Executive Summary
Informations | |||
---|---|---|---|
Name | CVE-2014-3469 | First vendor Publication | 2014-06-05 |
Vendor | Cve | Last vendor Modification | 2024-11-21 |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitabality Sub Score | NA | ||
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:L/Au:N/C:N/I:N/A:P) | |||
---|---|---|---|
Cvss Base Score | 5 | Attack Range | Network |
Cvss Impact Score | 2.9 | Attack Complexity | Low |
Cvss Expoit Score | 10 | Authentication | None Required |
Calculate full CVSS 2.0 Vectors scores |
Detail
The (1) asn1_read_value_type and (2) asn1_read_value functions in GNU Libtasn1 before 3.6 allows context-dependent attackers to cause a denial of service (NULL pointer dereference and crash) via a NULL value in an ivalue argument. |
Original Source
Url : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3469 |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
100 % | CWE-476 | NULL Pointer Dereference |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:23897 | |||
Oval ID: | oval:org.mitre.oval:def:23897 | ||
Title: | RHSA-2014:0596: libtasn1 security update (Moderate) | ||
Description: | The libtasn1 library provides Abstract Syntax Notation One (ASN.1) parsing and structures management, and Distinguished Encoding Rules (DER) encoding and decoding functions. It was discovered that the asn1_get_bit_der() function of the libtasn1 library incorrectly reported the length of ASN.1-encoded data. Specially crafted ASN.1 input could cause an application using libtasn1 to perform an out-of-bounds access operation, causing the application to crash or, possibly, execute arbitrary code. (CVE-2014-3468) Multiple incorrect buffer boundary check issues were discovered in libtasn1. Specially crafted ASN.1 input could cause an application using libtasn1 to crash. (CVE-2014-3467) Multiple NULL pointer dereference flaws were found in libtasn1's asn1_read_value() function. Specially crafted ASN.1 input could cause an application using libtasn1 to crash, if the application used the aforementioned function in a certain way. (CVE-2014-3469) Red Hat would like to thank GnuTLS upstream for reporting these issues. All libtasn1 users are advised to upgrade to these updated packages, which correct these issues. For the update to take effect, all applications linked to the libtasn1 library must be restarted. | ||
Family: | unix | Class: | patch |
Reference(s): | RHSA-2014:0596-00 CESA-2014:0596 CVE-2014-3467 CVE-2014-3468 CVE-2014-3469 | Version: | 3 |
Platform(s): | Red Hat Enterprise Linux 6 CentOS Linux 6 | Product(s): | libtasn1 |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:24517 | |||
Oval ID: | oval:org.mitre.oval:def:24517 | ||
Title: | ELSA-2014:0594: gnutls security update (Important) | ||
Description: | The GnuTLS library provides support for cryptographic algorithms and for protocols such as Transport Layer Security (TLS). The gnutls packages also include the libtasn1 library, which provides Abstract Syntax Notation One (ASN.1) parsing and structures management, and Distinguished Encoding Rules (DER) encoding and decoding functions. A flaw was found in the way GnuTLS parsed session IDs from ServerHello messages of the TLS/SSL handshake. A malicious server could use this flaw to send an excessively long session ID value, which would trigger a buffer overflow in a connecting TLS/SSL client application using GnuTLS, causing the client application to crash or, possibly, execute arbitrary code. (CVE-2014-3466) It was discovered that the asn1_get_bit_der() function of the libtasn1 library incorrectly reported the length of ASN.1-encoded data. Specially crafted ASN.1 input could cause an application using libtasn1 to perform an out-of-bounds access operation, causing the application to crash or, possibly, execute arbitrary code. (CVE-2014-3468) Multiple incorrect buffer boundary check issues were discovered in libtasn1. Specially crafted ASN.1 