Executive Summary

Summary
Titleopenssl security update
Informations
NameRHSA-2010:0979First vendor Publication2010-12-13
VendorRedHatLast vendor Modification2010-12-13
Severity (Vendor) ModerateRevision01

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Cvss Base Score4.3Attack RangeNetwork
Cvss Impact Score2.9Attack ComplexityMedium
Cvss Expoit Score8.6AuthenticationNone Required
Calculate full CVSS 2.0 Vectors scores

Detail

Problem Description:

Updated openssl packages that fix one security issue are now available for
Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having moderate
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64
Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64
Red Hat Enterprise Linux HPC Node (v. 6) - x86_64
Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64
Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, x86_64

3. Description:

OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3)
and Transport Layer Security (TLS v1) protocols, as well as a
full-strength, general purpose cryptography library.

A ciphersuite downgrade flaw was found in the OpenSSL SSL/TLS server code.
A remote attacker could possibly use this flaw to change the ciphersuite
associated with a cached session stored on the server, if the server
enabled the SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option, possibly
forcing the client to use a weaker ciphersuite after resuming the session.
(CVE-2010-4180)

Note: With this update, setting the SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
option has no effect and this bug workaround can no longer be enabled.

All OpenSSL users should upgrade to these updated packages, which contain a
backported patch to resolve this issue. For the update to take effect, all
services linked to the OpenSSL library must be restarted, or the system
rebooted.

4. Solution:

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

659462 - CVE-2010-4180 openssl: NETSCAPE_REUSE_CIPHER_CHANGE_BUG ciphersuite downgrade attack

Original Source

Url : https://rhn.redhat.com/errata/RHSA-2010-0979.html

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:22097
 
Oval ID: oval:org.mitre.oval:def:22097
Title: RHSA-2010:0979: openssl security update (Moderate)
Description: OpenSSL before 0.9.8q, and 1.0.x before 1.0.0c, when SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG is enabled, does not properly prevent modification of the ciphersuite in the session cache, which allows remote attackers to force the downgrade to an unintended cipher via vectors involving sniffing network traffic to discover a session identifier.
Family: unix Class: patch
Reference(s): RHSA-2010:0979-01
CVE-2010-4180
Version: 4
Platform(s): Red Hat Enterprise Linux 6
Product(s): openssl
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:22038
 
Oval ID: oval:org.mitre.oval:def:22038
Title: RHSA-2010:0978: openssl security update (Moderate)
Description: OpenSSL before 0.9.8q, and 1.0.x before 1.0.0c, when SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG is enabled, does not properly prevent modification of the ciphersuite in the session cache, which allows remote attackers to force the downgrade to an unintended cipher via vectors involving sniffing network traffic to discover a session identifier.
Family: unix Class: patch
Reference(s): RHSA-2010:0978-01
CESA-2010:0978
CVE-2008-7270
CVE-2010-4180
Version: 29
Platform(s): Red Hat Enterprise Linux 5
CentOS Linux 5
Product(s): openssl
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:20828
 
Oval ID: oval:org.mitre.oval:def:20828
Title: Multiple OpenSSL vulnerabilities
Description: OpenSSL before 0.9.8q, and 1.0.x before 1.0.0c, when SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG is enabled, does not properly prevent modification of the ciphersuite in the session cache, which allows remote attackers to force the downgrade to an unintended cipher via vectors involving sniffing network traffic to discover a session identifier.
Family: unix Class: vulnerability
Reference(s): CVE-2010-4180
Version: 4
Platform(s): IBM AIX 6.1
IBM AIX 7.1
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:20705
 
Oval ID: oval:org.mitre.oval:def:20705
Title: VMware vSphere and vCOps updates to third party libraries
Description: OpenSSL before 0.9.8q, and 1.0.x before 1.0.0c, when SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG is enabled, does not properly prevent modification of the ciphersuite in the session cache, which allows remote attackers to force the downgrade to an unintended cipher via vectors involving sniffing network traffic to discover a session identifier.
Family: unix Class: vulnerability
Reference(s): CVE-2010-4180
Version: 4
Platform(s): VMWare ESX Server 4.1
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:19752
 
