VID |
22508 |
Severity |
30 |
Port |
80, ... |
Protocol |
TCP |
Class |
WWW |
Detailed Description |
According to its banner, the remote web server is running a version of OpenSSL older than 0.9.8q or 1.0.0c. Such versions are potentially affected by multiple vulnerabilities:
- It may be possible to downgrade the ciphersuite to a weaker one by modifying the ciphersuite stored in the session cache.
- An error exists in the J-PAKE implementation that could lead to successful validation by someone with no knowledge of the shared secret.
* References: http://www.openssl.org/news/secadv_20101202.txt, http://seb.dbzteam.org/crypto/jpake-session-key-retrieval.pdf |
Recommendation |
Upgrade to the latest version of OpenSSL (0.9.8q / 1.0.0c or later) |
Related URL |
CVE-2010-4180, CVE-2010-4252 (CVE) |
Related URL |
45163, 45164 (SecurityFocus) |
Related URL |
(ISS) |