// For flags

CVE-2014-3508

openssl: information leak in pretty printing functions

Severity Score

4.3
*CVSS v2

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

The OBJ_obj2txt function in crypto/objects/obj_dat.c in OpenSSL 0.9.8 before 0.9.8zb, 1.0.0 before 1.0.0n, and 1.0.1 before 1.0.1i, when pretty printing is used, does not ensure the presence of '\0' characters, which allows context-dependent attackers to obtain sensitive information from process stack memory by reading output from X509_name_oneline, X509_name_print_ex, and unspecified other functions.

La función OBJ_obj2txt en crypto/objects/obj_dat.c en OpenSSL 0.9.8 anterior a 0.9.8zb, 1.0.0 anterior a 1.0.0n, y 1.0.1 anterior a 1.0.1i, cuando 'pretty printing' está utilizado, no asegura la presencia de caracteres '\0', lo que permite a atacantes dependientes de contexto obtener información sensible de la memoria en pila del proceso mediante la lectura de salidas de X509_name_oneline, X509_name_print_ex, y otras funciones no especificadas.

It was discovered that the OBJ_obj2txt() function could fail to properly NUL-terminate its output. This could possibly cause an application using OpenSSL functions to format fields of X.509 certificates to disclose portions of its memory.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Medium
Authentication
None
Confidentiality
Partial
Integrity
None
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2014-05-14 CVE Reserved
  • 2014-08-06 CVE Published
  • 2024-08-06 CVE Updated
  • 2024-08-10 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CAPEC
References (71)
URL Tag Source
http://aix.software.ibm.com/aix/efixes/security/openssl_advisory10.asc X_refsource_confirm
http://linux.oracle.com/errata/ELSA-2014-1052.html X_refsource_confirm
http://linux.oracle.com/errata/ELSA-2014-1053.html X_refsource_confirm
http://secunia.com/advisories/58962 Third Party Advisory
http://secunia.com/advisories/59221 Third Party Advisory
http://secunia.com/advisories/59700 Third Party Advisory
http://secunia.com/advisories/59710 Third Party Advisory
http://secunia.com/advisories/59743 Third Party Advisory
http://secunia.com/advisories/59756 Third Party Advisory
http://secunia.com/advisories/60022 Third Party Advisory
http://secunia.com/advisories/60221 Third Party Advisory
http://secunia.com/advisories/60410 Third Party Advisory
http://secunia.com/advisories/60493 Third Party Advisory
http://secunia.com/advisories/60684 Third Party Advisory
http://secunia.com/advisories/60687 Third Party Advisory
http://secunia.com/advisories/60778 Third Party Advisory
http://secunia.com/advisories/60803 Third Party Advisory
http://secunia.com/advisories/60824 Third Party Advisory
http://secunia.com/advisories/60861 Third Party Advisory
http://secunia.com/advisories/60917 Third Party Advisory
http://secunia.com/advisories/60921 Third Party Advisory
http://secunia.com/advisories/60938 Third Party Advisory
http://secunia.com/advisories/61017 Third Party Advisory
http://secunia.com/advisories/61100 Third Party Advisory
http://secunia.com/advisories/61171 Third Party Advisory
http://secunia.com/advisories/61184 Third Party Advisory
http://secunia.com/advisories/61214 Third Party Advisory
http://secunia.com/advisories/61250 Third Party Advisory
http://secunia.com/advisories/61392 Third Party Advisory
