CVSS2: 4.3 Medium
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE
Vector string: AV:N/AC:M/Au:N/C:N/I:P/A:N
OpenSSL uses an insecure TLS configuration. A ciphersuite downgrade flaw was found in the OpenSSL SSL/TLS server code. If the server enabled the SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option, a remote attacker could possibly use this flaw to change the ciphersuite associated with a cached session stored on the server, possibly forcing the client to use a weaker ciphersuite after resuming the session.