CVE-2011-4108

Published: 06/01/2012 Updated: 23/08/2016
CVSS v2 Base Score: 4.3 | Impact Score: 2.9 | Exploitability Score: 8.6
VMScore: 384
Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N

Vulnerability Summary

The DTLS implementation in OpenSSL prior to 0.9.8s and 1.x prior to 1.0.0f performs a MAC check only if certain padding is valid, which makes it easier for remote malicious users to recover plaintext via a padding oracle attack.

Vulnerable Product

openssl openssl 0.9.8o

openssl openssl 0.9.8n

openssl openssl 0.9.8g

openssl openssl 0.9.8f

openssl openssl 0.9.7m

openssl openssl 0.9.7l

openssl openssl 0.9.7k

openssl openssl 0.9.7d

openssl openssl 0.9.7c

openssl openssl 0.9.6j

openssl openssl 0.9.6i

openssl openssl 0.9.6b

openssl openssl

openssl openssl 0.9.8k

openssl openssl 0.9.8j

openssl openssl 0.9.8c

openssl openssl 0.9.8b

openssl openssl 0.9.7h

openssl openssl 0.9.7g

openssl openssl 0.9.7

openssl openssl 0.9.6m

openssl openssl 0.9.6g

openssl openssl 0.9.6f

openssl openssl 0.9.5

openssl openssl 0.9.4

openssl openssl 0.9.6a

openssl openssl 0.9.8m

openssl openssl 0.9.8l

openssl openssl 0.9.8e

openssl openssl 0.9.8d

openssl openssl 0.9.7j

openssl openssl 0.9.7i

openssl openssl 0.9.7b

openssl openssl 0.9.7a

openssl openssl 0.9.6h

openssl openssl 0.9.6

openssl openssl 0.9.5a

openssl openssl 0.9.8q

openssl openssl 0.9.8p

openssl openssl 0.9.8i

openssl openssl 0.9.8h

openssl openssl 0.9.8a

openssl openssl 0.9.8

openssl openssl 0.9.7f

openssl openssl 0.9.7e

openssl openssl 0.9.6l

openssl openssl 0.9.6k

openssl openssl 0.9.6e

openssl openssl 0.9.6d

openssl openssl 0.9.6c

openssl openssl 0.9.2b

openssl openssl 0.9.1c

openssl openssl 1.0.0b

openssl openssl 1.0.0a

openssl openssl 1.0.0

openssl openssl 1.0.0d

openssl openssl 1.0.0c

Vendor Advisories

Multiple vulnerabilities exist in OpenSSL that could expose sensitive information or cause applications to crash ...
Synopsis: Moderate: openssl security update. Type/Severity: Security Advisory: Moderate. Topic: Updated openssl packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerabili ...
Synopsis: Moderate: openssl security update. Type/Severity: Security Advisory: Moderate. Topic: Updated openssl packages that fix multiple security issues are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerabili ...
Debian Bug report logs - #645805: Potential DTLS crasher bug. Package: openssl; Maintainer for openssl is Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>; Source for openssl is src:openssl (PTS, buildd, popcon). Reported by: Florian Weimer <fw@deneb.enyo.de>. Date: Tue, 18 Oct 2011 18:27:02 UTC. Severity: ...
Debian Bug report logs - #650621: CVE-2011-4354: OpenSSL 0.9.8g (32-bit builds) bug leaks ECC private keys. Package: openssl; Maintainer for openssl is Debian OpenSSL Team <pkg-openssl-devel@lists.alioth.debian.org>; Source for openssl is src:openssl (PTS, buildd, popcon). Reported by: Luciano Bello <luciano@debian.org> ...
Several vulnerabilities were discovered in OpenSSL, an implementation of TLS and related protocols. The Common Vulnerabilities and Exposures project identifies the following vulnerabilities: CVE-2011-4108: The DTLS implementation performs a MAC check only if certain padding is valid, which makes it easier for remote attackers to recover plaintex ...
It was discovered that the Datagram Transport Layer Security (DTLS) protocol implementation in OpenSSL leaked timing information when performing certain operations. A remote attacker could possibly use this flaw to retrieve plain text from the encrypted packets by using a DTLS server as a padding oracle (CVE-2011-4108). An information leak flaw was ...