Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

redhat логотип

CVE-2014-3511

Опубликовано: 06 авг. 2014
Источник: redhat
CVSS2: 4.3
EPSS Низкий

Описание

The ssl23_get_client_hello function in s23_srvr.c in OpenSSL 1.0.1 before 1.0.1i allows man-in-the-middle attackers to force the use of TLS 1.0 by triggering ClientHello message fragmentation in communication between a client and server that both support later TLS versions, related to a "protocol downgrade" issue.

A flaw was found in the way OpenSSL handled fragmented handshake packets. A man-in-the-middle attacker could use this flaw to force a TLS/SSL server using OpenSSL to use TLS 1.0, even if both the client and the server supported newer protocol versions.

Затронутые пакеты

ПлатформаПакетСостояниеРекомендацияРелиз
Red Hat Enterprise Linux 5opensslNot affected
Red Hat Enterprise Linux 5openssl097aNot affected
Red Hat Enterprise Linux 6openssl098eNot affected
Red Hat Enterprise Linux 7openssl098eNot affected
Red Hat JBoss Enterprise Application Platform 5opensslNot affected
Red Hat JBoss Enterprise Application Platform 6opensslNot affected
Red Hat JBoss Enterprise Web Server 1opensslNot affected
Red Hat JBoss Enterprise Web Server 1othersNot affected
Red Hat JBoss Enterprise Web Server 2opensslNot affected
Red Hat Enterprise Linux 6opensslFixedRHSA-2014:105213.08.2014

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Moderate
Дефект:
CWE-390
https://bugzilla.redhat.com/show_bug.cgi?id=1127504openssl: TLS protocol downgrade attack

EPSS

Процентиль: 91%
0.077
Низкий

4.3 Medium

CVSS2

Связанные уязвимости

ubuntu логотип

CVE-2014-3511

ubuntu
почти 11 лет назад

The ssl23_get_client_hello function in s23_srvr.c in OpenSSL 1.0.1 before 1.0.1i allows man-in-the-middle attackers to force the use of TLS 1.0 by triggering ClientHello message fragmentation in communication between a client and server that both support later TLS versions, related to a "protocol downgrade" issue.

nvd логотип

CVE-2014-3511

nvd
почти 11 лет назад

The ssl23_get_client_hello function in s23_srvr.c in OpenSSL 1.0.1 before 1.0.1i allows man-in-the-middle attackers to force the use of TLS 1.0 by triggering ClientHello message fragmentation in communication between a client and server that both support later TLS versions, related to a "protocol downgrade" issue.

debian логотип

CVE-2014-3511

debian
почти 11 лет назад

The ssl23_get_client_hello function in s23_srvr.c in OpenSSL 1.0.1 bef ...

github логотип

GHSA-xfjr-6mmm-7hc7

github
около 3 лет назад

The ssl23_get_client_hello function in s23_srvr.c in OpenSSL 1.0.1 before 1.0.1i allows man-in-the-middle attackers to force the use of TLS 1.0 by triggering ClientHello message fragmentation in communication between a client and server that both support later TLS versions, related to a "protocol downgrade" issue.

fstec логотип

BDU:2015-00652

fstec
почти 11 лет назад

Уязвимость программного обеспечения OpenSSL, позволяющая удаленному злоумышленнику нарушить защищаемой информации

EPSS

Процентиль: 91%
0.077
Низкий

4.3 Medium

CVSS2

Уязвимость CVE-2014-3511