cvelistv5 - cve-2014-0626

cve-2014-0626

Vulnerability from cvelistv5

Published

2014-02-18 00:00

Modified

2024-08-06 09:20

Severity ?

Summary

References

▼	URL	Tags
	security_alert@emc.com	http://archives.neohapsis.com/archives/bugtraq/2014-02/0061.html
	af854a3a-2127-422b-91ae-364da2661108	http://archives.neohapsis.com/archives/bugtraq/2014-02/0061.html

Impacted products

	Vendor	Product	Version
	n/a	n/a	Version: n/a

Show details on NVD website

JSON

To clipboard

{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-06T09:20:19.775Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  name: "20140214 ESA-2014-009: RSA BSAFE SSL-J Multiple Vulnerabilities",
                  tags: [
                     "mailing-list",
                     "x_refsource_BUGTRAQ",
                     "x_transferred",
                  ],
                  url: "http://archives.neohapsis.com/archives/bugtraq/2014-02/0061.html",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "n/a",
               vendor: "n/a",
               versions: [
                  {
                     status: "affected",
                     version: "n/a",
                  },
               ],
            },
         ],
         datePublic: "2014-02-14T00:00:00",
         descriptions: [
            {
               lang: "en",
               value: "The (1) JSAFE and (2) JSSE APIs in EMC RSA BSAFE SSL-J 5.x before 5.1.3 and 6.x before 6.0.2 make it easier for remote attackers to bypass intended cryptographic protection mechanisms by triggering application-data processing during the TLS handshake, a time at which the data is both unencrypted and unauthenticated.",
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     description: "n/a",
                     lang: "en",
                     type: "text",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2014-02-18T00:57:01",
            orgId: "c550e75a-17ff-4988-97f0-544cde3820fe",
            shortName: "dell",
         },
         references: [
            {
               name: "20140214 ESA-2014-009: RSA BSAFE SSL-J Multiple Vulnerabilities",
               tags: [
                  "mailing-list",
                  "x_refsource_BUGTRAQ",
               ],
               url: "http://archives.neohapsis.com/archives/bugtraq/2014-02/0061.html",
            },
         ],
         x_legacyV4Record: {
            CVE_data_meta: {
               ASSIGNER: "security_alert@emc.com",
               ID: "CVE-2014-0626",
               STATE: "PUBLIC",
            },
            affects: {
               vendor: {
                  vendor_data: [
                     {
                        product: {
                           product_data: [
                              {
                                 product_name: "n/a",
                                 version: {
                                    version_data: [
                                       {
                                          version_value: "n/a",
                                       },
                                    ],
                                 },
                              },
                           ],
                        },
                        vendor_name: "n/a",
                     },
                  ],
               },
            },
            data_format: "MITRE",
            data_type: "CVE",
            data_version: "4.0",
            description: {
               description_data: [
                  {
                     lang: "eng",
                     value: "The (1) JSAFE and (2) JSSE APIs in EMC RSA BSAFE SSL-J 5.x before 5.1.3 and 6.x before 6.0.2 make it easier for remote attackers to bypass intended cryptographic protection mechanisms by triggering application-data processing during the TLS handshake, a time at which the data is both unencrypted and unauthenticated.",
                  },
               ],
            },
            problemtype: {
               problemtype_data: [
                  {
                     description: [
                        {
                           lang: "eng",
                           value: "n/a",
                        },
                     ],
                  },
               ],
            },
            references: {
               reference_data: [
                  {
                     name: "20140214 ESA-2014-009: RSA BSAFE SSL-J Multiple Vulnerabilities",
                     refsource: "BUGTRAQ",
                     url: "http://archives.neohapsis.com/archives/bugtraq/2014-02/0061.html",
                  },
               ],
            },
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "c550e75a-17ff-4988-97f0-544cde3820fe",
      assignerShortName: "dell",
      cveId: "CVE-2014-0626",
      datePublished: "2014-02-18T00:00:00",
      dateReserved: "2014-01-02T00:00:00",
      dateUpdated: "2024-08-06T09:20:19.775Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
   "vulnerability-lookup:meta": {
      fkie_nvd: {
         configurations: "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:dell:bsafe_ssl-j:5.1.2:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"314CC197-7A5B-490E-BCA4-DCFFDC32A50F\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:dell:bsafe_ssl-j:6.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"514F2922-83FA-4A51-BA74-A17175643BE6\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:emc:rsa_bsafe_ssl-j:5.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"8B160FFB-EF0D-4D7B-9810-3D7728FB0B4C\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:emc:rsa_bsafe_ssl-j:5.1.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"384C4C01-A2CF-4241-97D2-C379F4351DD0\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:emc:rsa_bsafe_ssl-j:5.1.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"AB1CF0F5-828F-405C-B8E8-D7F8AD15BEF6\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:emc:rsa_bsafe_ssl-j:6.0.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"CBF5DF8B-B891-4291-A5C2-91C2C2525F53\"}]}]}]",
         descriptions: "[{\"lang\": \"en\", \"value\": \"The (1) JSAFE and (2) JSSE APIs in EMC RSA BSAFE SSL-J 5.x before 5.1.3 and 6.x before 6.0.2 make it easier for remote attackers to bypass intended cryptographic protection mechanisms by triggering application-data processing during the TLS handshake, a time at which the data is both unencrypted and unauthenticated.\"}, {\"lang\": \"es\", \"value\": \"Las APIs (1) JSAFE y (2) JSSE en EMC RSA BSAFE SSL-J 5.x anterior a 5.1.3 y 6.x anterior a 6.0.2 facilitan a atacantes remotos evadir mecanismos de protecci\\u00f3n criptogr\\u00e1fica mediante el aprovechamiento del procesamiento de datos de la aplicaci\\u00f3n durante el handshake de TLS, en el momento cuando los datos no est\\u00e1n cifrados ni autenticados.\"}]",
         id: "CVE-2014-0626",
         lastModified: "2024-11-21T02:02:31.507",
         metrics: "{\"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:L/Au:N/C:P/I:N/A:N\", \"baseScore\": 5.0, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"LOW\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 10.0, \"impactScore\": 2.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
         published: "2014-02-18T00:55:05.173",
         references: "[{\"url\": \"http://archives.neohapsis.com/archives/bugtraq/2014-02/0061.html\", \"source\": \"security_alert@emc.com\"}, {\"url\": \"http://archives.neohapsis.com/archives/bugtraq/2014-02/0061.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}]",
         sourceIdentifier: "security_alert@emc.com",
         vulnStatus: "Modified",
         weaknesses: "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-310\"}]}]",
      },
      nvd: "{\"cve\":{\"id\":\"CVE-2014-0626\",\"sourceIdentifier\":\"security_alert@emc.com\",\"published\":\"2014-02-18T00:55:05.173\",\"lastModified\":\"2024-11-21T02:02:31.507\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The (1) JSAFE and (2) JSSE APIs in EMC RSA BSAFE SSL-J 5.x before 5.1.3 and 6.x before 6.0.2 make it easier for remote attackers to bypass intended cryptographic protection mechanisms by triggering application-data processing during the TLS handshake, a time at which the data is both unencrypted and unauthenticated.\"},{\"lang\":\"es\",\"value\":\"Las APIs (1) JSAFE y (2) JSSE en EMC RSA BSAFE SSL-J 5.x anterior a 5.1.3 y 6.x anterior a 6.0.2 facilitan a atacantes remotos evadir mecanismos de protección criptográfica mediante el aprovechamiento del procesamiento de datos de la aplicación durante el handshake de TLS, en el momento cuando los datos no están cifrados ni autenticados.\"}],\"metrics\":{\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:P/I:N/A:N\",\"baseScore\":5.0,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":10.0,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-310\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:dell:bsafe_ssl-j:5.1.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"314CC197-7A5B-490E-BCA4-DCFFDC32A50F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:dell:bsafe_ssl-j:6.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"514F2922-83FA-4A51-BA74-A17175643BE6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:emc:rsa_bsafe_ssl-j:5.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"8B160FFB-EF0D-4D7B-9810-3D7728FB0B4C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:emc:rsa_bsafe_ssl-j:5.1.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"384C4C01-A2CF-4241-97D2-C379F4351DD0\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:emc:rsa_bsafe_ssl-j:5.1.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"AB1CF0F5-828F-405C-B8E8-D7F8AD15BEF6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:emc:rsa_bsafe_ssl-j:6.0.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"CBF5DF8B-B891-4291-A5C2-91C2C2525F53\"}]}]}],\"references\":[{\"url\":\"http://archives.neohapsis.com/archives/bugtraq/2014-02/0061.html\",\"source\":\"security_alert@emc.com\"},{\"url\":\"http://archives.neohapsis.com/archives/bugtraq/2014-02/0061.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}",
   },
}

