VID: 22533
Severity: 30
Port: 80, ...
Protocol: TCP
Class: WWW

Detailed Description:
According to its banner, the remote web server is running a version of OpenSSL 1.x that is earlier than 1.0.0e and is affected by the following vulnerabilities:
- An error exists in the internal certificate verification process that can allow improper acceptance of a certificate revocation list (CRL) if the list's 'nextUpdate' field contains a date in the past. Note that this internal CRL checking is not enabled by default. (CVE-2011-3207)
- An error exists in the code for the ephemeral (EC)DH ciphersuites that can allow a remote attacker to crash the process. (CVE-2011-3210)

References:
- http://openssl.org/news/secadv_20110906.txt
- http://www.openssl.org/news/changelog.html
- https://bugzilla.redhat.com/show_bug.cgi?id=736079
- https://bugzilla.redhat.com/show_bug.cgi?id=736087

Platforms Affected: OpenSSL 1.0.0 before 1.0.0e

Recommendation: Upgrade to the latest version of OpenSSL (1.0.0e or later)

Related URL: CVE-2011-3207, CVE-2011-3210 (CVE)
Related URL: 49469, 49471 (SecurityFocus)