|
[Japanese]
|
JVNDB-2016-006114
|
The Bank of Tokyo-Mitsubishi UFJ for Android vulnerable to SSL/TLS downgrade attack
|
|
The Bank of Tokyo-Mitsubishi UFJ for Android may be exploited by SSL/TLS downgrade attack.
The Bank of Tokyo-Mitsubishi UFJ for Android provided by The Bank of Tokyo-Mitsubishi UFJ, Ltd. tries to communicate with a server via TLS v1.2. However, when a response from the server indicates SSL v3.0, communication is conducted via SSL v3.0 (CWE-757). As a result, the application may be exploited by POODLE attack.
CWE-757: Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')
https://cwe.mitre.org/data/definitions/757.html
Reo Yoshida reported this vulnerability to JPCERT/CC, and JPCERT/CC coordinated with The Bank of Tokyo-Mitsubishi UFJ, Ltd.
|
|
CVSS V3 Severity:
Base Metrics 3.7 (Low) [IPA Score]
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
CVSS V2 Severity:
Base Metrics 2.6 (Low) [IPA Score]
- Access Vector: Network
- Access Complexity: High
- Authentication: None
- Confidentiality Impact: Partial
- Integrity Impact: None
- Availability Impact: None
|
|
|
Bank of Tokyo-Mitsubishi UFJ
- The Bank of Tokyo-Mitsubishi UFJ for Android ver5.3.1
- The Bank of Tokyo-Mitsubishi UFJ for Android ver5.2.2 and earlier
|
|
|
A man-in-the-middle attack allows an attacker to eavesdrop on an encrypted communication.
|
|
[Update the Software]
Update to the latest version according to the information provided by The Bank of Tokyo-Mitsubishi UFJ, Ltd.
|
|
Bank of Tokyo-Mitsubishi UFJ
|
|
- Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')(CWE-757) [IPA Evaluation]
|
|
- CVE-2016-7812
|
|
- JVN : JVNVU#92900492
- National Vulnerability Database (NVD) : CVE-2016-7812
|
|
- [2016/12/08]
Web page was published
- [2018/02/28]
References : Content was added
|