Oval ID: oval:org.mitre.oval:def:19752
Title: VMware third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX
Description: OpenSSL before 0.9.8q, and 1.0.x before 1.0.0c, when SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG is enabled, does not properly prevent modification of the ciphersuite in the session cache, which allows remote attackers to force the downgrade to an unintended cipher via vectors involving sniffing network traffic to discover a session identifier.
Family: unix Class: vulnerability
Reference(s): CVE-2010-4180
Version: 4
Platform(s): VMWare ESX Server 4.1
VMWare ESX Server 4.0
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:19547
 
Oval ID: oval:org.mitre.oval:def:19547
Title: HP-UX Running OpenSSL, Remote Execution of Arbitrary Code, Denial of Service (DoS), Authentication Bypass
Description: OpenSSL before 0.9.8q, and 1.0.x before 1.0.0c, when SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG is enabled, does not properly prevent modification of the ciphersuite in the session cache, which allows remote attackers to force the downgrade to an unintended cipher via vectors involving sniffing network traffic to discover a session identifier.
Family: unix Class: vulnerability
Reference(s): CVE-2010-4180
Version: 7
Platform(s): HP-UX 11
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:18910
 
Oval ID: oval:org.mitre.oval:def:18910
Title: OpenSSL vulnerability before 0.9.8q, and 1.0.x before 1.0.0c in VisualSVN Server (CVE-2010-4180)
Description: OpenSSL before 0.9.8q, and 1.0.x before 1.0.0c, when SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG is enabled, does not properly prevent modification of the ciphersuite in the session cache, which allows remote attackers to force the downgrade to an unintended cipher via vectors involving sniffing network traffic to discover a session identifier.
Family: windows Class: vulnerability
Reference(s): CVE-2010-4180
Version: 3
Platform(s): Microsoft Windows XP
Microsoft Windows Server 2003
Microsoft Windows Vista
Microsoft Windows 7
Microsoft Windows 8
Microsoft Windows Server 2008
Microsoft Windows Server 2008 R2
Microsoft Windows Server 2012
Product(s): VisualSVN Server
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:22780
 
Oval ID: oval:org.mitre.oval:def:22780
Title: ELSA-2010:0979: openssl security update (Moderate)
Description: OpenSSL before 0.9.8q, and 1.0.x before 1.0.0c, when SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG is enabled, does not properly prevent modification of the ciphersuite in the session cache, which allows remote attackers to force the downgrade to an unintended cipher via vectors involving sniffing network traffic to discover a session identifier.
Family: unix Class: patch
Reference(s): ELSA-2010:0979-01
CVE-2010-4180
Version: 3
Platform(s): Oracle Linux 6
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:22306
 
Oval ID: oval:org.mitre.oval:def:22306
Title: ELSA-2010:0978: openssl security update (Moderate)
Description: OpenSSL before 0.9.8q, and 1.0.x before 1.0.0c, when SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG is enabled, does not properly prevent modification of the ciphersuite in the session cache, which allows remote attackers to force the downgrade to an unintended cipher via vectors involving sniffing network traffic to discover a session identifier.
Family: unix Class: patch
Reference(s): ELSA-2010:0978-01
CVE-2008-7270
CVE-2010-4180
Version: 10
Platform(s): Oracle Linux 5
Product(s):
Definition Synopsis:

