CVE - CVE-2011-3389

CVE-ID
CVE-2011-3389	Learn more at National Vulnerability Database (NVD) • CVSS Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings • CPE Information
Description
The SSL protocol, as used in certain configurations in Microsoft Windows and Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera, and other products, encrypts data by using CBC mode with chained initialization vectors, which allows man-in-the-middle attackers to obtain plaintext HTTP headers via a blockwise chosen-boundary attack (BCBA) on an HTTPS session, in conjunction with JavaScript code that uses (1) the HTML5 WebSocket API, (2) the Java URLConnection API, or (3) the Silverlight WebClient API, aka a "BEAST" attack.
References
Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.
APPLE:APPLE-SA-2011-10-12-1 URL:http://lists.apple.com/archives/Security-announce/2011//Oct/msg00001.html APPLE:APPLE-SA-2011-10-12-2 URL:http://lists.apple.com/archives/Security-announce/2011//Oct/msg00002.html APPLE:APPLE-SA-2012-02-01-1 URL:http://lists.apple.com/archives/security-announce/2012/Feb/msg00000.html APPLE:APPLE-SA-2012-05-09-1 URL:http://lists.apple.com/archives/security-announce/2012/May/msg00001.html APPLE:APPLE-SA-2012-07-25-2 URL:http://lists.apple.com/archives/security-announce/2012/Jul/msg00001.html APPLE:APPLE-SA-2012-09-19-2 URL:http://lists.apple.com/archives/security-announce/2012/Sep/msg00004.html APPLE:APPLE-SA-2013-10-22-3 URL:http://lists.apple.com/archives/security-announce/2013/Oct/msg00004.html BID:49388 URL:http://www.securityfocus.com/bid/49388 BID:49778 URL:http://www.securityfocus.com/bid/49778 CERT:TA12-010A URL:http://www.us-cert.gov/cas/techalerts/TA12-010A.html CERT-VN:VU#864643 URL:http://www.kb.cert.org/vuls/id/864643 CONFIRM:http://blog.mozilla.com/security/2011/09/27/attack-against-tls-protected-communications/ CONFIRM:http://blogs.technet.com/b/msrc/archive/2011/09/26/microsoft-releases-security-advisory-2588513.aspx CONFIRM:http://blogs.technet.com/b/srd/archive/2011/09/26/is-ssl-broken-more-about-security-advisory-2588513.aspx CONFIRM:http://curl.haxx.se/docs/adv_20120124B.html CONFIRM:http://downloads.asterisk.org/pub/security/AST-2016-001.html CONFIRM:http://googlechromereleases.blogspot.com/2011/10/chrome-stable-release.html CONFIRM:http://my.opera.com/securitygroup/blog/2011/09/28/the-beast-ssl-tls-issue CONFIRM:http://support.apple.com/kb/HT4999 CONFIRM:http://support.apple.com/kb/HT5001 CONFIRM:http://support.apple.com/kb/HT5130 CONFIRM:http://support.apple.com/kb/HT5281 CONFIRM:http://support.apple.com/kb/HT5501 CONFIRM:http://support.apple.com/kb/HT6150 CONFIRM:http://technet.microsoft.com/security/advisory/2588513 CONFIRM:http://www.apcmedia.com/salestools/SJHN-7RKGNM/SJHN-7RKGNM_R4_EN.pdf CONFIRM:http://www.ibm.com/developerworks/java/jdk/alerts/ CONFIRM:http://www.imperialviolet.org/2011/09/23/chromeandbeast.html CONFIRM:http://www.opera.com/docs/changelogs/mac/1151/ CONFIRM:http://www.opera.com/docs/changelogs/mac/1160/ CONFIRM:http://www.opera.com/docs/changelogs/unix/1151/ CONFIRM:http://www.opera.com/docs/changelogs/unix/1160/ CONFIRM:http://www.opera.com/docs/changelogs/windows/1151/ CONFIRM:http://www.opera.com/docs/changelogs/windows/1160/ CONFIRM:http://www.opera.com/support/kb/view/1004/ CONFIRM:http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html CONFIRM:http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html CONFIRM:http://www.oracle.com/technetwork/topics/security/javacpuoct2011-443431.html CONFIRM:https://blogs.oracle.com/sunsecurity/entry/multiple_vulnerabilities_in_fetchmail CONFIRM:https://bugzilla.novell.com/show_bug.cgi?id=719047 CONFIRM:https://bugzilla.redhat.com/show_bug.cgi?id=737506 CONFIRM:https://cert-portal.siemens.com/productcert/pdf/ssa-556833.pdf DEBIAN:DSA-2398 URL:http://www.debian.org/security/2012/dsa-2398 GENTOO:GLSA-201203-02 URL:http://security.gentoo.org/glsa/glsa-201203-02.xml