Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact
4.3
CVSSv2

CVE-2011-3389

Published: 06/09/2011 Updated: 29/11/2022
CVSS v2 Base Score: 4.3 | Impact Score: 2.9 | Exploitability Score: 8.6
VMScore: 384
Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N
Subscribe to Opera

Vulnerability Summary

The SSL protocol, as used in certain configurations in Microsoft Windows and Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera, and other products, encrypts data by using CBC mode with chained initialization vectors, which allows man-in-the-middle malicious users to obtain plaintext HTTP headers via a blockwise chosen-boundary attack (BCBA) on an HTTPS session, in conjunction with JavaScript code that uses (1) the HTML5 WebSocket API, (2) the Java URLConnection API, or (3) the Silverlight WebClient API, aka a "BEAST" attack.

Vulnerability Trend

Vulnerable Product Search on Vulmon Subscribe to Product

opera opera browser -

microsoft internet explorer -

microsoft windows -

google chrome -

mozilla firefox -

siemens simatic_rf68xr_firmware

siemens simatic_rf615r_firmware

haxx curl

redhat enterprise linux server 5.0

redhat enterprise linux server aus 6.2

redhat enterprise linux workstation 5.0

redhat enterprise linux desktop 6.0

redhat enterprise linux server 6.0

redhat enterprise linux workstation 6.0

redhat enterprise linux desktop 5.0

redhat enterprise linux eus 6.2

debian debian linux 5.0

debian debian linux 6.0

canonical ubuntu linux 10.10

canonical ubuntu linux 11.04

canonical ubuntu linux 11.10

canonical ubuntu linux 10.04

Vendor Advisories

Ubuntu Security Notice: openjdk-6, openjdk-6b18 regression
USN-1263-1 caused a regression when using OpenJDK 6’s SSL/TLS implementation ...
Ubuntu Security Notice: icedtea-web, openjdk-6, openjdk-6b18 vulnerabilities
Multiple OpenJDK 6 and IcedTea-Web vulnerabilities have been fixed ...
Red Hat: Critical: firefox security update
Synopsis Critical: firefox security update Type/Severity Security Advisory: Critical Topic Updated firefox packages that fix multiple security issues are nowavailable for Red Hat Enterprise Linux 5 and 6The Red Hat Security Response Team has rated this update as having criticalsecurity impact Common Vulne ...
Red Hat: Critical: java-1.4.2-ibm security update
Synopsis Critical: java-142-ibm security update Type/Severity Security Advisory: Critical Topic Updated java-142-ibm packages that fix several security issues are nowavailable for Red Hat Enterprise Linux 4 Extras and Red Hat EnterpriseLinux 5 SupplementaryThe Red Hat Security Response Team has rated t ...
Red Hat: Moderate: java-1.4.2-ibm-sap security update
Synopsis Moderate: java-142-ibm-sap security update Type/Severity Security Advisory: Moderate Topic Updated java-142-ibm-sap packages that fix several security issues arenow available for Red Hat Enterprise Linux 4, 5 and 6 for SAPThe Red Hat Security Response Team has rated this update as having moder ...
Red Hat: Critical: java-1.6.0-ibm security update
Synopsis Critical: java-160-ibm security update Type/Severity Security Advisory: Critical Topic Updated java-160-ibm packages that fix several security issues are nowavailable for Red Hat Enterprise Linux 4 Extras, and Red Hat EnterpriseLinux 5 and 6 SupplementaryThe Red Hat Security Response Team has ...
Red Hat: Critical: thunderbird security update
Synopsis Critical: thunderbird security update Type/Severity Security Advisory: Critical Topic An updated thunderbird package that fixes multiple security issues is nowavailable for Red Hat Enterprise Linux 5 and 6The Red Hat Security Response Team has rated this update as having criticalsecurity impact C ...
Red Hat: Low: Red Hat Network Satellite server IBM Java Runtime security update
Synopsis Low: Red Hat Network Satellite server IBM Java Runtime security update Type/Severity Security Advisory: Low Topic Updated java-160-ibm packages that fix several security issues are nowavailable for Red Hat Network Satellite Server 54The Red Hat Security Response Team has rated this update as ha ...
Debian CVElist Bug Report Logs: CVE-2011-4362: DoS because of incorrect code in src/http_auth.c:67
Debian Bug report logs - #652726 CVE-2011-4362: DoS because of incorrect code in src/http_authc:67 Package: src:lighttpd; Maintainer for src:lighttpd is Debian QA Group <packages@qadebianorg>; Reported by: Mahyuddin Susanto <udienz@ubuntucom> Date: Tue, 20 Dec 2011 10:12:23 UTC Severity: grave Tags: fixed-upstrea ...
Debian CVElist Bug Report Logs: asterisk: chan_sip: File descriptors leak (UDP sockets) / AST-2016-007, CVE-2016-7551
Debian Bug report logs - #838832 asterisk: chan_sip: File descriptors leak (UDP sockets) / AST-2016-007, CVE-2016-7551 Package: src:asterisk; Maintainer for src:asterisk is Debian VoIP Team <pkg-voip-maintainers@listsaliothdebianorg>; Reported by: Salvatore Bonaccorso <carnil@debianorg> Date: Sun, 25 Sep 2016 15:0 ...
Debian CVElist Bug Report Logs: asterisk: CVE-2015-3008: TLS Certificate Common name NULL byte exploit
Debian Bug report logs - #782411 asterisk: CVE-2015-3008: TLS Certificate Common name NULL byte exploit Package: src:asterisk; Maintainer for src:asterisk is Debian VoIP Team <pkg-voip-maintainers@listsaliothdebianorg>; Reported by: Salvatore Bonaccorso <carnil@debianorg> Date: Sat, 11 Apr 2015 17:57:02 UTC Sever ...
Debian CVElist Bug Report Logs: nss: CVE-2014-1569 information leak
Debian Bug report logs - #773625 nss: CVE-2014-1569 information leak Package: src:nss; Maintainer for src:nss is Maintainers of Mozilla-related packages <team+pkg-mozilla@trackerdebianorg>; Reported by: Michael Gilbert <mgilbert@debianorg> Date: Sun, 21 Dec 2014 03:51:02 UTC Severity: serious Tags: patch Found in ...
Amazon Linux AMI: ALAS-2011-010
A flaw was found in the Java RMI (Remote Method Invocation) registry implementation A remote RMI client could use this flaw to execute arbitrary code on the RMI server running the registry (CVE-2011-3556) A flaw was found in the Java RMI registry implementation A remote RMI client could use this flaw to execute code on the RMI server with unrest ...
Debian Security Advisories: DSA-2368-1 lighttpd -- multiple vulnerabilities
Several vulnerabilities have been discovered in lighttpd, a small and fast webserver with minimal memory footprint CVE-2011-4362 Xi Wang discovered that the base64 decoding routine which is used to decode user input during an HTTP authentication, suffers of a signedness issue when processing user input As a result it is possible to force ...
Debian Security Advisories: DSA-2398-2 curl -- several vulnerabilities
Several vulnerabilities have been discovered in cURL, an URL transfer library The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2011-3389 This update enables OpenSSL workarounds against the BEAST attack Additional information can be found in the cURL advisory CVE-2012-0036 Dan Fandrich discovere ...
Debian Security Advisories: DSA-2356-1 openjdk-6 -- several vulnerabilities
Several vulnerabilities have been discovered in OpenJDK, an implementation of the Java platform: CVE-2011-3389 The TLS implementation does not guard properly against certain chosen-plaintext attacks when block ciphers are used in CBC mode CVE-2011-3521 The CORBA implementation contains a deserialization vulnerability in the IIOP implementati ...