CPE : Common Platform Enumeration

TypeDescriptionCount
Application76

OpenVAS Exploits

DateDescription
2012-08-31Name : VMSA-2012-0013 VMware vSphere and vCOps updates to third party libraries.
File : nvt/gb_VMSA-2012-0013.nasl
2012-07-30Name : CentOS Update for openssl CESA-2010:0977 centos4 x86_64
File : nvt/gb_CESA-2010_0977_openssl_centos4_x86_64.nasl
2012-03-15Name : VMSA-2011-0013.2 VMware third party component updates for VMware vCenter Serv...
File : nvt/gb_VMSA-2011-0013.nasl
2012-02-12Name : Gentoo Security Advisory GLSA 201110-01 (openssl)
File : nvt/glsa_201110_01.nasl
2011-09-12Name : Fedora Update for openssl FEDORA-2011-12281
File : nvt/gb_fedora_2011_12281_openssl_fc14.nasl
2011-08-19Name : Mac OS X v10.6.8 Multiple Vulnerabilities (2011-004)
File : nvt/secpod_macosx_su11-004.nasl
2011-08-09Name : CentOS Update for openssl CESA-2010:0978 centos5 i386
File : nvt/gb_CESA-2010_0978_openssl_centos5_i386.nasl
2011-05-05Name : HP-UX Update for OpenSSL HPSBUX02638
File : nvt/gb_hp_ux_HPSBUX02638.nasl
2011-03-24Name : Fedora Update for openssl FEDORA-2011-1255
File : nvt/gb_fedora_2011_1255_openssl_fc13.nasl
2011-02-16Name : Fedora Update for openssl FEDORA-2011-1273
File : nvt/gb_fedora_2011_1273_openssl_fc14.nasl
2011-01-31Name : CentOS Update for openssl CESA-2010:0977 centos4 i386
File : nvt/gb_CESA-2010_0977_openssl_centos4_i386.nasl
2010-12-28Name : Fedora Update for openssl FEDORA-2010-18736
File : nvt/gb_fedora_2010_18736_openssl_fc13.nasl
2010-12-28Name : Fedora Update for openssl FEDORA-2010-18765
File : nvt/gb_fedora_2010_18765_openssl_fc14.nasl
2010-12-28Name : RedHat Update for openssl RHSA-2010:0977-01
File : nvt/gb_RHSA-2010_0977-01_openssl.nasl
2010-12-28Name : RedHat Update for openssl RHSA-2010:0978-01
File : nvt/gb_RHSA-2010_0978-01_openssl.nasl
2010-12-23Name : Ubuntu Update for openssl vulnerabilities USN-1029-1
File : nvt/gb_ubuntu_USN_1029_1.nasl
2010-12-23Name : Mandriva Update for openssl MDVSA-2010:248 (openssl)
File : nvt/gb_mandriva_MDVSA_2010_248.nasl
0000-00-00Name : Slackware Advisory SSA:2010-340-01 openssl
File : nvt/esoft_slk_ssa_2010_340_01.nasl

Open Source Vulnerability Database (OSVDB)

idDescription
69565OpenSSL SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG Session Resume Ciphersuite Do...

Information Assurance Vulnerability Management (IAVM)

DateDescription
2012-09-27IAVM : 2012-A-0153 - Multiple Vulnerabilities in VMware ESX 4.0 and ESXi 4.0
Severity : Category I - VMSKEY : V0033884
2012-09-13IAVM : 2012-A-0148 - Multiple Vulnerabilities in VMware ESXi 4.1 and ESX 4.1
Severity : Category I - VMSKEY : V0033794
2012-04-05IAVM : 2012-B-0038 - Multiple Vulnerabilities in HP Onboard Administrator
Severity : Category I - VMSKEY : V0031972
2011-12-01IAVM : 2011-A-0160 - Multiple Vulnerabilities in VMware vCenter Server 4.0 and vCenter Update Mana...
Severity : Category I - VMSKEY : V0030769

