CVE-2011-3389

Sažetak

The SSL protocol, as used in certain configurations in Microsoft Windows and Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera, and other products, encrypts data by using CBC mode with chained initialization vectors, which allows man-in-the-middle attackers to obtain plaintext HTTP headers via a blockwise chosen-boundary attack (BCBA) on an HTTPS session, in conjunction with JavaScript code that uses (1) the HTML5 WebSocket API, (2) the Java URLConnection API, or (3) the Silverlight WebClient API, aka a "BEAST" attack.

Reference

http://www.opera.com/docs/changelogs/unix/1151/
http://www.securityfocus.com/bid/49388
http://www.opera.com/docs/changelogs/windows/1151/
http://www.opera.com/docs/changelogs/mac/1151/
http://osvdb.org/74829
http://secunia.com/advisories/45791
http://www.securitytracker.com/id?1025997
http://eprint.iacr.org/2004/111
https://bugzilla.redhat.com/show_bug.cgi?id=737506
http://ekoparty.org/2011/juliano-rizzo.php
http://www.imperialviolet.org/2011/09/23/chromeandbeast.html
https://bugzilla.novell.com/show_bug.cgi?id=719047
http://www.insecure.cl/Beast-SSL.rar
http://www.educatedguesswork.org/2011/09/security_impact_of_the_rizzodu.html
http://eprint.iacr.org/2006/136
http://isc.sans.edu/diary/SSL+TLS+part+3+/11635
http://my.opera.com/securitygroup/blog/2011/09/28/the-beast-ssl-tls-issue
http://blog.mozilla.com/security/2011/09/27/attack-against-tls-protected-communications/
http://blogs.technet.com/b/msrc/archive/2011/09/26/microsoft-releases-security-advisory-2588513.aspx
http://technet.microsoft.com/security/advisory/2588513
http://support.apple.com/kb/HT4999
http://www.oracle.com/technetwork/topics/security/javacpuoct2011-443431.html
http://support.apple.com/kb/HT5001
http://lists.apple.com/archives/Security-announce/2011//Oct/msg00001.html
http://lists.apple.com/archives/Security-announce/2011//Oct/msg00002.html
http://www.securitytracker.com/id?1026103
http://www.securityfocus.com/bid/49778
http://blogs.technet.com/b/srd/archive/2011/09/26/is-ssl-broken-more-about-security-advisory-2588513.aspx
http://www.redhat.com/support/errata/RHSA-2011-1384.html
http://vnhacker.blogspot.com/2011/09/beast.html
http://www.kb.cert.org/vuls/id/864643
http://googlechromereleases.blogspot.com/2011/10/chrome-stable-release.html
http://www.ibm.com/developerworks/java/jdk/alerts/
http://www.opera.com/docs/changelogs/windows/1160/
http://www.opera.com/docs/changelogs/mac/1160/
http://www.opera.com/support/kb/view/1004/
http://www.opera.com/docs/changelogs/unix/1160/
http://www.redhat.com/support/errata/RHSA-2012-0006.html
http://support.apple.com/kb/HT5130
http://lists.apple.com/archives/security-announce/2012/Feb/msg00000.html
http://marc.info/?l=bugtraq&m=132872385320240&w=2
http://support.apple.com/kb/HT5281
http://lists.apple.com/archives/security-announce/2012/May/msg00001.html
http://lists.apple.com/archives/security-announce/2012/Jul/msg00001.html
http://support.apple.com/kb/HT5501
http://lists.apple.com/archives/security-announce/2012/Sep/msg00004.html
http://secunia.com/advisories/49198
http://lists.opensuse.org/opensuse-security-announce/2012-01/msg00051.html
https://hermes.opensuse.org/messages/13155432
https://hermes.opensuse.org/messages/13154861
http://lists.opensuse.org/opensuse-security-announce/2012-01/msg00049.html
http://marc.info/?l=bugtraq&m=132750579901589&w=2
http://secunia.com/advisories/48692
https://blogs.oracle.com/sunsecurity/entry/multiple_vulnerabilities_in_fetchmail
http://secunia.com/advisories/48948
http://secunia.com/advisories/48915
http://www.us-cert.gov/cas/techalerts/TA12-010A.html
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c03839862
http://secunia.com/advisories/55351
http://secunia.com/advisories/55322
http://secunia.com/advisories/55350
http://www.securitytracker.com/id/1029190
http://rhn.redhat.com/errata/RHSA-2013-1455.html
http://lists.apple.com/archives/security-announce/2013/Oct/msg00004.html
http://www.ubuntu.com/usn/USN-1263-1
http://support.apple.com/kb/HT6150
http://security.gentoo.org/glsa/glsa-201406-32.xml
http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html
http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html
http://downloads.asterisk.org/pub/security/AST-2016-001.html
http://marc.info/?l=bugtraq&m=134254957702612&w=2
http://marc.info/?l=bugtraq&m=133365109612558&w=2
http://marc.info/?l=bugtraq&m=133728004526190&w=2
http://www.apcmedia.com/salestools/SJHN-7RKGNM/SJHN-7RKGNM_R4_EN.pdf
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14752
http://marc.info/?l=bugtraq&m=134254866602253&w=2
http://www.mandriva.com/security/advisories?name=MDVSA-2012:058
http://rhn.redhat.com/errata/RHSA-2012-0508.html
http://lists.opensuse.org/opensuse-security-announce/2012-05/msg00009.html
http://security.gentoo.org/glsa/glsa-201203-02.xml
http://secunia.com/advisories/48256
http://www.securitytracker.com/id?1026704
http://secunia.com/advisories/47998
http://www.debian.org/security/2012/dsa-2398
http://curl.haxx.se/docs/adv_20120124B.html
https://ics-cert.us-cert.gov/advisories/ICSMA-18-058-02
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2012/ms12-006
https://cert-portal.siemens.com/productcert/pdf/ssa-556833.pdf
http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00040.html

CVSS

Base:	4.3
Impact:	2.9
Exploitability:	8.6

Pristup

Vektor	Složenost	Autentikacija
NETWORK	MEDIUM	NONE

Impact

Povjerljivost	Cjelovitost	Dostupnost
PARTIAL	NONE	NONE

CVSS vektor

AV:N/AC:M/Au:N/C:P/I:N/A:N

Zadnje važnije ažuriranje

29-11-2022 - 15:56

Objavljeno

06-09-2011 - 19:55