Description

The ssl3_get_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k allows remote SSL servers to conduct ECDHE-to-ECDH downgrade attacks and trigger a loss of forward secrecy by omitting the ServerKeyExchange message.

Remediation

References

CVE-2014-3572

Related Vulnerabilities

Moodle Permissions, Privileges, and Access Controls Vulnerability (CVE-2011-4293)

MySQL CVE-2021-2166 Vulnerability (CVE-2021-2166)

Jenkins Improper Certificate Validation Vulnerability (CVE-2017-1000396)

Oracle Database Server CVE-2015-4923 Vulnerability (CVE-2015-4923)

WordPress Plugin AllWebMenus WordPress Menu 'abspath' Parameter Remote File Include (1.1.3)

Severity

Medium

Classification

CVE-2014-3572

Tags

Missing Update Known Vulnerabilities