CVE-2014-3488

The SslHandler in Netty before 3.9.2 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted SSLv2Hello message.

CVSS v2.0 5.0 MEDIUM

5.0^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:N/C:N/I:N/A:P

Exploitability : 10.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact PARTIAL

References

Link	Resource
http://netty.io/news/2014/06/11/3-9-2-Final.html	Vendor Advisory
http://secunia.com/advisories/59196
https://github.com/netty/netty/commit/2fa9400a59d0563a66908aba55c41e7285a04994
https://github.com/netty/netty/issues/2562	Exploit Patch
https://lists.debian.org/debian-lts-announce/2020/02/msg00018.html

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:netty:netty::::::::
	cpe:2.3:a:netty:netty:3.6.0:::::::*
	cpe:2.3:a:netty:netty:3.6.1:::::::*
	cpe:2.3:a:netty:netty:3.6.2:::::::*
	cpe:2.3:a:netty:netty:3.6.3:::::::*
	cpe:2.3:a:netty:netty:3.6.4:::::::*
	cpe:2.3:a:netty:netty:3.6.5:::::::*
	cpe:2.3:a:netty:netty:3.6.6:::::::*
	cpe:2.3:a:netty:netty:3.6.7:::::::*
	cpe:2.3:a:netty:netty:3.6.8:::::::*
	cpe:2.3:a:netty:netty:3.7.0:::::::*
	cpe:2.3:a:netty:netty:3.8.0:::::::*
	cpe:2.3:a:netty:netty:3.8.1:::::::*
	cpe:2.3:a:netty:netty:3.9.0:::::::*
	cpe:2.3:a:netty:netty:3.9.1:::::::*

History

No history.

Information

Published : 2014-07-31 14:55

Updated : 2023-12-10 11:31

NVD link : CVE-2014-3488

Mitre link : CVE-2014-3488

CVE.ORG link : CVE-2014-3488

JSON object : View

Products Affected

netty

netty

CWE

CWE-119

Improper Restriction of Operations within the Bounds of a Memory Buffer

{"id": "CVE-2014-3488", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "published": "2014-07-31T14:55:02.910", "references": [{"url": "http://netty.io/news/2014/06/11/3-9-2-Final.html", "tags": ["Vendor Advisory"], "source": "secalert@redhat.com"}, {"url": "http://secunia.com/advisories/59196", "source": "secalert@redhat.com"}, {"url": "https://github.com/netty/netty/commit/2fa9400a59d0563a66908aba55c41e7285a04994", "source": "secalert@redhat.com"}, {"url": "https://github.com/netty/netty/issues/2562", "tags": ["Exploit", "Patch"], "source": "secalert@redhat.com"}, {"url": "https://lists.debian.org/debian-lts-announce/2020/02/msg00018.html", "source": "secalert@redhat.com"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-119"}]}], "descriptions": [{"lang": "en", "value": "The SslHandler in Netty before 3.9.2 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted SSLv2Hello message."}, {"lang": "es", "value": "SslHandler en Netty anterior a 3.9.2 permite a atacantes remotos causar una denegaci\u00f3n de servicio (bucle infinito y consumo de CPU) a trav\u00e9s de un mensaje SSLv2Hello manipulado."}], "lastModified": "2020-02-19T20:15:12.863", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:netty:netty:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C25A1DCE-E327-4BB4-9689-FCFEC8D605EA", "versionEndIncluding": "3.9.1.1"}, {"criteria": "cpe:2.3:a:netty:netty:3.6.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F3EEBC0F-815E-4F66-B9B4-1256AAAB03A7"}, {"criteria": "cpe:2.3:a:netty:netty:3.6.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "140919D1-2868-4F11-8421-5CA35A3FFCA0"}, {"criteria": "cpe:2.3:a:netty:netty:3.6.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "28C7EA90-B934-438B-9705-5B53B0F3D09C"}, {"criteria": "cpe:2.3:a:netty:netty:3.6.3:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6C1DCF99-CBB1-4FD2-B073-B91A2DD27290"}, {"criteria": "cpe:2.3:a:netty:netty:3.6.4:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E4EA1D52-61D5-4448-BA64-0D9A8FFFE173"}, {"criteria": "cpe:2.3:a:netty:netty:3.6.5:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2CFB08C8-9021-4C26-B8B8-A2C07EB4BB83"}, {"criteria": "cpe:2.3:a:netty:netty:3.6.6:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C3707350-D658-485E-A136-04AF3ED7AF4E"}, {"criteria": "cpe:2.3:a:netty:netty:3.6.7:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8D4831E7-1F30-4AEA-82D8-E703701DC8B4"}, {"criteria": "cpe:2.3:a:netty:netty:3.6.8:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7CE508BE-00C4-4304-BA92-063129C2B6E5"}, {"criteria": "cpe:2.3:a:netty:netty:3.7.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3876968E-7B85-4149-BF6B-488D32A7B2B7"}, {"criteria": "cpe:2.3:a:netty:netty:3.8.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2C365439-029C-4F5F-ADB2-0153DD4965B2"}, {"criteria": "cpe:2.3:a:netty:netty:3.8.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "CAECE2B6-DD9F-4FEC-B15F-EA99BF716390"}, {"criteria": "cpe:2.3:a:netty:netty:3.9.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "9879F5B0-DF82-470F-A028-1B69BFB67FB9"}, {"criteria": "cpe:2.3:a:netty:netty:3.9.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "32DFF597-4F5A-44E1-BB82-F5DF7942F6AC"}], "operator": "OR"}]}], "sourceIdentifier": "secalert@redhat.com"}