Executive Summary

Information | | | |
---|---|---|---|
Name | CVE-2014-8564 | First vendor publication | 2014-11-13 |
Vendor | Cve | Last vendor modification | 2018-10-30 |
Security-Database Scoring CVSS v3

CVSS vector: N/A. No CVSS v3 vector has been published for this entry; the overall, base, impact, exploitability, temporal and environmental scores are all NA.
Security-Database Scoring CVSS v2

CVSS vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

Metric | Score | Metric | Value |
---|---|---|---|
CVSS Base Score | 5.0 | Attack Range | Network |
CVSS Impact Score | 2.9 | Attack Complexity | Low |
CVSS Exploit Score | 10.0 | Authentication | None Required |

Note that this v2 vector scores availability impact only (C:N/I:N/A:P), whereas the Red Hat and Ubuntu advisories quoted under OVAL Definitions below describe the same out-of-bounds write as possibly leading to arbitrary code execution.
Detail

The _gnutls_ecc_ansi_x963_export function in gnutls_ecc.c in GnuTLS 3.x before 3.1.28, 3.2.x before 3.2.20, and 3.3.x before 3.3.10 allows remote attackers to cause a denial of service (out-of-bounds write) via a crafted (1) Elliptic Curve Cryptography (ECC) certificate or (2) certificate signing request (CSR), related to generating key IDs.
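The weakness class behind this entry, as an added illustration rather than GnuTLS source: an ANSI X9.63 uncompressed-point export writes 0x04 followed by X and Y, each coordinate right-aligned in a field whose width comes from the curve. If the coordinate parsed from a certificate or CSR carries more significant bytes than the field, the start offset (field width minus coordinate size) goes negative and the copy lands outside the output buffer. The hardened export below refuses such a coordinate before writing anything, which is the shape of check this kind of code needs. The bignum_t type, the function names and the constructed 32-byte and 33-byte coordinates are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy stand-in for a library big integer: big-endian magnitude bytes that
 * may carry leading zeros. Hypothetical type for this example, not GnuTLS's. */
typedef struct {
    const uint8_t *bytes;
    size_t len;
} bignum_t;

/* Significant byte count, the equivalent of (nbits + 7) / 8. */
static size_t bn_byte_size(bignum_t n)
{
    size_t lead = 0;
    while (lead < n.len && n.bytes[lead] == 0)
        lead++;
    return n.len - lead;
}

/* Copy the significant bytes of n to dst, which must hold bn_byte_size(n) bytes. */
static void bn_write(bignum_t n, uint8_t *dst)
{
    size_t sz = bn_byte_size(n);
    memcpy(dst, n.bytes + (n.len - sz), sz);
}

/* The unchecked arithmetic of the vulnerable pattern: a coordinate is
 * right-aligned in a numlen-byte field, so the copy starts at offset
 * numlen - byte_size within that field. Nothing is written here; the
 * function only reports where the copy would start so the out-of-bounds
 * case can be inspected without corrupting memory. A negative offset means
 * the write begins before the field and, being byte_size long, also runs
 * past its end. */
static long unchecked_write_start(size_t numlen, bignum_t coord, size_t *write_len)
{
    *write_len = bn_byte_size(coord);
    return (long)numlen - (long)*write_len;
}

/* Hardened export of an uncompressed point as 0x04 || X || Y, each
 * coordinate zero-padded on the left to numlen bytes (the curve's field
 * size). Returns 0 on success, -1 for an unusable buffer, -2 when a
 * coordinate has more significant bytes than the field: that is the check
 * whose absence lets attacker-sized coordinates write outside out[]. */
static int x963_export(size_t numlen, bignum_t x, bignum_t y,
                       uint8_t *out, size_t outlen)
{
    if (numlen == 0 || outlen < 1 + 2 * numlen)
        return -1;
    size_t xs = bn_byte_size(x), ys = bn_byte_size(y);
    if (xs > numlen || ys > numlen)
        return -2;
    memset(out, 0, 1 + 2 * numlen);
    out[0] = 0x04;
    bn_write(x, out + 1 + (numlen - xs));
    bn_write(y, out + 1 + numlen + (numlen - ys));
    return 0;
}

/* Constructed inputs for a 32-byte field, the coordinate size of P-256. */
static const uint8_t X_OK[32]  = { 0x01, 0x02, 0x03 }; /* 32 significant bytes */
static const uint8_t Y_OK[32]  = { 0x00, 0x7f };       /* 31: gets one pad byte */
static const uint8_t Y_BIG[33] = { 0x01, 0x02 };       /* 33: does not fit */

/* Well-formed point: export succeeds and the byte at out[idx] is returned
 * (-1 if the export fails or idx is outside the 65-byte encoding). */
static int demo_valid_byte(size_t idx)
{
    uint8_t out[65];
    bignum_t x = { X_OK, sizeof X_OK }, y = { Y_OK, sizeof Y_OK };
    if (idx >= sizeof out || x963_export(32, x, y, out, sizeof out) != 0)
        return -1;
    return out[idx];
}

/* Crafted point with an oversized Y: the hardened export refuses it. */
static int demo_oversized_rc(void)
{
    uint8_t out[65];
    bignum_t x = { X_OK, sizeof X_OK }, y = { Y_BIG, sizeof Y_BIG };
    return x963_export(32, x, y, out, sizeof out);
}

/* Where the unchecked arithmetic would have started copying that Y, and
 * how many bytes it would have copied. */
static long demo_unchecked_start(void)
{
    size_t len;
    bignum_t y = { Y_BIG, sizeof Y_BIG };
    return unchecked_write_start(32, y, &len);
}

static size_t demo_unchecked_len(void)
{
    size_t len;
    bignum_t y = { Y_BIG, sizeof Y_BIG };
    (void)unchecked_write_start(32, y, &len);
    return len;
}

int main(void)
{
    printf("valid point: out[0]=0x%02x out[1]=0x%02x out[33]=0x%02x out[34]=0x%02x\n",
           demo_valid_byte(0), demo_valid_byte(1), demo_valid_byte(33), demo_valid_byte(34));
    printf("oversized Y: export rc=%d (rejected before any write)\n", demo_oversized_rc());
    printf("unchecked code would copy %zu bytes starting at offset %ld of a 32-byte field\n",
           demo_unchecked_len(), demo_unchecked_start());
    return 0;
}
```

The size check has to run against the coordinate actually parsed from the input, not against the curve the certificate claims: the curve only determines how wide the field is, while the attacker controls how many bytes the coordinate carries.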
Original Source

URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8564
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
100 % | CWE-310 | Cryptographic Issues |
OVAL Definitions

Definition Id: oval:org.mitre.oval:def:27895

Field | Value |
---|---|
Oval ID | oval:org.mitre.oval:def:27895 |
Title | RHSA-2014:1846 -- gnutls security update (Moderate) |
Description | The GnuTLS library provides support for cryptographic algorithms and for protocols such as Transport Layer Security (TLS). The gnutls packages also include the libtasn1 library, which provides Abstract Syntax Notation One (ASN.1) parsing and structures management, and Distinguished Encoding Rules (DER) encoding and decoding functions. An out-of-bounds memory write flaw was found in the way GnuTLS parsed certain ECC (Elliptic Curve Cryptography) certificates or certificate signing requests (CSR). A malicious user could create a specially crafted ECC certificate or a certificate signing request that, when processed by an application compiled against GnuTLS (for example, certtool), could cause that application to crash or execute arbitrary code with the permissions of the user running the application. (CVE-2014-8564) Red Hat would like to thank GnuTLS upstream for reporting this issue. Upstream acknowledges Sean Burford as the original reporter. All gnutls users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. For the update to take effect, all applications linked to the GnuTLS or libtasn1 library must be restarted. |
Family | unix |
Class | patch |
Reference(s) | RHSA-2014:1846, CESA-2014:1846, CVE-2014-8564 |
Version | 3 |
Platform(s) | Red Hat Enterprise Linux 7, CentOS Linux 7 |
Product(s) | gnutls |

Definition Id: oval:org.mitre.oval:def:28182

Field | Value |
---|---|
Oval ID | oval:org.mitre.oval:def:28182 |
Title | ELSA-2014-1846 -- gnutls security update (moderate) |
Description | [3.1.18-10] - Applied fix for CVE-2014-8564 (#1161472) |
Family | unix |
Class | patch |
Reference(s) | ELSA-2014-1846, CVE-2014-8564 |
Version | 3 |
Platform(s) | Oracle Linux 7 |
Product(s) | gnutls |

Definition Id: oval:org.mitre.oval:def:28289

Field | Value |
---|---|
Oval ID | oval:org.mitre.oval:def:28289 |
Title | USN-2403-1 -- GnuTLS vulnerability |
Description | Sean Burford discovered that GnuTLS incorrectly handled printing certain elliptic curve parameters. A malicious remote server or client could use this issue to cause GnuTLS to crash, resulting in a denial of service, or possibly execute arbitrary code. |
Family | unix |
Class | patch |
Reference(s) | USN-2403-1, CVE-2014-8564 |
Version | 5 |
Platform(s) | Ubuntu 14.10 |
Product(s) | gnutls28 |

Definition Id: oval:org.mitre.oval:def:28685

Field | Value |
---|---|
Oval ID | oval:org.mitre.oval:def:28685 |
Title | SUSE-SU-2014:1628-1 -- Security update for gnutls (moderate) |
Description | gnutls was updated to fix one security issue. - Fixed parsing problem in elliptic curve blobs over TLS that could lead to remote crashes (CVE-2014-8564). |
Family | unix |
Class | patch |
Reference(s) | SUSE-SU-2014:1628-1, CVE-2014-8564 |
Version | 3 |
Platform(s) | SUSE Linux Enterprise Server 12, SUSE Linux Enterprise Desktop 12 |
Product(s) | gnutls |
Nessus® Vulnerability Scanner

Date | Name | File | Type |
---|---|---|---|
2015-05-20 | The remote SUSE host is missing one or more security updates. | suse_SU-2014-1628-1.nasl | ACT_GATHER_INFO |
2015-03-30 | The remote Mandriva Linux host is missing one or more security updates. | mandriva_MDVSA-2015-072.nasl | ACT_GATHER_INFO |
2014-11-24 | The remote openSUSE host is missing a security update. | openSUSE-2014-696.nasl | ACT_GATHER_INFO |
2014-11-20 | The remote Mandriva Linux host is missing one or more security updates. | mandriva_MDVSA-2014-215.nasl | ACT_GATHER_INFO |
2014-11-17 | The remote Fedora host is missing a security update. | fedora_2014-14734.nasl | ACT_GATHER_INFO |
2014-11-14 | The remote Fedora host is missing a security update. | fedora_2014-14760.nasl | ACT_GATHER_INFO |
2014-11-13 | The remote CentOS host is missing one or more security updates. | centos_RHSA-2014-1846.nasl | ACT_GATHER_INFO |
2014-11-13 | The remote Oracle Linux host is missing one or more security updates. | oraclelinux_ELSA-2014-1846.nasl | ACT_GATHER_INFO |
2014-11-13 | The remote Scientific Linux host is missing one or more security updates. | sl_20141112_gnutls_on_SL7_x.nasl | ACT_GATHER_INFO |
2014-11-12 | The remote Red Hat host is missing one or more security updates. | redhat-RHSA-2014-1846.nasl | ACT_GATHER_INFO |
2014-11-12 | The remote Ubuntu host is missing one or more security-related patches. | ubuntu_USN-2403-1.nasl | ACT_GATHER_INFO |
Alert History

Date | Information |
---|---|
2021-05-04 12:34:56 | |
2021-04-22 01:42:32 | |
2020-05-23 00:42:45 | |
2018-10-31 00:20:40 | |
2018-01-26 12:05:50 | |
2016-09-08 17:21:58 | |
2016-04-27 01:26:09 | |
2015-05-21 13:31:49 | |
2015-03-31 13:29:01 | |
2014-12-03 09:27:50 | |
2014-11-26 13:28:24 | |
2014-11-21 13:25:14 | |
2014-11-19 21:28:37 | |
2014-11-18 13:26:09 | |
2014-11-15 13:25:58 | |
2014-11-14 21:27:49 | |
2014-11-14 13:26:30 | |
2014-11-13 21:25:37 | |