CVE-2014-0224: Weak Encryption

Published Jun 2, 2014
·
Updated

It was found that OpenSSL was vulnerable to a SSL/TLS MITM vulnerability. An attacker using a carefully crafted handshake can force the use of weak keying material in OpenSSL SSL/TLS clients and servers. This can be exploited by a Man-in-the-middle (MITM) attack where the attacker can decrypt and modify traffic from the attacked client and server. As per the upstream advisory: The attack can only be performed between a vulnerable client *and* server. OpenSSL clients are vulnerable in all versions of OpenSSL. Servers are only known to be vulnerable in OpenSSL 1.0.1 and 1.0.2-beta1. Users of OpenSSL servers earlier than 1.0.1 are advised to upgrade as a precaution. OpenSSL 0.9.8 SSL/TLS users (client and/or server) should upgrade to 0.9.8za. OpenSSL 1.0.0 SSL/TLS users (client and/or server) should upgrade to 1.0.0m. OpenSSL 1.0.1 SSL/TLS users (client and/or server) should upgrade to 1.0.1h. Acknowledgements: Red Hat would like to thank the OpenSSL project for reporting this issue. Upstream acknowledges KIKUCHI Masashi of Lepidum as the original reporter of this issue.

Affected Software

38 affected componentsFixes available
redhat/openssl<1.0.1
1.0.1
redhat/openssl<0.9.8
0.9.8
OpenSSL OpenSSL<0.9.8za
OpenSSL OpenSSL>=1.0.0<1.0.0m
OpenSSL OpenSSL>=1.0.1<1.0.1h
redhat JBoss Enterprise Application Platform=5.2.0
redhat JBoss Enterprise Application Platform=6.2.3
redhat Jboss Enterprise Web Platform=5.2.0
redhat Jboss Enterprise Web Server=2.0.1
redhat Storage=2.1
Fedoraproject Fedora=19
Fedoraproject Fedora=20
openSUSE openSUSE=13.1
openSUSE openSUSE=13.2
redhat Enterprise Linux=4
redhat Enterprise Linux=5
redhat Enterprise Linux=6.0
Filezilla-project Filezilla Server<0.9.45
All of the following
Siemens Application Processing Engine Firmware<2.0.2
Siemens Application Processing Engine
All of the following
Siemens Cp1543-1 Firmware<1.1.25
Siemens Cp1543-1
All of the following
Siemens S7-1500 Firmware<1.6
Siemens S7-1500
All of the following
Siemens Rox Firmware<1.16.1
Siemens Rox
MariaDB MariaDB>=10.0.0<10.0.13
Python Python>=2.7.0<2.7.8
Python Python>=3.4.0<3.4.2
Nodejs Node.js<0.10.29
Siemens Application Processing Engine Firmware<2.0.2
Siemens Application Processing Engine
Siemens Cp1543-1 Firmware<1.1.25
Siemens Cp1543-1
Siemens S7-1500 Firmware<1.6
Siemens S7-1500
Siemens Rox Firmware<1.16.1
Siemens Rox

Remediation

Patch Available

http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html

Patch Available

http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html

Patch Available

http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html

Patch Available

http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html

Patch Available

https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=bc8923b1ec9c467755cd86f7848c50ee8812e441

Event History

Jun 2, 2014
Data Sourced
via Red Hat·07:17 AM
DescriptionSeverityAffected Software
Jun 5, 2014
CVE Published
via MITRE·09:00 PM
Data Sourced
via MITRE·09:00 PM
Description
Data Sourced
via NVD·09:55 PM
RemedyDescriptionSeverityWeaknessAffected Software
Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Frequently Asked Questions

1

What is the severity of CVE-2014-0224?

CVE-2014-0224 is classified as a high severity vulnerability due to its potential to allow Man-in-the-Middle attacks and decrypt sensitive information.

2

How do I fix CVE-2014-0224?

To mitigate CVE-2014-0224, upgrade OpenSSL to version 1.0.1h or later, or 0.9.8za or later if using that version.

3

What systems are affected by CVE-2014-0224?

CVE-2014-0224 affects various OpenSSL versions, including 0.9.8 and 1.0.1, as well as dependent applications like Red Hat's JBoss platforms.

4

What type of attack does CVE-2014-0224 facilitate?

CVE-2014-0224 allows attackers to perform Man-in-the-Middle (MITM) attacks by exploiting weak keying materials negotiated during SSL/TLS handshakes.

5

Is it safe to use OpenSSL versions prior to 1.0.1h after CVE-2014-0224?

No, using OpenSSL versions prior to 1.0.1h poses significant security risks due to the vulnerabilities highlighted in CVE-2014-0224.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203