ssl/s2_srvr.c in OpenSSL 1.0.1 before 1.0.1r and 1.0.2 before 1.0.2f does
not prevent use of disabled ciphers, which makes it easier for
man-in-the-middle attackers to defeat cryptographic protection mechanisms
by performing computations on SSLv2 traffic, related to the
get_client_master_key and get_client_hello functions.

Notes

Author	Note
mdeslaur	openssl in Ubuntu is compiled with no-ssl2

References

launchpad.net/bugs/cve/CVE-2015-3197

nvd.nist.gov/vuln/detail/CVE-2015-3197

security-tracker.debian.org/tracker/CVE-2015-3197

www.cve.org/CVERecord?id=CVE-2015-3197

www.openssl.org/news/secadv/20160128.txt

f5 2

hackerone 1

nessus 47

ibm 34

openvas 43

freebsd_advisory 1

debiancve 1

prion 2

veracode 2

slackware 1

openssl 2

osv 1

debian 1

cve 2

openwrt 3

altlinux 4

freebsd 1

fedora 3

thn 1

aix 1

cert 1

nodejsblog 2

redhat 11

mageia 1

cisco 1

symantec 1

seebug 1

archlinux 2

kaspersky 1

centos 3

oraclelinux 4

amazon 2

nmap 1

gentoo 1

suse 13

arista 1

SOL33209124 - OpenSSL vulnerability CVE-2015-3197

2016-01-28 00:00:00

K33209124 : OpenSSL vulnerability CVE-2015-3197

2016-01-29 00:00:00

hackerone

Internet Bug Bounty: SSLv2 doesn't block disabled ciphers (CVE-2015-3197)

2016-09-07 17:41:26

nessus

Debian DLA-421-1 : openssl security update

2016-02-22 00:00:00

openSUSE Security Update : openssl (openSUSE-2016-203)

2016-02-15 00:00:00

Slackware 14.0 / 14.1 / current : openssl (SSA:2016-034-03)

2016-02-04 00:00:00

ibm

Security Bulletin: Vulnerabilities in SSL affect IBM DataPower Gateways (CVE-2015-3197 )

2021-06-08 22:18:27

Security Bulletin: : Vulnerabilities in OpenSSL affect IBM Security Guardium (CVE-2015-3197)

2018-06-16 21:42:56

Security Bulletin: Vulnerability in OpenSSL affects IBM Sterling Connect:Express for UNIX (CVE-2015-3197)

2020-07-24 22:49:37

openvas

Oracle Virtualbox Unspecified Vulnerability-02 (Apr 2016) - Linux

2016-04-25 00:00:00

Extreme ExtremeXOS OpenSSL Vulnerability (VN-2016-002)

2016-11-29 00:00:00

Debian: Security Advisory (DLA-421-1)

2023-03-08 00:00:00

freebsd_advisory

FreeBSD-SA-16:11.openssl

2016-01-30 00:00:00

debiancve

CVE-2015-3197

2016-02-15 02:59:00

prion

Design/Logic Flaw

2016-02-15 02:59:00

Design/Logic Flaw

2016-01-29 11:59:00

veracode

Cipher Bypass

2017-02-10 00:52:27

Cipher Bypass

2019-01-15 09:10:14

slackware

[slackware-security] openssl

2016-02-04 00:06:23

openssl

Vulnerability in OpenSSL CVE-2015-3197

2016-01-28 00:00:00

Vulnerability in OpenSSL CVE-2016-0800

2016-03-01 00:00:00

osv

openssl - security update

2016-02-20 00:00:00

debian

[SECURITY] [DLA 421-1] openssl security update

2016-02-20 12:34:52

cve

CVE-2015-3197

2016-02-15 02:59:00

CVE-2016-3197

2016-01-29 11:59:00

openwrt

openssl: Security update (2 CVEs)

2016-01-28 20:32:02

openssl: Security update (2 CVEs)

2016-01-29 15:48:20

openssl: Security update (9 CVEs)

