CVE-2012-4930
Published: 15 September 2012
The SPDY protocol 3 and earlier, as used in Mozilla Firefox, Google Chrome, and other products, can perform TLS encryption of compressed data without properly obfuscating the length of the unencrypted data, which allows man-in-the-middle attackers to obtain plaintext HTTP headers by observing length differences during a series of guesses in which a string in an HTTP request potentially matches an unknown string in an HTTP header, aka a "CRIME" attack.
Notes
| Author | Note |
|---|---|
| jdstrand | Firefox 15 disables compression For SPDY to be used with OpenSSL in any way, NPN must be available in openssl. This was not introduced until 1.0.1. No patch for upstream OpenSSL. This may be considered a flaw in the applications using OpenSSL and not OpenSSL itself. |
Priority
Status
| Package | Release | Status |
|---|---|---|
|
chromium-browser Launchpad, Ubuntu, Debian |
hardy |
Does not exist
|
| lucid |
Released
(23.0.1271.97-0ubuntu0.10.04.1)
|
|
| natty |
Ignored
(end of life)
|
|
| oneiric |
Released
(23.0.1271.97-0ubuntu0.11.10.1)
|
|
| precise |
Released
(23.0.1271.97-0ubuntu0.12.04.1)
|
|
| quantal |
Not vulnerable
(22.0.1229.94~r161065-0ubuntu1)
|
|
| upstream |
Pending
(22)
|
|
|
firefox Launchpad, Ubuntu, Debian |
hardy |
Ignored
(end of life)
|
| lucid |
Not vulnerable
|
|
| natty |
Not vulnerable
|
|
| oneiric |
Not vulnerable
|
|
| precise |
Not vulnerable
|
|
| quantal |
Released
(15.0+build1-0ubuntu1)
|
|
| upstream |
Released
(15.0)
|
|
|
openssl Launchpad, Ubuntu, Debian |
hardy |
Not vulnerable
|
| lucid |
Not vulnerable
|
|
| natty |
Not vulnerable
|
|
| oneiric |
Not vulnerable
(1.0.0e-2ubuntu4.6)
|
|
| precise |
Ignored
|
|
| quantal |
Ignored
|
|
| upstream |
Needs triage
|
|
|
Patches: vendor: http://pkgs.fedoraproject.org/cgit/openssl.git/tree/openssl-0.9.8j-env-nozlib.patch?id=1d20b5f2 |
||
References
- https://community.qualys.com/blogs/securitylabs/2012/09/14/crime-information-leakage-attack-against-ssltls
- https://bugzilla.redhat.com/show_bug.cgi?id=857737
- http://www.theregister.co.uk/2012/09/14/crime_tls_attack/
- http://www.iacr.org/cryptodb/data/paper.php?pubkey=3091
- http://www.ekoparty.org/2012/thai-duong.php
- http://threatpost.com/en_us/blogs/crime-attack-uses-compression-ratio-tls-requests-side-channel-hijack-secure-sessions-091312
- http://isecpartners.com/blog/2012/9/14/details-on-the-crime-attack.html
- http://arstechnica.com/security/2012/09/crime-hijacks-https-sessions/
- https://www.cve.org/CVERecord?id=CVE-2012-4930
- NVD
- Launchpad
- Debian