CVE-2011-3389

medium

Description

The SSL protocol, as used in certain configurations in Microsoft Windows and Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera, and other products, encrypts data by using CBC mode with chained initialization vectors, which allows man-in-the-middle attackers to obtain plaintext HTTP headers via a blockwise chosen-boundary attack (BCBA) on an HTTPS session, in conjunction with JavaScript code that uses (1) the HTML5 WebSocket API, (2) the Java URLConnection API, or (3) the Silverlight WebClient API, aka a "BEAST" attack.

References

http://www.opera.com/docs/changelogs/unix/1151/

http://www.securityfocus.com/bid/49388

http://www.opera.com/docs/changelogs/windows/1151/

http://www.opera.com/docs/changelogs/mac/1151/

http://osvdb.org/74829

http://secunia.com/advisories/45791

http://www.securitytracker.com/id?1025997

http://eprint.iacr.org/2004/111

https://bugzilla.redhat.com/show_bug.cgi?id=737506

http://ekoparty.org/2011/juliano-rizzo.php

http://www.imperialviolet.org/2011/09/23/chromeandbeast.html

https://bugzilla.novell.com/show_bug.cgi?id=719047

http://www.insecure.cl/Beast-SSL.rar

http://www.educatedguesswork.org/2011/09/security_impact_of_the_rizzodu.html

http://eprint.iacr.org/2006/136

http://isc.sans.edu/diary/SSL+TLS+part+3+/11635

http://my.opera.com/securitygroup/blog/2011/09/28/the-beast-ssl-tls-issue

http://blog.mozilla.com/security/2011/09/27/attack-against-tls-protected-communications/

http://blogs.technet.com/b/msrc/archive/2011/09/26/microsoft-releases-security-advisory-2588513.aspx

http://technet.microsoft.com/security/advisory/2588513

http://support.apple.com/kb/HT4999

http://www.oracle.com/technetwork/topics/security/javacpuoct2011-443431.html

http://support.apple.com/kb/HT5001

http://lists.apple.com/archives/Security-announce/2011//Oct/msg00001.html

http://lists.apple.com/archives/Security-announce/2011//Oct/msg00002.html

http://www.securitytracker.com/id?1026103

http://www.securityfocus.com/bid/49778

http://blogs.technet.com/b/srd/archive/2011/09/26/is-ssl-broken-more-about-security-advisory-2588513.aspx

http://www.redhat.com/support/errata/RHSA-2011-1384.html

http://vnhacker.blogspot.com/2011/09/beast.html

http://www.kb.cert.org/vuls/id/864643

http://googlechromereleases.blogspot.com/2011/10/chrome-stable-release.html

http://www.ibm.com/developerworks/java/jdk/alerts/

http://www.opera.com/docs/changelogs/windows/1160/

http://www.opera.com/docs/changelogs/mac/1160/

http://www.opera.com/support/kb/view/1004/

http://www.opera.com/docs/changelogs/unix/1160/

http://www.redhat.com/support/errata/RHSA-2012-0006.html

http://support.apple.com/kb/HT5130

http://lists.apple.com/archives/security-announce/2012/Feb/msg00000.html

http://marc.info/?l=bugtraq&m=132872385320240&w=2

http://support.apple.com/kb/HT5281

http://lists.apple.com/archives/security-announce/2012/May/msg00001.html

http://lists.apple.com/archives/security-announce/2012/Jul/msg00001.html

http://support.apple.com/kb/HT5501

http://lists.apple.com/archives/security-announce/2012/Sep/msg00004.html

http://secunia.com/advisories/49198

http://lists.opensuse.org/opensuse-security-announce/2012-01/msg00051.html

https://hermes.opensuse.org/messages/13155432

https://hermes.opensuse.org/messages/13154861

http://lists.opensuse.org/opensuse-security-announce/2012-01/msg00049.html

http://marc.info/?l=bugtraq&m=132750579901589&w=2

http://secunia.com/advisories/48692

https://blogs.oracle.com/sunsecurity/entry/multiple_vulnerabilities_in_fetchmail

http://secunia.com/advisories/48948

http://secunia.com/advisories/48915

http://www.us-cert.gov/cas/techalerts/TA12-010A.html

https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c03839862

http://secunia.com/advisories/55351

http://secunia.com/advisories/55322

http://secunia.com/advisories/55350

http://www.securitytracker.com/id/1029190

http://rhn.redhat.com/errata/RHSA-2013-1455.html

http://lists.apple.com/archives/security-announce/2013/Oct/msg00004.html

http://www.ubuntu.com/usn/USN-1263-1

http://support.apple.com/kb/HT6150

http://security.gentoo.org/glsa/glsa-201406-32.xml

http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html

http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html

http://downloads.asterisk.org/pub/security/AST-2016-001.html

http://marc.info/?l=bugtraq&m=134254957702612&w=2

http://marc.info/?l=bugtraq&m=133365109612558&w=2

http://marc.info/?l=bugtraq&m=133728004526190&w=2

http://www.apcmedia.com/salestools/SJHN-7RKGNM/SJHN-7RKGNM_R4_EN.pdf

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14752

http://marc.info/?l=bugtraq&m=134254866602253&w=2

http://www.mandriva.com/security/advisories?name=MDVSA-2012:058

http://rhn.redhat.com/errata/RHSA-2012-0508.html

http://lists.opensuse.org/opensuse-security-announce/2012-05/msg00009.html

http://security.gentoo.org/glsa/glsa-201203-02.xml

http://secunia.com/advisories/48256

http://www.securitytracker.com/id?1026704

http://secunia.com/advisories/47998

http://www.debian.org/security/2012/dsa-2398

http://curl.haxx.se/docs/adv_20120124B.html

https://ics-cert.us-cert.gov/advisories/ICSMA-18-058-02

https://docs.microsoft.com/en-us/security-updates/securitybulletins/2012/ms12-006

https://cert-portal.siemens.com/productcert/pdf/ssa-556833.pdf

http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00040.html

Details

Source: MITRE

Published: 2011-09-06

Updated: 2021-07-23

Type: CWE-20

Risk Information

CVSS v2

Base Score: 4.3

Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N

Impact Score: 2.9

Exploitability Score: 8.6

Severity: MEDIUM