OpenSSL Security Advisory - CVE-2014-0224 & CVE-2014-3470

Just last week, a new OpenSSL security threat was discovered. It is similar to Heartbleed, but not nearly as serious.

According to the OpenSSL Security Advisory, issued on June 5th 2014:

An attacker using a carefully crafted handshake can force the use of weak keying material in OpenSSL SSL/TLS clients and servers. This can be exploited by a Man-in-the-middle (MITM) attack where the attacker can decrypt and modify traffic from the attacked client and server.  The attack can only be performed between a vulnerable client *and* server. OpenSSL clients are vulnerable in all versions of OpenSSL. Servers are only known to be vulnerable in OpenSSL 1.0.1 and 1.0.2-beta1. Users of OpenSSL servers earlier than 1.0.1 are advised to upgrade as a precaution. 


A fix for this issue will be included in version 7.1-18 of our firmware, which will be available in early July 2014.


If you have any further questions or concerns please open a support ticket. 



James Rago -- K360 Technical Product Manager

Concerning CVE-2014-0221 and CVE-2014-0195: LoadMaster does not at this time allow SSL offloading of UDP traffic. We do not currently support DTLS. As a consequence there are no DTLS-related vulnerabilities in a LoadMaster.



Are you able to have a more confirmed date for this firmware release? We have a project that won't pass a pen-test because of this fault and we need a date for the next project milestone.

Many thanks

Derek Kiely

Hello, please open up a ticket with support and they can assist.

Phil Purdue

We are in a situation where we are trialling a Kemp VM Loadmaster and the project requires that we cover off this vulnerability. Can you give me a date for this 7-1.18 product release please?

Derek Kiely

Hello Phil, please open up a ticket with support and they can assist.

Micki Wulffeld

OpenSSL is now experiencing more security flaws; I hope you are looking into these updates as well:

The latest patches fixed several problems that can be triggered through denial-of-service attacks, which can cause OpenSSL to crash, consume large amounts of memory or leak information.

Derek Kiely

Hello Eniga,

CVE-2014-3511 is the only vulnerability affecting the KEMP LoadMaster. We will have a patch available later this week.