Description
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCipherSpec messages, which allows man-in-the-middle attackers to trigger use of a zero-length master key in certain OpenSSL-to-OpenSSL communications, and consequently hijack sessions or obtain sensitive information, via a crafted TLS handshake, aka the "CCS Injection" vulnerability.
It was found that OpenSSL clients and servers could be forced, via a specially crafted handshake packet, to use weak keying material for communication. A man-in-the-middle attacker could use this flaw to decrypt and modify traffic between a client and a server.
Affected packages
| Platform | Package | State | Advisory | Release |
|---|---|---|---|---|
| Red Hat Enterprise Linux 6 | guest-images | Not affected | ||
| Red Hat Enterprise Linux Extended Update Support 5.6 | openssl | Affected | ||
| Red Hat Enterprise Virtualization 3 | mingw-virt-viewer | Not affected | ||
| Red Hat JBoss Enterprise Application Platform 5 | openssl | Affected | ||
| Red Hat JBoss Enterprise Application Platform 6 | openssl | Affected | ||
| Red Hat JBoss Enterprise Web Server 1 | openssl | Will not fix | ||
| Red Hat JBoss Enterprise Web Server 1 | others | Not affected | ||
| Red Hat Enterprise Linux 4 Extended Lifecycle Support | openssl | Fixed | RHSA-2014:0627 | 05.06.2014 |
| Red Hat Enterprise Linux 5 | openssl | Fixed | RHSA-2014:0624 | 05.06.2014 |
| Red Hat Enterprise Linux 5 | openssl097a | Fixed | RHSA-2014:0626 | 05.06.2014 |
Additional information
Status:
5.8 Medium
CVSS2