fkie_cve-2014-0626

Vulnerability from fkie_nvd

Published

2014-02-18 00:55

Modified

2024-11-21 02:02

Severity ?

Summary

References

▼	URL	Tags
	security_alert@emc.com	http://archives.neohapsis.com/archives/bugtraq/2014-02/0061.html
	af854a3a-2127-422b-91ae-364da2661108	http://archives.neohapsis.com/archives/bugtraq/2014-02/0061.html

Impacted products

Vendor	Product	Version
dell	bsafe_ssl-j	5.1.2
dell	bsafe_ssl-j	6.0
emc	rsa_bsafe_ssl-j	5.0
emc	rsa_bsafe_ssl-j	5.1.0
emc	rsa_bsafe_ssl-j	5.1.1
emc	rsa_bsafe_ssl-j	6.0.1

JSON

To clipboard

{
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:dell:bsafe_ssl-j:5.1.2:*:*:*:*:*:*:*",
                     matchCriteriaId: "314CC197-7A5B-490E-BCA4-DCFFDC32A50F",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:dell:bsafe_ssl-j:6.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "514F2922-83FA-4A51-BA74-A17175643BE6",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:emc:rsa_bsafe_ssl-j:5.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "8B160FFB-EF0D-4D7B-9810-3D7728FB0B4C",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:emc:rsa_bsafe_ssl-j:5.1.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "384C4C01-A2CF-4241-97D2-C379F4351DD0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:emc:rsa_bsafe_ssl-j:5.1.1:*:*:*:*:*:*:*",
                     matchCriteriaId: "AB1CF0F5-828F-405C-B8E8-D7F8AD15BEF6",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:emc:rsa_bsafe_ssl-j:6.0.1:*:*:*:*:*:*:*",
                     matchCriteriaId: "CBF5DF8B-B891-4291-A5C2-91C2C2525F53",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
   ],
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "The (1) JSAFE and (2) JSSE APIs in EMC RSA BSAFE SSL-J 5.x before 5.1.3 and 6.x before 6.0.2 make it easier for remote attackers to bypass intended cryptographic protection mechanisms by triggering application-data processing during the TLS handshake, a time at which the data is both unencrypted and unauthenticated.",
      },
      {
         lang: "es",
         value: "Las APIs (1) JSAFE y (2) JSSE en EMC RSA BSAFE SSL-J 5.x anterior a 5.1.3 y 6.x anterior a 6.0.2 facilitan a atacantes remotos evadir mecanismos de protección criptográfica mediante el aprovechamiento del procesamiento de datos de la aplicación durante el handshake de TLS, en el momento cuando los datos no están cifrados ni autenticados.",
      },
   ],
   id: "CVE-2014-0626",
   lastModified: "2024-11-21T02:02:31.507",
   metrics: {
      cvssMetricV2: [
         {
            acInsufInfo: false,
            baseSeverity: "MEDIUM",
            cvssData: {
               accessComplexity: "LOW",
               accessVector: "NETWORK",
               authentication: "NONE",
               availabilityImpact: "NONE",
               baseScore: 5,
               confidentialityImpact: "PARTIAL",
               integrityImpact: "NONE",
               vectorString: "AV:N/AC:L/Au:N/C:P/I:N/A:N",
               version: "2.0",
            },
            exploitabilityScore: 10,
            impactScore: 2.9,
            obtainAllPrivilege: false,
            obtainOtherPrivilege: false,
            obtainUserPrivilege: false,
            source: "nvd@nist.gov",
            type: "Primary",
            userInteractionRequired: false,
         },
      ],
   },
   published: "2014-02-18T00:55:05.173",
   references: [
      {
         source: "security_alert@emc.com",
         url: "http://archives.neohapsis.com/archives/bugtraq/2014-02/0061.html",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "http://archives.neohapsis.com/archives/bugtraq/2014-02/0061.html",
      },
   ],
   sourceIdentifier: "security_alert@emc.com",
   vulnStatus: "Modified",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-310",
            },
         ],
         source: "nvd@nist.gov",
         type: "Primary",
      },
   ],
}

gsd-2014-0626

Vulnerability from gsd

Modified

2023-12-13 01:22

Details

Aliases

CVE-2014-0626

Aliases

CVE-2014-0626

JSON

To clipboard

{
   GSD: {
      alias: "CVE-2014-0626",
      description: "The (1) JSAFE and (2) JSSE APIs in EMC RSA BSAFE SSL-J 5.x before 5.1.3 and 6.x before 6.0.2 make it easier for remote attackers to bypass intended cryptographic protection mechanisms by triggering application-data processing during the TLS handshake, a time at which the data is both unencrypted and unauthenticated.",
      id: "GSD-2014-0626",
   },
   gsd: {
      metadata: {
         exploitCode: "unknown",
         remediation: "unknown",
         reportConfidence: "confirmed",
         type: "vulnerability",
      },
      osvSchema: {
         aliases: [
            "CVE-2014-0626",
         ],
         details: "The (1) JSAFE and (2) JSSE APIs in EMC RSA BSAFE SSL-J 5.x before 5.1.3 and 6.x before 6.0.2 make it easier for remote attackers to bypass intended cryptographic protection mechanisms by triggering application-data processing during the TLS handshake, a time at which the data is both unencrypted and unauthenticated.",
         id: "GSD-2014-0626",
         modified: "2023-12-13T01:22:44.205678Z",
         schema_version: "1.4.0",
      },
   },
   namespaces: {
      "cve.org": {
         CVE_data_meta: {
            ASSIGNER: "security_alert@emc.com",
            ID: "CVE-2014-0626",
            STATE: "PUBLIC",
         },
         affects: {
            vendor: {
               vendor_data: [
                  {
                     product: {
                        product_data: [
                           {
                              product_name: "n/a",
                              version: {
                                 version_data: [
                                    {
                                       version_value: "n/a",
                                    },
                                 ],
                              },
                           },
                        ],
                     },
                     vendor_name: "n/a",
                  },
               ],
            },
         },
         data_format: "MITRE",
         data_type: "CVE",
         data_version: "4.0",
         description: {
            description_data: [
               {
                  lang: "eng",
                  value: "The (1) JSAFE and (2) JSSE APIs in EMC RSA BSAFE SSL-J 5.x before 5.1.3 and 6.x before 6.0.2 make it easier for remote attackers to bypass intended cryptographic protection mechanisms by triggering application-data processing during the TLS handshake, a time at which the data is both unencrypted and unauthenticated.",
               },
            ],
         },
         problemtype: {
            problemtype_data: [
               {
                  description: [
                     {
                        lang: "eng",
                        value: "n/a",
                     },
                  ],
               },
            ],
         },
         references: {
            reference_data: [
               {
                  name: "20140214 ESA-2014-009: RSA BSAFE SSL-J Multiple Vulnerabilities",
                  refsource: "BUGTRAQ",
                  url: "http://archives.neohapsis.com/archives/bugtraq/2014-02/0061.html",
               },
            ],
         },
      },
      "nvd.nist.gov": {
         configurations: {
            CVE_data_version: "4.0",
            nodes: [
               {
                  children: [],
                  cpe_match: [
                     {
                        cpe23Uri: "cpe:2.3:a:dell:bsafe_ssl-j:6.0:*:*:*:*:*:*:*",
                        cpe_name: [],
                        vulnerable: true,
                     },
                     {
                        cpe23Uri: "cpe:2.3:a:emc:rsa_bsafe_ssl-j:5.0:*:*:*:*:*:*:*",
                        cpe_name: [],
                        vulnerable: true,
                     },
                     {
                        cpe23Uri: "cpe:2.3:a:emc:rsa_bsafe_ssl-j:5.1.0:*:*:*:*:*:*:*",
                        cpe_name: [],
                        vulnerable: true,
                     },
                     {
                        cpe23Uri: "cpe:2.3:a:emc:rsa_bsafe_ssl-j:5.1.1:*:*:*:*:*:*:*",
                        cpe_name: [],
                        vulnerable: true,
                     },
                     {
                        cpe23Uri: "cpe:2.3:a:dell:bsafe_ssl-j:5.1.2:*:*:*:*:*:*:*",
                        cpe_name: [],
                        vulnerable: true,
                     },
                     {
                        cpe23Uri: "cpe:2.3:a:emc:rsa_bsafe_ssl-j:6.0.1:*:*:*:*:*:*:*",
                        cpe_name: [],
                        vulnerable: true,
                     },
                  ],
                  operator: "OR",
               },
            ],
         },
         cve: {
            CVE_data_meta: {
               ASSIGNER: "secure@dell.com",
               ID: "CVE-2014-0626",
            },
            data_format: "MITRE",
            data_type: "CVE",
            data_version: "4.0",
            description: {
               description_data: [
                  {
                     lang: "en",
                     value: "The (1) JSAFE and (2) JSSE APIs in EMC RSA BSAFE SSL-J 5.x before 5.1.3 and 6.x before 6.0.2 make it easier for remote attackers to bypass intended cryptographic protection mechanisms by triggering application-data processing during the TLS handshake, a time at which the data is both unencrypted and unauthenticated.",
                  },
               ],
            },
            problemtype: {
               problemtype_data: [
                  {
                     description: [
                        {
                           lang: "en",
                           value: "CWE-310",
                        },
                     ],
                  },
               ],
            },
            references: {
               reference_data: [
                  {
                     name: "20140214 ESA-2014-009: RSA BSAFE SSL-J Multiple Vulnerabilities",
                     refsource: "BUGTRAQ",
                     tags: [],
                     url: "http://archives.neohapsis.com/archives/bugtraq/2014-02/0061.html",
                  },
               ],
            },
         },
         impact: {
            baseMetricV2: {
               cvssV2: {
                  accessComplexity: "LOW",
                  accessVector: "NETWORK",
                  authentication: "NONE",
                  availabilityImpact: "NONE",
                  baseScore: 5,
                  confidentialityImpact: "PARTIAL",
                  integrityImpact: "NONE",
                  vectorString: "AV:N/AC:L/Au:N/C:P/I:N/A:N",
                  version: "2.0",
               },
               exploitabilityScore: 10,
               impactScore: 2.9,
               obtainAllPrivilege: false,
               obtainOtherPrivilege: false,
               obtainUserPrivilege: false,
               severity: "MEDIUM",
               userInteractionRequired: false,
            },
         },
         lastModifiedDate: "2021-12-09T18:31Z",
         publishedDate: "2014-02-18T00:55Z",
      },
   },
}

The (1) JSAFE and (2) JSSE APIs in EMC RSA BSAFE SSL-J 5.x before 5.1.3 and 6.x before 6.0.2 make it easier for remote attackers to bypass intended cryptographic protection mechanisms by triggering application-data processing during the TLS handshake, a time at which the data is both unencrypted and unauthenticated. RSA BSAFE SSL-J is prone to an information-disclosure vulnerability Attackers can exploit this issue to obtain sensitive information that may aid in launching further attacks. Versions prior to RSA BSAFE SSL-J 5.1.3, 6.0.2 and 6.1.1 are vulnerable. EMC RSA BSAFE is a security software product of American EMC Corporation. The product supports encryption algorithms, certificate chain verification, and Transport Layer Security (TLS) cipher suites, etc., to help users achieve various security goals for their applications. A remote attacker could exploit this vulnerability to bypass established encryption protection mechanisms. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1

