CVE-2014-0224

An attacker using a carefully crafted handshake can force the use of weak keying material in OpenSSL SSL/TLS clients and servers. This can be exploited by a Man-in-the-middle (MITM) attack where the attacker can decrypt and modify traffic from the attacked client and server.

The attack can only be performed between a vulnerable client *and* server. OpenSSL clients are vulnerable in all versions of OpenSSL. Servers are only known to be vulnerable in OpenSSL 1.0.1 and 1.0.2-beta1. Users of OpenSSL servers earlier than 1.0.1 are advised to upgrade as a precaution.

ClearCenter response

Short response

This issue is NOT the same as the Heartbleed vulnerability but a newer one. A patch to fix this will be forthcoming.

Long response

This bug affects the OpenSSL client on all systems and the OpenSSL server on ClearOS version 6.5. A patch to fix this issue will be coming soon. When it is issued, however, it will NOT increment the version number: we backport patches into existing version numbers to ensure the compatibility and stability of your system. What matters is the minor version number. This page will tell you which version of OpenSSL is affected and which one is fixed.

To see what version you are currently running type the following from a command prompt:

rpm -qi openssl


This page will be updated once the fix is available on the mirrors. Once it is, please run the following:

yum update

You may also verify your version afterwards by running:

rpm -qi openssl
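Because the fix is backported, the upstream version shown by rpm -qi will look the same before and after the update; only the package release field moves. The following POSIX sh script is an added example, not ClearCenter's own tooling: it compares the installed "VERSION-RELEASE" of the openssl package, field by field, against the fixed release. FIXED_VERSION_RELEASE_FROM_THIS_PAGE is a placeholder for the value this page will publish, and the rpm query format is an assumption about how the installed string is obtained.

```sh
#!/bin/sh
# Added example (not ClearCenter's own tooling): compare the installed
# openssl package against the release that carries the backported fix.
# The upstream version (e.g. 1.0.1) does not change with a backport; only
# the package release field moves, so both halves of "VERSION-RELEASE"
# are split on '.' and '-' and compared field by field.

# vr_at_least HAVE WANT -> exit 0 when HAVE is the same as or newer than WANT.
# Fields are compared numerically when both are numbers, as strings
# otherwise (e.g. a distribution tag such as "el6").
vr_at_least() {
    have=$(printf '%s' "$1" | tr '-' '.')
    want=$(printf '%s' "$2" | tr '-' '.')
    i=1
    while :; do
        a=$(printf '%s' "$have" | cut -d. -f"$i")
        b=$(printf '%s' "$want" | cut -d. -f"$i")
        [ -z "$a" ] && [ -z "$b" ] && return 0   # all fields compared equal
        [ -z "$a" ] && a=0                        # a missing field counts as 0
        [ -z "$b" ] && b=0
        if [ "$a" != "$b" ]; then
            case "$a$b" in
                *[!0-9]*) [ "$(expr "$a" \> "$b")" = 1 ] && return 0 || return 1 ;;
                *)        [ "$a" -gt "$b" ] && return 0 || return 1 ;;
            esac
        fi
        i=$((i + 1))
    done
}

# check_openssl INSTALLED_VR FIXED_VR -> verdict on stdout, exit 1 if still old.
check_openssl() {
    if vr_at_least "$1" "$2"; then
        echo "openssl $1 carries the fix (release $2 or later)"
    else
        echo "openssl $1 is older than the fixed release $2: run yum update"
        return 1
    fi
}

# Stand-alone use: ./check.sh --check FIXED_VR. The placeholder below must be
# replaced with the fixed release published on this page. The rpm query is
# the "rpm -qi openssl" output condensed to "VERSION-RELEASE".
if [ "${1:-}" = "--check" ]; then
    FIXED_VR="${2:-FIXED_VERSION_RELEASE_FROM_THIS_PAGE}"
    check_openssl "$(rpm -q --qf '%{VERSION}-%{RELEASE}' openssl)" "$FIXED_VR"
fi
```

Run it as "sh check.sh --check <fixed version-release>" on the ClearOS host; a non-zero exit means the installed package still predates the fix.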

content/en_us/announcements_cve_cve-2014-0224.txt · Last modified: 2015/02/13 09:09 (external edit)