VID |
22565 |
Severity |
40 |
Port |
80, ... |
Protocol |
TCP |
Class |
WWW |
Detailed Description |
According to its banner, the remote web server uses a version of OpenSSL older than 1.0.1d, 1.0.0k, or 0.9.8y. Such versions may be affected by the following vulnerabilities:
- An error exists related to AES-NI, TLS 1.1, TLS 1.2 and the handling of CBC ciphersuites that could allow denial of service attacks. (CVE-2012-2686)
- An error exists related to the handling of OCSP response verification that could allow denial of service attacks. (CVE-2013-0166)
- An error exists related to the SSL/TLS/DTLS protocols, CBC mode encryption and response time. An attacker could obtain plaintext contents of encrypted traffic via timing attacks. (CVE-2013-0169)
* References: http://www.openssl.org/news/secadv_20130205.txt
* Platforms Affected: OpenSSL prior to 1.0.1d, 1.0.0k, or 0.9.8y; Linux Any version; Unix Any version; Microsoft Windows Any version |
Recommendation |
Upgrade to the latest version of OpenSSL (1.0.1d, 1.0.0k, 0.9.8y or later), available from the OpenSSL Web site at http://www.openssl.org/ |
Related URL |
CVE-2012-2686, CVE-2013-0166, CVE-2013-0169 (CVE) |
Related URL |
57755, 57778 (SecurityFocus) |
Related URL |
(ISS) |
|