csaf_redhat - rhsa-2003

rhsa-2003_063

Vulnerability from csaf_redhat

Published

2003-03-10 15:18

Modified

2024-11-21 22:41

Summary

Red Hat Security Advisory: openssl security update

Notes

Topic

Updated OpenSSL packages are available that fix a potential timing-based attack. [Updated 12 March 2003] Added packages for Red Hat Enterprise Linux ES and Red Hat Enterprise Linux WS

Details

OpenSSL is a commercial-grade, full-featured, open source toolkit which implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength, general purpose cryptography library. In a paper, Brice Canvel, Alain Hiltgen, Serge Vaudenay, and Martin Vuagnoux describe and demonstrate a timing-based attack on CBC ciphersuites in SSL and TLS. An active attacker may be able to use timing observations to distinguish between two different error cases: cipher padding errors and MAC verification errors. Over multiple connections this can leak sufficient information to be able to retrieve the plaintext of a common, fixed block. In order for an attack to be sucessful an attacker must be able to act as a man-in-the-middle to intercept and modify multiple connections which all involve a common fixed plaintext block (such as a password), and have good network conditions that allow small changes in timing to be reliably observed. These updated packages contain a patch provided by the OpenSSL group that corrects this vulnerability. Because server applications are affected by these vulnerabilities, we advise users to restart all services that use OpenSSL functionality or alternatively reboot their systems after installing these updates.

This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Updated OpenSSL packages are available that fix a potential timing-based\nattack.\n\n[Updated 12 March 2003]\nAdded packages for Red Hat Enterprise Linux ES and Red Hat Enterprise\nLinux WS",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "OpenSSL is a commercial-grade, full-featured, open source toolkit which\nimplements the Secure Sockets Layer (SSL v2/v3) and Transport Layer\nSecurity (TLS v1) protocols as well as a full-strength, general purpose\ncryptography library.\n\nIn a paper, Brice Canvel, Alain Hiltgen, Serge Vaudenay, and Martin\nVuagnoux describe and demonstrate a timing-based attack on CBC ciphersuites\nin SSL and TLS.  An active attacker may be able to use timing observations\nto distinguish between two different error cases: cipher padding errors and\nMAC verification errors.  Over multiple connections this can leak\nsufficient information to be able to retrieve the plaintext of a common,\nfixed block.\n\nIn order for an attack to be sucessful an attacker must be able to act as a\nman-in-the-middle to intercept and modify multiple connections which all\ninvolve a common fixed plaintext block (such as a password), and have good\nnetwork conditions that allow small changes in timing to be reliably observed.\n\nThese updated packages contain a patch provided by the OpenSSL group that\ncorrects this vulnerability.\n\nBecause server applications are affected by these vulnerabilities, we\nadvise users to restart all services that use OpenSSL functionality or\nalternatively reboot their systems after installing these updates.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2003:063",
        "url": "https://access.redhat.com/errata/RHSA-2003:063"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#moderate",
        "url": "https://access.redhat.com/security/updates/classification/#moderate"
      },
      {
        "category": "external",
        "summary": "http://lasecwww.epfl.ch/pub/lasec/doc/Vau02a.ps",
        "url": "http://lasecwww.epfl.ch/pub/lasec/doc/Vau02a.ps"
      },
      {
        "category": "external",
        "summary": "84597",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=84597"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2003/rhsa-2003_063.json"
      }
    ],
    "title": "Red Hat Security Advisory: openssl security update",
    "tracking": {
      "current_release_date": "2024-11-21T22:41:41+00:00",
      "generator": {
        "date": "2024-11-21T22:41:41+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.2.1"
        }
      },
      "id": "RHSA-2003:063",
      "initial_release_date": "2003-03-10T15:18:00+00:00",
      "revision_history": [
        {
          "date": "2003-03-10T15:18:00+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2003-02-19T00:00:00+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2024-11-21T22:41:41+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat Enterprise Linux AS (Advanced Server) version 2.1 ",
                "product": {
                  "name": "Red Hat Enterprise Linux AS (Advanced Server) version 2.1 ",
                  "product_id": "Red Hat Enterprise Linux AS (Advanced Server) version 2.1 ",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:redhat:enterprise_linux:2.1::as"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "Red Hat Linux Advanced Workstation 2.1",
                "product": {
                  "name": "Red Hat Linux Advanced Workstation 2.1",
                  "product_id": "Red Hat Linux Advanced Workstation 2.1",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:redhat:enterprise_linux:2.1::aw"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "Red Hat Enterprise Linux ES version 2.1",
                "product": {
                  "name": "Red Hat Enterprise Linux ES version 2.1",
                  "product_id": "Red Hat Enterprise Linux ES version 2.1",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:redhat:enterprise_linux:2.1::es"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "Red Hat Enterprise Linux WS version 2.1",
                "product": {
                  "name": "Red Hat Enterprise Linux WS version 2.1",
                  "product_id": "Red Hat Enterprise Linux WS version 2.1",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:redhat:enterprise_linux:2.1::ws"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat Enterprise Linux"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2003-0078",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1616956"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "ssl3_get_record in s3_pkt.c for OpenSSL before 0.9.7a and 0.9.6 before 0.9.6i does not perform a MAC computation if an incorrect block cipher padding is used, which causes an information leak (timing discrepancy) that may make it easier to launch cryptographic attacks that rely on distinguishing between padding and MAC verification errors, possibly leading to extraction of the original plaintext, aka the \"Vaudenay timing attack.\"",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "security flaw",
          "title": "Vulnerability summary"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Enterprise Linux AS (Advanced Server) version 2.1 ",
          "Red Hat Enterprise Linux ES version 2.1",
          "Red Hat Enterprise Linux WS version 2.1",
          "Red Hat Linux Advanced Workstation 2.1"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2003-0078"
        },
        {
          "category": "external",
          "summary": "RHBZ#1616956",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1616956"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2003-0078",
          "url": "https://www.cve.org/CVERecord?id=CVE-2003-0078"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2003-0078",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2003-0078"
        }
      ],
      "release_date": "2003-02-19T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2003-03-10T15:18:00+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nPlease note that this update is available via Red Hat Network.  To use Red\nHat Network, launch the Red Hat Update Agent with the following command:\n\nup2date\n\nThis will start an interactive process that will result in the appropriate\nRPMs being upgraded on your system.",
          "product_ids": [
            "Red Hat Enterprise Linux AS (Advanced Server) version 2.1 ",
            "Red Hat Enterprise Linux ES version 2.1",
            "Red Hat Enterprise Linux WS version 2.1",
            "Red Hat Linux Advanced Workstation 2.1"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2003:063"
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "security flaw"
    }
  ]
}

cve-2003-0078

Vulnerability from cvelistv5

Published

2004-09-01 04:00

Modified

2024-08-08 01:43

Severity ?

Summary

ssl3_get_record in s3_pkt.c for OpenSSL before 0.9.7a and 0.9.6 before 0.9.6i does not perform a MAC computation if an incorrect block cipher padding is used, which causes an information leak (timing discrepancy) that may make it easier to launch cryptographic attacks that rely on distinguishing between padding and MAC verification errors, possibly leading to extraction of the original plaintext, aka the "Vaudenay timing attack."

References

▼	URL	Tags
	ftp://patches.sgi.com/support/free/security/advisories/20030501-01-I	vendor-advisory, x_refsource_SGI
	http://www.osvdb.org/3945	vdb-entry, x_refsource_OSVDB
	http://www.iss.net/security_center/static/11369.php	vdb-entry, x_refsource_XF
	http://www.openssl.org/news/secadv_20030219.txt	x_refsource_CONFIRM
	http://www.trustix.org/errata/2003/0005	vendor-advisory, x_refsource_TRUSTIX
	http://www.debian.org/security/2003/dsa-253	vendor-advisory, x_refsource_DEBIAN
	http://www.redhat.com/support/errata/RHSA-2003-205.html	vendor-advisory, x_refsource_REDHAT
	http://www.linuxsecurity.com/advisories/engarde_advisory-2874.html	vendor-advisory, x_refsource_ENGARDE
	http://www.ciac.org/ciac/bulletins/n-051.shtml	third-party-advisory, government-resource, x_refsource_CIAC
	http://marc.info/?l=bugtraq&m=104567627211904&w=2	mailing-list, x_refsource_BUGTRAQ
	http://www.redhat.com/support/errata/RHSA-2003-104.html	vendor-advisory, x_refsource_REDHAT
	http://www.securityfocus.com/bid/6884	vdb-entry, x_refsource_BID
	ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2003-001.txt.asc	vendor-advisory, x_refsource_NETBSD
	http://www.mandrakesoft.com/security/advisories?name=MDKSA-2003:020	vendor-advisory, x_refsource_MANDRAKE
	http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000570	vendor-advisory, x_refsource_CONECTIVA
	http://marc.info/?l=bugtraq&m=104568426824439&w=2	mailing-list, x_refsource_BUGTRAQ
	http://marc.info/?l=bugtraq&m=104577183206905&w=2	vendor-advisory, x_refsource_GENTOO
	http://www.redhat.com/support/errata/RHSA-2003-082.html	vendor-advisory, x_refsource_REDHAT
	http://www.redhat.com/support/errata/RHSA-2003-063.html	vendor-advisory, x_refsource_REDHAT
	http://www.redhat.com/support/errata/RHSA-2003-062.html	vendor-advisory, x_refsource_REDHAT

Impacted products

▼	Vendor	Product
	n/a	n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-08T01:43:35.347Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "20030501-01-I",
            "tags": [
              "vendor-advisory",
              "x_refsource_SGI",
              "x_transferred"
            ],
            "url": "ftp://patches.sgi.com/support/free/security/advisories/20030501-01-I"
          },
          {
            "name": "3945",
            "tags": [
              "vdb-entry",
              "x_refsource_OSVDB",
              "x_transferred"
            ],
            "url": "http://www.osvdb.org/3945"
          },
          {
            "name": "ssl-cbc-information-leak(11369)",
            "tags": [
              "vdb-entry",
              "x_refsource_XF",
              "x_transferred"
            ],
            "url": "http://www.iss.net/security_center/static/11369.php"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://www.openssl.org/news/secadv_20030219.txt"
          },
          {
            "name": "2003-0005",
            "tags": [
              "vendor-advisory",
              "x_refsource_TRUSTIX",
              "x_transferred"
            ],
            "url": "http://www.trustix.org/errata/2003/0005"
          },
          {
            "name": "DSA-253",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "http://www.debian.org/security/2003/dsa-253"
          },
          {
            "name": "RHSA-2003:205",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "http://www.redhat.com/support/errata/RHSA-2003-205.html"
          },
          {
            "name": "ESA-20030220-005",
            "tags": [
              "vendor-advisory",
              "x_refsource_ENGARDE",
              "x_transferred"
            ],
            "url": "http://www.linuxsecurity.com/advisories/engarde_advisory-2874.html"
          },
          {
            "name": "N-051",
            "tags": [
              "third-party-advisory",
              "government-resource",
              "x_refsource_CIAC",
              "x_transferred"
            ],
            "url": "http://www.ciac.org/ciac/bulletins/n-051.shtml"
          },
          {
            "name": "20030219 OpenSSL 0.9.7a and 0.9.6i released",
            "tags": [
              "mailing-list",
              "x_refsource_BUGTRAQ",
              "x_transferred"
            ],
            "url": "http://marc.info/?l=bugtraq\u0026m=104567627211904\u0026w=2"
          },
          {
            "name": "RHSA-2003:104",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "http://www.redhat.com/support/errata/RHSA-2003-104.html"
          },
          {
            "name": "6884",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/6884"
          },
          {
            "name": "NetBSD-SA2003-001",
            "tags": [
              "vendor-advisory",
              "x_refsource_NETBSD",
              "x_transferred"
            ],
            "url": "ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2003-001.txt.asc"
          },
          {
            "name": "MDKSA-2003:020",
            "tags": [
              "vendor-advisory",
              "x_refsource_MANDRAKE",
              "x_transferred"
            ],
            "url": "http://www.mandrakesoft.com/security/advisories?name=MDKSA-2003:020"
          },
          {
            "name": "CLSA-2003:570",
            "tags": [
              "vendor-advisory",
              "x_refsource_CONECTIVA",
              "x_transferred"
            ],
            "url": "http://distro.conectiva.com.br/atualizacoes/?id=a\u0026anuncio=000570"
          },
          {
            "name": "20030219 [OpenPKG-SA-2003.013] OpenPKG Security Advisory (openssl)",
            "tags": [
              "mailing-list",
              "x_refsource_BUGTRAQ",
              "x_transferred"
            ],
            "url": "http://marc.info/?l=bugtraq\u0026m=104568426824439\u0026w=2"
          },
          {
            "name": "GLSA-200302-10",
            "tags": [
              "vendor-advisory",
              "x_refsource_GENTOO",
              "x_transferred"
            ],
            "url": "http://marc.info/?l=bugtraq\u0026m=104577183206905\u0026w=2"
          },
          {
            "name": "RHSA-2003:082",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "http://www.redhat.com/support/errata/RHSA-2003-082.html"
          },
          {
            "name": "RHSA-2003:063",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "http://www.redhat.com/support/errata/RHSA-2003-063.html"
          },
          {