GENTOO:GLSA-201406-32 URL:http://security.gentoo.org/glsa/glsa-201406-32.xml HP:HPSBMU02742 URL:http://marc.info/?l=bugtraq&m=132872385320240&w=2 HP:HPSBMU02797 URL:http://marc.info/?l=bugtraq&m=134254957702612&w=2 HP:HPSBMU02799 URL:http://marc.info/?l=bugtraq&m=134254866602253&w=2 HP:HPSBMU02900 URL:https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c03839862 HP:HPSBUX02730 URL:http://marc.info/?l=bugtraq&m=132750579901589&w=2 HP:HPSBUX02760 URL:http://marc.info/?l=bugtraq&m=133365109612558&w=2 HP:HPSBUX02777 URL:http://marc.info/?l=bugtraq&m=133728004526190&w=2 HP:SSRT100710 URL:http://marc.info/?l=bugtraq&m=132750579901589&w=2 HP:SSRT100740 URL:http://marc.info/?l=bugtraq&m=132872385320240&w=2 HP:SSRT100805 URL:http://marc.info/?l=bugtraq&m=133365109612558&w=2 HP:SSRT100854 URL:http://marc.info/?l=bugtraq&m=133728004526190&w=2 HP:SSRT100867 URL:http://marc.info/?l=bugtraq&m=134254957702612&w=2 MANDRIVA:MDVSA-2012:058 URL:~~http://www.mandriva.com/security/advisories?name=MDVSA-2012:058~~ (Obsolete source) MISC:http://ekoparty.org/2011/juliano-rizzo.php MISC:http://eprint.iacr.org/2004/111 MISC:http://eprint.iacr.org/2006/136 MISC:http://isc.sans.edu/diary/SSL+TLS+part+3+/11635 MISC:http://vnhacker.blogspot.com/2011/09/beast.html MISC:http://www.educatedguesswork.org/2011/09/security_impact_of_the_rizzodu.html MISC:http://www.insecure.cl/Beast-SSL.rar MISC:https://ics-cert.us-cert.gov/advisories/ICSMA-18-058-02 MS:MS12-006 URL:https://docs.microsoft.com/en-us/security-updates/securitybulletins/2012/ms12-006 OSVDB:74829 URL:~~http://osvdb.org/74829~~ (Obsolete source) OVAL:oval:org.mitre.oval:def:14752 URL:https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14752 REDHAT:RHSA-2011:1384 URL:http://www.redhat.com/support/errata/RHSA-2011-1384.html REDHAT:RHSA-2012:0006 URL:http://www.redhat.com/support/errata/RHSA-2012-0006.html REDHAT:RHSA-2012:0508 URL:http://rhn.redhat.com/errata/RHSA-2012-0508.html REDHAT:RHSA-2013:1455 URL:http://rhn.redhat.com/errata/RHSA-2013-1455.html SECTRACK:1025997 URL:http://www.securitytracker.com/id?1025997 SECTRACK:1026103 URL:http://www.securitytracker.com/id?1026103 SECTRACK:1026704 URL:http://www.securitytracker.com/id?1026704 SECTRACK:1029190 URL:http://www.securitytracker.com/id/1029190 SECUNIA:45791 URL:http://secunia.com/advisories/45791 SECUNIA:47998 URL:http://secunia.com/advisories/47998 SECUNIA:48256 URL:http://secunia.com/advisories/48256 SECUNIA:48692 URL:http://secunia.com/advisories/48692 SECUNIA:48915 URL:http://secunia.com/advisories/48915 SECUNIA:48948 URL:http://secunia.com/advisories/48948 SECUNIA:49198 URL:http://secunia.com/advisories/49198 SECUNIA:55322 URL:http://secunia.com/advisories/55322 SECUNIA:55350 URL:http://secunia.com/advisories/55350 SECUNIA:55351 URL:http://secunia.com/advisories/55351 SUSE:SUSE-SU-2012:0114 URL:http://lists.opensuse.org/opensuse-security-announce/2012-01/msg00049.html SUSE:SUSE-SU-2012:0122 URL:http://lists.opensuse.org/opensuse-security-announce/2012-01/msg00051.html SUSE:SUSE-SU-2012:0602 URL:http://lists.opensuse.org/opensuse-security-announce/2012-05/msg00009.html SUSE:openSUSE-SU-2012:0030 URL:https://hermes.opensuse.org/messages/13154861 SUSE:openSUSE-SU-2012:0063 URL:https://hermes.opensuse.org/messages/13155432 SUSE:openSUSE-SU-2020:0086 URL:http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00040.html UBUNTU:USN-1263-1 URL:http://www.ubuntu.com/usn/USN-1263-1
Assigning CNA
MITRE Corporation
Date Record Created
20110905	Disclaimer: The record creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
Phase (Legacy)
Assigned (20110905)
Votes (Legacy)

Comments (Legacy)

Proposed (Legacy)
N/A
This is an record on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.
Search CVE Using Keywords: You can also search by reference using the CVE Reference Maps.
For More Information: CVE Request Web Form (select "Other" from dropdown)