CVE-2012-4930

2012-09-1500:00:00

ubuntu.com

2.6 Low

CVSS2

Access Vector

NETWORK

Access Complexity

HIGH

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:H/Au:N/C:P/I:N/A:N

0.003 Low

EPSS

Percentile

64.6%

JSON

The SPDY protocol 3 and earlier, as used in Mozilla Firefox, Google Chrome,
and other products, can perform TLS encryption of compressed data without
properly obfuscating the length of the unencrypted data, which allows
man-in-the-middle attackers to obtain plaintext HTTP headers by observing
length differences during a series of guesses in which a string in an HTTP
request potentially matches an unknown string in an HTTP header, aka a
“CRIME” attack.

Bugs

Notes

Author	Note
jdstrand	Firefox 15 disables compression For SPDY to be used with OpenSSL in any way, NPN must be available in openssl. This was not introduced until 1.0.1. No patch for upstream OpenSSL. This may be considered a flaw in the applications using OpenSSL and not OpenSSL itself.

OSVersionArchitecturePackageVersionFilename
ubuntu10.04noarchchromium-browser< 23.0.1271.97-0ubuntu0.10.04.1UNKNOWN
ubuntu11.10noarchchromium-browser< 23.0.1271.97-0ubuntu0.11.10.1UNKNOWN
ubuntu12.04noarchchromium-browser< 23.0.1271.97-0ubuntu0.12.04.1UNKNOWN
ubuntu12.10noarchfirefox< 15.0+build1-0ubuntu1UNKNOWN

OS	Version	Architecture	Package	Version	Filename
ubuntu	10.04	noarch	chromium-browser	< 23.0.1271.97-0ubuntu0.10.04.1	UNKNOWN
ubuntu	11.10	noarch	chromium-browser	< 23.0.1271.97-0ubuntu0.11.10.1	UNKNOWN
ubuntu	12.04	noarch	chromium-browser	< 23.0.1271.97-0ubuntu0.12.04.1	UNKNOWN
ubuntu	12.10	noarch	firefox	< 15.0+build1-0ubuntu1	UNKNOWN