ESA-2014-009: RSA BSAFE\xae SSL-J Multiple Vulnerabilities

EMC Identifier: ESA-2014-009

CVE Identifier: CVE-2011-1473, CVE-2014-0625, CVE-2014-0626, CVE-2014-0627

Severity Rating: CVSS v2 Base Score: See below for individual scores

Affected Products: All versions of RSA BSAFE SSL-J (SSL-J) 5.x, SSL-J 6.0

Unaffected Products: SSL-J 5.1.3, 6.0.2 and 6.1.x

Summary: SSL-J 6.1.x, 6.0.2 and 5.1.3 contain updates designed to prevent multiple potential security vulnerabilities. Addressed issues include: 1. SSL/TLS Renegotiation Denial of Service Vulnerability (CVE-2011-1473) 2. SSLEngine API Information Disclosure Vulnerability (CVE-2014-0627) 3. SSL-J JSAFE and JSSE API Information Disclosure Vulnerability (CVE-2014-0626) 4. SSLSocket Denial of Service Vulnerability (CVE-2014-0625)

Details: SSL/TLS Renegotiation Denial of Service Vulnerability (CVE-2011-1473) An application that does not properly restrict client-initiated renegotiation within the SSL and TLS protocols could be vulnerable to a denial of service (CPU consumption) from remote attackers that perform many renegotiations within a single connection. See http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-1473 for more information.

SSL-J 6.1.x, 6.0.2 and 5.1.3 are designed to include a patch to determine the number of renegotiations that have been initiated by each SSL/TLS client for each connection, and to help ensure that the server can set a limit on renegotiation requests.

CVSS v2 Base Score:5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)

SSLEngine API Information Disclosure Vulnerability (CVE-2014-0627) When the SSL-J implementation of the SSLEngine API is used, it is possible for Application Data to be sent using the \x93wrap\x94 method, after sending the Finished message. However at this time, when the initial handshake is either an abbreviated handshake in server mode or a full handshake in client mode, the handshake is incomplete because the peer\x92s Finished message has not been received. This can occur for both the TLS client and server. The Application Data that is sent in this manner could be vulnerable to an attacker forcing the use of a weak cipher suite (if weak cipher suites are enabled). This Application Data is indistinguishable from data received after the completion of the handshake. This applies to the SSL-J JSAFE and JSSE APIs.

CVSS v2 Base Score: 4.0 (AV:N/AC:H/Au:N/C:P/I:P/A:N)

SSLSocket Denial of Service Vulnerability (CVE-2014-0625) If SSLSocket (from both the JSAFE and JSSE APIs) is used, Application Data that is received while a handshake is in progress is placed in an internal buffer. This buffer can grow and use up large amounts of memory.

CVSS v2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P)

Recommendation: RSA recommends that customers on SSL-J 5.1.x or lower upgrade to SSL-J 5.1.3, 6.0.2 or 6.1.1. RSA recommends that customers on SSL-J 6.0 upgrade to SSL-J 6.0.2 or 6.1.1. The patch to address CVE-2011-1473 is only applicable on the server side.

Obtaining Downloads: To request your upgrade of the software, please call your local support telephone number (contact phone numbers are available at http://www.emc.com/support/rsa/contact/phone-numbers.htm) for most expedient service.

Obtaining Documentation: To obtain RSA documentation, log on to RSA SecurCare Online at https://knowledge.rsasecurity.com and click Products in the top navigation menu. Select the specific product whose documentation you want to obtain. Scroll to the section for the product version that you want and click the set link.

Severity Rating: For an explanation of Severity Ratings, refer to the Knowledge Base Article, \x93Security Advisories Severity Rating\x94 at https://knowledge.rsasecurity.com/scolcms/knowledge.aspx?solution=a46604. RSA recommends all customers take into account both the base score and any relevant temporal and environmental scores which may impact the potential severity associated with particular security vulnerability.

Obtaining More Information: For more information about RSA products, visit the RSA web site at http://www.rsa.com.

Getting Support and Service: For customers with current maintenance contracts, contact your local RSA Customer Support center with any additional questions regarding this RSA SecurCare Note. For contact telephone numbers or e-mail addresses, log on to RSA SecurCare Online at https://knowledge.rsasecurity.com, click Help & Contact, and then click the Contact Us - Phone tab or the Contact Us - Email tab.

General Customer Support Information: http://www.emc.com/support/rsa/index.htm

RSA SecurCare Online: https://knowledge.rsasecurity.com

EOPS Policy: RSA has a defined End of Primary Support policy associated with all major versions. Please refer to the link below for additional details. http://www.emc.com/support/rsa/eops/index.htm

SecurCare Online Security Advisories RSA, The Security Division of EMC, distributes SCOL Security Advisories in order to bring to the attention of users of the affected RSA products important security information. RSA recommends that all users determine the applicability of this information to their individual situations and take appropriate action. The information set forth herein is provided "as is" without warranty of any kind. RSA disclaim all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall RSA or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if RSA or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

About RSA SecurCare Notes & Security Advisories Subscription RSA SecurCare Notes & Security Advisories are targeted e-mail messages that RSA sends you based on the RSA product family you currently use. If you\x92d like to stop receiving RSA SecurCare Notes & Security Advisories, or if you\x92d like to change which RSA product family Notes & Security Advisories you currently receive, log on to RSA SecurCare Online at https://knowledge.rsasecurity.com/scolcms/help.aspx?_v=view3. Following the instructions on the page, remove the check mark next to the RSA product family whose Notes & Security Advisories you no longer want to receive. Click the Submit button to save your selection.

Sincerely, RSA Customer Support -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.13 (Cygwin)

iEYEARECAAYFAlL+J8kACgkQtjd2rKp+ALx9YACdGPsy/gb0z9h5Dpz7vRtn19Gg iboAn2FBLI5QgwQNSzHY3t0Abc38c3tp =DDww -----END PGP SIGNATURE-----

Show details on source website

JSON

To clipboard

{
   "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
      affected_products: {
         "@id": "https://www.variotdbs.pl/ref/affected_products",
      },
      configurations: {
         "@id": "https://www.variotdbs.pl/ref/configurations",
      },
      credits: {
         "@id": "https://www.variotdbs.pl/ref/credits",
      },
      cvss: {
         "@id": "https://www.variotdbs.pl/ref/cvss/",
      },
      description: {
         "@id": "https://www.variotdbs.pl/ref/description/",
      },
      exploit_availability: {
         "@id": "https://www.variotdbs.pl/ref/exploit_availability/",
      },
      external_ids: {
         "@id": "https://www.variotdbs.pl/ref/external_ids/",
      },
      iot: {
         "@id": "https://www.variotdbs.pl/ref/iot/",
      },
      iot_taxonomy: {
         "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/",
      },
      patch: {
         "@id": "https://www.variotdbs.pl/ref/patch/",
      },
      problemtype_data: {
         "@id": "https://www.variotdbs.pl/ref/problemtype_data/",
      },
      references: {
         "@id": "https://www.variotdbs.pl/ref/references/",
      },
      sources: {
         "@id": "https://www.variotdbs.pl/ref/sources/",
      },
      sources_release_date: {
         "@id": "https://www.variotdbs.pl/ref/sources_release_date/",
      },
      sources_update_date: {
         "@id": "https://www.variotdbs.pl/ref/sources_update_date/",
      },
      threat_type: {
         "@id": "https://www.variotdbs.pl/ref/threat_type/",
      },
      title: {
         "@id": "https://www.variotdbs.pl/ref/title/",
      },
      type: {
         "@id": "https://www.variotdbs.pl/ref/type/",
      },
   },
   "@id": "https://www.variotdbs.pl/vuln/VAR-201402-0433",
   affected_products: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
         data: {
            "@container": "@list",
         },
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
            "@id": "https://www.variotdbs.pl/ref/sources",
         },
      },
      data: [
         {
            model: "rsa bsafe ssl-j",
            scope: "eq",
            trust: 1.9,
            vendor: "emc",
            version: "6.0.1",
         },
         {
            model: "rsa bsafe ssl-j",
            scope: "eq",
            trust: 1.9,
            vendor: "emc",
            version: "5.1.1",
         },
         {
            model: "rsa bsafe ssl-j",
            scope: "eq",
            trust: 1.6,
            vendor: "emc",
            version: "5.1.0",
         },
         {
            model: "rsa bsafe ssl-j",
            scope: "eq",
            trust: 1.6,
            vendor: "emc",
            version: "5.0",
         },
         {
            model: "bsafe ssl-j",
            scope: "eq",
            trust: 1,
            vendor: "dell",
            version: "6.0",
         },
         {
            model: "bsafe ssl-j",
            scope: "eq",
            trust: 1,
            vendor: "dell",
            version: "5.1.2",
         },
         {
            model: "rsa bsafe ssl-j",
            scope: "eq",
            trust: 0.9,
            vendor: "emc",
            version: "6.0",
         },
         {
            model: "rsa bsafe ssl-j",
            scope: "eq",
            trust: 0.9,
            vendor: "emc",
            version: "5.1.2",
         },
         {
            model: "ucosminexus service architect",
            scope: null,
            trust: 0.8,
            vendor: "hitachi",
            version: null,
         },
         {
            model: "rsa bsafe ssl-j",
            scope: "eq",
            trust: 0.8,
            vendor: "dell emc old emc",
            version: "5.1.3",
         },
         {
            model: "ucosminexus primary server",
            scope: "eq",
            trust: 0.8,
            vendor: "hitachi",
            version: "base",
         },
         {
            model: "ucosminexus service platform",
            scope: null,
            trust: 0.8,
            vendor: "hitachi",
            version: null,
         },
         {
            model: "rsa bsafe ssl-j",
            scope: "eq",
            trust: 0.8,
            vendor: "dell emc old emc",
            version: "6.0.2",
         },
         {
            model: "cosminexus developer's kit for java",
            scope: null,
            trust: 0.8,
            vendor: "hitachi",
            version: null,
         },
         {
            model: "ucosminexus client",
            scope: null,
            trust: 0.8,
            vendor: "hitachi",
            version: null,
         },
         {
            model: "ucosminexus developer",
            scope: null,
            trust: 0.8,
            vendor: "hitachi",
            version: null,
         },
         {
            model: "ucosminexus operator",
            scope: "eq",
            trust: 0.8,
            vendor: "hitachi",
            version: "for service platform",
         },
         {
            model: "rsa bsafe ssl-j",
            scope: "lt",
            trust: 0.8,
            vendor: "dell emc old emc",
            version: "5.x",
         },
         {
            model: "ucosminexus application server",
            scope: "eq",
            trust: 0.8,
            vendor: "hitachi",
            version: "none",
         },
         {
            model: "ucosminexus application server",
            scope: "eq",
            trust: 0.8,
            vendor: "hitachi",
            version: "-r",
         },
         {
            model: "rsa bsafe ssl-j",
            scope: "lt",
            trust: 0.8,
            vendor: "dell emc old emc",
            version: "6.x",
         },
         {
            model: "rsa bsafe ssl-j",
            scope: "ne",
            trust: 0.3,
            vendor: "emc",
            version: "6.1.1",
         },
         {
            model: "rsa bsafe ssl-j",
            scope: "ne",
            trust: 0.3,
            vendor: "emc",
            version: "6.0.2",
         },
         {
            model: "rsa bsafe ssl-j",
            scope: "ne",
            trust: 0.3,
            vendor: "emc",
            version: "5.1.3",
         },
      ],
      sources: [
         {
            db: "BID",
            id: "65597",
         },
         {
            db: "JVNDB",
            id: "JVNDB-2014-001425",
         },
         {
            db: "NVD",
            id: "CVE-2014-0626",
         },
         {
            db: "CNNVD",
            id: "CNNVD-201402-228",
         },
      ],
   },
   configurations: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/configurations#",
         children: {
            "@container": "@list",
         },
         cpe_match: {
            "@container": "@list",
         },
         data: {
            "@container": "@list",
         },
         nodes: {
            "@container": "@list",
         },
      },
      data: [
         {
            CVE_data_version: "4.0",
            nodes: [
               {
                  children: [],
                  cpe_match: [
                     {
                        cpe23Uri: "cpe:2.3:a:dell:bsafe_ssl-j:6.0:*:*:*:*:*:*:*",
                        cpe_name: [],
                        vulnerable: true,
                     },
                     {
                        cpe23Uri: "cpe:2.3:a:emc:rsa_bsafe_ssl-j:5.0:*:*:*:*:*:*:*",
                        cpe_name: [],
                        vulnerable: true,
                     },
                     {
                        cpe23Uri: "cpe:2.3:a:emc:rsa_bsafe_ssl-j:5.1.0:*:*:*:*:*:*:*",
                        cpe_name: [],
                        vulnerable: true,
                     },
                     {
                        cpe23Uri: "cpe:2.3:a:emc:rsa_bsafe_ssl-j:5.1.1:*:*:*:*:*:*:*",
                        cpe_name: [],
                        vulnerable: true,
                     },
                     {
                        cpe23Uri: "cpe:2.3:a:dell:bsafe_ssl-j:5.1.2:*:*:*:*:*:*:*",
                        cpe_name: [],
                        vulnerable: true,
                     },
                     {
                        cpe23Uri: "cpe:2.3:a:emc:rsa_bsafe_ssl-j:6.0.1:*:*:*:*:*:*:*",
                        cpe_name: [],
                        vulnerable: true,
                     },
                  ],
                  operator: "OR",
               },
            ],
         },
      ],
      sources: [
         {
            db: "NVD",
            id: "CVE-2014-0626",
         },
      ],
   },
   credits: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/credits#",
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: "The vendor reported this issue.",
      sources: [
         {
            db: "BID",
            id: "65597",
         },
      ],
      trust: 0.3,
   },
   cve: "CVE-2014-0626",
   cvss: {
      "@context": {
         cvssV2: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#",
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2",
         },
         cvssV3: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#",
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/",
         },
         severity: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/cvss/severity#",
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/severity",
         },
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
            "@id": "https://www.variotdbs.pl/ref/sources",
         },
      },
      data: [
         {
            cvssV2: [
               {
                  acInsufInfo: false,
                  accessComplexity: "LOW",
                  accessVector: "NETWORK",
                  authentication: "NONE",
                  author: "NVD",
                  availabilityImpact: "NONE",
                  baseScore: 5,
                  confidentialityImpact: "PARTIAL",
                  exploitabilityScore: 10,
                  impactScore: 2.9,
