PT-2014-1702 · Gentoo+7 · Gentoo Linux+7

Publicado

2014-08-06

Atualizado

2024-06-15

CVE-2014-3511

CVSS v2.0

7.5

Alta

Vetor

AV:N/AC:L/Au:N/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions OpenSSL versions prior to 1.0.1j Gentoo Linux (affected versions not specified)

Description The issue allows man-in-the-middle attackers to force the use of TLS 1.0 by triggering ClientHello message fragmentation in communication between a client and server that both support later TLS versions, related to a "protocol downgrade" issue. This can be exploited remotely and may lead to a violation of confidentiality, integrity, and availability of protected information. The vulnerability is in the ssl23 get client hello function in s23 srvr.c.

Recommendations For OpenSSL versions prior to 1.0.1j, update to version 1.0.1j or later to resolve the issue. As a temporary workaround, consider restricting the use of TLS 1.0 until a patch is available. Avoid using the ssl23 get client hello function in s23 srvr.c until the issue is resolved.

Exploit

Correção

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

dbugs@ptsecurity.com

Identificadores relacionados

ALT-PU-2014-2312

BDU:2015-00652

BDU:2015-09775

CESA-2014_1052

CVE-2014-3511

DSA-2998-1

MGASA-2014-0325

OPENSUSE-SU-2024:10271-1

OPENSUSE-SU-2024:10309-1

OPENSUSE-SU-2024:10529-1

OPENSUSE-SU-2024:11127-1

RHSA-2014:1052

RHSA-2014:1054

RHSA-2014_1052

RHSA-2015:0126

RHSA-2015:0197

SUSE-FU-2022:0445-1

SUSE-RU-2015:0769-1

SUSE-SU-2015:0546-1

SUSE-SU-2015:1185-1

USN-2308-1

Produtos afetados

Alt Linux

Centos

Gentoo Linux

Ibm Aix

Openssl

Red Hat

Suse

Ubuntu

PT-2014-1702 · Gentoo+7 · Gentoo Linux+7

CVE-2014-3511

Identificadores relacionados

Produtos afetados

Referências · 280