Multiple vulnerabilities in SSL/TLS implementations

CERT VU#104280
Published: Sep 30, 2003
Source: www.kb.cert.org

CVSS3: 9.8 High (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVSS2: 10 High (AV:N/AC:L/Au:N/C:C/I:C/A:C)

EPSS: 0.959 High (Percentile 99.4%)

Overview

Multiple vulnerabilities exist in different vendors’ SSL/TLS implementations. The impacts of these vulnerabilities include remote execution of arbitrary code, denial of service, and disclosure of sensitive information.

Description

The U.K. National Infrastructure Security Co-ordination Centre (NISCC) has reported multiple vulnerabilities in different vendors’ implementations of the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols. SSL and TLS are commonly used to provide authentication, encryption, integrity, and non-repudiation services to network applications such as HTTP, IMAP, POP3, LDAP, and others. Clients and servers exchange authentication information in X.509 certificates. While the SSL and TLS protocols do not use ASN.1/BER to communicate at the application layer, they do require an ASN.1 parser to encode and decode X.509 certificates and other cryptographic elements (e.g., PKCS#1 encoded RSA values and PKCS#7 encoded S/MIME parts) at the presentation layer.

A test suite developed by NISCC has exposed vulnerabilities in a variety of SSL/TLS implementations. While most of these vulnerabilities exist in ASN.1 parsing routines, some vulnerabilities may occur elsewhere. Note that cryptographic libraries that implement SSL/TLS frequently provide more general-purpose cryptographic utility. In such libraries, it is common for ASN.1 parsing code to be shared between SSL/TLS and other cryptographic functions.
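The following is an added example, not code from CERT/CC, NISCC or any vendor listed here: a strict DER tag-and-length header reader in C, showing the bounds and overflow checks an X.509 ASN.1 parser has to make before it trusts a tag or length field. The function name, error codes and sample byte strings are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added illustration: all names, error codes and sample bytes are constructed. */
typedef struct {
    uint8_t  tag_class;    /* 0 universal, 1 application, 2 context, 3 private */
    int      constructed;  /* non-zero when the constructed bit is set */
    uint32_t tag_number;   /* tag number, low or high form */
    size_t   header_len;   /* octets used by the tag and length fields */
    size_t   content_len;  /* octets of content that follow the header */
} der_tlv;

enum {
    DER_OK = 0,
    DER_ERR_TRUNCATED = -1,    /* header or content runs past the buffer */
    DER_ERR_TAG_OVERFLOW = -2, /* high-form tag number exceeds 32 bits */
    DER_ERR_INDEFINITE = -3,   /* indefinite length is BER, not DER */
    DER_ERR_LEN_OVERFLOW = -4, /* length field wider than size_t */
    DER_ERR_NON_MINIMAL = -5   /* tag or length not in its shortest form */
};

/* Decode one tag-and-length header from buf without reading past buf_len. */
int der_read_header(const uint8_t *buf, size_t buf_len, der_tlv *out)
{
    size_t pos = 0, len;
    uint32_t tag;
    uint8_t b;

    if (buf == NULL || out == NULL || buf_len < 2)
        return DER_ERR_TRUNCATED;
    b = buf[pos++];
    out->tag_class = b >> 6;
    out->constructed = (b & 0x20) != 0;
    tag = b & 0x1f;

    if (tag == 0x1f) {                       /* high-tag-number form */
        tag = 0;
        if (buf[pos] == 0x80)                /* leading zero digit */
            return DER_ERR_NON_MINIMAL;
        do {
            if (pos >= buf_len)
                return DER_ERR_TRUNCATED;
            if (tag > (UINT32_MAX >> 7))     /* next shift would wrap */
                return DER_ERR_TAG_OVERFLOW;
            b = buf[pos++];
            tag = (tag << 7) | (b & 0x7f);
        } while (b & 0x80);
        if (tag < 0x1f)                      /* should have used low form */
            return DER_ERR_NON_MINIMAL;
    }

    if (pos >= buf_len)
        return DER_ERR_TRUNCATED;
    b = buf[pos++];
    if (b < 0x80) {                          /* short form */
        len = b;
    } else if (b == 0x80) {
        return DER_ERR_INDEFINITE;
    } else {                                 /* long form: n length octets */
        size_t n = b & 0x7f;
        if (n > sizeof(size_t))
            return DER_ERR_LEN_OVERFLOW;
        if (n > buf_len - pos)
            return DER_ERR_TRUNCATED;
        if (buf[pos] == 0)
            return DER_ERR_NON_MINIMAL;
        for (len = 0; n > 0; n--)
            len = (len << 8) | buf[pos++];
        if (len < 0x80)
            return DER_ERR_NON_MINIMAL;
    }

    /* Compare against the space left; never compute pos + len, which can wrap. */
    if (len > buf_len - pos)
        return DER_ERR_TRUNCATED;
    out->tag_number = tag;
    out->header_len = pos;
    out->content_len = len;
    return DER_OK;
}

/* Constructed sample inputs. */
static const uint8_t SAMPLE_VALID[]      = {0x30, 0x03, 0x02, 0x01, 0x05};
static const uint8_t SAMPLE_INDEFINITE[] = {0x30, 0x80, 0x00, 0x00};
static const uint8_t SAMPLE_HUGE_LEN[]   = {0x30, 0x84, 0xff, 0xff, 0xff, 0xff};
static const uint8_t SAMPLE_WIDE_LEN[]   = {0x30, 0x89, 1, 0, 0, 0, 0, 0, 0, 0, 0};
static const uint8_t SAMPLE_BIG_TAG[]    = {0x1f, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f, 0x00};
static const uint8_t SAMPLE_PADDED_LEN[] = {0x04, 0x81, 0x05, 1, 2, 3, 4, 5};

int main(void)
{
    der_tlv t;
    printf("valid header: %d\n", der_read_header(SAMPLE_VALID, sizeof SAMPLE_VALID, &t));
    printf("huge length:  %d\n", der_read_header(SAMPLE_HUGE_LEN, sizeof SAMPLE_HUGE_LEN, &t));
    return 0;
}
```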

Due to the general lack of specific vulnerability information, this document covers multiple vulnerabilities in different SSL/TLS implementations. Information about individual vendors is available in the Systems Affected section. Note that VU#104280 broadly covers ASN.1 related vulnerabilities in SSL/TLS implementations other than OpenSSL. VU#255484, VU#732952, VU#380864, VU#686224, and VU#935264 are specific to OpenSSL.

Further information is available in NISCC advisory 006489/TLS.

This set of vulnerabilities is different from those described in VU#748355/CA-2002-23.


Impact

The impacts associated with these vulnerabilities include execution of arbitrary code, denial of service, and disclosure of sensitive information.


Solution

Patch or Upgrade
Apply a patch or upgrade as appropriate. Information about specific vendors is available in the Systems Affected section of this document.


Vendor Information


AppGate Network Security AB Affected

Notified: September 30, 2003 Updated: October 01, 2003

Status

Affected

Vendor Statement

The default configuration of AppGate is not vulnerable. However, some extra functionality which administrators can enable manually may cause the system to become vulnerable. For more details check the AppGate support pages at <http://www.appgate.com/support>.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23104280 Feedback>).

Apple Computer Inc. Affected

Notified: September 30, 2003 Updated: October 01, 2003

Status

Affected

Vendor Statement

Apple: Vulnerable. This is fixed in Mac OS X 10.2.8 which is available from <http://www.apple.com/support/>

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Check Point Affected

Notified: September 30, 2003 Updated: October 22, 2003

Status

Affected

Vendor Statement

Check Point products are vulnerable to:

VU#732952 09/04/2003 OpenSSL accepts unsolicited client certificate messages
VU#380864 09/30/2003 OpenSSL contains integer overflow handling ASN.1 tags (2)
VU#255484 09/30/2003 OpenSSL contains integer overflow handling ASN.1 tags (1)

A fix will be released by Oct 27th 2003.

Check Point products are not vulnerable to:
VU#686224 09/30/2003 OpenSSL does not securely handle invalid public key when configured to ignore errors
VU#935264 09/30/2003 OpenSSL ASN.1 parser insecure memory deallocation

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Cisco Systems Inc. Affected

Notified: September 30, 2003 Updated: October 02, 2003

Status

Affected

Vendor Statement

Please see <http://www.cisco.com/warp/public/707/cisco-sa-20030930-ssl.shtml>.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Conectiva Affected

Notified: September 30, 2003 Updated: October 02, 2003

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see CLSA-2003:751.

Cray Inc. Affected

Notified: September 30, 2003 Updated: October 01, 2003

Status

Affected

Vendor Statement

Cray Inc. supports OpenSSL through its Cray Open Software (COS) package. The OpenSSL version in COS 3.4 and earlier is vulnerable. Spr 726919 has been opened to address this.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Debian Affected

Notified: September 30, 2003 Updated: October 08, 2003

Status

Affected

Vendor Statement

Corrected OpenSSL packages are available in Debian Security Advisory 393, at <http://www.debian.org/security/2003/dsa-393>

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

F5 Networks Affected

Notified: September 30, 2003 Updated: October 01, 2003

Status

Affected

Vendor Statement

F5 products BIG-IP, 3-DNS, ISMan and Firepass are vulnerable. F5 will have ready security patches for each of these products. Go to ask.f5.com for the appropriate security response instructions for your product.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

FreeBSD Affected

Notified: September 30, 2003 Updated: October 22, 2003

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see FreeBSD-SA-03:18.

Gentoo Linux Affected

Updated: October 02, 2003

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see <http://www.linuxsecurity.com/advisories/gentoo_advisory-3705.html>.

Guardian Digital Inc. Affected

Notified: September 30, 2003 Updated: October 02, 2003

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see ESA-20030930-027.

Hewlett-Packard Company Affected

Notified: September 30, 2003 Updated: October 23, 2003

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see HPSBUX0310-286 (SSRT3622) and HPSBUX0310-284 (SSRT3622).

From NISCC/006489/OpenSSL and NISCC/006489/TLS:

At the time of writing this document, HP is investigating the potential impact to HP’s optional software products. As further information becomes available HP will provide notice of the availability of necessary patches through the standard security bulletin announcements and through your normal HP Services support channel.

HP-UX - not impacted
HP Tru64 Unix - not impacted
HP NonStop Servers - not impacted

Hitachi Affected

Notified: September 30, 2003 Updated: November 11, 2003

Status

Affected

Vendor Statement

Hitachi Web Server is Vulnerable to this issue. Impact is limited to Denial of Service, but process will re-start automatically. Fixes for this issue will be available shortly.

Hitachi GR2000 gigabit router series are NOT Vulnerable to this issue.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

IBM Affected

Notified: September 30, 2003 Updated: October 01, 2003

Status

Affected

Vendor Statement

[AIX]

The AIX Security Team is aware of the issues discussed in CERT Vulnerability Notes VU#255484, VU#380864, VU#686224, VU#935264 and VU#732952.

OpenSSL is available for AIX via the AIX Toolbox for Linux. Please note that the Toolbox is made available “as-is” and is unwarranted. The Toolbox ships with OpenSSL 0.9.6g which is vulnerable to the issues referenced above. A patched version of OpenSSL will be provided shortly and this vendor statement will be updated at that time.

Please note that OpenSSH, which is made available through the Expansion Pack is not vulnerable to these issues.

[eServer]

IBM eServer Platform Response

For information related to this and other published CERT Advisories that may relate to the IBM eServer Platforms (xSeries, iSeries, pSeries, and zSeries) please go to https://app-06.www.ibm.com/servers/resourcelink/lib03020.nsf/pages/securityalerts?OpenDocument&pathID=

In order to access this information you will require a Resource Link ID. To subscribe to Resource Link go to
<http://app-06.www.ibm.com/servers/resourcelink> and follow the steps for registration.

All questions should be referred to [email protected].

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Ingrian Networks Affected

Notified: September 30, 2003 Updated: October 01, 2003

Status

Affected

Vendor Statement

Ingrian Networks is aware of this vulnerability and will issue a security advisory when our investigation is complete.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Juniper Networks Affected

Notified: September 30, 2003 Updated: October 01, 2003

Status

Affected

Vendor Statement

The OpenSSL code included in domestic versions of JUNOS Internet Software that runs on all M-series and T-series routers is susceptible to these vulnerabilities. The SSL library included in Releases 2.x and 3.x of SDX provisioning software for E-series routers is susceptible to these vulnerabilities.

Solution Implementation

Corrections for all the above vulnerabilities are included in all versions of JUNOS built on or after October 2, 2003. Customers should contact Juniper Networks Technical Assistance Center (JTAC) for instructions on obtaining and installing the corrected code.

SDX software built on or after October 2, 2003, contain SSL libraries with corrected code. Contact JTAC for instructions on obtaining and installing the corrected code.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

MandrakeSoft Affected

Notified: September 30, 2003 Updated: October 01, 2003

Status

Affected

Vendor Statement

The vulnerabilities referenced by VU#255484, VU#380864, and VU#935264 have been corrected by packages released in our MDKSA-2003:098 advisory.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

NetBSD Affected

Notified: September 30, 2003 Updated: October 22, 2003

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see NetBSD-SA2003-017.

Nortel Networks Affected

Notified: September 30, 2003 Updated: October 24, 2003

Status

Affected

Vendor Statement

The SSL implementation of the following Nortel Networks products is based on OpenSSL and may be affected by the vulnerabilities identified in NISCC Vulnerability Advisory 006489/OpenSSL:

Alteon Switched Firewall
Alteon iSD - SSL Accelerator
Contivity
Succession Communication Server 2000 - Compact (CS2K - Compact)
Preside Service Provisioning

Other Nortel Networks products with SSL implementations are being reviewed and this Vendor Statement may be revised.

For more information please contact

North America: 1-800-4NORTEL or 1-800-466-7835

Europe, Middle East and Africa: 00800 8008 9009, or +44 (0) 870 907 9009

Contacts for other regions are available at <http://www.nortelnetworks.com/help/contact/global/>

Or visit the eService portal at <http://www.nortelnetworks.com/cs> under Advanced Search.

If you are a channel partner, more information can be found under <http://www.nortelnetworks.com/pic> under Advanced Search

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Novell Affected

Notified: September 30, 2003 Updated: October 01, 2003

Status

Affected

Vendor Statement

Novell is reviewing our application portfolio to identify products affected by the vulnerabilities reported by the NISCC. We have the patched OpenSSL code and are reviewing and testing it internally, and preparing patches for our products that are affected. We expect the first patches to become available via our Security Alerts web site (<http://support.novell.com/security-alerts>) during the week of 6 Oct 2003. Customers are urged to monitor our web site for patches to versions of our products that they use and apply them expeditiously.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

OpenBSD Affected

Notified: September 30, 2003 Updated: October 22, 2003

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see <http://www.openbsd.org/errata.html#asn1>.

RSA Security Affected

Notified: September 30, 2003 Updated: October 22, 2003

Status

Affected

Vendor Statement

The issues raised in this vulnerability report have been analysed in terms of impact on RSA BSAFE SSL-C, RSA BSAFE SSL-C Micro Edition, and RSA BSAFE Cert-C Micro Edition. None of these issues have been determined by RSA Security to be security critical, the products are either not impacted by the vulnerabilities raised or the impact is limited to additional Denial of Service opportunities.

As part of RSA Security standard product support lifecycle, fixes for those vulnerabilities which are relevant for each product listed will be incorporated in the next maintenance release. RSA Security customers with current support and maintenance contracts may request a software upgrade for new product versions online at <https://www.rsasecurity.com/go/form_ins.html>.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Red Hat Inc. Affected

Notified: September 30, 2003 Updated: October 01, 2003

Status

Affected

Vendor Statement

Red Hat distributes OpenSSL 0.9.6 in various Red Hat Linux distributions and with the Stronghold secure web server. Updated packages which contain backported patches for these issues are available along with our advisories at the URL below. Users of the Red Hat Network can update their systems using the ‘up2date’ tool.

Red Hat Enterprise Linux:
<http://rhn.redhat.com/errata/RHSA-2003-293.html>

Red Hat Linux 7.1, 7.2, 7.3, 8.0:
<http://rhn.redhat.com/errata/RHSA-2003-291.html>

Stronghold 4 cross-platform:
<http://rhn.redhat.com/errata/RHSA-2003-290.html>

Red Hat distributes OpenSSL 0.9.7 in Red Hat Linux 9. Updated packages which contain backported patches for these issues are available along with our advisory at the URL below. Users of the Red Hat Network can update their systems using the ‘up2date’ tool.

Red Hat Linux 9:
<http://rhn.redhat.com/errata/RHSA-2003-292.html>

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

SCO Affected

Notified: September 30, 2003 Updated: October 03, 2003

Status

Affected

Vendor Statement

We are aware of the issue and are diligently working on a fix. [CSSA-2003-SCO.25]

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

SGI Affected

Notified: September 30, 2003 Updated: October 01, 2003

Status

Affected

Vendor Statement

SGI acknowledges receiving the vulnerabilities reported by CERT and NISCC. CAN-2003-0543 [VU#255484], CAN-2003-0544 [VU#380864] and CAN-2003-0545 [VU#935264] have been addressed by SGI Security Advisory 20030904-01-P:

<ftp://patches.sgi.com/support/free/security/advisories/20030904-01-P.asc>

No further information is available at this time.

For the protection of all our customers, SGI does not disclose, discuss or confirm vulnerabilities until a full investigation has occurred and any necessary patch(es) or release streams are available for all vulnerable and supported SGI operating systems. Until SGI has more definitive information to provide, customers are encouraged to assume all security vulnerabilities as exploitable and take appropriate steps according to local site security policies and requirements. As further information becomes available, additional advisories will be issued via the normal SGI security information distribution methods including the wiretap mailing list on <http://www.sgi.com/support/security/>

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

SSH Communications Security Affected

Notified: September 30, 2003 Updated: October 02, 2003

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see <http://www.ssh.com/company/newsroom/article/476> and <http://www.ssh.com/company/newsroom/article/477>.

Secure Computing Corporation Affected

Notified: September 30, 2003 Updated: October 15, 2003

Status

Affected

Vendor Statement

Sidewinder® and Sidewinder G2 Firewall™ (including all appliances)

Sidewinder v5.x and Sidewinder G2 v6.x are not vulnerable to the arbitrary code execution attacks described in this advisory. The Sidewinder’s embedded Type Enforcement technology strictly limits the capabilities of each component which implements SSL. Any attempt to exploit this vulnerability in the SSL library code running on the firewall results in an automatic termination of the attacker’s connection and multiple Type Enforcement alarms.

Any component attacked by the denial of service (DOS) attacks described in this advisory is automatically restarted by the firewall’s watchdog process without interruption of any active connections. However, under some circumstances this DOS could cause a delay in managing the firewall.

To mitigate this inconvenience, customers should contact Secure Computing Customer Support.

Gauntlet™ & e-ppliance

Gauntlet and e-ppliance do not include any components based on OpenSSL, and are thus immune to these vulnerabilities.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Slackware Affected

Updated: October 02, 2003

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see SSA:2003-273-01.

Stonesoft Affected

Notified: September 30, 2003 Updated: October 01, 2003

Status

Affected

Vendor Statement

Stonesoft has published a security advisory that addresses the issues in vulnerability notes VU#255484 and VU#104280. The advisory is at <http://www.stonesoft.com/document/art/3040.html>

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Stunnel Affected

Notified: September 30, 2003 Updated: October 01, 2003

Status

Affected

Vendor Statement

Stunnel requires the OpenSSL libraries for compilation (POSIX) or OpenSSL DLLs for runtime operation (Windows). While Stunnel itself is not vulnerable, its dependence on OpenSSL means that your installation likely is vulnerable.

If you compile from source, you need to install a non-vulnerable version of OpenSSL and recompile Stunnel.

If you use the compiled Windows DLLs from stunnel.org, you should download new versions which are not vulnerable. OpenSSL 0.9.7c DLLs are available at <http://www.stunnel.org/download/stunnel/win32/openssl-0.9.7c/>

No new version of Stunnel source or executable will be made available, because the problems are inside OpenSSL – Stunnel itself does not have the vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

SuSE Inc. Affected

Notified: September 30, 2003 Updated: October 02, 2003

Status

Affected

Vendor Statement

All SuSE products are affected. Update packages are being tested and will be published on Wednesday, October 1st. [SuSE-SA:2003:043]

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Sun Microsystems Inc. Affected

Notified: September 30, 2003 Updated: October 24, 2003

Status

Affected

Vendor Statement

Sun is currently investigating Solaris 7, 8, and 9 to determine the full potential impact of these SSL/TLS vulnerabilities.

The Solaris Secure Shell daemon, sshd(1M), shipped with Solaris 9, is not affected by these vulnerabilities.

Java Secure Sockets Extension 1.0.x and J2SE 1.4.x are also not affected.

Sun Linux and Sun Cobalt both ship vulnerable versions of OpenSSL, a Sun Alert has been published here:

<http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doc=fsalert/57100>

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Tawie Server Linux Affected

Updated: October 02, 2003

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see TSL-2003-0001.

TurboLinux Affected

Notified: September 30, 2003 Updated: October 02, 2003

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see TLSA-2003-22.

Wirex Affected

Notified: September 30, 2003 Updated: October 02, 2003

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see IMNX-2003-7±022-01.

Clavister Not Affected

Notified: September 30, 2003 Updated: October 01, 2003

Status

Not Affected

Vendor Statement

Clavister Firewall: Not vulnerable

As of version 8.3, Clavister Firewall implements an optional HTTP/S server for purposes of user authentication. However, since this implementation does not support client certificates and has no ASN.1 parser code, there can be no ASN.1-related vulnerabilities as far as SSL is concerned.

Earlier versions of Clavister Firewall do not implement any SSL services.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Fujitsu Not Affected

Notified: September 30, 2003 Updated: October 08, 2003

Status

Not Affected

Vendor Statement

Fujitsu’s UXP/V o.s. is not affected by the problem in VU#255484 and 104280 because it does not support the SSL/TLS.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

NEC Corporation Not Affected

Notified: September 30, 2003 Updated: October 01, 2003

Status

Not Affected

Vendor Statement

Subject: VU#104280

sent on October 1, 2003

[Server Products]

* EWS/UP 48 Series operating system

- is NOT vulnerable.
It doesn’t include SSL/TLS implementation.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

OpenSSH Not Affected

Notified: September 30, 2003 Updated: October 22, 2003

Status

Not Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Pragma Systems Not Affected

Notified: September 30, 2003 Updated: October 01, 2003

Status

Not Affected

Vendor Statement

Pragma Systems SecureShell server is not impacted by these vulnerabilities, because we do not implement SSL or TLS protocols.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Riverstone Networks Not Affected

Notified: September 30, 2003 Updated: October 01, 2003

Status

Not Affected

Vendor Statement

Riverstone is not vulnerable to this.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

VanDyke Software Inc. Not Affected

Updated: October 08, 2003

Status

Not Affected

Vendor Statement

VanDyke Software products are not subject to any of the vulnerabilities presented in this advisory due to the fact that VanDyke products do not use SSL/TLS in any form.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

cryptlib Not Affected

Notified: September 30, 2003 Updated: October 22, 2003

Status

Not Affected

Vendor Statement

cryptlib does not appear to be vulnerable to the malformed ASN.1 data, either with or without the use of its internal ASN.1 firewall.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

3Com Unknown

Notified: September 30, 2003 Updated: September 30, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

AT&T Unknown

Notified: September 30, 2003 Updated: September 30, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Alcatel Unknown

Notified: September 30, 2003 Updated: September 30, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Apache Unknown

Notified: September 30, 2003 Updated: September 30, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Apache-SSL Unknown

Notified: September 30, 2003 Updated: September 30, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Avaya Unknown

Notified: September 30, 2003 Updated: September 30, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Bitvise Unknown

Notified: September 30, 2003 Updated: September 30, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Borderware Unknown

Notified: September 30, 2003 Updated: September 30, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Computer Associates Unknown

Notified: September 30, 2003 Updated: October 08, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Covalent Unknown

Notified: September 30, 2003 Updated: September 30, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Crypto++ Unknown

Notified: September 30, 2003 Updated: September 30, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Data General Unknown

Notified: September 30, 2003 Updated: September 30, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Entrust Unknown

Notified: September 30, 2003 Updated: September 30, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Extreme Networks Unknown

Notified: September 30, 2003 Updated: September 30, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Foundry Networks Inc. Unknown

Notified: September 30, 2003 Updated: September 30, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

GNU Libgcrypt Unknown

Notified: September 30, 2003 Updated: September 30, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

GNU Privacy Guard Unknown

Notified: September 30, 2003 Updated: September 30, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

GNU TLS Unknown

Notified: September 30, 2003 Updated: September 30, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Global Technology Associates Unknown

Notified: September 30, 2003 Updated: September 30, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

IAIK Unknown

Notified: October 24, 2003 Updated: October 27, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Intel Unknown

Notified: September 30, 2003 Updated: September 30, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Intoto Unknown

Notified: September 30, 2003 Updated: September 30, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Linksys Unknown

Notified: September 30, 2003 Updated: September 30, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Lotus Software Unknown

Notified: September 30, 2003 Updated: September 30, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Lucent Technologies Unknown

Notified: September 30, 2003 Updated: September 30, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Microsoft Corporation Unknown

Notified: September 30, 2003 Updated: September 30, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

MontaVista Software Unknown

Notified: September 30, 2003 Updated: September 30, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Neoteris Unknown

Notified: October 27, 2003 Updated: October 27, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

NetScreen Technologies Inc. Unknown

Notified: September 30, 2003 Updated: September 30, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Netscape (AOL) NSS Unknown

Notified: November 05, 2003 Updated: November 13, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Network Appliance Unknown

Notified: September 30, 2003 Updated: September 30, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Nokia Unknown

Notified: September 30, 2003 Updated: September 30, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

OpenSSL Unknown

Notified: September 30, 2003 Updated: October 22, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see <http://www.openssl.org/news/secadv_20030930.txt>. Note that VU#104280 broadly covers ASN.1 related vulnerabilities in SSL/TLS implementations other than OpenSSL. VU#255484, VU#732952, VU#380864, VU#686224, and VU#935264 are specific to OpenSSL.

Openwall GNU/*/Linux Unknown

Notified: September 30, 2003 Updated: October 01, 2003

Status

Unknown

Vendor Statement

Openwall GNU/*/Linux currently uses OpenSSL 0.9.6 branch and thus was affected by the ASN.1 parsing and client certificate handling vulnerabilities pertaining to those versions of OpenSSL. It was not affected by the potentially more serious incorrect memory deallocation vulnerability (VU#935264, CVE CAN-2003-0545) that is specific to OpenSSL 0.9.7.

Owl-current as of 2003/10/01 has been updated to OpenSSL 0.9.6k, thus correcting the vulnerabilities.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Oracle Corporation Unknown

Notified: September 30, 2003 Updated: October 02, 2003

Status

Unknown

Vendor Statement

From NISCC/006489/OpenSSL and NISCC/006489/TLS:

Oracle Corporation is aware of this vulnerability, and we are investigating.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Sequent Unknown

Notified: September 30, 2003 Updated: September 30, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Sony Corporation Unknown

Notified: September 30, 2003 Updated: September 30, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Symantec Corporation Unknown

Notified: September 30, 2003 Updated: September 30, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Unisys Unknown

Notified: September 30, 2003 Updated: September 30, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

WatchGuard Unknown

Notified: September 30, 2003 Updated: September 30, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Wind River Systems Inc. Unknown

Notified: September 30, 2003 Updated: September 30, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

lsh Unknown

Notified: September 30, 2003 Updated: October 08, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

mod_ssl Unknown

Notified: September 30, 2003 Updated: September 30, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

CVSS Metrics

| Group | Score | Vector |
|---|---|---|
| Base | 0 | AV:–/AC:–/Au:–/C:–/I:–/A:– |
| Temporal | 0 | E:Not Defined (ND)/RL:Not Defined (ND)/RC:Not Defined (ND) |
| Environmental | 0 | CDP:Not Defined (ND)/TD:Not Defined (ND)/CR:Not Defined (ND)/IR:Not Defined (ND)/AR:Not Defined (ND) |

References

Acknowledgements

This vulnerability was discovered and researched by NISCC.

This document was written by Art Manion.

Other Information

CVE IDs: None
CERT Advisory: CA-2003-26 Severity Metric:
