PT-2016-1595 · Openssl+7 · Openssl+7
Nimrod Aviram
+1
·
Publicado
2016-01-28
·
Atualizado
2024-06-15
·
CVE-2015-3197
CVSS v3.1
5.9
Média
| Vetor | AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
OpenSSL versions 1.0.1 before 1.0.1r
OpenSSL versions 1.0.2 before 1.0.2f
Description
The issue is related to errors in cryptographic transformations in the OpenSSL library, specifically in the ssl/s2 srvr.c function. This can be exploited by a remote attacker to compromise the cryptographic protection mechanism by performing computations on SSLv2 traffic, related to the
get client master key and get client hello functions. The vulnerability makes it easier for man-in-the-middle attackers to defeat cryptographic protection mechanisms.Recommendations
For OpenSSL versions 1.0.1 before 1.0.1r, update to version 1.0.1r or later.
For OpenSSL versions 1.0.2 before 1.0.2f, update to version 1.0.2f or later.
As a temporary workaround, consider disabling the use of SSLv2 traffic until a patch is available. Restrict access to the
get client master key and get client hello functions to minimize the risk of exploitation.Exploit
Correção
Information Disclosure
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Identificadores relacionados
Produtos afetados
Alt Linux
Centos
Freebsd
Ibm Aix
Openssl
Red Hat
Suse
Virtualbox