2016-03-01 16:52:09

altlinux

Security fix for the ALT Linux 8 package openssl10 version 1.0.2f-alt1

2016-01-28 00:00:00

Security fix for the ALT Linux 9 package openssl1.1 version 1.0.2f-alt1

2016-01-28 00:00:00

Security fix for the ALT Linux 7 package openssl10 version 1.0.1r-alt0.M70P.1

2016-01-28 00:00:00

freebsd

openssl -- multiple vulnerabilities

2016-01-22 00:00:00

fedora

[SECURITY] Fedora 23 Update: openssl-1.0.2f-1.fc23

2016-01-30 18:23:36

[SECURITY] Fedora 23 Update: mingw-openssl-1.0.2h-1.fc23

2016-05-21 00:02:56

[SECURITY] Fedora 24 Update: mingw-openssl-1.0.2h-1.fc24

2016-05-16 17:21:44

thn

Critical OpenSSL Flaw Allows Hackers to Decrypt HTTPS Traffic

2016-01-28 22:01:00

aix

Vulnerabilities in OpenSSL affect AIX

2016-03-02 08:43:07

cert

OpenSSL re-uses unsafe prime numbers in Diffie-Hellman protocol

2016-01-28 00:00:00

nodejsblog

OpenSSL upgrade low-severity Node.js security fixes

2016-01-27 00:00:00

February 2016 Security Release Summary

2016-02-09 00:00:00

redhat

(RHSA-2016:0305) Important: openssl security update

2016-03-01 00:00:00

(RHSA-2016:0446) Important: Red Hat JBoss Web Server 3.0.2 OpenSSL Security Update

2016-03-14 19:56:43

(RHSA-2016:0445) Important: Red Hat JBoss Web Server 2.1.0 OpenSSL security update

2016-03-14 16:34:51

mageia

Updated openssl packages fix security vulnerabilities

2016-02-09 16:05:25

cisco

Multiple Vulnerabilities in OpenSSL (January 2016) Affecting Cisco Products

2016-01-29 16:00:00

symantec

SA111 : OpenSSL Vulnerabilities 28-Jan-2016

2016-02-18 08:00:00

seebug

Cross-protocol attack on TLS using SSLv2 (DROWN) (CVE-2016-0800)

2016-03-02 00:00:00

archlinux

openssl: man-in-the-middle

2016-01-29 00:00:00

lib32-openssl: man-in-the-middle

2016-01-29 00:00:00

kaspersky

KLA10798 Multiple vulnerabilities at Oracle VM VirtualBox

2016-04-19 00:00:00

centos

openssl security update

2016-03-01 16:57:33

openssl security update

2016-03-01 16:09:29

openssl098e security update

2016-03-09 05:32:33

oraclelinux

openssl security update

2016-03-01 00:00:00

openssl security update

2016-03-01 00:00:00

openssl098e security update

2016-03-09 00:00:00

amazon

Important: openssl098e

2016-04-06 14:40:00

Important: openssl

2016-03-10 16:30:00

nmap

sslv2-drown NSE Script

2016-07-07 16:35:39

gentoo

OpenSSL: Multiple vulnerabilities

2016-01-29 00:00:00

suse

Security update for openssl (important)

2016-03-11 14:14:22

Security update for openssl (important)

2016-03-03 15:11:31

Security update for openssl (important)

2016-03-01 19:12:02

arista

Security Advisory 0018

2016-03-01 00:00:00

Products

Security Intelligence
Non-intrusive assessment
Developers SDK
Windows scanner
Linux scanner
Perimeter control tool
MSSP

Database

Vulnerabilities
Exploits
IOC
Security News
BugBounty
Popular
Wild Exploited
Top Vulnerabilities

Tools

Linux Security Scanner
API integration
Subscriptions
Plugins
Manual Audit

Learn More

Stats
API
Docs
Api-keys
License
Pricing
Glossary
FAQ

Company

Blog
Contacts
About Us
OpenSource
EULA
Brand Guideline
Privacy Policy

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply. All product names, logos, and brands are property of their respective owners. All company, product and service names used in this website are for identification purposes only. Use of these names, logos, and brands does not imply endorsement.If you are an owner of some content and want it to be removed, please contact us. Using Vulners services you are accepting Vulners services end-user license agreement

@2024 Vulners Inc

5.9 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:N/A:N

0.024 Low

EPSS

Percentile

89.8%

JSON

Related for UB:CVE-2015-3197