PT-2012-1077 · Openssl+5

Published 2012-01-04 · Updated 2024-06-15 · CVE-2011-4108

CVSS v2.0: 7.6 (High)
Vector: AV:N/AC:H/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions

OpenSSL versions prior to 1.0.0f
OpenSSL versions prior to 1.0.0g
OpenSSL version 1.0.0
OpenSSL-debuginfo version 1.0.0
OpenSSL-devel version 1.0.0
OpenSSL-static version 1.0.0
Description

The issue affects the confidentiality, integrity, and availability of protected information, and can be exploited remotely. The DTLS implementation in OpenSSL performs the MAC check only when the record padding is valid, so an invalid-padding failure is distinguishable from a MAC failure; this makes it easier for remote attackers to recover plaintext via a padding oracle attack. Additionally, the OpenSSL implementation is vulnerable to plaintext recovery through timing analysis of how long decryption of the data takes.
Recommendations

For OpenSSL versions prior to 1.0.0f, update to version 1.0.0f or later.
For OpenSSL versions prior to 1.0.0g, update to version 1.0.0g or later.
For OpenSSL version 1.0.0, update to a newer version.
For OpenSSL-debuginfo version 1.0.0, update to a newer version.
For OpenSSL-devel version 1.0.0, update to a newer version.
For OpenSSL-static version 1.0.0, update to a newer version.

As a temporary workaround, consider restricting access to the DTLS implementation until a patch is available. Avoid using the DTLS implementation in the affected API endpoints until the issue is resolved.
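The description above says the DTLS code checked the MAC only when the padding was valid. As an added illustration that is not the page's or OpenSSL's code, the Python below models a MAC-then-pad record check twice: an early-exit variant whose bad-padding path skips the MAC work entirely, so the two failure causes are distinguishable to a remote peer, and a uniform-failure variant that always computes the MAC and reports one generic error. The function names, the key and the sample record are constructed for the demo; the block cipher is omitted because the oracle concerns what the receiver does with the already-decrypted bytes.

```python
"""Model of a MAC-then-pad record check: early-exit vs. uniform failure.
Added illustration for this record; not OpenSSL's DTLS code."""
import hmac
import hashlib

MAC_LEN = hashlib.sha1().digest_size  # 20 bytes, as for HMAC-SHA1 in DTLS 1.0
BLOCK = 16                            # block size of the (omitted) cipher


def build_record(key: bytes, plaintext: bytes) -> bytes:
    """Lay out plaintext || HMAC || padding as a block-cipher record looks after
    decryption. TLS-style padding: pad_len bytes of value pad_len, then one
    length byte also equal to pad_len."""
    mac = hmac.new(key, plaintext, hashlib.sha1).digest()
    body = plaintext + mac
    pad_len = (BLOCK - (len(body) + 1) % BLOCK) % BLOCK
    return body + bytes([pad_len]) * (pad_len + 1)


def _padding_ok(record: bytes) -> bool:
    pad_len = record[-1]
    if pad_len + 1 + MAC_LEN > len(record):
        return False
    return all(b == pad_len for b in record[-(pad_len + 1):])


def check_vulnerable(key: bytes, record: bytes):
    """Early exit: invalid padding returns before any MAC computation.
    Returns (plaintext or None, error label or None, mac_was_computed)."""
    if not _padding_ok(record):
        return None, "bad_padding", False          # fast, distinct failure
    pad_len = record[-1]
    body = record[:-(pad_len + 1)]
    plaintext, tag = body[:-MAC_LEN], body[-MAC_LEN:]
    expected = hmac.new(key, plaintext, hashlib.sha1).digest()
    if not hmac.compare_digest(tag, expected):
        return None, "bad_mac", True               # slower, distinct failure
    return plaintext, None, True


def check_hardened(key: bytes, record: bytes):
    """Uniform failure: on invalid padding, treat pad_len as 0 so a MAC is still
    computed, then return a single generic error for either failure cause."""
    if len(record) < MAC_LEN + 1:                  # length is public, not secret
        return None, "decrypt_error", False
    good_pad = _padding_ok(record)
    pad_len = record[-1] if good_pad else 0
    body = record[:len(record) - pad_len - 1]
    plaintext, tag = body[:-MAC_LEN], body[-MAC_LEN:]
    expected = hmac.new(key, plaintext, hashlib.sha1).digest()
    mac_ok = hmac.compare_digest(tag, expected)
    if not (good_pad and mac_ok):
        return None, "decrypt_error", True
    return plaintext, None, True


def demo():
    """Run both checkers over a valid record and two tampered copies (constructed)."""
    key = b"constructed-demo-key"
    rec = build_record(key, b"hello dtls")
    bad_pad = rec[:-1] + b"\xff"                   # length byte too large: bad padding
    bad_mac = bytes([rec[0] ^ 0x01]) + rec[1:]     # flipped plaintext bit: bad MAC
    return {
        "valid": (check_vulnerable(key, rec), check_hardened(key, rec)),
        "bad_pad": (check_vulnerable(key, bad_pad), check_hardened(key, bad_pad)),
        "bad_mac": (check_vulnerable(key, bad_mac), check_hardened(key, bad_mac)),
    }


if __name__ == "__main__":
    for name, (vuln, hard) in demo().items():
        print(f"{name:8s} early-exit={vuln[1:]}  uniform={hard[1:]}")
```

In the early-exit variant the two tampered records produce different error labels and different amounts of work, which is exactly the signal a padding oracle needs; the uniform variant reports the same error and does MAC work in both cases. Even this version hashes a body whose length depends on the padding byte, a smaller residual timing difference that the later Lucky Thirteen research showed was still measurable, which is why current implementations go further and perform a fixed amount of hash work regardless of padding.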

Fix


Weakness Enumeration

Related identifiers

BDU:2015-06476
BDU:2015-06477
BDU:2015-06479
BDU:2015-06480
BDU:2015-08802
BDU:2015-08803
BDU:2015-08804
BDU:2015-08805
BDU:2015-09442
CESA-2012_0059
CVE-2011-4108
DSA-2390-1
HPSBUX02734
OPENSUSE-SU-2012_0083-1
OPENSUSE-SU-2024:10271-1
OPENSUSE-SU-2024:10529-1
OPENSUSE-SU-2024:11127-1
RHSA-2012:0059
RHSA-2012:0060
RHSA-2012_0059
RHSA-2012_0060
SUSE-FU-2022:0445-1
SUSE-SU-2015:1184-1
SUSE-SU-403

Affected products

Centos
Hp-Ux
Ibm Aix
Openssl
Red Hat
Suse