CVE - CVE-2011-3389

CVE-ID
CVE-2011-3389	Learn more at National Vulnerability Database (NVD) • CVSS Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings • CPE Information
Description
The SSL protocol, as used in certain configurations in Microsoft Windows and Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera, and other products, encrypts data by using CBC mode with chained initialization vectors, which allows man-in-the-middle attackers to obtain plaintext HTTP headers via a blockwise chosen-boundary attack (BCBA) on an HTTPS session, in conjunction with JavaScript code that uses (1) the HTML5 WebSocket API, (2) the Java URLConnection API, or (3) the Silverlight WebClient API, aka a "BEAST" attack.
References
Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.
MISC:http://ekoparty.org/2011/juliano-rizzo.php MISC:http://eprint.iacr.org/2004/111 MISC:http://eprint.iacr.org/2006/136 MISC:http://isc.sans.edu/diary/SSL+TLS+part+3+/11635 MISC:http://www.educatedguesswork.org/2011/09/security_impact_of_the_rizzodu.html MISC:http://www.insecure.cl/Beast-SSL.rar MISC:http://vnhacker.blogspot.com/2011/09/beast.html MISC:https://ics-cert.us-cert.gov/advisories/ICSMA-18-058-02 CONFIRM:http://www.opera.com/docs/changelogs/mac/1151/ CONFIRM:http://www.opera.com/docs/changelogs/unix/1151/ CONFIRM:http://www.opera.com/docs/changelogs/windows/1151/ CONFIRM:https://bugzilla.novell.com/show_bug.cgi?id=719047 CONFIRM:https://bugzilla.redhat.com/show_bug.cgi?id=737506 CONFIRM:http://blog.mozilla.com/security/2011/09/27/attack-against-tls-protected-communications/ CONFIRM:http://blogs.technet.com/b/msrc/archive/2011/09/26/microsoft-releases-security-advisory-2588513.aspx CONFIRM:http://my.opera.com/securitygroup/blog/2011/09/28/the-beast-ssl-tls-issue CONFIRM:http://technet.microsoft.com/security/advisory/2588513 CONFIRM:http://www.imperialviolet.org/2011/09/23/chromeandbeast.html CONFIRM:http://support.apple.com/kb/HT4999 CONFIRM:http://support.apple.com/kb/HT5001 CONFIRM:http://www.oracle.com/technetwork/topics/security/javacpuoct2011-443431.html CONFIRM:http://blogs.technet.com/b/srd/archive/2011/09/26/is-ssl-broken-more-about-security-advisory-2588513.aspx CONFIRM:http://googlechromereleases.blogspot.com/2011/10/chrome-stable-release.html CONFIRM:http://www.ibm.com/developerworks/java/jdk/alerts/ CONFIRM:http://www.opera.com/docs/changelogs/mac/1160/ CONFIRM:http://www.opera.com/docs/changelogs/unix/1160/ CONFIRM:http://www.opera.com/docs/changelogs/windows/1160/ CONFIRM:http://www.opera.com/support/kb/view/1004/ CONFIRM:http://support.apple.com/kb/HT5130 CONFIRM:http://support.apple.com/kb/HT5281 CONFIRM:http://support.apple.com/kb/HT5501 CONFIRM:https://blogs.oracle.com/sunsecurity/entry/multiple_vulnerabilities_in_fetchmail CONFIRM:http://support.apple.com/kb/HT6150 CONFIRM:http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html CONFIRM:http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html CONFIRM:http://downloads.asterisk.org/pub/security/AST-2016-001.html CONFIRM:http://www.apcmedia.com/salestools/SJHN-7RKGNM/SJHN-7RKGNM_R4_EN.pdf CONFIRM:http://curl.haxx.se/docs/adv_20120124B.html APPLE:APPLE-SA-2011-10-12-1 URL:http://lists.apple.com/archives/Security-announce/2011//Oct/msg00001.html APPLE:APPLE-SA-2011-10-12-2 URL:http://lists.apple.com/archives/Security-announce/2011//Oct/msg00002.html APPLE:APPLE-SA-2012-02-01-1 URL:http://lists.apple.com/archives/security-announce/2012/Feb/msg00000.html APPLE:APPLE-SA-2012-05-09-1 URL:http://lists.apple.com/archives/security-announce/2012/May/msg00001.html APPLE:APPLE-SA-2012-07-25-2 URL:http://lists.apple.com/archives/security-announce/2012/Jul/msg00001.html APPLE:APPLE-SA-2012-09-19-2 URL:http://lists.apple.com/archives/security-announce/2012/Sep/msg00004.html