ssl/s2_srvr.c in OpenSSL 1.0.1 prior to 1.0.1r and 1.0.2 prior to 1.0.2f (CVE-2015-3197) does not prevent use of SSLv2 ciphers that the server's configuration has disabled: a malicious client can negotiate a disabled cipher and complete an SSLv2 handshake even when every SSLv2 cipher is disabled, as long as the SSLv2 protocol itself was not also switched off with SSL_OP_NO_SSLv2. This makes it easier for man-in-the-middle attackers to defeat cryptographic protection mechanisms by performing computations on SSLv2 traffic. The flaw lies in the get_client_master_key and get_client_hello functions.
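A practitioner's first question about a server in the list below is whether the SSLv2 protocol still answers at all, since that is the precondition for the flaw described above. The probe below sends an SSLv2 CLIENT-HELLO and decodes the SERVER-HELLO. It is an added example, not OpenSSL code or code from this page: the message layouts follow the SSL 2.0 draft and the SSL_CK_* names are the draft's, while build_client_hello, parse_record, parse_server_hello, probe and the sample record are this example's own constructions.

```python
"""Send an SSLv2 CLIENT-HELLO and decode the SERVER-HELLO it provokes.

Added example, not OpenSSL code or code from this page.  Message layouts
follow the SSL 2.0 draft; the SSL_CK_* names are the draft's, everything
else here is this example's own.
"""
import socket
import struct

# SSLv2 cipher-spec codes (3 bytes each) with their SSL 2.0 draft names.
SSLV2_CIPHERS = {
    b"\x01\x00\x80": "SSL_CK_RC4_128_WITH_MD5",
    b"\x02\x00\x80": "SSL_CK_RC4_128_EXPORT40_WITH_MD5",
    b"\x03\x00\x80": "SSL_CK_RC2_128_CBC_WITH_MD5",
    b"\x04\x00\x80": "SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5",
    b"\x05\x00\x80": "SSL_CK_IDEA_128_CBC_WITH_MD5",
    b"\x06\x00\x40": "SSL_CK_DES_64_CBC_WITH_MD5",
    b"\x07\x00\xc0": "SSL_CK_DES_192_EDE3_CBC_WITH_MD5",
}
MSG_CLIENT_HELLO, MSG_SERVER_HELLO, SSLV2_VERSION = 0x01, 0x04, 0x0002


def build_client_hello(cipher_specs=tuple(SSLV2_CIPHERS), challenge=b"\x00" * 16):
    """CLIENT-HELLO: type, version, cipher-spec/session-id/challenge lengths,
    cipher specs, challenge; 2-byte record header (high bit set, 15-bit length)."""
    specs = b"".join(cipher_specs)
    body = struct.pack("!BHHHH", MSG_CLIENT_HELLO, SSLV2_VERSION,
                       len(specs), 0, len(challenge)) + specs + challenge
    return struct.pack("!H", 0x8000 | len(body)) + body


def parse_record(data):
    """Split one SSLv2 record off `data` -> (body, rest); ValueError if incomplete."""
    if len(data) < 2:
        raise ValueError("short record header")
    if data[0] & 0x80:                                   # 2-byte header
        length, hdr = ((data[0] & 0x7F) << 8) | data[1], 2
    else:                                                # 3-byte header + padding byte
        length, hdr = ((data[0] & 0x3F) << 8) | data[1], 3
    if len(data) < hdr + length:
        raise ValueError("truncated record")
    return data[hdr:hdr + length], data[hdr + length:]


def parse_server_hello(body):
    """SERVER-HELLO: type, session-id-hit, cert type, version, three lengths, fields."""
    if len(body) < 11 or body[0] != MSG_SERVER_HELLO:
        raise ValueError("not an SSLv2 SERVER-HELLO")
    _, hit, cert_type, version, cert_len, spec_len, conn_len = struct.unpack(
        "!BBBHHHH", body[:11])
    fields = body[11:]
    if len(fields) != cert_len + spec_len + conn_len or spec_len % 3:
        raise ValueError("SERVER-HELLO length fields do not match body")
    specs = fields[cert_len:cert_len + spec_len]
    return {
        "version": version, "session_id_hit": hit, "certificate_type": cert_type,
        "certificate": fields[:cert_len], "connection_id": fields[cert_len + spec_len:],
        "ciphers": [SSLV2_CIPHERS.get(specs[i:i + 3], "unknown " + specs[i:i + 3].hex())
                    for i in range(0, spec_len, 3)],
    }


def probe(host, port=443, timeout=5.0):
    """Decoded SERVER-HELLO, or None when the server does not answer the SSLv2
    CLIENT-HELLO with one (SSLv2 disabled or unsupported, or a TLS alert instead)."""
    data = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        while True:
            try:
                chunk = sock.recv(4096)
            except socket.timeout:
                break
            if not chunk:
                break
            data += chunk
            try:
                parse_record(data)
                break                       # one complete record is enough
            except ValueError:
                continue
    try:
        return parse_server_hello(parse_record(data)[0])
    except ValueError:
        return None


# Constructed sample (not a capture): SERVER-HELLO offering two cipher specs,
# an empty certificate field and a 16-byte connection id.
SAMPLE_SERVER_HELLO_RECORD = (
    b"\x80\x21"                      # 2-byte header, body length 33
    + b"\x04\x00\x01\x00\x02"        # SERVER-HELLO, no session hit, X.509, version 2
    + b"\x00\x00\x00\x06\x00\x10"    # cert len 0, cipher-spec len 6, conn-id len 16
    + b"\x01\x00\x80\x07\x00\xc0"    # RC4-128-MD5, DES-192-EDE3-MD5
    + bytes(range(16))
)

if __name__ == "__main__":
    import sys
    hello = probe(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 443)
    print("no SSLv2 SERVER-HELLO" if hello is None else hello["ciphers"])
```

Read the result conservatively: any SERVER-HELLO means the SSLv2 protocol is reachable, and on an unpatched build that is already the exposed state, because the flaw lets a client go on to use a cipher the server never advertised. Confirming that a specific disabled cipher is accepted requires continuing into CLIENT-MASTER-KEY (encrypting a master key to the server's certificate), which this probe does not do; the remediation the page supports is upgrading to 1.0.1r or 1.0.2f, and disabling SSLv2 outright with SSL_OP_NO_SSLv2 removes the precondition.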
| Vulnerable Product |
|---|
| oracle tuxedo 12.1.1.0 |
| oracle exalogic infrastructure 1.0 |
| oracle exalogic infrastructure 2.0 |
| oracle peoplesoft enterprise peopletools 8.53 |
| oracle peoplesoft enterprise peopletools 8.54 |
| oracle peoplesoft enterprise peopletools 8.55 |
| openssl openssl 1.0.1 |
| openssl openssl 1.0.1a |
| openssl openssl 1.0.1b |
| openssl openssl 1.0.1c |
| openssl openssl 1.0.1d |
| openssl openssl 1.0.1e |
| openssl openssl 1.0.1f |
| openssl openssl 1.0.1g |
| openssl openssl 1.0.1h |
| openssl openssl 1.0.1i |
| openssl openssl 1.0.1j |
| openssl openssl 1.0.1k |
| openssl openssl 1.0.1l |
| openssl openssl 1.0.1m |
| openssl openssl 1.0.1n |
| openssl openssl 1.0.1o |
| openssl openssl 1.0.1p |
| openssl openssl 1.0.1q |
| openssl openssl 1.0.2 |
| openssl openssl 1.0.2a |
| openssl openssl 1.0.2b |
| openssl openssl 1.0.2c |
| openssl openssl 1.0.2d |
| openssl openssl 1.0.2e |
| oracle oss support tools 8.11.16.3.8 |
| oracle vm virtualbox 5.0.16 |
Feet up for the many, heads down and patch for the rest.
OpenSSL maintainers have pushed a pair of patches (the second being the SSLv2 disabled-cipher fix described above), crushing a dangerous but uncommon bug that allows HTTPS to be unravelled while also hardening servers against downgrade attacks. Affected servers are open to key recovery attacks only if they run OpenSSL 1.0.2 with Diffie-Hellman parameters built on a non-safe prime, such as DSA-style (X9.42) parameters whose p-1 has small prime factors and therefore small subgroups, and reuse the same private DH key across connections (static DH rather than a fresh key per handshake). The high severity bug (CVE-2016-0701), revealed by Adobe engineer Antonio Sanso, is fixed in version 1.0.2f. Carnegie Mello...
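The key-recovery condition the excerpt describes, modelled as a toy in Python so the mechanism is visible: a server that reuses one DH exponent on a modulus whose p-1 has small prime factors answers a handshake oracle that reveals the exponent modulo each factor, and the residues combine by CRT. This is an added illustration, not OpenSSL's code or the article's; the prime, the small factors, the server's exponent, the handshake oracle and every function name here are constructed for the example, and the modulus is about 32 bits rather than 2048.

```python
"""Toy model of the CVE-2016-0701 condition: a server reusing one DH exponent x
on a modulus p whose p-1 has small prime factors leaks x modulo each factor,
one handshake-oracle query per guess.  Added illustration, not OpenSSL code:
p, the small factors, the server's exponent and the oracle are all constructed,
and p is ~32 bits (a real 2048-bit modulus needs a Pollard lambda finish)."""
import math

SMALL_FACTORS = [2, 3, 5, 7, 11, 13]      # subgroup orders attacked, product 30030


def is_prime(n):
    """Trial division; fine for the toy sizes used here."""
    if n < 2 or (n % 2 == 0 and n != 2):
        return False
    return all(n % f for f in range(3, math.isqrt(n) + 1, 2))


def find_toy_prime(small_factors, q_start):
    """(p, q) with p = prod(small_factors) * q + 1, both prime: a DSA/X9.42-style
    modulus whose cofactor (p-1)/q carries small primes.  q_start must be odd."""
    m, q = math.prod(small_factors), q_start
    while not (is_prime(q) and is_prime(m * q + 1)):
        q += 2
    return m * q + 1, q


def find_safe_prime(start):
    """First p >= start with (p-1)/2 prime, the kind `openssl dhparam` makes by
    default (without -dsaparam); its only small subgroup is {1, p-1}."""
    p = start | 1
    while not (is_prime(p) and is_prime((p - 1) // 2)):
        p += 2
    return p


def small_subgroup_orders(p, bound=1000):
    """Prime factors of p-1 up to `bound`: each is the order of a subgroup the
    attacker can confine the server's y^x into with at most `bound` guesses."""
    n, out = p - 1, []
    for f in range(2, bound + 1):
        if f * f > n:
            break
        if n % f == 0:
            out.append(f)
            while n % f == 0:
                n //= f
    return out + ([n] if 1 < n <= bound else [])


class StaticDHServer:
    """Reuses one DH exponent for its lifetime (no SSL_OP_SINGLE_DH_USE)."""
    def __init__(self, p, x):
        self.p, self._x, self.handshakes = p, x, 0

    def handshake(self, client_pub, finished_under_guess):
        """Oracle: a real server accepts only a Finished keyed from the shared
        secret it computed; here the 'Finished' is the guessed secret itself."""
        self.handshakes += 1
        return pow(client_pub, self._x, self.p) == finished_under_guess


def subgroup_element(p, r):
    """An element of exact order r (r prime, r | p-1)."""
    for h in range(2, p):
        y = pow(h, (p - 1) // r, p)
        if y != 1:
            return y
    raise ValueError("no element of order %d" % r)


def crt(residues):
    """Combine (a, n) pairs with pairwise coprime n into (x mod M, M)."""
    x, m = 0, 1
    for a, n in residues:
        x += m * (((a - x) * pow(m, -1, n)) % n)
        m *= n
    return x, m


def recover_exponent_mod_small_factors(server, p, small_factors):
    """For each r send y of order r: y^x depends only on x mod r, so at most r
    handshakes reveal it.  Returns (x mod M, M) with M = prod(small_factors)."""
    residues = []
    for r in small_factors:
        y = subgroup_element(p, r)
        for k in range(r):
            if server.handshake(y, pow(y, k, p)):
                residues.append((k, r))
                break
        else:
            raise RuntimeError("oracle never accepted a guess for r=%d" % r)
    return crt(residues)


if __name__ == "__main__":
    p, q = find_toy_prime(SMALL_FACTORS, 100_003)
    server = StaticDHServer(p, 1_234_567)           # arbitrary long-lived secret
    rec, mod = recover_exponent_mod_small_factors(server, p, SMALL_FACTORS)
    print("non-safe p:", p, "small subgroups:", small_subgroup_orders(p),
          "| x mod", mod, "=", rec, "correct:", rec == 1_234_567 % mod,
          "after", server.handshakes, "handshakes")
    ps = find_safe_prime(100_003)
    print("safe p:", ps, "small subgroups:", small_subgroup_orders(ps))
```

Two things the toy makes concrete. First, the attack needs the exponent to stay fixed across the oracle queries: the 1.0.2f change that forces SSL_OP_SINGLE_DH_USE on gives every handshake a fresh x, so residues from different connections no longer describe the same secret and CRT has nothing to combine. Second, a safe prime leaves only the order-2 subgroup, which is why parameters from a plain `openssl dhparam` run are outside the affected condition while DSA-style (-dsaparam) parameters are inside it; small_subgroup_orders is the check to run on a deployed parameter set.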