input could cause an application using libtasn1 to crash. (CVE-2014-3467) Multiple NULL pointer dereference flaws were found in libtasn1's asn1_read_value() function. Specially crafted ASN.1 input could cause an application using libtasn1 to crash, if the application used the aforementioned function in a certain way. (CVE-2014-3469) Red Hat would like to thank GnuTLS upstream for reporting these issues. Upstream acknowledges Joonas Kuorilehto of Codenomicon as the original reporter of CVE-2014-3466. Users of GnuTLS are advised to upgrade to these updated packages, which correct these issues. For the update to take effect, all applications linked to the GnuTLS or libtasn1 library must be restarted. | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2014:0594-00 CVE-2014-3466 CVE-2014-3467 CVE-2014-3468 CVE-2014-3469 | Version: | 4 |
Platform(s): | Oracle Linux 5 | Product(s): | gnutls |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:24734 | |||
Oval ID: | oval:org.mitre.oval:def:24734 | ||
Title: | RHSA-2014:0594: gnutls security update (Important) | ||
Description: | The GnuTLS library provides support for cryptographic algorithms and for protocols such as Transport Layer Security (TLS). The gnutls packages also include the libtasn1 library, which provides Abstract Syntax Notation One (ASN.1) parsing and structures management, and Distinguished Encoding Rules (DER) encoding and decoding functions. A flaw was found in the way GnuTLS parsed session IDs from ServerHello messages of the TLS/SSL handshake. A malicious server could use this flaw to send an excessively long session ID value, which would trigger a buffer overflow in a connecting TLS/SSL client application using GnuTLS, causing the client application to crash or, possibly, execute arbitrary code. (CVE-2014-3466) It was discovered that the asn1_get_bit_der() function of the libtasn1 library incorrectly reported the length of ASN.1-encoded data. Specially crafted ASN.1 input could cause an application using libtasn1 to perform an out-of-bounds access operation, causing the application to crash or, possibly, execute arbitrary code. (CVE-2014-3468) Multiple incorrect buffer boundary check issues were discovered in libtasn1. Specially crafted ASN.1 input could cause an application using libtasn1 to crash. (CVE-2014-3467) Multiple NULL pointer dereference flaws were found in libtasn1's asn1_read_value() function. Specially crafted ASN.1 input could cause an application using libtasn1 to crash, if the application used the aforementioned function in a certain way. (CVE-2014-3469) Red Hat would like to thank GnuTLS upstream for reporting these issues. Upstream acknowledges Joonas Kuorilehto of Codenomicon as the original reporter of CVE-2014-3466. Users of GnuTLS are advised to upgrade to these updated packages, which correct these issues. For the update to take effect, all applications linked to the GnuTLS or libtasn1 library must be restarted. | ||
Family: | unix | Class: | patch |
Reference(s): | RHSA-2014:0594-00 CESA-2014:0594 CVE-2014-3466 CVE-2014-3467 CVE-2014-3468 CVE-2014-3469 | Version: | 3 |
Platform(s): | Red Hat Enterprise Linux 5 CentOS Linux 5 | Product(s): | gnutls |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:25168 | |||
Oval ID: | oval:org.mitre.oval:def:25168 | ||
Title: | ELSA-2014:0596: libtasn1 security update (Moderate) | ||
