PT-2005-1101 · Openssl+3 · Openssl+4
Yutaka Oiwa
Published: 2005-10-11
Updated: 2018-05-03
CVE-2005-2969
CVSS v2.0: 7.5 (High)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions
OpenSSL versions 0.9.7 through 0.9.7h
OpenSSL versions 0.9.8 through 0.9.8a
Description
The issue concerns a problem in the SSL/TLS server implementation when the SSL_OP_MSIE_SSLV2_RSA_PADDING option is set: the option disables a necessary verification step. This allows a remote man-in-the-middle attacker to force a client and server to use a weaker protocol than they would otherwise negotiate. The vulnerability could also enable an unauthenticated, remote attacker to bypass security restrictions or cause a denial of service, potentially allowing access to encrypted data without knowledge of the encryption key.
Recommendations
For OpenSSL versions 0.9.7 through 0.9.7h, update to version 0.9.7h or later to resolve the issue.
For OpenSSL versions 0.9.8 through 0.9.8a, update to version 0.9.8a or later to resolve the issue.
As a temporary workaround, consider disabling the SSL_OP_MSIE_SSLV2_RSA_PADDING option until a patch is available.
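A quick way to triage an installation against the version ranges listed in this advisory, as an added example that is not part of the advisory or of OpenSSL: it parses the version string printed by `openssl version` (letter suffixes are ordered a, b, ... z, then za, zb, ...), treats 0.9.7h and 0.9.8a, the releases the Recommendations direct you to, as fixed, and also checks the OpenSSL build the running Python interpreter is linked against. Note that in the affected releases SSL_OP_MSIE_SSLV2_RSA_PADDING is one of the bits bundled into SSL_OP_ALL, so a server that enables "all workarounds" has the option set without naming it.

```python
"""Triage an OpenSSL build against the CVE-2005-2969 version ranges."""
import re
import ssl

# First fixed release in each affected branch, per the Recommendations:
# 0.9.7h (letter h -> 8) and 0.9.8a (letter a -> 1). Every earlier release
# in the same branch, including the un-lettered 0.9.7 and 0.9.8, is affected.
FIXED_PATCH = {(0, 9, 7): 8, (0, 9, 8): 1}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(text):
    """'OpenSSL 0.9.7g 11 Apr 2005' -> (0, 9, 7, 7).

    The letter suffix becomes a number so releases compare correctly:
    no letter -> 0, a -> 1, ..., z -> 26, za -> 677 (anything after z
    sorts above z, which is all the comparison needs).
    """
    match = _VERSION_RE.search(text)
    if not match:
        raise ValueError(f"no OpenSSL version found in {text!r}")
    major, minor, fix = (int(x) for x in match.group(1, 2, 3))
    patch = 0
    for ch in match.group(4):
        patch = patch * 26 + (ord(ch) - ord("a") + 1)
    return (major, minor, fix, patch)


def is_affected(version):
    """True when (major, minor, fix, patch) sits in an affected branch
    below that branch's first fixed release; other branches are untouched."""
    branch, patch = version[:3], version[3]
    fixed_patch = FIXED_PATCH.get(branch)
    return fixed_patch is not None and patch < fixed_patch


def running_build_affected():
    """Check the OpenSSL that the interpreter's ssl module is linked against.
    OPENSSL_VERSION_INFO already carries the patch letter as a number."""
    major, minor, fix, patch, _status = ssl.OPENSSL_VERSION_INFO
    return is_affected((major, minor, fix, patch))


if __name__ == "__main__":
    # Constructed sample of `openssl version` output from an affected host.
    sample = "OpenSSL 0.9.7g 11 Apr 2005"
    print(sample, "->", "AFFECTED" if is_affected(parse_version(sample)) else "ok")
    print(ssl.OPENSSL_VERSION, "->", "AFFECTED" if running_build_affected() else "ok")
```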
Weakness Enumeration
Related identifiers
Affected products
Cisco ASA
Cisco IOS XR
HP-UX
OpenSSL
Red Hat