|
JVNDB-2005-000601
|
OpenSSL version rollback vulnerability
|
OpenSSL from the OpenSSL Project contains a version rollback vulnerability. If a specific option is enabled on a server running OpenSSL, an attacker positioned on the communication path can force the client and the server to negotiate the SSL 2.0 protocol even when both parties request TLS 1.0.
RFC 2246, which defines the TLS protocol, specifies that SSL 2.0 should not be used when TLS 1.0 is available, in order to avoid version rollback attacks.
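The rollback defence that RFC 2246 (Appendix E) asks a TLS-capable server to apply when it has to fall back to SSL 2.0, shown as an added illustration that is not part of this JVNDB entry or of OpenSSL's code: a TLS-capable client sets the last eight PKCS#1 v1.5 padding bytes of the SSL 2.0 ENCRYPTED-KEY-DATA to 0x03, so a server that still sees that marker after RSA decryption knows the client could have spoken TLS and aborts the handshake. The padded blocks are constructed inline with the RSA step omitted (128 bytes stands in for a 1024-bit modulus), and `skip_rollback_check` is a hypothetical switch modelling a server that ignores the marker, which is the behaviour the option mentioned above produced.

```python
import os

# Marker RFC 2246 Appendix E tells a TLS-capable client to place in the last
# eight padding bytes when it has to fall back to an SSL 2.0 handshake.
ROLLBACK_MARKER = b"\x03" * 8


def pkcs1_v15_pad(secret: bytes, mod_len: int, tls_capable_client: bool) -> bytes:
    """Build the PKCS#1 v1.5 type-2 block an SSL 2.0 client would RSA-encrypt
    as ENCRYPTED-KEY-DATA (constructed here; the RSA step itself is omitted)."""
    pad_len = mod_len - 3 - len(secret)
    if pad_len < 8:
        raise ValueError("modulus too short for secret")
    ps = bytearray()
    while len(ps) < pad_len:  # padding string must be non-zero random bytes
        ps += bytes(b for b in os.urandom(pad_len - len(ps)) if b != 0)
    ps = bytes(ps[:pad_len])
    if tls_capable_client:
        ps = ps[:-8] + ROLLBACK_MARKER
    return b"\x00\x02" + ps + b"\x00" + secret


def unpad_and_check_rollback(block: bytes):
    """Server side after RSA decryption: return (secret, rollback_detected),
    or raise ValueError if the padding is malformed."""
    if len(block) < 11 or block[:2] != b"\x00\x02":
        raise ValueError("bad PKCS#1 v1.5 header")
    sep = block.find(b"\x00", 2)
    if sep < 10:  # the padding string must be at least eight bytes long
        raise ValueError("bad PKCS#1 v1.5 padding")
    rollback = block[sep - 8:sep] == ROLLBACK_MARKER
    return block[sep + 1:], rollback


def accept_sslv2_master_key(block: bytes, skip_rollback_check: bool = False) -> bool:
    """Decide whether the server should continue the SSL 2.0 handshake.
    skip_rollback_check (hypothetical switch) models a server that ignores
    the marker, i.e. the vulnerable behaviour: a downgrade goes unnoticed."""
    _, rollback = unpad_and_check_rollback(block)
    if rollback and not skip_rollback_check:
        return False  # client could have used TLS: abort, a downgrade occurred
    return True


if __name__ == "__main__":
    blk = pkcs1_v15_pad(b"K" * 24, 128, tls_capable_client=True)
    print("hardened server accepts:", accept_sslv2_master_key(blk))          # False
    print("vulnerable server accepts:", accept_sslv2_master_key(blk, True))  # True
```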
|
CVSS V2 Severity: Base Metrics 2.6 (Low) [IPA Score]
- Access Vector: Network
- Access Complexity: High
- Authentication: None
- Confidentiality Impact: None
- Integrity Impact: Partial
- Availability Impact: None
|
|
OpenSSL Project
- OpenSSL 0.9.8 and earlier
Sun Microsystems, Inc.
- Sun Solaris 10 (sparc)
- Sun Solaris 10 (x86)
Turbolinux, Inc.
- Turbolinux Appliance Server 1.0 (hosting)
- Turbolinux Appliance Server 1.0 (workgroup)
- Turbolinux Appliance Server 2.0
- Turbolinux FUJI
- Turbolinux Multimedia
- Turbolinux Personal
- Turbolinux Server 10
- Turbolinux Server 10 (x64)
- Turbolinux Server 11
- Turbolinux Server 11 (x64)
- Turbolinux Server 8
- wizpy
Trend Micro, Inc.
- InterScan Messaging Security Suite for Linux 5.11
- InterScan Messaging Security Suite for Solaris 5.11
- TrendMicro InterScan VirusWall 3.81 and earlier
- TrendMicro InterScan Web Security Suite for Linux 1.02
- TrendMicro InterScan Web Security Suite for Solaris 1.1
- TrendMicro InterScan Web Security Suite for Windows 1.01
Hewlett-Packard Development Company, L.P.
- HP-UX 11.00
- HP-UX 11.11
- HP-UX 11.23
MIRACLE LINUX CORPORATION
- Asianux Server 2.0 Standard Edition
- Asianux Server 2.1 Standard Edition
- Asianux Server 3.0
- Asianux Server 3.0 (x86-64)
- Asianux Server 4.0
- Asianux Server 4.0 (x86-64)
Red Hat, Inc.
- Red Hat Enterprise Linux 2.1 (as)
- Red Hat Enterprise Linux 3 (as)
- Red Hat Enterprise Linux 4 (as)
- Red Hat Enterprise Linux 2.1 (es)
- Red Hat Enterprise Linux 3 (es)
- Red Hat Enterprise Linux 4 (es)
- Red Hat Enterprise Linux 2.1 (ws)
- Red Hat Enterprise Linux 3 (ws)
- Red Hat Enterprise Linux 4 (ws)
- Red Hat Linux Advanced Workstation 2.1
Hitachi, Ltd.
- Cosminexus Application Server Enterprise Version 6
- Cosminexus Application Server Standard Version 6
- Cosminexus Application Server Version 5
- Cosminexus Developer Light Version 6
- Cosminexus Developer Professional Version 6
- Cosminexus Developer Standard Version 6
- Cosminexus Developer Version 5
- Cosminexus Server - Enterprise Edition
- Cosminexus Server - Standard Edition
- Cosminexus Server - Standard Edition Version 4
- Cosminexus Server - Web Edition
- Cosminexus Server - Web Edition Version 4
- Hitachi Web Server
- Hitachi Web Server - Custom Edition
- Hitachi Web Server - Security Enhancement
- Hitachi Web Server for VOS3
- uCosminexus Application Server Enterprise
- uCosminexus Application Server Smart Edition
- uCosminexus Application Server Standard
- uCosminexus Developer Professional
- uCosminexus Developer Light
- uCosminexus Developer Standard
- uCosminexus Service Architect
- uCosminexus Service Platform
FUJITSU
|
Please refer to HS06-022 provided by Hitachi for more details.
|
When OpenSSL communication passes through a path controlled by an attacker, the attacker, acting as a man-in-the-middle (MITM), can force the client and the server to negotiate the SSL 2.0 protocol even if both parties support SSL 3.0 or TLS 1.0, and may then intercept or alter data.
|
|
OpenSSL Project
Sun Microsystems, Inc.
- Sun Alert Notification : 101974
Century Systems Co., Ltd.
Turbolinux, Inc.
Trend Micro, Inc.
Hewlett-Packard Development Company, L.P.
MIRACLE LINUX CORPORATION
Red Hat, Inc.
Hitachi, Ltd.
- Hitachi Software Vulnerability Information : HS06-022
FUJITSU
- FUJITSU Security Information : 20061024 (in Japanese)
- FUJITSU Security Information : JVN#23632449 (in Japanese)
|
|
- CVE-2005-2969
|
- JVN : JVN#23632449
- National Vulnerability Database (NVD) : CVE-2005-2969
- Secunia Advisory : SA17151
- SecurityFocus : 15071
- SecuriTeam : 6Y00D0AEBW
- FrSIRT Advisories : FrSIRT/ADV-2005-2036
|
- [2008/05/21] Web page published
- [2014/05/22] Affected Products: products were added; Vendor Information: content was added
|