Description: | The libtasn1 library provides Abstract Syntax Notation One (ASN.1) parsing and structures management, and Distinguished Encoding Rules (DER) encoding and decoding functions. It was discovered that the asn1_get_bit_der() function of the libtasn1 library incorrectly reported the length of ASN.1-encoded data. Specially crafted ASN.1 input could cause an application using libtasn1 to perform an out-of-bounds access operation, causing the application to crash or, possibly, execute arbitrary code. (CVE-2014-3468) Multiple incorrect buffer boundary check issues were discovered in libtasn1. Specially crafted ASN.1 input could cause an application using libtasn1 to crash. (CVE-2014-3467) Multiple NULL pointer dereference flaws were found in libtasn1's asn1_read_value() function. Specially crafted ASN.1 input could cause an application using libtasn1 to crash, if the application used the aforementioned function in a certain way. (CVE-2014-3469) Red Hat would like to thank GnuTLS upstream for reporting these issues. All libtasn1 users are advised to upgrade to these updated packages, which correct these issues. For the update to take effect, all applications linked to the libtasn1 library must be restarted. | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2014:0596-00 CVE-2014-3467 CVE-2014-3468 CVE-2014-3469 | Version: | 4 |
Platform(s): | Oracle Linux 6 | Product(s): | libtasn1 |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:25259 | |||
Oval ID: | oval:org.mitre.oval:def:25259 | ||
Title: | RHSA-2014:0687: libtasn1 security update (Moderate) | ||
Description: | The libtasn1 library provides Abstract Syntax Notation One (ASN.1) parsing and structures management, and Distinguished Encoding Rules (DER) encoding and decoding functions. It was discovered that the asn1_get_bit_der() function of the libtasn1 library incorrectly reported the length of ASN.1-encoded data. Specially crafted ASN.1 input could cause an application using libtasn1 to perform an out-of-bounds access operation, causing the application to crash or, possibly, execute arbitrary code. (CVE-2014-3468) Multiple incorrect buffer boundary check issues were discovered in libtasn1. Specially crafted ASN.1 input could cause an application using libtasn1 to crash. (CVE-2014-3467) Multiple NULL pointer dereference flaws were found in libtasn1's asn1_read_value() function. Specially crafted ASN.1 input could cause an application using libtasn1 to crash, if the application used the aforementioned function in a certain way. (CVE-2014-3469) Red Hat would like to thank GnuTLS upstream for reporting these issues. All libtasn1 users are advised to upgrade to these updated packages, which correct these issues. For the update to take effect, all applications linked to the libtasn1 library must be restarted. | ||
Family: | unix | Class: | patch |
Reference(s): | RHSA-2014:0687-00 CVE-2014-3467 CVE-2014-3468 CVE-2014-3469 | Version: | 4 |
Platform(s): | Red Hat Enterprise Linux 7 CentOS Linux 7 | Product(s): | libtasn1 |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:25314 | |||
Oval ID: | oval:org.mitre.oval:def:25314 | ||
Title: | SUSE-SU-2014:0758-1 -- Security update for gnutls | ||
Description: | GnuTLS has been patched to ensure proper parsing of session ids during the TLS/SSL handshake. Additionally, three issues inherited from libtasn1 have been fixed. | ||
Family: | unix | Class: | patch |
Reference(s): | SUSE-SU-2014:0758-1 CVE-2014-3466 CVE-2014-3467 CVE-2014-3468 CVE-2014-3469 | Version: | 3 |
Platform(s): | SUSE Linux Enterprise Server 11 SUSE Linux Enterprise Desktop 11 | Product(s): | gnutls |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:26079 | |||
Oval ID: | oval:org.mitre.oval:def:26079 | ||
Title: | USN-2294-1 -- libtasn1-3, libtasn1-6 vulnerabilities | ||
Description: | Libtasn1 could be made to crash or run programs as your login if it processed specially crafted data. | ||
Family: | unix | Class: | patch |
Reference(s): | USN-2294-1 CVE-2014-3467 CVE-2014-3468 CVE-2014-3469 | Version: | 3 |
Platform(s): | Ubuntu 14.04 Ubuntu 12.04 Ubuntu 10.04 | Product(s): | libtasn1-6 libtasn1-3 |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:26125 | |||
Oval ID: | oval:org.mitre.oval:def:26125 | ||
Title: | SUSE-SU-2014:0788-1 -- Security update for GnuTLS | ||
Description: | GnuTLS was patched to ensure proper parsing of session ids during the TLS/SSL handshake. Additionally three issues inherited from libtasn1 were fixed. | ||
Family: | unix | Class: | patch |