                  integrityImpact: "NONE",
                  obtainAllPrivilege: false,
                  obtainOtherPrivilege: false,
                  obtainUserPrivilege: false,
                  severity: "MEDIUM",
                  trust: 1,
                  userInteractionRequired: false,
                  vectorString: "AV:N/AC:L/Au:N/C:P/I:N/A:N",
                  version: "2.0",
               },
               {
                  acInsufInfo: null,
                  accessComplexity: "Low",
                  accessVector: "Network",
                  authentication: "None",
                  author: "NVD",
                  availabilityImpact: "None",
                  baseScore: 5,
                  confidentialityImpact: "Partial",
                  exploitabilityScore: null,
                  id: "CVE-2014-0626",
                  impactScore: null,
                  integrityImpact: "None",
                  obtainAllPrivilege: null,
                  obtainOtherPrivilege: null,
                  obtainUserPrivilege: null,
                  severity: "Medium",
                  trust: 0.8,
                  userInteractionRequired: null,
                  vectorString: "AV:N/AC:L/Au:N/C:P/I:N/A:N",
                  version: "2.0",
               },
               {
                  accessComplexity: "LOW",
                  accessVector: "NETWORK",
                  authentication: "NONE",
                  author: "VULHUB",
                  availabilityImpact: "NONE",
                  baseScore: 5,
                  confidentialityImpact: "PARTIAL",
                  exploitabilityScore: 10,
                  id: "VHN-68119",
                  impactScore: 2.9,
                  integrityImpact: "NONE",
                  severity: "MEDIUM",
                  trust: 0.1,
                  vectorString: "AV:N/AC:L/AU:N/C:P/I:N/A:N",
                  version: "2.0",
               },
            ],
            cvssV3: [],
            severity: [
               {
                  author: "NVD",
                  id: "CVE-2014-0626",
                  trust: 1.8,
                  value: "MEDIUM",
               },
               {
                  author: "CNNVD",
                  id: "CNNVD-201402-228",
                  trust: 0.6,
                  value: "MEDIUM",
               },
               {
                  author: "VULHUB",
                  id: "VHN-68119",
                  trust: 0.1,
                  value: "MEDIUM",
               },
            ],
         },
      ],
      sources: [
         {
            db: "VULHUB",
            id: "VHN-68119",
         },
         {
            db: "JVNDB",
            id: "JVNDB-2014-001425",
         },
         {
            db: "NVD",
            id: "CVE-2014-0626",
         },
         {
            db: "CNNVD",
            id: "CNNVD-201402-228",
         },
      ],
   },
   description: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/description#",
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: "The (1) JSAFE and (2) JSSE APIs in EMC RSA BSAFE SSL-J 5.x before 5.1.3 and 6.x before 6.0.2 make it easier for remote attackers to bypass intended cryptographic protection mechanisms by triggering application-data processing during the TLS handshake, a time at which the data is both unencrypted and unauthenticated. RSA BSAFE SSL-J is prone to an information-disclosure vulnerability\nAttackers can exploit this issue to obtain sensitive information that may aid in launching further attacks. \nVersions prior to RSA BSAFE SSL-J 5.1.3, 6.0.2 and 6.1.1 are vulnerable. EMC RSA BSAFE is a security software product of American EMC Corporation. The product supports encryption algorithms, certificate chain verification, and Transport Layer Security (TLS) cipher suites, etc., to help users achieve various security goals for their applications. A remote attacker could exploit this vulnerability to bypass established encryption protection mechanisms. -----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA1\n\nESA-2014-009: RSA BSAFE\\xae SSL-J Multiple Vulnerabilities\n\nEMC Identifier: ESA-2014-009\n\nCVE Identifier: CVE-2011-1473, CVE-2014-0625, CVE-2014-0626, CVE-2014-0627\n\nSeverity Rating: CVSS v2 Base Score: See below for individual scores\n \nAffected Products:\nAll versions of RSA BSAFE SSL-J (SSL-J) 5.x, SSL-J 6.0\n \nUnaffected Products:\nSSL-J 5.1.3, 6.0.2 and 6.1.x\n \nSummary: \nSSL-J 6.1.x, 6.0.2 and 5.1.3 contain updates designed to prevent multiple potential security vulnerabilities. \nAddressed issues include:\n1.     SSL/TLS Renegotiation Denial of Service Vulnerability (CVE-2011-1473)\n2.     SSLEngine API Information Disclosure Vulnerability (CVE-2014-0627)\n3.     SSL-J JSAFE and JSSE API Information Disclosure Vulnerability (CVE-2014-0626)\n4.     SSLSocket Denial of Service Vulnerability (CVE-2014-0625)\n \nDetails: \nSSL/TLS Renegotiation Denial of Service Vulnerability (CVE-2011-1473)\nAn application that does not properly restrict client-initiated renegotiation within the SSL and TLS protocols could be vulnerable to a denial of service (CPU consumption) from remote attackers that perform many renegotiations within a single connection. See http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-1473 for more information. \n\nSSL-J 6.1.x, 6.0.2 and 5.1.3 are designed to include a patch to determine the number of renegotiations that have been initiated by each SSL/TLS client for each connection, and to help ensure that the server can set a limit on renegotiation requests. \n\nCVSS v2 Base Score:5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)\n \nSSLEngine API Information Disclosure Vulnerability (CVE-2014-0627)\nWhen the SSL-J implementation of the SSLEngine API is used, it is possible for Application Data to be sent using the \\x93wrap\\x94 method, after sending the Finished message. However at this time, when the initial handshake is either an abbreviated handshake in server mode or a full handshake in client mode, the handshake is incomplete because the peer\\x92s Finished message has not been received. This can occur for both the TLS client and server. \nThe Application Data that is sent in this manner could be vulnerable to an attacker forcing the use of a weak cipher suite (if weak cipher suites are enabled). This Application Data is indistinguishable from data received after the completion of the handshake. This applies to the SSL-J JSAFE and JSSE APIs. \n\nCVSS v2 Base Score: 4.0 (AV:N/AC:H/Au:N/C:P/I:P/A:N)\n \nSSLSocket Denial of Service Vulnerability (CVE-2014-0625)\nIf SSLSocket (from both the JSAFE and JSSE APIs) is used, Application Data that is received while a handshake is in progress is placed in an internal buffer. This buffer can grow and use up large amounts of memory. \n\nCVSS v2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P)\n \nRecommendation:\nRSA recommends that customers on SSL-J 5.1.x or lower upgrade to SSL-J 5.1.3, 6.0.2 or 6.1.1. \nRSA recommends that customers on SSL-J 6.0 upgrade to SSL-J 6.0.2 or 6.1.1. \nThe patch to address CVE-2011-1473 is only applicable on the server side. \n \nObtaining Downloads: \nTo request your upgrade of the software, please call your local support telephone number (contact phone numbers are available at http://www.emc.com/support/rsa/contact/phone-numbers.htm) for most expedient service. \n\nObtaining Documentation:\nTo obtain RSA documentation, log on to RSA SecurCare Online at https://knowledge.rsasecurity.com and click Products in the top navigation menu. Select the specific product whose documentation you want to obtain. Scroll to the section for the product version that you want and click the set link. \n\nSeverity Rating:\nFor an explanation of Severity Ratings, refer to the Knowledge Base Article, \\x93Security Advisories Severity Rating\\x94 at https://knowledge.rsasecurity.com/scolcms/knowledge.aspx?solution=a46604. RSA recommends all customers take into account both the base score and any relevant temporal and environmental scores which may impact the potential severity associated with particular security vulnerability. \n\nObtaining More Information:\nFor more information about RSA products, visit the RSA web site at http://www.rsa.com. \n\nGetting Support and Service:\nFor customers with current maintenance contracts, contact your local RSA Customer Support center with any additional questions regarding this RSA SecurCare Note. For contact telephone numbers or e-mail addresses, log on to RSA SecurCare Online at https://knowledge.rsasecurity.com, click Help & Contact, and then click the Contact Us - Phone tab or the Contact Us - Email tab. \n\nGeneral Customer Support Information:\nhttp://www.emc.com/support/rsa/index.htm\n\nRSA SecurCare Online:\nhttps://knowledge.rsasecurity.com\n\nEOPS Policy:\nRSA has a defined End of Primary Support policy associated with all major versions. Please refer to the link below for additional details. \nhttp://www.emc.com/support/rsa/eops/index.htm\n\nSecurCare Online Security Advisories\nRSA, The Security Division of EMC, distributes SCOL Security Advisories in order to bring to the attention of users of the affected RSA products important security information. RSA recommends that all users determine the applicability of this information to their individual situations and take appropriate action. The information set forth herein is provided \"as is\" without warranty of any kind. RSA disclaim all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall RSA or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if RSA or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. \n\nAbout RSA SecurCare Notes & Security Advisories Subscription\nRSA SecurCare Notes & Security Advisories are targeted e-mail messages that RSA sends you based on the RSA product family you currently use. If you\\x92d like to stop receiving RSA SecurCare Notes & Security Advisories, or if you\\x92d like to change which RSA product family Notes & Security Advisories you currently receive, log on to RSA SecurCare Online at https://knowledge.rsasecurity.com/scolcms/help.aspx?_v=view3. Following the instructions on the page, remove the check mark next to the RSA product family whose Notes & Security Advisories you no longer want to receive. Click the Submit button to save your selection. \n\nSincerely,\nRSA Customer Support\n-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1.4.13 (Cygwin)\n\niEYEARECAAYFAlL+J8kACgkQtjd2rKp+ALx9YACdGPsy/gb0z9h5Dpz7vRtn19Gg\niboAn2FBLI5QgwQNSzHY3t0Abc38c3tp\n=DDww\n-----END PGP SIGNATURE-----\n",
      sources: [
         {
            db: "NVD",
            id: "CVE-2014-0626",
         },
         {
            db: "JVNDB",
            id: "JVNDB-2014-001425",
         },
         {
            db: "BID",
            id: "65597",
         },
         {
            db: "VULHUB",
            id: "VHN-68119",
         },
         {
            db: "PACKETSTORM",
            id: "125239",
         },
      ],
      trust: 2.07,
   },
   external_ids: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
         data: {
            "@container": "@list",
         },
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: [
         {
            db: "NVD",
            id: "CVE-2014-0626",
            trust: 2.9,
         },
         {
            db: "JVNDB",
            id: "JVNDB-2014-001425",
            trust: 0.8,
         },
         {
            db: "CNNVD",
            id: "CNNVD-201402-228",
            trust: 0.7,
         },
         {
            db: "BID",
            id: "65597",
            trust: 0.4,
         },
         {
            db: "VULHUB",
            id: "VHN-68119",
            trust: 0.1,
         },
         {
            db: "PACKETSTORM",
            id: "125239",
            trust: 0.1,
         },
      ],
      sources: [
         {
            db: "VULHUB",
            id: "VHN-68119",
         },
         {
            db: "BID",
            id: "65597",
         },
         {
            db: "JVNDB",
            id: "JVNDB-2014-001425",
         },
         {
            db: "PACKETSTORM",
            id: "125239",
         },
         {
            db: "NVD",
            id: "CVE-2014-0626",
         },
         {
            db: "CNNVD",
            id: "CNNVD-201402-228",
         },
      ],
   },
   id: "VAR-201402-0433",
   iot: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/iot#",
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: true,
      sources: [
         {
            db: "VULHUB",
            id: "VHN-68119",
         },
      ],
      trust: 0.01,
   },
   last_update_date: "2023-12-18T11:52:06.799000Z",
   patch: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/patch#",
         data: {
            "@container": "@list",
         },
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: [
         {
            title: "Top Page",
            trust: 0.8,
            url: "http://www.emc.com/index.htm",
         },
         {
            title: "HS14-010",
            trust: 0.8,
            url: "http://www.hitachi.co.jp/prod/comp/soft1/global/security/info/vuls/hs14-010/index.html",
         },
         {
            title: "HS14-010",
            trust: 0.8,
            url: "http://www.hitachi.co.jp/prod/comp/soft1/security/info/vuls/hs14-010/index.html",
         },
         {
            title: "RSA BSAFE SSL-J",
            trust: 0.8,
            url: "http://japan.emc.com/security/rsa-bsafe/rsa-bsafe-ssl-j.htm",
         },
         {
            title: "EMC RSA BSAFE JSAFE  and JSSE API Fixes for encryption problem vulnerabilities",
            trust: 0.6,
            url: "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=173774",
         },
      ],
      sources: [
         {
            db: "JVNDB",
            id: "JVNDB-2014-001425",
         },
         {
            db: "CNNVD",
            id: "CNNVD-201402-228",
         },
      ],
   },
   problemtype_data: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: [
         {
            problemtype: "CWE-310",
            trust: 1.9,
         },
         {
            problemtype: "CWE-DesignError",
            trust: 0.8,
         },
      ],
      sources: [
         {
            db: "VULHUB",
            id: "VHN-68119",
         },
         {
            db: "JVNDB",
            id: "JVNDB-2014-001425",
         },
         {
            db: "NVD",
            id: "CVE-2014-0626",
         },
      ],
   },
   references: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/references#",
         data: {
            "@container": "@list",
         },
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: [
         {
            trust: 2.5,
            url: "http://archives.neohapsis.com/archives/bugtraq/2014-02/0061.html",
         },
         {
            trust: 0.8,
            url: "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-0626",
         },
         {
            trust: 0.8,
            url: "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-0626",
         },
         {
            trust: 0.1,
            url: "http://www.emc.com/support/rsa/contact/phone-numbers.htm)",
         },
         {
            trust: 0.1,
            url: "https://knowledge.rsasecurity.com/scolcms/knowledge.aspx?solution=a46604.",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2011-1473",
         },
         {
            trust: 0.1,
            url: "http://www.emc.com/support/rsa/eops/index.htm",
         },
         {
            trust: 0.1,
            url: "http://www.rsa.com.",
         },
         {
            trust: 0.1,
            url: "https://knowledge.rsasecurity.com/scolcms/help.aspx?_v=view3.",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2014-0626",
         },
         {
            trust: 0.1,
            url: "https://knowledge.rsasecurity.com",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2014-0625",
         },
         {
            trust: 0.1,
            url: "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2011-1473",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2014-0627",
         },
         {
            trust: 0.1,
            url: "http://www.emc.com/support/rsa/index.htm",
         },
         {
            trust: 0.1,
            url: "https://knowledge.rsasecurity.com,",
         },
      ],
      sources: [
         {
            db: "VULHUB",
            id: "VHN-68119",
         },
         {
            db: "JVNDB",
            id: "JVNDB-2014-001425",
         },
         {
            db: "PACKETSTORM",
            id: "125239",
         },
         {
            db: "NVD",
            id: "CVE-2014-0626",
         },
         {
            db: "CNNVD",
            id: "CNNVD-201402-228",
         },
      ],
   },
   sources: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/sources#",
         data: {
            "@container": "@list",
         },
      },
      data: [
         {
            db: "VULHUB",
            id: "VHN-68119",
         },
         {
            db: "BID",
            id: "65597",
         },
         {
            db: "JVNDB",
            id: "JVNDB-2014-001425",
         },
         {
            db: "PACKETSTORM",
            id: "125239",
         },
         {
            db: "NVD",
            id: "CVE-2014-0626",
         },
         {
            db: "CNNVD",
            id: "CNNVD-201402-228",
         },
      ],
   },
   sources_release_date: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
         data: {
            "@container": "@list",
         },
      },
      data: [
         {
            date: "2014-02-18T00:00:00",
            db: "VULHUB",
            id: "VHN-68119",
         },
         {
            date: "2014-02-17T00:00:00",
            db: "BID",
            id: "65597",
         },
         {
            date: "2014-02-19T00:00:00",
            db: "JVNDB",
            id: "JVNDB-2014-001425",
         },
         {
            date: "2014-02-17T18:02:22",
            db: "PACKETSTORM",
            id: "125239",
         },
         {
            date: "2014-02-18T00:55:05.173000",
            db: "NVD",
            id: "CVE-2014-0626",
         },
         {
            date: "2014-02-19T00:00:00",
            db: "CNNVD",
            id: "CNNVD-201402-228",
         },
      ],
   },
   sources_update_date: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
         data: {
            "@container": "@list",
         },
      },
      data: [
         {
            date: "2021-12-09T00:00:00",
            db: "VULHUB",
            id: "VHN-68119",
         },
         {
            date: "2014-02-17T00:00:00",
            db: "BID",
            id: "65597",
         },
         {
            date: "2014-05-13T00:00:00",
            db: "JVNDB",
            id: "JVNDB-2014-001425",
         },
         {
            date: "2021-12-09T18:31:15.070000",
            db: "NVD",
            id: "CVE-2014-0626",
         },
         {
            date: "2021-12-10T00:00:00",
            db: "CNNVD",
            id: "CNNVD-201402-228",
         },
      ],
   },
   threat_type: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: "remote",
      sources: [
         {
            db: "CNNVD",
            id: "CNNVD-201402-228",
         },
      ],
      trust: 0.6,
   },
   title: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/title#",
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: "EMC RSA BSAFE SSL-J of  API Vulnerabilities that bypass cryptographic protection mechanisms",
      sources: [
         {
            db: "JVNDB",
            id: "JVNDB-2014-001425",
         },
      ],
      trust: 0.8,
   },
   type: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/type#",
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: "encryption problem",
      sources: [
         {
            db: "CNNVD",
            id: "CNNVD-201402-228",
         },
      ],
      trust: 0.6,
   },
}