http://secunia.com/advisories/61775 Third Party Advisory
http://secunia.com/advisories/61959 Third Party Advisory
http://support.f5.com/kb/en-us/solutions/public/15000/500/sol15571.html X_refsource_confirm
http://www-01.ibm.com/support/docview.wss?uid=nas8N1020240 X_refsource_confirm
http://www-01.ibm.com/support/docview.wss?uid=swg21681752 X_refsource_confirm
http://www-01.ibm.com/support/docview.wss?uid=swg21682293 X_refsource_confirm
http://www-01.ibm.com/support/docview.wss?uid=swg21683389 X_refsource_confirm
http://www-01.ibm.com/support/docview.wss?uid=swg21686997 X_refsource_confirm
http://www.huawei.com/en/security/psirt/security-bulletins/security-advisories/hw-372998.htm X_refsource_confirm
http://www.securityfocus.com/bid/69075 Vdb Entry
http://www.securitytracker.com/id/1030693 Vdb Entry
http://www.tenable.com/security/tns-2014-06 X_refsource_confirm
https://blogs.oracle.com/sunsecurity/entry/cve_2014_3508_information_disclosure X_refsource_confirm
https://exchange.xforce.ibmcloud.com/vulnerabilities/95165 Vdb Entry
https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commit%3Bh=0042fb5fd1c9d257d713b15a1f45da05cf5c1c87 X_refsource_confirm
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05150888 X_refsource_confirm
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05158380 X_refsource_confirm
https://lists.balabit.hu/pipermail/syslog-ng-announce/2014-September/000196.html Mailing List
https://support.citrix.com/article/CTX216642 X_refsource_confirm
URL Date SRC
URL Date SRC
URL Date SRC
ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2014-008.txt.asc 2023-11-07
http://lists.fedoraproject.org/pipermail/package-announce/2014-August/136470.html 2023-11-07
http://lists.fedoraproject.org/pipermail/package-announce/2014-August/136473.html 2023-11-07
http://lists.opensuse.org/opensuse-security-announce/2015-03/msg00027.html 2023-11-07
http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00011.html 2023-11-07
http://lists.opensuse.org/opensuse-updates/2014-08/msg00036.html 2023-11-07
http://marc.info/?l=bugtraq&m=140853041709441&w=2 2023-11-07
http://marc.info/?l=bugtraq&m=140973896703549&w=2 2023-11-07
http://marc.info/?l=bugtraq&m=141077370928502&w=2 2023-11-07
http://marc.info/?l=bugtraq&m=142495837901899&w=2 2023-11-07
http://marc.info/?l=bugtraq&m=142624590206005&w=2 2023-11-07
http://marc.info/?l=bugtraq&m=142660345230545&w=2 2023-11-07
http://marc.info/?l=bugtraq&m=142791032306609&w=2 2023-11-07
http://marc.info/?l=bugtraq&m=143290437727362&w=2 2023-11-07
http://marc.info/?l=bugtraq&m=143290522027658&w=2 2023-11-07
http://rhn.redhat.com/errata/RHSA-2014-1256.html 2023-11-07
http://rhn.redhat.com/errata/RHSA-2014-1297.html 2023-11-07
http://www.debian.org/security/2014/dsa-2998 2023-11-07
http://www.mandriva.com/security/advisories?name=MDVSA-2014:158 2023-11-07
https://bugzilla.redhat.com/show_bug.cgi?id=1127490 2014-09-24
https://www.freebsd.org/security/advisories/FreeBSD-SA-14:18.openssl.asc 2023-11-07
https://www.openssl.org/news/secadv_20140806.txt 2023-11-07
https://access.redhat.com/security/cve/CVE-2014-3508 2014-09-24
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Openssl
Search vendor "Openssl"
Openssl
Search vendor "Openssl" for product "Openssl"
0.9.8
Search vendor "Openssl" for product "Openssl" and version "0.9.8"