Nessus® Vulnerability Scanner

DateDescription
2014-04-16Name : The remote AIX host is running a vulnerable version of OpenSSL.
File : aix_openssl_advisory2.nasl - Type : ACT_GATHER_INFO
2013-11-13Name : The remote VMware ESXi 5.0 host is affected by multiple security vulnerabilit...
File : vmware_esxi_5_0_build_912577_remote.nasl - Type : ACT_GATHER_INFO
2013-07-12Name : The remote Oracle Linux host is missing one or more security updates.
File : oraclelinux_ELSA-2010-0977.nasl - Type : ACT_GATHER_INFO
2013-07-12Name : The remote Oracle Linux host is missing one or more security updates.
File : oraclelinux_ELSA-2010-0978.nasl - Type : ACT_GATHER_INFO
2013-07-12Name : The remote Oracle Linux host is missing one or more security updates.
File : oraclelinux_ELSA-2010-0979.nasl - Type : ACT_GATHER_INFO
2013-07-10Name : The remote SuSE 10 host is missing a security-related patch.
File : suse_libcurl4-8618.nasl - Type : ACT_GATHER_INFO
2012-08-31Name : The remote VMware ESXi / ESX host is missing one or more security-related pat...
File : vmware_VMSA-2012-0013.nasl - Type : ACT_GATHER_INFO
2012-08-01Name : The remote Scientific Linux host is missing one or more security updates.
File : sl_20101213_openssl_on_SL4_x.nasl - Type : ACT_GATHER_INFO
2012-08-01Name : The remote Scientific Linux host is missing one or more security updates.
File : sl_20101213_openssl_on_SL6_x.nasl - Type : ACT_GATHER_INFO
2011-12-13Name : The remote SuSE 10 host is missing a security-related patch.
File : suse_openssl-7462.nasl - Type : ACT_GATHER_INFO
2011-12-13Name : The remote SuSE 10 host is missing a security-related patch.
File : suse_compat-openssl097g-7645.nasl - Type : ACT_GATHER_INFO
2011-10-28Name : The remote VMware ESXi / ESX host is missing one or more security-related pat...
File : vmware_VMSA-2011-0013.nasl - Type : ACT_GATHER_INFO
2011-10-10Name : The remote Gentoo host is missing one or more security-related patches.
File : gentoo_GLSA-201110-01.nasl - Type : ACT_GATHER_INFO
2011-07-28Name : The remote SuSE 11 host is missing one or more security updates.
File : suse_11_compat-openssl097g-110721.nasl - Type : ACT_GATHER_INFO
2011-07-28Name : The remote SuSE 10 host is missing a security-related patch.
File : suse_compat-openssl097g-7644.nasl - Type : ACT_GATHER_INFO
2011-06-24Name : The remote host is missing a Mac OS X update that fixes several security issues.
File : macosx_10_6_8.nasl - Type : ACT_GATHER_INFO
2011-05-05Name : The remote SuSE system is missing a security patch for libopenssl-devel
File : suse_11_2_libopenssl-devel-101207.nasl - Type : ACT_GATHER_INFO
2011-05-05Name : The remote SuSE system is missing a security patch for libopenssl-devel
File : suse_11_1_libopenssl-devel-101207.nasl - Type : ACT_GATHER_INFO
2011-05-04Name : The remote SuSE 10 host is missing a security-related patch.
File : suse_openssl-7463.nasl - Type : ACT_GATHER_INFO
2011-05-04Name : The remote SuSE 9 host is missing a security-related patch.
File : suse9_12701.nasl - Type : ACT_GATHER_INFO
2011-02-07Name : The remote host allows resuming SSL sessions with a weaker cipher than the on...
File : openssl_resume_different_cipher.nasl - Type : ACT_ATTACK
2011-01-28Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2010-0977.nasl - Type : ACT_GATHER_INFO
2011-01-21Name : The remote SuSE 11 host is missing one or more security updates.
File : suse_11_libopenssl-devel-101207.nasl - Type : ACT_GATHER_INFO
2011-01-10Name : The remote Debian host is missing a security-related update.
File : debian_DSA-2141.nasl - Type : ACT_GATHER_INFO
2010-12-20Name : The remote Fedora host is missing a security update.
File : fedora_2010-18736.nasl - Type : ACT_GATHER_INFO
2010-12-14Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2010-0977.nasl - Type : ACT_GATHER_INFO
2010-12-14Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2010-0978.nasl - Type : ACT_GATHER_INFO
2010-12-14Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2010-0979.nasl - Type : ACT_GATHER_INFO
2010-12-14Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2010-0978.nasl - Type : ACT_GATHER_INFO
2010-12-12Name : The remote Fedora host is missing a security update.
File : fedora_2010-18765.nasl - Type : ACT_GATHER_INFO
2010-12-08Name : The remote Mandriva Linux host is missing one or more security updates.
File : mandriva_MDVSA-2010-248.nasl - Type : ACT_GATHER_INFO
2010-12-08Name : The remote Ubuntu host is missing one or more security-related patches.
File : ubuntu_USN-1029-1.nasl - Type : ACT_GATHER_INFO
2010-12-08Name : The remote Slackware host is missing a security update.
File : Slackware_SSA_2010-340-01.nasl - Type : ACT_GATHER_INFO
2010-12-07Name : The remote web server is affected by multiple vulnerabilities.
File : openssl_1_0_0c.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.
0
DateInformations
2014-02-17 11:54:11
  • Multiple Updates