A flaw was found in the way malicious SSLv2 clients could negotiate SSLv2 ciphers that were disabled on the server. This could result in weak SSLv2 ciphers being used for SSLv2 connections, making them vulnerable to man-in-the-middle attacks.
Find out more about CVE-2015-3197 from the MITRE CVE dictionary dictionary and NIST NVD.
This security flaw can only be exploited when a malicious client negotiates SSLv2 ciphers and completes a SSLv2 handshake. This flaw cannot be actively exploited by a Man-In-The-Middle attacker.
All versions of OpenSSL shipped with Red Hat Enterprise Linux enable SSLv2 protocol, but disable SSLv2 ciphers by default (in Red Hat Enterprise Linux 6 and later), therefore are vulnerable to this flaw. Red Hat Product Security has rated this issue as having Low security impact, a future update may address this flaw.
SSLv2 suffers from a number of security flaws allowing attackers to capture and alter information passed between a client and the server. Therefore we strongly recommend that SSLv2 should be disabled on all the SSL/TLS servers.
| Base Score | 5.8 |
|---|---|
| Base Metrics | AV:N/AC:M/Au:N/C:P/I:P/A:N |
| Access Vector | Network |
| Access Complexity | Medium |
| Authentication | None |
| Confidentiality Impact | Partial |
| Integrity Impact | Partial |
| Availability Impact | None |
Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).
| Platform | Errata | Release Date |
|---|---|---|
| Red Hat Enterprise Linux Advanced Update Support 6.5 (openssl) | RHSA-2016:0303 | 2016-03-01 |
| Red Hat Enterprise Linux Advanced Update Support 6.2 (openssl) | RHSA-2016:0303 | 2016-03-01 |
| Red Hat Enterprise Linux Long Life (v. 5.9 server) (openssl) | RHSA-2016:0304 | 2016-03-01 |
| Red Hat Enterprise Linux Extended Lifecycle Support 4 (openssl) | RHSA-2016:0306 | 2016-03-01 |
| Red Hat Enterprise Linux Extended Update Support 6.6 (openssl) | RHSA-2016:0305 | 2016-03-01 |
| Red Hat Enterprise Linux Long Life (v. 5.6 server) (openssl) | RHSA-2016:0304 | 2016-03-01 |
| RHEV Hypervisor for RHEL-6 (rhev-hypervisor7) | RHSA-2016:0379 | 2016-03-09 |
| Red Hat JBoss Web Server 2.1 | RHSA-2016:0445 | 2016-03-14 |
| Red Hat Enterprise Linux 6 (openssl) | RHSA-2016:0301 | 2016-03-01 |
| Red Hat Virtualization 4 Management Agent for RHEL 7 Hosts (rhev-hypervisor7) | RHSA-2016:0379 | 2016-03-09 |
| Red Hat Enterprise Linux Extended Update Support 7.1 (openssl) | RHSA-2016:0305 | 2016-03-01 |
| Red Hat Enterprise Linux Advanced Update Support 6.4 (openssl) | RHSA-2016:0303 | 2016-03-01 |
| Red Hat Enterprise Linux 7 (openssl) | RHSA-2016:0301 | 2016-03-01 |
| Red Hat Enterprise Linux 5 (openssl) | RHSA-2016:0302 | 2016-03-01 |
| Red Hat Enterprise Linux 7 (openssl098e) | RHSA-2016:0372 | 2016-03-09 |
| Red Hat Enterprise Linux 6 (openssl098e) | RHSA-2016:0372 | 2016-03-09 |
| Platform | Package | State |
|---|---|---|
| Red Hat JBoss Web Server 3.0 | openssl | Will not fix |
| Red Hat JBoss EWS 1 | openssl | Will not fix |
| Red Hat JBoss EAP 6 | openssl | Will not fix |
| Red Hat JBoss EAP 5 | openssl | Will not fix |
| Red Hat Enterprise Linux Extended Update Support 7.2 | rhel-guest-image | Will not fix |
| Red Hat Enterprise Linux Extended Update Support 6.7 | guest-images | Will not fix |
| Red Hat Enterprise Linux 5 | openssl097a | Will not fix |
| RHEV Manager 3 | rhev-hypervisor | Will not fix |
Vulmon