Reference(s): | SUSE-SU-2014:0788-1 CVE-2014-3466 CVE-2014-3467 CVE-2014-3468 CVE-2014-3469 | Version: | 3 |
Platform(s): | SUSE Linux Enterprise Server 11 | Product(s): | GnuTLS |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:26142 | |||
Oval ID: | oval:org.mitre.oval:def:26142 | ||
Title: | SUSE-SU-2014:0931-1 -- Security update for libtasn1 | ||
Description: | libtasn1 has been updated to fix three security issues:asn1_get_bit_der() could have returned negative bit length, Multiple boundary check issues could have allowed DoS, Possible DoS by NULL pointer dereference in asn1_read_value_type. | ||
Family: | unix | Class: | patch |
Reference(s): | SUSE-SU-2014:0931-1 CVE-2014-3468 CVE-2014-3467 CVE-2014-3469 | Version: | 3 |
Platform(s): | SUSE Linux Enterprise Server 11 SUSE Linux Enterprise Desktop 11 | Product(s): | libtasn1 |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:26205 | |||
Oval ID: | oval:org.mitre.oval:def:26205 | ||
Title: | SUSE-SU-2014:0788-2 -- Security update for GnuTLS | ||
Description: | GnuTLS has been patched to ensure proper parsing of session ids during the TLS/SSL handshake. Additionally three issues inherited from libtasn1 have been fixed. | ||
Family: | unix | Class: | patch |
Reference(s): | SUSE-SU-2014:0788-2 CVE-2014-3466 CVE-2014-3467 CVE-2014-3468 CVE-2014-3469 | Version: | 3 |
Platform(s): | SUSE Linux Enterprise Server 10 | Product(s): | GnuTLS |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:27012 | |||
Oval ID: | oval:org.mitre.oval:def:27012 | ||
Title: | DEPRECATED: ELSA-2014-0594 -- gnutls security update (important) | ||
Description: | [1.4.1-16] - added missing check for null pointer (#1102355) [1.4.1-15] - fix session ID length check and null pointer dereference (#1102355) - fix minitasn1 issues (#1102355) - Renamed gnutls-1.4.1-cve-2014-5138.patch to cve-2009-5138.patch | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2014-0594 CVE-2014-3466 CVE-2014-3467 CVE-2014-3468 CVE-2014-3469 | Version: | 4 |
Platform(s): | Oracle Linux 5 | Product(s): | gnutls |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:27097 | |||
Oval ID: | oval:org.mitre.oval:def:27097 | ||
Title: | ELSA-2014-0687 -- libtasn1 security update (moderate) | ||
Description: | [3.3-5] - Added missing check for null pointer (#1102338) [3.3-4] - Fix multiple decoding issues (#1102338) | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2014-0687 CVE-2014-3467 CVE-2014-3468 CVE-2014-3469 | Version: | 3 |
Platform(s): | Oracle Linux 7 | Product(s): | libtasn1 |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:27099 | |||
Oval ID: | oval:org.mitre.oval:def:27099 | ||
Title: | DEPRECATED: ELSA-2014-0596 -- libtasn1 security update (moderate) | ||
Description: | [2.3-6] - added check for null pointer (#1102336) [2.3-5] - fix various DER decoding issues (#1102336) [2.3-4] - fix CVE-2012-1569 - missing length check when decoding DER lengths (#804920) | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2014-0596 CVE-2014-3467 CVE-2014-3468 CVE-2014-3469 | Version: | 4 |
Platform(s): | Oracle Linux 6 | Product(s): | libtasn1 |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:27230 | |||
Oval ID: | oval:org.mitre.oval:def:27230 | ||
Title: | DSA-3056-1 libtasn1-3 - security update | ||
Description: | Several vulnerabilities were discovered in libtasn1-3, a library that manages ASN1 (Abstract Syntax Notation One) structures. An attacker could use those to cause a denial-of-service via out-of-bounds access or NULL pointer dereference. | ||
Family: | unix | Class: | patch |
Reference(s): | DSA-3056-1 CVE-2014-3467 CVE-2014-3468 CVE-2014-3469 | Version: | 3 |
Platform(s): | Debian GNU/Linux 7.0 Debian GNU/kFreeBSD 7.0 | Product(s): | libtasn1-3 |
Definition Synopsis: | |||
|
CPE : Common Platform Enumeration
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2015-03-30 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2015-116.nasl - Type : ACT_GATHER_INFO |
2015-03-26 | Name : The remote Debian host is missing a security update. File : debian_DLA-77.nasl - Type : ACT_GATHER_INFO |
2015-01-19 | Name : The remote Solaris system is missing a security patch for third-party software. File : solaris11_libtasn1_20140715.nasl - Type : ACT_GATHER_INFO |
2015-01-19 | Name : The remote Solaris system is missing a security patch for third-party software. File : solaris11_gnutls_20141120.nasl - Type : ACT_GATHER_INFO |
2014-11-11 | Name : The remote Red Hat host is missing a security update. File : redhat-RHSA-2014-0815.nasl - Type : ACT_GATHER_INFO |
2014-10-27 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-3056.nasl - Type : ACT_GATHER_INFO |
2014-10-12 | Name : The remote Amazon Linux AMI host is missing a security update. File : ala_ALAS-2014-359.nasl - Type : ACT_GATHER_INFO |
2014-08-30 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-201408-09.nasl - Type : ACT_GATHER_INFO |
2014-07-30 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2014-0687.nasl - Type : ACT_GATHER_INFO |
2014-07-24 | Name : The remote SuSE 11 host is missing one or more security updates. File : suse_11_libtasn1-140717.nasl - Type : ACT_GATHER_INFO |
2014-07-24 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2014-0687.nasl - Type : ACT_GATHER_INFO |
2014-07-23 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-2294-1.nasl - Type : ACT_GATHER_INFO |
2014-06-10 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2014-107.nasl - Type : ACT_GATHER_INFO |
2014-06-10 | Name : The remote Fedora host is missing a security update. File : fedora_2014-6919.nasl - Type : ACT_GATHER_INFO |
2014-06-06 | Name : The remote Slackware host is missing a security update. File : Slackware_SSA_2014-156-02.nasl - Type : ACT_GATHER_INFO |
2014-06-06 | Name : The remote Slackware host is missing a security update. File : Slackware_SSA_2014-156-01.nasl - Type : ACT_GATHER_INFO |
2014-06-05 | Name : The remote SuSE 11 host is missing one or more security updates. File : suse_11_gnutls-140603.nasl - Type : ACT_GATHER_INFO |
2014-06-05 | Name : The remote Fedora host is missing a security update. File : fedora_2014-6895.nasl - Type : ACT_GATHER_INFO |
2014-06-05 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2014-0596.nasl - Type : ACT_GATHER_INFO |
2014-06-05 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2014-0594.nasl - Type : ACT_GATHER_INFO |
2014-06-04 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2014-0594.nasl - Type : ACT_GATHER_INFO |
2014-06-04 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20140603_libtasn1_on_SL6_x.nasl - Type : ACT_GATHER_INFO |
2014-06-04 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20140603_gnutls_on_SL5_x.nasl - Type : ACT_GATHER_INFO |
2014-06-04 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2014-0596.nasl - Type : ACT_GATHER_INFO |
2014-06-04 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2014-0594.nasl - Type : ACT_GATHER_INFO |
2014-06-04 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2014-0596.nasl - Type : ACT_GATHER_INFO |
Sources (Detail)
Alert History
Date | Informations |
---|---|
2024-11-28 12:40:52 |
|
2021-05-05 01:15:52 |
|
2021-05-04 12:33:36 |
|
2021-04-22 01:40:56 |
|
2020-11-16 17:22:46 |
|
2020-05-23 01:52:08 |
|
2020-05-23 00:41:03 |
|
2019-04-22 21:19:10 |
|
2017-12-29 09:22:05 |
|
2017-01-07 09:25:35 |
|
2016-06-28 22:50:54 |
|
2016-04-27 00:50:38 |
|
2015-04-10 09:26:16 |
|
2015-03-31 13:28:28 |
|
2015-03-27 13:28:09 |
|
2015-01-21 13:26:50 |
|
2014-11-14 13:27:55 |
|
2014-11-12 13:27:11 |
|
2014-11-05 13:28:32 |
|
2014-10-28 13:24:53 |
|
2014-10-12 13:27:19 |
|
2014-08-31 13:25:12 |
|
2014-08-01 09:22:30 |
|
2014-07-31 13:25:21 |
|
2014-07-25 13:21:50 |
|
2014-07-24 13:25:31 |
|
2014-06-18 09:24:46 |
|
2014-06-11 13:24:39 |
|
2014-06-11 05:25:07 |
|
2014-06-07 13:23:22 |
|
2014-06-06 21:23:24 |
|
2014-06-06 13:28:13 |
|
2014-06-06 05:19:52 |
|