Github Repositories

https://github.com/tzaffi/testssl-report

Download and run Dirk Wetter's testssl.sh on a list of url's and compile the failures into a single spreadsheet.

Test SSL Given a list of urls, run Dirk Wetter's testsslsh on each and tabulate failures only into a single spreadheet List of URLS to test These should be put in urlstxt on separate lines Run standalone /cloneRunAndAggregatesh The file results/failscsv will be generated Example If urlstxt consists of googlecom yahoocom m

https://github.com/daniel1302/litecoin

Litecoin experiments

litecoin Testing 1 Docker image Build the image: Run the image and verify output docker build -t daniel1302/litecoin:latest ; docker run daniel1302/litecoin:latest; Security scan for images # Login to dockerhub docker login; # DockerHub docker push daniel1302/litecoin:latest; docker scan daniel1302/litecoin:latest; # Anchore # Ref: h

Recent Articles

Oracle Critical Patch Update October 2011
Securelist • Kurt Baumgartner • 20 Oct 2011

Overshadowed by the Duqu madness yesterday, Oracle released a slew of critical updates (please see “Related Links” in the right column of this page). Most interesting, but perhaps with little impact, is the Java SE BEAST update. Oracle claims to have pushed 57 different fixes across their product lines, including patches for Java and their virtualization Sun Ray product. But the hottest thing to talk about, of course, is the patch closing up CVE-2011-3389, or holes in the JSSE. The BEAST res...

Read more...

