=== {{anchor|CVE-2014-0224}}CCS injection vulnerability ===
The CCS Injection Vulnerability ({{CVE|2014-0224}}) is a security bypass vulnerability that results from a weakness in OpenSSL methods used for keying material.<ref>{{cite web |url=http://www.cyberoam.com/blog/openssl-continues-to-bleed-out-more-flaws-more-critical-vulnerabilities-found/ |title=OpenSSL continues to bleed out more flaws – more critical vulnerabilities found |year=2014 |publisher=Cyberoam Threat Research Labs |access-date=2014-06-13 |archive-url=https://web.archive.org/web/20140619034859/http://www.cyberoam.com/blog/openssl-continues-to-bleed-out-more-flaws-more-critical-vulnerabilities-found/ |archive-date=2014-06-19 |url-status=dead |df=mdy-all}}</ref>

This vulnerability can be exploited through the use of a man-in-the-middle attack,<ref>{{cite web |url=https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0224 |title=CVE-2014-0224 |year=2014 |publisher=CVE |access-date=June 13, 2014 |archive-date=August 1, 2014 |archive-url=https://web.archive.org/web/20140801203134/https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0224 |url-status=live}}</ref> where an attacker may be able to decrypt and modify traffic in transit. A remote unauthenticated attacker could exploit this vulnerability by using a specially crafted handshake to force the use of weak keying material. Successful exploitation could lead to a security bypass condition where an attacker could gain access to potentially sensitive information. The attack can only be performed between a vulnerable client ''and'' server.

OpenSSL clients are vulnerable in all versions of OpenSSL before the versions 0.9.8za, 1.0.0m and 1.0.1h. Servers are only known to be vulnerable in OpenSSL 1.0.1 and 1.0.2-beta1. Users of OpenSSL servers earlier than 1.0.1 are advised to upgrade as a precaution.<ref>{{cite web |url=https://www.openssl.org/news/secadv_20140605.txt |title=OpenSSL Security Advisory |date=5 June 2014 |publisher=OpenSSL |df=mdy-all |access-date=June 13, 2014 |archive-date=April 30, 2024 |archive-url=https://web.archive.org/web/20240430142011/https://www.openssl.org/news/secadv_20140605.txt |url-status=dead}}</ref>
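
The version ranges above can be turned into an inventory check that handles OpenSSL's letter suffixes (where <code>za</code> sorts after <code>z</code>). This is an added example, not OpenSSL project code: the function names are hypothetical, and reading the server statement "1.0.1" as the 1.0.1 branch before 1.0.1h is an assumption.

```python
import re

# Fixed release letter per branch, taken from the section above.
FIXED = {(0, 9, 8): "za", (1, 0, 0): "m", (1, 0, 1): "h"}

# e.g. "0.9.8za", "1.0.1g", "1.0.2-beta1", "1.0.1e-fips"
_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(z[a-z]|[a-z])?(?:-(\w+))?$")


def letter_rank(letters):
    """Order patch letters: '' < a < ... < z < za < zb < ..."""
    return sum(ord(ch) - ord("a") + 1 for ch in letters)


def parse(version):
    """Split a version string into (branch tuple, letter rank, tag)."""
    m = _VERSION.match(version.strip().lower())
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {version!r}")
    branch = tuple(int(x) for x in m.group(1, 2, 3))
    return branch, letter_rank(m.group(4) or ""), m.group(5)


def ccs_exposure(version):
    """Return (client_vulnerable, server_known_vulnerable).

    client is None when the section gives no fixed release for the branch.
    server False means "not known to be vulnerable"; the section still
    advises upgrading servers earlier than 1.0.1 as a precaution.
    """
    branch, rank, tag = parse(version)
    if branch in FIXED:
        fixed = rank >= letter_rank(FIXED[branch])
        # Assumption: the server statement "1.0.1" means 1.0.1 up to 1.0.1g.
        return (not fixed, branch == (1, 0, 1) and not fixed)
    if branch < (0, 9, 8):
        # "All versions before 0.9.8za" covers older branches too.
        return (True, False)
    # Newer branches: only the 1.0.2-beta1 server is named in the section.
    return (None, branch == (1, 0, 2) and tag == "beta1")


if __name__ == "__main__":
    # Constructed sample inventory.
    for v in ["0.9.8y", "0.9.8za", "1.0.0l", "1.0.1g", "1.0.1h", "1.0.2-beta1"]:
        print(v, ccs_exposure(v))
```

Because the attack requires a vulnerable client ''and'' server, a connection is exposed only when both endpoints report <code>True</code> for their respective role.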