            "name": "RHSA-2003:062",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "http://www.redhat.com/support/errata/RHSA-2003-062.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2003-02-19T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "ssl3_get_record in s3_pkt.c for OpenSSL before 0.9.7a and 0.9.6 before 0.9.6i does not perform a MAC computation if an incorrect block cipher padding is used, which causes an information leak (timing discrepancy) that may make it easier to launch cryptographic attacks that rely on distinguishing between padding and MAC verification errors, possibly leading to extraction of the original plaintext, aka the \"Vaudenay timing attack.\""
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2010-02-23T00:00:00",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "name": "20030501-01-I",
          "tags": [
            "vendor-advisory",
            "x_refsource_SGI"
          ],
          "url": "ftp://patches.sgi.com/support/free/security/advisories/20030501-01-I"
        },
        {
          "name": "3945",
          "tags": [
            "vdb-entry",
            "x_refsource_OSVDB"
          ],
          "url": "http://www.osvdb.org/3945"
        },
        {
          "name": "ssl-cbc-information-leak(11369)",
          "tags": [
            "vdb-entry",
            "x_refsource_XF"
          ],
          "url": "http://www.iss.net/security_center/static/11369.php"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://www.openssl.org/news/secadv_20030219.txt"
        },
        {
          "name": "2003-0005",
          "tags": [
            "vendor-advisory",
            "x_refsource_TRUSTIX"
          ],
          "url": "http://www.trustix.org/errata/2003/0005"
        },
        {
          "name": "DSA-253",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "http://www.debian.org/security/2003/dsa-253"
        },
        {
          "name": "RHSA-2003:205",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "http://www.redhat.com/support/errata/RHSA-2003-205.html"
        },
        {
          "name": "ESA-20030220-005",
          "tags": [
            "vendor-advisory",
            "x_refsource_ENGARDE"
          ],
          "url": "http://www.linuxsecurity.com/advisories/engarde_advisory-2874.html"
        },
        {
          "name": "N-051",
          "tags": [
            "third-party-advisory",
            "government-resource",
            "x_refsource_CIAC"
          ],
          "url": "http://www.ciac.org/ciac/bulletins/n-051.shtml"
        },
        {
          "name": "20030219 OpenSSL 0.9.7a and 0.9.6i released",
          "tags": [
            "mailing-list",
            "x_refsource_BUGTRAQ"
          ],
          "url": "http://marc.info/?l=bugtraq\u0026m=104567627211904\u0026w=2"
        },
        {
          "name": "RHSA-2003:104",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "http://www.redhat.com/support/errata/RHSA-2003-104.html"
        },
        {
          "name": "6884",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/6884"
        },
        {
          "name": "NetBSD-SA2003-001",
          "tags": [
            "vendor-advisory",
            "x_refsource_NETBSD"
          ],
          "url": "ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2003-001.txt.asc"
        },
        {
          "name": "MDKSA-2003:020",
          "tags": [
            "vendor-advisory",
            "x_refsource_MANDRAKE"
          ],
          "url": "http://www.mandrakesoft.com/security/advisories?name=MDKSA-2003:020"
        },
        {
          "name": "CLSA-2003:570",
          "tags": [
            "vendor-advisory",
            "x_refsource_CONECTIVA"
          ],
          "url": "http://distro.conectiva.com.br/atualizacoes/?id=a\u0026anuncio=000570"
        },
        {
          "name": "20030219 [OpenPKG-SA-2003.013] OpenPKG Security Advisory (openssl)",
          "tags": [
            "mailing-list",
            "x_refsource_BUGTRAQ"
          ],
          "url": "http://marc.info/?l=bugtraq\u0026m=104568426824439\u0026w=2"
        },
        {
          "name": "GLSA-200302-10",
          "tags": [
            "vendor-advisory",
            "x_refsource_GENTOO"
          ],
          "url": "http://marc.info/?l=bugtraq\u0026m=104577183206905\u0026w=2"
        },
        {
          "name": "RHSA-2003:082",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "http://www.redhat.com/support/errata/RHSA-2003-082.html"
        },
        {
          "name": "RHSA-2003:063",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "http://www.redhat.com/support/errata/RHSA-2003-063.html"
        },
        {