References

CWE-326http://www.opera.com/docs/changelogs/unix/1151/http://www.securityfocus.com/bid/49388http://www.opera.com/docs/changelogs/windows/1151/http://www.opera.com/docs/changelogs/mac/1151/http://osvdb.org/74829http://secunia.com/advisories/45791http://www.securitytracker.com/id?1025997http://eprint.iacr.org/2004/111https://bugzilla.redhat.com/show_bug.cgi?id=737506http://ekoparty.org/2011/juliano-rizzo.phphttp://www.imperialviolet.org/2011/09/23/chromeandbeast.htmlhttps://bugzilla.novell.com/show_bug.cgi?id=719047http://www.insecure.cl/Beast-SSL.rarhttp://www.educatedguesswork.org/2011/09/security_impact_of_the_rizzodu.htmlhttp://eprint.iacr.org/2006/136http://isc.sans.edu/diary/SSL+TLS+part+3+/11635http://my.opera.com/securitygroup/blog/2011/09/28/the-beast-ssl-tls-issuehttp://blog.mozilla.com/security/2011/09/27/attack-against-tls-protected-communications/http://blogs.technet.com/b/msrc/archive/2011/09/26/microsoft-releases-security-advisory-2588513.aspxhttp://technet.microsoft.com/security/advisory/2588513http://support.apple.com/kb/HT4999http://www.oracle.com/technetwork/topics/security/javacpuoct2011-443431.htmlhttp://support.apple.com/kb/HT5001http://lists.apple.com/archives/Security-announce/2011//Oct/msg00001.htmlhttp://lists.apple.com/archives/Security-announce/2011//Oct/msg00002.htmlhttp://www.securitytracker.com/id?1026103http://www.securityfocus.com/bid/49778http://blogs.technet.com/b/srd/archive/2011/09/26/is-ssl-broken-more-about-security-advisory-2588513.aspxhttp://www.redhat.com/support/errata/RHSA-2011-1384.htmlhttp://vnhacker.blogspot.com/2011/09/beast.htmlhttp://www.kb.cert.org/vuls/id/864643http://googlechromereleases.blogspot.com/2011/10/chrome-stable-release.htmlhttp://www.ibm.com/developerworks/java/jdk/alerts/http://www.opera.com/docs/changelogs/windows/1160/http://www.opera.com/docs/changelogs/mac/1160/http://www.opera.com/support/kb/view/1004/http://www.opera.com/docs/changelogs/unix/1160/http://www.redhat.com/support/errata/RHSA-2012-0006.htmlhttp://support.apple.com/kb/HT5130http://lists.apple.com/archives/security-announce/2012/Feb/msg00000.htmlhttp://marc.info/?l=bugtraq&m=132872385320240&w=2http://support.apple.com/kb/HT5281http://lists.apple.com/archives/security-announce/2012/May/msg00001.htmlhttp://lists.apple.com/archives/security-announce/2012/Jul/msg00001.htmlhttp://support.apple.com/kb/HT5501http://lists.apple.com/archives/security-announce/2012/Sep/msg00004.htmlhttp://secunia.com/advisories/49198http://lists.opensuse.org/opensuse-security-announce/2012-01/msg00051.htmlhttps://hermes.opensuse.org/messages/13155432https://hermes.opensuse.org/messages/13154861http://lists.opensuse.org/opensuse-security-announce/2012-01/msg00049.htmlhttp://marc.info/?l=bugtraq&m=132750579901589&w=2http://secunia.com/advisories/48692https://blogs.oracle.com/sunsecurity/entry/multiple_vulnerabilities_in_fetchmailhttp://secunia.com/advisories/48948http://secunia.com/advisories/48915http://www.us-cert.gov/cas/techalerts/TA12-010A.htmlhttps://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c03839862http://secunia.com/advisories/55351http://secunia.com/advisories/55322http://secunia.com/advisories/55350http://www.securitytracker.com/id/1029190http://rhn.redhat.com/errata/RHSA-2013-1455.htmlhttp://lists.apple.com/archives/security-announce/2013/Oct/msg00004.htmlhttp://www.ubuntu.com/usn/USN-1263-1http://support.apple.com/kb/HT6150http://security.gentoo.org/glsa/glsa-201406-32.xmlhttp://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.htmlhttp://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.htmlhttp://downloads.asterisk.org/pub/security/AST-2016-001.htmlhttp://marc.info/?l=bugtraq&m=134254957702612&w=2http://marc.info/?l=bugtraq&m=133365109612558&w=2http://marc.info/?l=bugtraq&m=133728004526190&w=2http://www.apcmedia.com/salestools/SJHN-7RKGNM/SJHN-7RKGNM_R4_EN.pdfhttps://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14752http://marc.info/?l=bugtraq&m=134254866602253&w=2http://www.mandriva.com/security/advisories?name=MDVSA-2012:058http://rhn.redhat.com/errata/RHSA-2012-0508.htmlhttp://lists.opensuse.org/opensuse-security-announce/2012-05/msg00009.htmlhttp://security.gentoo.org/glsa/glsa-201203-02.xmlhttp://secunia.com/advisories/48256http://www.securitytracker.com/id?1026704http://secunia.com/advisories/47998http://www.debian.org/security/2012/dsa-2398http://curl.haxx.se/docs/adv_20120124B.htmlhttps://ics-cert.us-cert.gov/advisories/ICSMA-18-058-02https://docs.microsoft.com/en-us/security-updates/securitybulletins/2012/ms12-006https://cert-portal.siemens.com/productcert/pdf/ssa-556833.pdfhttp://lists.opensuse.org/opensuse-security-announce/2020-01/msg00040.htmlhttps://nvd.nist.govhttps://usn.ubuntu.com/1263-2/https://www.kb.cert.org/vuls/id/864643
CVSSv2
CVSSv2
CVSSv3
VMScore
Recommendations:
CVE-2024-4040privilege escalationCVE-2024-4112CVE-2024-32872man-in-the-middleCVE-2024-32788bypassCVE-2024-3400CVE-2024-28976
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook