This page lists known vulnerabilities for the wolfSSL embedded SSL/TLS library, wolfCrypt embedded crypto engine, and other wolfSSL products. Each vulnerability is linked to the description and CVE if available. Please contact us with any questions or concerns.
The SSL protocol, along with the more recent TLS 1.2 protocol, is well documented and under constant scrutiny by the top experts in security and cryptography. SSL was quickly adopted as a standard worldwide. SSL and TLS together secure communications between billions of computers, servers, Internet of Things (IoT) devices, and embedded systems. The security provided by an SSL/TLS library depends on the underlying strength of the cryptography it uses to encrypt communications.
| CVE ID | Title | Fixed in version |
|---|---|---|
| CVE-2017-6076 | In versions of wolfSSL before 3.10.2 the software implementation makes it easier to extract RSA key information for a malicious user who has access to view the cache on a machine. | 3.10.2 |
| CVE-2016-7440 | Software AES table lookups do not properly consider cache-bank access times | 3.9.10 |
| CVE-2016-7439 | Software RSA does not properly consider cache-bank monitoring | 3.9.10 |
| CVE-2016-7438 | Software ECC does not properly consider cache-bank monitoring | 3.9.10 |
| CVE-2015-6925 | Potential DoS attack when using DTLS on the server side | 3.6.8 |
| CVE-2015-7744 | TLS servers using RSA with ephemeral keys may leak key bits on signature faults | 3.6.8 |
| CVE-2014-2900 | Unknown critical certificate extension allowed | 2.9.4 |
| CVE-2014-2899 | NULL pointer dereference on peer cert request after certificate parsing failure | 2.9.4 |
| CVE-2014-2898 | Out of bounds read (memory access error) on repeated calls to CyaSSL_read() | 2.9.4 |
| CVE-2014-2897 | Out of bounds read: SSL 3.0 HMAC doesn't check padding length on verify failure | 2.9.4 |
| CVE-2014-2896 | Memory corruption, possible out of bounds read on length check in DoAlert() | 2.9.4 |
As researchers and security professionals release new attacks against SSL/TLS protocol versions, algorithms, or cryptographic modes, we want to keep our users informed if wolfSSL is vulnerable or safe to such attacks.
| Date | Attack | wolfSSL vulnerable? | Fixed? |
|---|---|---|---|
| 08.11.2015 | Pandora's Box Attack | NO | N/A |
| 03.30.2015 | Bar Mitzvah Attack | YES | YES |
| 12.12.2014 | POODLE bites again | NO | N/A |
| 10.14.2014 | POODLE: Padding Oracle On Downgraded Legacy Encryption | YES | YES |
| 02.05.2014 | Lucky 13 Attack | YES | YES |
Email: [email protected]
Phone: +1 (425) 245-8247