CVE-2011-3389

Priority
Low
Description
The SSL protocol, as used in certain configurations in Microsoft Windows
and Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera, and
other products, encrypts data by using CBC mode with chained initialization
vectors, which allows man-in-the-middle attackers to obtain plaintext HTTP
headers via a blockwise chosen-boundary attack (BCBA) on an HTTPS session,
in conjunction with JavaScript code that uses (1) the HTML5 WebSocket API,
(2) the Java URLConnection API, or (3) the Silverlight WebClient API, aka a
"BEAST" attack.
Ubuntu-Description
Juliano Rizzo and Thai Duong discovered that the block-wise AES
encryption algorithm block-wise as used in TLS/SSL was vulnerable
to a chosen-plaintext attack. This could allow a remote attacker to
view confidential data.
References
Notes
mdeslaur> in natty+, NetX and the plugin moved to the icedtea-web package
jdstrand> this is not a lighttpd issue, however dsa-2368 disabled CBC ciphers
by default. Ignoring as this is a configuration issue.
sbeattie> openssl contains a countermeasure since openssl 0.9.8d,
though it can be disabled with the SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
option (which is included in SSL_OP_ALL). Need to search through
openssl user that enable the option.
tyhicks> All versions of gnutls in supported releases have TLS 1.1 and 1.2
support. TLS 1.1 and 1.2 are not affected by this attack. Upstream advised
applications to use 1.1 and 1.2 in GNUTLS-SA-2011-1. Additionally, DTLS 1.0
can be used or RC4 can be used with TLS 1.0 if TLS 1.1 or 1.2 are not viable
options.
jdstrand> arcticdog blog points out that users of SSL_OP_ALL should be updated
to use 'SSL_OP_ALL & ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS' to not be
vulnerable to this attack
mdeslaur> removing SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS will break
compatibility with certain SSL implementations, which is why it's
included in SSL_OP_ALL in the first place. Since the BEAST attack is only
practical in web browsers where you can run arbitrary code, and current
web browsers are already fixed, modifying other software in the archive
to enable the work around will break compatibility with no added security
benefit.
Assigned-to
sbeattie
Package
Upstream:needs-triage
Ubuntu 8.04 LTS (Hardy Heron):DNE
Ubuntu 10.04 LTS (Lucid Lynx):DNE
Ubuntu 11.10 (Oneiric Ocelot):released (7~b147-2.0-0ubuntu0.11.10.1)
Ubuntu 12.04 LTS (Precise Pangolin):released (7~b147-2.0-1ubuntu1)
Ubuntu 12.10 (Quantal Quetzal):released (7~b147-2.0-1ubuntu1)
Ubuntu 13.04 (Raring Ringtail):released (7~b147-2.0-1ubuntu1)
Package
Upstream:needs-triage
Ubuntu 8.04 LTS (Hardy Heron):released (6b27-1.12.3-0ubuntu1~08.04.1)
Ubuntu 10.04 LTS (Lucid Lynx):released (6b20-1.9.10-0ubuntu1~10.04.2)
Ubuntu 11.10 (Oneiric Ocelot):released (6b23~pre11-0ubuntu1.11.10)
Ubuntu 12.04 LTS (Precise Pangolin):not-affected (6b23~pre11-1ubuntu2)
Ubuntu 12.10 (Quantal Quetzal):not-affected (6b23~pre11-1ubuntu2)
Ubuntu 13.04 (Raring Ringtail):not-affected (6b23~pre11-1ubuntu2)
Package
Upstream:needs-triage
Ubuntu 8.04 LTS (Hardy Heron):DNE
Ubuntu 10.04 LTS (Lucid Lynx):released (6b18-1.8.10-0ubuntu1~10.04.2)
Ubuntu 11.10 (Oneiric Ocelot):ignored (superceded by openjdk-6)
Ubuntu 12.04 LTS (Precise Pangolin):DNE
Ubuntu 12.10 (Quantal Quetzal):DNE
Ubuntu 13.04 (Raring Ringtail):DNE
Package
Upstream:released (1.4.30-1)
Ubuntu 8.04 LTS (Hardy Heron):ignored (reached end-of-life)
Ubuntu 10.04 LTS (Lucid Lynx):ignored
Ubuntu 11.10 (Oneiric Ocelot):ignored
Ubuntu 12.04 LTS (Precise Pangolin):ignored
Ubuntu 12.10 (Quantal Quetzal):ignored
Ubuntu 13.04 (Raring Ringtail):ignored
Patches:
Vendor:http://www.debian.org/security/2011/dsa-2368
Package
Upstream:needs-triage
Ubuntu 8.04 LTS (Hardy Heron):ignored (upstream sun-java5 is EoL)
Ubuntu 10.04 LTS (Lucid Lynx):DNE
Ubuntu 11.10 (Oneiric Ocelot):DNE
Ubuntu 12.04 LTS (Precise Pangolin):DNE
Ubuntu 12.10 (Quantal Quetzal):DNE
Ubuntu 13.04 (Raring Ringtail):DNE
Package
Upstream:needs-triage
Ubuntu 8.04 LTS (Hardy Heron):ignored (reached end of life)
Ubuntu 10.04 LTS (Lucid Lynx):DNE (removed from archive)
Ubuntu 11.10 (Oneiric Ocelot):DNE
Ubuntu 12.04 LTS (Precise Pangolin):DNE
Ubuntu 12.10 (Quantal Quetzal):DNE
Ubuntu 13.04 (Raring Ringtail):DNE
Package
Upstream:needs-triage
Ubuntu 8.04 LTS (Hardy Heron):not-affected (countermeasure in place)
Ubuntu 10.04 LTS (Lucid Lynx):not-affected (countermeasure in place)
Ubuntu 11.10 (Oneiric Ocelot):not-affected (countermeasure in place)
Ubuntu 12.04 LTS (Precise Pangolin):not-affected (countermeasure in place)
Ubuntu 12.10 (Quantal Quetzal):not-affected (countermeasure in place)
Ubuntu 13.04 (Raring Ringtail):not-affected (countermeasure in place)
Package
Upstream:needs-triage
Ubuntu 8.04 LTS (Hardy Heron):DNE
Ubuntu 10.04 LTS (Lucid Lynx):not-affected
Ubuntu 11.10 (Oneiric Ocelot):not-affected
Ubuntu 12.04 LTS (Precise Pangolin):not-affected
Ubuntu 12.10 (Quantal Quetzal):not-affected
Ubuntu 13.04 (Raring Ringtail):not-affected
Package
Upstream:not-affected
Ubuntu 8.04 LTS (Hardy Heron):DNE
Ubuntu 10.04 LTS (Lucid Lynx):not-affected
Ubuntu 11.10 (Oneiric Ocelot):not-affected
Ubuntu 12.04 LTS (Precise Pangolin):not-affected
Ubuntu 12.10 (Quantal Quetzal):not-affected
Ubuntu 13.04 (Raring Ringtail):not-affected
More Information

Valid XHTML 1.0 Strict

Updated: 2013-05-09 16:15:25 UTC (commit 6825)