-
Affected
Openssl
Search vendor "Openssl"
Openssl
Search vendor "Openssl" for product "Openssl"
0.9.8a
Search vendor "Openssl" for product "Openssl" and version "0.9.8a"
-
Affected
Openssl
Search vendor "Openssl"
Openssl
Search vendor "Openssl" for product "Openssl"
0.9.8b
Search vendor "Openssl" for product "Openssl" and version "0.9.8b"
-
Affected
Openssl
Search vendor "Openssl"
Openssl
Search vendor "Openssl" for product "Openssl"
0.9.8c
Search vendor "Openssl" for product "Openssl" and version "0.9.8c"
-
Affected
Openssl
Search vendor "Openssl"
Openssl
Search vendor "Openssl" for product "Openssl"
0.9.8d
Search vendor "Openssl" for product "Openssl" and version "0.9.8d"
-
Affected
Openssl
Search vendor "Openssl"
Openssl
Search vendor "Openssl" for product "Openssl"
0.9.8e
Search vendor "Openssl" for product "Openssl" and version "0.9.8e"
-
Affected
Openssl
Search vendor "Openssl"
Openssl
Search vendor "Openssl" for product "Openssl"
0.9.8f
Search vendor "Openssl" for product "Openssl" and version "0.9.8f"
-
Affected
Openssl
Search vendor "Openssl"
Openssl
Search vendor "Openssl" for product "Openssl"
0.9.8g
Search vendor "Openssl" for product "Openssl" and version "0.9.8g"
-
Affected
Openssl
Search vendor "Openssl"
Openssl
Search vendor "Openssl" for product "Openssl"
0.9.8h
Search vendor "Openssl" for product "Openssl" and version "0.9.8h"
-
Affected
Openssl
Search vendor "Openssl"
Openssl
Search vendor "Openssl" for product "Openssl"
0.9.8i
Search vendor "Openssl" for product "Openssl" and version "0.9.8i"
-
Affected
Openssl
Search vendor "Openssl"
Openssl
Search vendor "Openssl" for product "Openssl"
0.9.8j
Search vendor "Openssl" for product "Openssl" and version "0.9.8j"
-
Affected
Openssl
Search vendor "Openssl"
Openssl
Search vendor "Openssl" for product "Openssl"
0.9.8k
Search vendor "Openssl" for product "Openssl" and version "0.9.8k"
-
Affected
Openssl
Search vendor "Openssl"
Openssl
Search vendor "Openssl" for product "Openssl"
0.9.8l
Search vendor "Openssl" for product "Openssl" and version "0.9.8l"
-
Affected
Openssl
Search vendor "Openssl"
Openssl
Search vendor "Openssl" for product "Openssl"
0.9.8m
Search vendor "Openssl" for product "Openssl" and version "0.9.8m"
-
Affected
Openssl
Search vendor "Openssl"
Openssl
Search vendor "Openssl" for product "Openssl"
0.9.8m
Search vendor "Openssl" for product "Openssl" and version "0.9.8m"
beta1
Affected
Openssl
Search vendor "Openssl"
Openssl
Search vendor "Openssl" for product "Openssl"
0.9.8n
Search vendor "Openssl" for product "Openssl" and version "0.9.8n"
-
Affected
Openssl
Search vendor "Openssl"
Openssl
Search vendor "Openssl" for product "Openssl"
0.9.8o
Search vendor "Openssl" for product "Openssl" and version "0.9.8o"
-
Affected
Openssl
Search vendor "Openssl"
Openssl
Search vendor "Openssl" for product "Openssl"
0.9.8p
Search vendor "Openssl" for product "Openssl" and version "0.9.8p"
-
Affected
Openssl
Search vendor "Openssl"
Openssl
Search vendor "Openssl" for product "Openssl"
0.9.8q
Search vendor "Openssl" for product "Openssl" and version "0.9.8q"
-
Affected
Openssl
Search vendor "Openssl"
Openssl
Search vendor "Openssl" for product "Openssl"
0.9.8r
Search vendor "Openssl" for product "Openssl" and version "0.9.8r"
-
Affected
Openssl
Search vendor "Openssl"
Openssl
