FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

CVE-2011-3389

This CVE name corresponds to:

Entered     Topic
2012-08-30  fetchmail -- chosen plaintext attack against SSL CBC initialization vectors
2011-12-13  opera -- multiple vulnerabilities

The following information is adapted from the Common Vulnerabilities and Exposures (CVE) project. CVE and the CVE logo are trademarks of The MITRE Corporation. CVE content is Copyright 2005, The MITRE Corporation.

Details

Type   Candidate
Name   CVE-2011-3389
Phase  Assigned(20110905)

Description

The SSL protocol, as used in certain configurations in Microsoft Windows and Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera, and other products, encrypts data by using CBC mode with chained initialization vectors, which allows man-in-the-middle attackers to obtain plaintext HTTP headers via a blockwise chosen-boundary attack (BCBA) on an HTTPS session, in conjunction with JavaScript code that uses (1) the HTML5 WebSocket API, (2) the Java URLConnection API, or (3) the Silverlight WebClient API, aka a "BEAST" attack.

References

Source Reference
MISC http://ekoparty.org/2011/juliano-rizzo.php
MISC http://eprint.iacr.org/2004/111
MISC http://eprint.iacr.org/2006/136
MISC http://isc.sans.edu/diary/SSL+TLS+part+3+/11635
MISC http://www.educatedguesswork.org/2011/09/security_impact_of_the_rizzodu.html
MISC http://www.insecure.cl/Beast-SSL.rar
MISC http://vnhacker.blogspot.com/2011/09/beast.html
CONFIRM http://www.opera.com/docs/changelogs/mac/1151/
CONFIRM http://www.opera.com/docs/changelogs/unix/1151/
CONFIRM http://www.opera.com/docs/changelogs/windows/1151/
CONFIRM https://bugzilla.novell.com/show_bug.cgi?id=719047
CONFIRM https://bugzilla.redhat.com/show_bug.cgi?id=737506
CONFIRM http://blog.mozilla.com/security/2011/09/27/attack-against-tls-protected-communications/
CONFIRM http://blogs.technet.com/b/msrc/archive/2011/09/26/microsoft-releases-security-advisory-2588513.aspx
CONFIRM http://my.opera.com/securitygroup/blog/2011/09/28/the-beast-ssl-tls-issue
CONFIRM http://technet.microsoft.com/security/advisory/2588513
CONFIRM http://www.imperialviolet.org/2011/09/23/chromeandbeast.html
CONFIRM http://support.apple.com/kb/HT4999
CONFIRM http://support.apple.com/kb/HT5001
CONFIRM http://www.oracle.com/technetwork/topics/security/javacpuoct2011-443431.html
CONFIRM http://blogs.technet.com/b/srd/archive/2011/09/26/is-ssl-broken-more-about-security-advisory-2588513.aspx
CONFIRM http://googlechromereleases.blogspot.com/2011/10/chrome-stable-release.html
CONFIRM http://www.ibm.com/developerworks/java/jdk/alerts/
CONFIRM http://www.opera.com/docs/changelogs/mac/1160/
CONFIRM http://www.opera.com/docs/changelogs/unix/1160/
CONFIRM http://www.opera.com/docs/changelogs/windows/1160/
CONFIRM http://www.opera.com/support/kb/view/1004/
CONFIRM http://support.apple.com/kb/HT5130
CONFIRM http://support.apple.com/kb/HT5281
CONFIRM http://support.apple.com/kb/HT5501
CONFIRM https://blogs.oracle.com/sunsecurity/entry/multiple_vulnerabilities_in_fetchmail
CONFIRM http://support.apple.com/kb/HT6150
APPLE APPLE-SA-2011-10-12-1
APPLE APPLE-SA-2011-10-12-2
APPLE APPLE-SA-2012-02-01-1
APPLE APPLE-SA-2012-05-09-1
APPLE APPLE-SA-2012-07-25-2
APPLE APPLE-SA-2012-09-19-2
APPLE APPLE-SA-2013-10-22-3
GENTOO GLSA-201406-32
HP HPSBMU02742
HP SSRT100740
HP HPSBUX02730
HP SSRT100710
HP HPSBMU02900
MS MS12-006
REDHAT RHSA-2011:1384
REDHAT RHSA-2012:0006
REDHAT RHSA-2013:1455
SUSE SUSE-SU-2012:0114
SUSE SUSE-SU-2012:0122
SUSE openSUSE-SU-2012:0030
SUSE openSUSE-SU-2012:0063
UBUNTU USN-1263-1
CERT TA12-010A
CERT-VN VU#864643
BID 49388
BID 49778
OSVDB 74829
OVAL oval:org.mitre.oval:def:14752
SECTRACK 1025997
SECTRACK 1026103
SECTRACK 1029190
SECUNIA 45791
SECUNIA 49198
SECUNIA 48692
SECUNIA 48915
SECUNIA 48948
SECUNIA 55322
SECUNIA 55351
SECUNIA 55350