OpenSSL Security Advisory - CVE-2014-0224 & CVE-2014-3470

Just last week, a new OpenSSL security threat, similar to, but not nearly as serious as Heartbleed, was discovered.

According the OpenSSL Security Advisory, issued on June 5th 2014:

An attacker using a carefully crafted handshake can force the use of weak keying material in OpenSSL SSL/TLS clients and servers. This can be exploited by a Man-in-the-middle (MITM) attack where the attacker can decrypt and modify traffic from the attacked client and server.  The attack can only be performed between a vulnerable client *and* server. OpenSSL clients are vulnerable in all versions of OpenSSL. Servers are only known to be vulnerable in OpenSSL 1.0.1 and 1.0.2-beta1. Users of OpenSSL servers earlier than 1.0.1 are advised to upgrade as a precaution. 

 

A fix for this issue will be made available in 7.1-18 of our firmware which will be available in early July 2014.

 

If you have any further questions or concerns please open a support ticket. 

Was this article helpful?

2 out of 2 found this helpful

Comments

Avatar
James Rago Global Support Manager

Concerning CVE-2014-0221 and CVE-2014-0195: LoadMaster does not at this time allow SSL offloading of UDP traffic. We do not currently support DTLS. As a consequence there are no DTLS-related vulnerabilities in a LoadMaster.

Avatar
jonathan.wilkinson

Hello

Are you able to have a more confirmed date for this firmware release? We have a project that won't pass a pen-test because of this fault and we need a date for the next project milestone?

Many thanks

Avatar
Derek Kiely

Hello, please open up a ticket with support and they can assist.

Avatar
Phil Purdue

Hi
We are in a situation where we are trialling a Kemp VM Loadmaster and the project requires that we cover off this vulnerability. Can you give me a date for this 7-1.18 product release please.
thanks
Phil.

Avatar
Derek Kiely

Hello Phil, please open up a ticket with support and they can assist.

Avatar
Micki Wulffeld

Open SSL now experiensing more security flaws, i hope you are looking into thees updates as well : https://www.openssl.org/news/secadv_20140806.txt

The latest patches fixed several problems that can be triggered through denial-of-service attacks, which can cause OpenSSL to crash, consume large amounts of memory or leak information.

Avatar
Derek Kiely

Hello Eniga,

CVE-2014-3511 is the only vulnerability affecting the KEMP LoadMaster. We will have a patch available later this week.