Search vendor "Openssl" for product "Openssl"
0.9.8s
Search vendor "Openssl" for product "Openssl" and version "0.9.8s"
-
Affected
Openssl
Search vendor "Openssl"
Openssl
Search vendor "Openssl" for product "Openssl"
0.9.8t
Search vendor "Openssl" for product "Openssl" and version "0.9.8t"
-
Affected
Openssl
Search vendor "Openssl"
Openssl
Search vendor "Openssl" for product "Openssl"
0.9.8u
Search vendor "Openssl" for product "Openssl" and version "0.9.8u"
-
Affected
Openssl
Search vendor "Openssl"
Openssl
Search vendor "Openssl" for product "Openssl"
0.9.8v
Search vendor "Openssl" for product "Openssl" and version "0.9.8v"
-
Affected
Openssl
Search vendor "Openssl"
Openssl
Search vendor "Openssl" for product "Openssl"
0.9.8w
Search vendor "Openssl" for product "Openssl" and version "0.9.8w"
-
Affected
Openssl
Search vendor "Openssl"
Openssl
Search vendor "Openssl" for product "Openssl"
0.9.8x
Search vendor "Openssl" for product "Openssl" and version "0.9.8x"
-
Affected
Openssl
Search vendor "Openssl"
Openssl
Search vendor "Openssl" for product "Openssl"
0.9.8y
Search vendor "Openssl" for product "Openssl" and version "0.9.8y"
-
Affected
Openssl
Search vendor "Openssl"
Openssl
Search vendor "Openssl" for product "Openssl"
0.9.8za
Search vendor "Openssl" for product "Openssl" and version "0.9.8za"
-
Affected
Openssl
Search vendor "Openssl"
Openssl
Search vendor "Openssl" for product "Openssl"
1.0.0
Search vendor "Openssl" for product "Openssl" and version "1.0.0"
-
Affected
Openssl
Search vendor "Openssl"
Openssl
Search vendor "Openssl" for product "Openssl"
1.0.0
Search vendor "Openssl" for product "Openssl" and version "1.0.0"
beta1
Affected
Openssl
Search vendor "Openssl"
Openssl
Search vendor "Openssl" for product "Openssl"
1.0.0
Search vendor "Openssl" for product "Openssl" and version "1.0.0"
beta2
Affected
Openssl
Search vendor "Openssl"
Openssl
Search vendor "Openssl" for product "Openssl"
1.0.0
Search vendor "Openssl" for product "Openssl" and version "1.0.0"
beta3
Affected
Openssl
Search vendor "Openssl"
Openssl
Search vendor "Openssl" for product "Openssl"
1.0.0
Search vendor "Openssl" for product "Openssl" and version "1.0.0"
beta4
Affected
Openssl
Search vendor "Openssl"
Openssl
Search vendor "Openssl" for product "Openssl"
1.0.0
Search vendor "Openssl" for product "Openssl" and version "1.0.0"
beta5
Affected
Openssl
Search vendor "Openssl"
Openssl
Search vendor "Openssl" for product "Openssl"
1.0.0a
Search vendor "Openssl" for product "Openssl" and version "1.0.0a"
-
Affected
Openssl
Search vendor "Openssl"
Openssl
Search vendor "Openssl" for product "Openssl"
1.0.0b
Search vendor "Openssl" for product "Openssl" and version "1.0.0b"
-
Affected
Openssl
Search vendor "Openssl"
Openssl
Search vendor "Openssl" for product "Openssl"
1.0.0c
Search vendor "Openssl" for product "Openssl" and version "1.0.0c"
-
Affected
Openssl
Search vendor "Openssl"
Openssl
Search vendor "Openssl" for product "Openssl"
1.0.0d
Search vendor "Openssl" for product "Openssl" and version "1.0.0d"
-
Affected
Openssl
Search vendor "Openssl"
Openssl
Search vendor "Openssl" for product "Openssl"
1.0.0e
Search vendor "Openssl" for product "Openssl" and version "1.0.0e"
-
Affected
Openssl
Search vendor "Openssl"
Openssl
Search vendor "Openssl" for product "Openssl"
1.0.0f
