CVE-2011-3389 — MEDIUM (4.3)

Q: How severe is CVE-2011-3389?

CVE-2011-3389 has been rated MEDIUM with a CVSS base score of 4.3/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2011-3389?

Check the references section above for vendor advisories and patch information. Affected products include: Google Chrome, Microsoft Internet Explorer, Mozilla Firefox, Opera Opera Browser, Microsoft Windows.

Vulnerability Description

The SSL protocol, as used in certain configurations in Microsoft Windows and Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera, and other products, encrypts data by using CBC mode with chained initialization vectors, which allows man-in-the-middle attackers to obtain plaintext HTTP headers via a blockwise chosen-boundary attack (BCBA) on an HTTPS session, in conjunction with JavaScript code that uses (1) the HTML5 WebSocket API, (2) the Java URLConnection API, or (3) the Silverlight WebClient API, aka a "BEAST" attack.

CVSS Score

4.3

MEDIUM

AV:N/AC:M/Au:N/C:P/I:N/A:N

Confidentiality

PARTIAL

Integrity

NONE

Availability

NONE

Affected Products

Vendor	Product	Versions
Google	Chrome	-
Microsoft	Internet Explorer	-
Mozilla	Firefox	-
Opera	Opera Browser	-
Microsoft	Windows	-
Siemens	Simatic Rf68Xr Firmware	< 3.2.1
Siemens	Simatic Rf68Xr	-
Siemens	Simatic Rf615R Firmware	< 3.2.1
Siemens	Simatic Rf615R	-
Haxx	Curl	>= 7.10.6, <= 7.23.1
Redhat	Enterprise Linux Desktop	5.0
Redhat	Enterprise Linux Eus	6.2
Redhat	Enterprise Linux Server	5.0
Redhat	Enterprise Linux Server Aus	6.2
Redhat	Enterprise Linux Workstation	5.0
Debian	Debian Linux	5.0
Canonical	Ubuntu Linux	10.04

Related Weaknesses (CWE)

CWE-326

References

http://blog.mozilla.com/security/2011/09/27/attack-against-tls-protected-communiThird Party Advisory
http://blogs.technet.com/b/msrc/archive/2011/09/26/microsoft-releases-security-aThird Party Advisory
http://blogs.technet.com/b/srd/archive/2011/09/26/is-ssl-broken-more-about-securThird Party Advisory
http://curl.haxx.se/docs/adv_20120124B.htmlThird Party Advisory
http://downloads.asterisk.org/pub/security/AST-2016-001.htmlThird Party Advisory
http://ekoparty.org/2011/juliano-rizzo.phpBroken Link
http://eprint.iacr.org/2004/111Third Party Advisory
http://eprint.iacr.org/2006/136Third Party Advisory
http://googlechromereleases.blogspot.com/2011/10/chrome-stable-release.htmlNot ApplicableVendor Advisory
http://isc.sans.edu/diary/SSL+TLS+part+3+/11635Third Party Advisory
http://lists.apple.com/archives/Security-announce/2011//Oct/msg00001.htmlBroken Link
http://lists.apple.com/archives/Security-announce/2011//Oct/msg00002.htmlBroken Link
http://lists.apple.com/archives/security-announce/2012/Feb/msg00000.htmlBroken LinkMailing List
http://lists.apple.com/archives/security-announce/2012/Jul/msg00001.htmlBroken LinkMailing List
http://lists.apple.com/archives/security-announce/2012/May/msg00001.htmlBroken LinkMailing List

FAQ

What is CVE-2011-3389?

CVE-2011-3389 is a vulnerability with a CVSS score of 4.3 (MEDIUM). The SSL protocol, as used in certain configurations in Microsoft Windows and Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera, and other products, encrypts data by using CBC mode wit...

How severe is CVE-2011-3389?

CVE-2011-3389 has been rated MEDIUM with a CVSS base score of 4.3/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2011-3389?

Check the references section above for vendor advisories and patch information. Affected products include: Google Chrome, Microsoft Internet Explorer, Mozilla Firefox, Opera Opera Browser, Microsoft Windows.