tenable Products
                             10 November 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Tenable SecurityCenter
                      Tenable Appliance
Operating System:     Linux variants
                      Network Appliance
Impact/Access:        Denial of Service -- Remote/Unauthenticated
Resolution:           Patch/Upgrade
CVE Names:            CVE-2014-3567 CVE-2014-3513 
Member content until: Wednesday, December 10 2014
Reference:            ESB-2014.2072
                      ESB-2014.2054
                      ESB-2014.2031
                      ESB-2014.1997
                      ESB-2014.2009.2

OVERVIEW

        Two vulnerabilities in OpenSSL affect Tenable's SecurityCenter 
        version 4.6.2.2, 4.7.0, 4.7.1, 4.8.0 and 4.8.1 and Tenable Appliance
        2.4.1, 2.6.1, 2.6.2, 2.8.0 and 2.8.1.[1]


IMPACT

        The vendor has provided the following details regarding the 
        vulnerability:
        
        CVE-2014-3513: "OpenSSL contains a flaw in the DTLS SRTP extension 
        parsing code that is triggered when handling a specially crafted 
        handshake message, which can cause a memory leak. This may allow a 
        remote attacker to cause a denial of service".[1]
        
        CVE-2014-3567: "OpenSSL contains a flaw in the SSL, TLS, and DTLS 
        servers that is triggered when handling a session ticket that has 
        failed to have its integrity properly verified, which can result in
        a memory leak. With a large number of invalid session tickets, a 
        remote attacker can cause a denial of service".[1]


MITIGATION

        The vendor advises a patch has been released for all supported 
        versions of SecurityCenter.[1]


REFERENCES

        [1] [R2] OpenSSL Vulnerabilities (20141015) Affect Tenable Products
            http://www.tenable.com/security/tns-2014-11

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBVGAWGRLndAQH1ShLAQJMEA/+NLbZM69ArOHQPrd3PNLU3aQ+D9HLFsc8
AYdC8hT6FoSqt2Z+0FGoiYCtm/S3umFBiSfNB0Q6w703z32UECYPBPGVtvXweDgY
a9ukq9baVcyh66llStI6DA72WGG+PbXXO9vs5Clfskv9Q6DqVYIfEyWusP9nUPnb
0JNS2jEaHHDta0MmCXUPNNCZPXxn9GfGskwBqtuSeDxHEfjLEml8n0b3r481syiy
I1LwTgPSc/82g/I4Yt5KbK2SoRHv09nLx42iYNKAmBMZ0LqCeUhlnFrnojtxImgj
JeNTedtEWVSeo6n5n1txUaKZY4eQXUU0amgIM4zFIMMBUQjLhMrbmXfa7DBgaPp/
EhuuR//6fkJl9ZzUYhOUEN+r2w3WYPjpZ+MvwC0j2Ip5kcwCbqiO9wMoVFvRwo7G
NPoC6CvHNgCccwh38SS+mk445UIIIwPSOrnH176F/zNePlr2+LOEPsUSWleauNfr
oxkUl3vqshfUrlOCq0b0Ry/HJHR6mETwoQXs8UskCffxTybiMpHQ1QvwVAvXIqtG
uflbUeOHxMuwJjBD+VxIofNn5BQS0DCCb8NW2eBwRt+TJihQNjvvCqNgWXv4XsBd
ZG0kdJ3jT4vluG2uwblmceT32NPDtw5E+hvUSIctnnaVB6Ud+j8xW2Ya8dwf3BVI
7cCvzWtujJ8=
=UoPq
-----END PGP SIGNATURE-----