CVE-2015-3197 — MEDIUM (5.9)

Vulnerability Description

ssl/s2_srvr.c in OpenSSL 1.0.1 before 1.0.1r and 1.0.2 before 1.0.2f does not prevent use of disabled ciphers, which makes it easier for man-in-the-middle attackers to defeat cryptographic protection mechanisms by performing computations on SSLv2 traffic, related to the get_client_master_key and get_client_hello functions.

CVSS Score

5.9

MEDIUM

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

NONE

Availability

NONE

Affected Products

Vendor	Product	Versions
Oracle	Tuxedo	12.1.1.0
Oracle	Exalogic Infrastructure	1.0
Oracle	Peoplesoft Enterprise Peopletools	8.53
Openssl	Openssl	1.0.1
Oracle	Oss Support Tools	8.11.16.3.8
Oracle	Vm Virtualbox	5.0.16

Related Weaknesses (CWE)

CWE-310 CWE-200

References

FAQ

What is CVE-2015-3197?

CVE-2015-3197 is a vulnerability with a CVSS score of 5.9 (MEDIUM). ssl/s2_srvr.c in OpenSSL 1.0.1 before 1.0.1r and 1.0.2 before 1.0.2f does not prevent use of disabled ciphers, which makes it easier for man-in-the-middle attackers to defeat cryptographic protection ...

How severe is CVE-2015-3197?

CVE-2015-3197 has been rated MEDIUM with a CVSS base score of 5.9/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2015-3197?

Check the references section above for vendor advisories and patch information. Affected products include: Oracle Tuxedo, Oracle Exalogic Infrastructure, Oracle Peoplesoft Enterprise Peopletools, Openssl Openssl, Oracle Oss Support Tools.