CVE-2011-4576

high

Description

The SSL 3.0 implementation in OpenSSL before 0.9.8s and 1.x before 1.0.0f does not properly initialize data structures for block cipher padding, which might allow remote attackers to obtain sensitive information by decrypting the padding data sent by an SSL peer.

References

http://www.openssl.org/news/secadv_20120104.txt

http://www.mandriva.com/security/advisories?name=MDVSA-2012:007

http://www.mandriva.com/security/advisories?name=MDVSA-2012:006

http://www.kb.cert.org/vuls/id/737740

http://www.debian.org/security/2012/dsa-2390

http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004564

http://support.apple.com/kb/HT5784

http://secunia.com/advisories/57353

http://secunia.com/advisories/55069

http://secunia.com/advisories/48528

http://rhn.redhat.com/errata/RHSA-2012-1308.html

http://rhn.redhat.com/errata/RHSA-2012-1307.html

http://rhn.redhat.com/errata/RHSA-2012-1306.html

http://marc.info/?l=bugtraq&m=134039053214295&w=2

http://marc.info/?l=bugtraq&m=133951357207000&w=2

http://marc.info/?l=bugtraq&m=132750648501816&w=2

http://lists.opensuse.org/opensuse-security-announce/2012-01/msg00018.html

http://lists.opensuse.org/opensuse-security-announce/2012-01/msg00017.html

http://lists.fedoraproject.org/pipermail/package-announce/2012-November/092905.html

http://lists.apple.com/archives/security-announce/2013/Jun/msg00000.html

http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03360041

http://aix.software.ibm.com/aix/efixes/security/openssl_advisory3.asc

Details

Source: Mitre, NVD

Published: 2012-01-06

Updated: 2016-08-23

Risk Information

CVSS v2

Base Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

Severity: Medium

CVSS v3

Base Score: 7.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Severity: High