APPLE:APPLE-SA-2013-10-22-3 URL:http://lists.apple.com/archives/security-announce/2013/Oct/msg00004.html DEBIAN:DSA-2398 URL:http://www.debian.org/security/2012/dsa-2398 GENTOO:GLSA-201406-32 URL:http://security.gentoo.org/glsa/glsa-201406-32.xml GENTOO:GLSA-201203-02 URL:http://security.gentoo.org/glsa/glsa-201203-02.xml HP:HPSBMU02742 URL:http://marc.info/?l=bugtraq&m=132872385320240&w=2 HP:SSRT100740 URL:http://marc.info/?l=bugtraq&m=132872385320240&w=2 HP:HPSBUX02730 URL:http://marc.info/?l=bugtraq&m=132750579901589&w=2 HP:SSRT100710 URL:http://marc.info/?l=bugtraq&m=132750579901589&w=2 HP:HPSBMU02900 URL:https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c03839862 HP:HPSBMU02797 URL:http://marc.info/?l=bugtraq&m=134254957702612&w=2 HP:HPSBUX02760 URL:http://marc.info/?l=bugtraq&m=133365109612558&w=2 HP:HPSBUX02777 URL:http://marc.info/?l=bugtraq&m=133728004526190&w=2 HP:SSRT100805 URL:http://marc.info/?l=bugtraq&m=133365109612558&w=2 HP:SSRT100854 URL:http://marc.info/?l=bugtraq&m=133728004526190&w=2 HP:SSRT100867 URL:http://marc.info/?l=bugtraq&m=134254957702612&w=2 HP:HPSBMU02799 URL:http://marc.info/?l=bugtraq&m=134254866602253&w=2 MANDRIVA:MDVSA-2012:058 URL:http://www.mandriva.com/security/advisories?name=MDVSA-2012:058 MS:MS12-006 URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/2012/ms12-006 REDHAT:RHSA-2011:1384 URL:http://www.redhat.com/support/errata/RHSA-2011-1384.html REDHAT:RHSA-2012:0006 URL:http://www.redhat.com/support/errata/RHSA-2012-0006.html REDHAT:RHSA-2013:1455 URL:http://rhn.redhat.com/errata/RHSA-2013-1455.html REDHAT:RHSA-2012:0508 URL:http://rhn.redhat.com/errata/RHSA-2012-0508.html SUSE:SUSE-SU-2012:0114 URL:http://lists.opensuse.org/opensuse-security-announce/2012-01/msg00049.html SUSE:SUSE-SU-2012:0122 URL:http://lists.opensuse.org/opensuse-security-announce/2012-01/msg00051.html SUSE:openSUSE-SU-2012:0030 URL:https://hermes.opensuse.org/messages/13154861 SUSE:openSUSE-SU-2012:0063 URL:https://hermes.opensuse.org/messages/13155432 SUSE:SUSE-SU-2012:0602 URL:http://lists.opensuse.org/opensuse-security-announce/2012-05/msg00009.html UBUNTU:USN-1263-1 URL:http://www.ubuntu.com/usn/USN-1263-1 CERT:TA12-010A URL:http://www.us-cert.gov/cas/techalerts/TA12-010A.html CERT-VN:VU#864643 URL:http://www.kb.cert.org/vuls/id/864643 BID:49388 URL:http://www.securityfocus.com/bid/49388 BID:49778 URL:http://www.securityfocus.com/bid/49778 OSVDB:74829 URL:http://osvdb.org/74829 OVAL:oval:org.mitre.oval:def:14752 URL:https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14752 SECTRACK:1025997 URL:http://www.securitytracker.com/id?1025997 SECTRACK:1026103 URL:http://www.securitytracker.com/id?1026103 SECTRACK:1029190 URL:http://www.securitytracker.com/id/1029190 SECTRACK:1026704 URL:http://www.securitytracker.com/id?1026704 SECUNIA:45791 URL:http://secunia.com/advisories/45791 SECUNIA:49198 URL:http://secunia.com/advisories/49198 SECUNIA:48692 URL:http://secunia.com/advisories/48692 SECUNIA:48915 URL:http://secunia.com/advisories/48915 SECUNIA:48948 URL:http://secunia.com/advisories/48948 SECUNIA:55322 URL:http://secunia.com/advisories/55322 SECUNIA:55351 URL:http://secunia.com/advisories/55351 SECUNIA:55350 URL:http://secunia.com/advisories/55350 SECUNIA:48256 URL:http://secunia.com/advisories/48256 SECUNIA:47998 URL:http://secunia.com/advisories/47998
Assigning CNA
N/A
Date Entry Created
20110905	Disclaimer: The entry creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
Phase (Legacy)
Assigned (20110905)
Votes (Legacy)

Comments (Legacy)

Proposed (Legacy)
N/A
This is an entry on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.
Search CVE Using Keywords: You can also search by reference using the CVE Reference Maps.
For More Information: cve@mitre.org