Search vendor "Openssl" for product "Openssl" and version "1.0.0f"
-
Affected
Openssl
Search vendor "Openssl"
Openssl
Search vendor "Openssl" for product "Openssl"
1.0.0g
Search vendor "Openssl" for product "Openssl" and version "1.0.0g"
-
Affected
Openssl
Search vendor "Openssl"
Openssl
Search vendor "Openssl" for product "Openssl"
1.0.0h
Search vendor "Openssl" for product "Openssl" and version "1.0.0h"
-
Affected
Openssl
Search vendor "Openssl"
Openssl
Search vendor "Openssl" for product "Openssl"
1.0.0i
Search vendor "Openssl" for product "Openssl" and version "1.0.0i"
-
Affected
Openssl
Search vendor "Openssl"
Openssl
Search vendor "Openssl" for product "Openssl"
1.0.0j
Search vendor "Openssl" for product "Openssl" and version "1.0.0j"
-
Affected
Openssl
Search vendor "Openssl"
Openssl
Search vendor "Openssl" for product "Openssl"
1.0.0k
Search vendor "Openssl" for product "Openssl" and version "1.0.0k"
-
Affected
Openssl
Search vendor "Openssl"
Openssl
Search vendor "Openssl" for product "Openssl"
1.0.0l
Search vendor "Openssl" for product "Openssl" and version "1.0.0l"
-
Affected
Openssl
Search vendor "Openssl"
Openssl
Search vendor "Openssl" for product "Openssl"
1.0.0m
Search vendor "Openssl" for product "Openssl" and version "1.0.0m"
-
Affected
Openssl
Search vendor "Openssl"
Openssl
Search vendor "Openssl" for product "Openssl"
1.0.1
Search vendor "Openssl" for product "Openssl" and version "1.0.1"
-
Affected
Openssl
Search vendor "Openssl"
Openssl
Search vendor "Openssl" for product "Openssl"
1.0.1
Search vendor "Openssl" for product "Openssl" and version "1.0.1"
beta1
Affected
Openssl
Search vendor "Openssl"
Openssl
Search vendor "Openssl" for product "Openssl"
1.0.1
Search vendor "Openssl" for product "Openssl" and version "1.0.1"
beta2
Affected
Openssl
Search vendor "Openssl"
Openssl
Search vendor "Openssl" for product "Openssl"
1.0.1
Search vendor "Openssl" for product "Openssl" and version "1.0.1"
beta3
Affected
Openssl
Search vendor "Openssl"
Openssl
Search vendor "Openssl" for product "Openssl"
1.0.1a
Search vendor "Openssl" for product "Openssl" and version "1.0.1a"
-
Affected
Openssl
Search vendor "Openssl"
Openssl
Search vendor "Openssl" for product "Openssl"
1.0.1b
Search vendor "Openssl" for product "Openssl" and version "1.0.1b"
-
Affected
Openssl
Search vendor "Openssl"
Openssl
Search vendor "Openssl" for product "Openssl"
1.0.1c
Search vendor "Openssl" for product "Openssl" and version "1.0.1c"
-
Affected
Openssl
Search vendor "Openssl"
Openssl
Search vendor "Openssl" for product "Openssl"
1.0.1d
Search vendor "Openssl" for product "Openssl" and version "1.0.1d"
-
Affected
Openssl
Search vendor "Openssl"
Openssl
Search vendor "Openssl" for product "Openssl"
1.0.1e
Search vendor "Openssl" for product "Openssl" and version "1.0.1e"
-
Affected
Openssl
Search vendor "Openssl"
Openssl
Search vendor "Openssl" for product "Openssl"
1.0.1f
Search vendor "Openssl" for product "Openssl" and version "1.0.1f"
-
Affected
Openssl
Search vendor "Openssl"
Openssl
Search vendor "Openssl" for product "Openssl"
1.0.1g
Search vendor "Openssl" for product "Openssl" and version "1.0.1g"
-
Affected
Openssl
Search vendor "Openssl"
Openssl
Search vendor "Openssl" for product "Openssl"
1.0.1h
Search vendor "Openssl" for product "Openssl" and version "1.0.1h"
-
Affected