[Japanese]
|
JVNDB-2014-000048
|
OpenSSL improper handling of Change Cipher Spec message
|
OpenSSL improperly handles Change Cipher Spec message in the initial SSL/TLS handshake.
OpenSSL contains a flaw in the implementation of the Change Cipher Spec protocol that allows a MITM (man-in-the-middle) attacker to force a server and a client to use easily guessable cryptgraphic key material during the initial SSL/TLS handshake (CWE-325).
KIKUCHI Masashi of Lepidum Co. Ltd. reported this vulnerability to JPCERT/CC.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
|
CVSS V2 Severity: Base Metrics 4.0 (Medium) [IPA Score]
- Access Vector: Network
- Access Complexity: High
- Authentication: None
- Confidentiality Impact: Partial
- Integrity Impact: Partial
- Availability Impact: None
|
It is confirmed that the SSL/TLS communication between a server and a client using the following vulnerable OpenSSL versions is affected.
Server:
|
OpenSSL Project
- OpenSSL 1.0.1g and earlier
|
Client:
|
OpenSSL Project
- OpenSSL 1.0.1g and earlier
- OpenSSL 1.0.0l and earlier
- OpenSSL 0.9.8y and earlier
|
SSL/TLS communication between the server and the client can be decrypted or altered by the MITM attacker.
|
[Update the software]
Update to the latest version according to the information provided by the developer.
|
BlackBerry
- BlackBerry Knowledge Base : KB36051
FileZilla
Huawei
IBM Corporation
InterSect Alliance International Pty
Kerio Technologies
Novell, Inc.
OpenSSL Project
Puppet
Splunk
Tenable Network Security
VMware
Apple Inc.
- Apple Security Updates : HT6443
Oracle Corporation
Cisco Systems, Inc.
Trend Micro, Inc.
BUFFALO INC.
Hewlett-Packard Development Company, L.P
Fortinet
Blue Coat Systems, Inc.
- Security Advisories : SA80
McAfee
MIRACLE LINUX CORPORATION
Yamaha Corporation
Red Hat, Inc.
Yokogawa Electric Corporation
TOSHIBA TEC
NEC Corporation
- NEC Security Information : AV14-002 (in Japanese)
- NEC Security Information : NV15-011 (in Japanese)
Hitachi, Ltd
FUJITSU
|
- No Mapping(CWE-Other) [IPA Evaluation]
|
- CVE-2014-0224
|
- JVN : JVN#61247051
- JVN : JVNVU#93868849
- National Vulnerability Database (NVD) : CVE-2014-0224
- IPA SECURITY ALERTS : Security Alert for OpenSSL improper handling of Change Cipher Spec message (JVN#61247051) (in Japanese)
- US-CERT Vulnerability Note : VU#978508
- ICS-CERT ADVISORY : ICSA-14-156-01
- ICS-CERT ADVISORY : ICSA-14-198-03
- CERT-FI : Haavoittuvuuksia OpenSSL-kirjastossa
- Related document : Here is the timeline from my (OpenSSL) perspective for the recent CCS Injection (MITM) vulnerability as well as the other flaws being fixed today
- Related document : CCS Injection Vulnerability
- Related document : How I discovered CCS Injection Vulnerability (CVE-2014-0224)
- Related document : Announcement of Aratana (in Japanese)
- IETF : Change Cipher Spec
|
- [2014/06/06]
Web page was published
[2014/06/09]
Vendor Information : Contents were added
References : Contents were added
[2014/06/10]
Vendor Information : Content was added
References : Content was added
[2014/06/11]
Vendor Information : Contents were added
[2014/06/16]
Vendor Information : Content was added
[2014/06/23]
Vendor Information : Contents were added
[2014/06/30]
Vendor Information : Contents were added
[2014/07/01]
Vendor Information : Contents were added
[2014/07/08]
Vendor Information : Content was added
[2014/07/11]
Vendor Information : Contents were added
[2014/07/16]
Vendor Information : Content was added
[2014/07/18]
Vendor Information : Contents were added
References : Content was added
[2014/08/05]
Vendor Information : Contents were added
[2014/08/08]
Vendor Information : Content was added
[2014/09/10]
Vendor Information : Content was added
[2014/09/24]
Vendor Information : Content was added
References : Content was added
[2014/10/06]
Vendor Information : Content was added
[2014/10/21]
Vendor Information : Contents were added
[2015/01/22]
Vendor Information : Contents were added
[2015/04/22]
Vendor Information : Content was added
[2015/06/26]
Vendor Information : Contents were added
[2015/10/28]
Vendor Information : Content was added
[2016/07/27]
Vendor Information : Contents were added
[2016/12/27]
Vendor Information : Contents were added
|