Lucene search

K
f5F5F5:K13400
HistoryJun 16, 2015 - 12:00 a.m.

K13400 : SSL 3.0/TLS 1.0 vulnerability CVE-2011-3389 and TLS protocol vulnerability CVE-2012-1870

2015-06-1600:00:00
my.f5.com
46

AI Score

6.2

Confidence

Low

EPSS

0.009

Percentile

82.4%

Security Advisory Description

The SSL protocol, as used in certain configurations in Microsoft Windows and Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera, and other products, encrypts data by using CBC mode with chained initialization vectors, which allows man-in-the-middle attackers to obtain plaintext HTTP headers by way of a blockwise chosen-boundary attack (BCBA) on an HTTPS session, in conjunction with JavaScript code that uses (1) the HTML5 WebSocket API, (2) the Java URLConnection API, or (3) the Silverlight WebClient API, also known as a BEAST attack.

The CBC mode in the TLS protocol, as used in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, Windows 7 Gold and SP1, and other products, allows remote web servers to obtain plaintext data by triggering multiple requests to a third-party HTTPS server and sniffing the network during the resulting HTTPS session, aka “TLS Protocol Vulnerability.”

Impact

This vulnerability discloses data over an SSL session to an attacker.