Vulnerability Description
stunnel before 5.00, when using fork threading, does not properly update the state of the OpenSSL pseudo-random number generator (PRNG), which causes subsequent children with the same process ID to use the same entropy pool and allows remote attackers to obtain private keys for EC (ECDSA) or DSA certificates.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Stunnel | Stunnel | <= 4.56 |
Related Weaknesses (CWE)
References
- http://www.openwall.com/lists/oss-security/2014/03/05/1Mailing ListThird Party Advisory
- http://www.securityfocus.com/bid/65964Third Party AdvisoryVDB Entry
- https://bugzilla.redhat.com/attachment.cgi?id=870826&action=diffPatch
- https://bugzilla.redhat.com/show_bug.cgi?id=1072180Issue TrackingThird Party AdvisoryVDB Entry
- https://www.stunnel.org/sdf_ChangeLog.htmlRelease NotesVendor Advisory
- http://www.openwall.com/lists/oss-security/2014/03/05/1Mailing ListThird Party Advisory
- http://www.securityfocus.com/bid/65964Third Party AdvisoryVDB Entry
- https://bugzilla.redhat.com/attachment.cgi?id=870826&action=diffPatch
- https://bugzilla.redhat.com/show_bug.cgi?id=1072180Issue TrackingThird Party AdvisoryVDB Entry
- https://www.stunnel.org/sdf_ChangeLog.htmlRelease NotesVendor Advisory
FAQ
What is CVE-2014-0016?
CVE-2014-0016 is a vulnerability with a CVSS score of 4.3 (MEDIUM). stunnel before 5.00, when using fork threading, does not properly update the state of the OpenSSL pseudo-random number generator (PRNG), which causes subsequent children with the same process ID to us...
How severe is CVE-2014-0016?
CVE-2014-0016 has been rated MEDIUM with a CVSS base score of 4.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2014-0016?
Check the references section above for vendor advisories and patch information. Affected products include: Stunnel Stunnel.