          "name": "RHSA-2003:062",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "http://www.redhat.com/support/errata/RHSA-2003-062.html"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2003-0078",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "ssl3_get_record in s3_pkt.c for OpenSSL before 0.9.7a and 0.9.6 before 0.9.6i does not perform a MAC computation if an incorrect block cipher padding is used, which causes an information leak (timing discrepancy) that may make it easier to launch cryptographic attacks that rely on distinguishing between padding and MAC verification errors, possibly leading to extraction of the original plaintext, aka the \"Vaudenay timing attack.\""
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "20030501-01-I",
              "refsource": "SGI",
              "url": "ftp://patches.sgi.com/support/free/security/advisories/20030501-01-I"
            },
            {
              "name": "3945",
              "refsource": "OSVDB",
              "url": "http://www.osvdb.org/3945"
            },
            {
              "name": "ssl-cbc-information-leak(11369)",
              "refsource": "XF",
              "url": "http://www.iss.net/security_center/static/11369.php"
            },
            {
              "name": "http://www.openssl.org/news/secadv_20030219.txt",
              "refsource": "CONFIRM",
              "url": "http://www.openssl.org/news/secadv_20030219.txt"
            },
            {
              "name": "2003-0005",
              "refsource": "TRUSTIX",
              "url": "http://www.trustix.org/errata/2003/0005"
            },
            {
              "name": "DSA-253",
              "refsource": "DEBIAN",
              "url": "http://www.debian.org/security/2003/dsa-253"
            },
            {
              "name": "RHSA-2003:205",
              "refsource": "REDHAT",
              "url": "http://www.redhat.com/support/errata/RHSA-2003-205.html"
            },
            {
              "name": "ESA-20030220-005",
              "refsource": "ENGARDE",
              "url": "http://www.linuxsecurity.com/advisories/engarde_advisory-2874.html"
            },
            {
              "name": "N-051",
              "refsource": "CIAC",
              "url": "http://www.ciac.org/ciac/bulletins/n-051.shtml"
            },
            {
              "name": "20030219 OpenSSL 0.9.7a and 0.9.6i released",
              "refsource": "BUGTRAQ",
              "url": "http://marc.info/?l=bugtraq\u0026m=104567627211904\u0026w=2"
            },
            {
              "name": "RHSA-2003:104",
              "refsource": "REDHAT",
              "url": "http://www.redhat.com/support/errata/RHSA-2003-104.html"
            },
            {
              "name": "6884",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/6884"
            },
            {
              "name": "NetBSD-SA2003-001",
              "refsource": "NETBSD",
              "url": "ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2003-001.txt.asc"
            },
            {
              "name": "MDKSA-2003:020",
              "refsource": "MANDRAKE",
              "url": "http://www.mandrakesoft.com/security/advisories?name=MDKSA-2003:020"
            },
            {
              "name": "CLSA-2003:570",
              "refsource": "CONECTIVA",
              "url": "http://distro.conectiva.com.br/atualizacoes/?id=a\u0026anuncio=000570"
            },
            {
              "name": "20030219 [OpenPKG-SA-2003.013] OpenPKG Security Advisory (openssl)",
              "refsource": "BUGTRAQ",
              "url": "http://marc.info/?l=bugtraq\u0026m=104568426824439\u0026w=2"
            },
            {
              "name": "GLSA-200302-10",
              "refsource": "GENTOO",
              "url": "http://marc.info/?l=bugtraq\u0026m=104577183206905\u0026w=2"
            },
            {
              "name": "RHSA-2003:082",
              "refsource": "REDHAT",
              "url": "http://www.redhat.com/support/errata/RHSA-2003-082.html"
            },
            {
              "name": "RHSA-2003:063",
              "refsource": "REDHAT",
              "url": "http://www.redhat.com/support/errata/RHSA-2003-063.html"
            },
            {
              "name": "RHSA-2003:062",
              "refsource": "REDHAT",
              "url": "http://www.redhat.com/support/errata/RHSA-2003-062.html"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2003-0078",
    "datePublished": "2004-09-01T04:00:00",
    "dateReserved": "2003-02-10T00:00:00",
    "dateUpdated": "2024-08-08T01:43:35.347Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted