PT-2014-5421 · Nginx+2 · Nginx+2

Antoine Delignat-Lavaud

Published

2014-09-17

Updated

2024-06-15

CVE-2014-3616

CVSS v2.0

4.3

Medium

Vector

AV:N/AC:M/Au:N/C:N/I:P/A:N

Name of the Vulnerable Software and Affected Versions nginx versions 0.5.6 through 1.7.4

Description The issue allows remote attackers with certain privileges to conduct virtual host confusion attacks by reusing a cached SSL session for an unrelated context when the same shared ssl session cache or ssl session ticket key is used for multiple servers.

Recommendations For versions 0.5.6 through 1.7.4, consider using unique ssl session cache or ssl session ticket key for each server to prevent the reuse of cached SSL sessions across different contexts.

Fix

Insufficient Session Expiration

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-613

Related Identifiers

ALT-PU-2014-2153

CVE-2014-3616

DLA-55-1

DSA-3029-1

MGASA-2014-0427

OPENSUSE-SU-2024:10044-1

USN-2351-1

Affected Products

Alt Linux

Nginx

Ubuntu

PT-2014-5421 · Nginx+2 · Nginx+2

CVE-2014-3616

Weakness Enumeration

Related Identifiers

Affected Products

References · 33