ghsa-49mf-7m55-94wm

Vulnerability from github

Published

2022-05-13 01:04

Modified

2022-05-13 01:04

Details

Show details on source website

JSON

To clipboard

{
   affected: [],
   aliases: [
      "CVE-2014-0626",
   ],
   database_specific: {
      cwe_ids: [],
      github_reviewed: false,
      github_reviewed_at: null,
      nvd_published_at: "2014-02-18T00:55:00Z",
      severity: "MODERATE",
   },
   details: "The (1) JSAFE and (2) JSSE APIs in EMC RSA BSAFE SSL-J 5.x before 5.1.3 and 6.x before 6.0.2 make it easier for remote attackers to bypass intended cryptographic protection mechanisms by triggering application-data processing during the TLS handshake, a time at which the data is both unencrypted and unauthenticated.",
   id: "GHSA-49mf-7m55-94wm",
   modified: "2022-05-13T01:04:41Z",
   published: "2022-05-13T01:04:41Z",
   references: [
      {
         type: "ADVISORY",
         url: "https://nvd.nist.gov/vuln/detail/CVE-2014-0626",
      },
      {
         type: "WEB",
         url: "http://archives.neohapsis.com/archives/bugtraq/2014-02/0061.html",
      },
   ],
   schema_version: "1.4.0",
   severity: [],
}

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

cve-2014-0626

Vulnerability from cvelistv5

fkie_cve-2014-0626

Vulnerability from fkie_nvd

gsd-2014-0626

Vulnerability from gsd

var-201402-0433

Vulnerability from variot

ghsa-49mf-7m55-94wm

Vulnerability from github

Tags

Sightings

Nomenclature