CVE-2011-3389

2011-11-1600:00:00

ubuntu.com

0.009 Low

EPSS

Percentile

82.2%

JSON

The SSL protocol, as used in certain configurations in Microsoft Windows
and Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera, and
other products, encrypts data by using CBC mode with chained initialization
vectors, which allows man-in-the-middle attackers to obtain plaintext HTTP
headers via a blockwise chosen-boundary attack (BCBA) on an HTTPS session,
in conjunction with JavaScript code that uses (1) the HTML5 WebSocket API,
(2) the Java URLConnection API, or (3) the Silverlight WebClient API, aka a
“BEAST” attack.

Notes

Author	Note
mdeslaur	in natty+, NetX and the plugin moved to the icedtea-web package
jdstrand	this is not a lighttpd issue, however dsa-2368 disabled CBC ciphers by default. Ignoring as this is a configuration issue.
sbeattie	openssl contains a countermeasure since openssl 0.9.8d, though it can be disabled with the SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS option (which is included in SSL_OP_ALL). Need to search through openssl user that enable the option.
tyhicks	All versions of gnutls in supported releases have TLS 1.1 and 1.2 support. TLS 1.1 and 1.2 are not affected by this attack. Upstream advised applications to use 1.1 and 1.2 in GNUTLS-SA-2011-1. Additionally, DTLS 1.0 can be used or RC4 can be used with TLS 1.0 if TLS 1.1 or 1.2 are not viable options.
jdstrand	arcticdog blog points out that users of SSL_OP_ALL should be updated to use ‘SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS’ to not be vulnerable to this attack
mdeslaur	removing SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS will break compatibility with certain SSL implementations, which is why it’s included in SSL_OP_ALL in the first place. Since the BEAST attack is only practical in web browsers where you can run arbitrary code, and current web browsers are already fixed, modifying other software in the archive to enable the work around will break compatibility with no added security benefit.

OSVersionArchitecturePackageVersionFilename
ubuntu8.04noarchopenjdk-6< 6b27-1.12.3-0ubuntu1~08.04.1UNKNOWN
ubuntu10.04noarchopenjdk-6< 6b20-1.9.10-0ubuntu1~10.04.2UNKNOWN
ubuntu10.10noarchopenjdk-6< 6b20-1.9.10-0ubuntu1~10.10.2UNKNOWN
ubuntu11.04noarchopenjdk-6< 6b22-1.10.4-0ubuntu1~11.04.1UNKNOWN
ubuntu11.10noarchopenjdk-6< 6b23~pre11-0ubuntu1.11.10UNKNOWN
ubuntu10.04noarchopenjdk-6b18< 6b18-1.8.10-0ubuntu1~10.04.2UNKNOWN
ubuntu10.10noarchopenjdk-6b18< 6b18-1.8.10-0ubuntu1~10.10.2UNKNOWN
ubuntu11.04noarchopenjdk-6b18< 6b18-1.8.10-0ubuntu1~11.04.1UNKNOWN
ubuntu11.10noarchopenjdk-7< 7~b147-2.0-0ubuntu0.11.10.1UNKNOWN
ubuntu12.04noarchopenjdk-7< 7~b147-2.0-1ubuntu1UNKNOWN

OS	Version	Architecture	Package	Version	Filename
ubuntu	8.04	noarch	openjdk-6	< 6b27-1.12.3-0ubuntu1~08.04.1	UNKNOWN
ubuntu	10.04	noarch	openjdk-6	< 6b20-1.9.10-0ubuntu1~10.04.2	UNKNOWN
ubuntu	10.10	noarch	openjdk-6	< 6b20-1.9.10-0ubuntu1~10.10.2	UNKNOWN
ubuntu	11.04	noarch	openjdk-6	< 6b22-1.10.4-0ubuntu1~11.04.1	UNKNOWN
ubuntu	11.10	noarch	openjdk-6	< 6b23~pre11-0ubuntu1.11.10	UNKNOWN
ubuntu	10.04	noarch	openjdk-6b18	< 6b18-1.8.10-0ubuntu1~10.04.2	UNKNOWN
ubuntu	10.10	noarch	openjdk-6b18	< 6b18-1.8.10-0ubuntu1~10.10.2	UNKNOWN
ubuntu	11.04	noarch	openjdk-6b18	< 6b18-1.8.10-0ubuntu1~11.04.1	UNKNOWN
ubuntu	11.10	noarch	openjdk-7	< 7~b147-2.0-0ubuntu0.11.10.1	UNKNOWN
ubuntu	12.04	noarch	openjdk-7	< 7~b147-2.0-1ubuntu1	UNKNOWN