5

CVE-2003-0078

ssl3_get_record in s3_pkt.c for OpenSSL before 0.9.7a and 0.9.6 before 0.9.6i does not perform a MAC computation if an incorrect block cipher padding is used, which causes an information leak (timing discrepancy) that may make it easier to launch cryptographic attacks that rely on distinguishing between padding and MAC verification errors, possibly leading to extraction of the original plaintext, aka the "Vaudenay timing attack."
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
OpenSSLOpenSSL Version < 0.9.6i
OpenSSLOpenSSL Version0.9.6i
OpenSSLOpenSSL Version0.9.7 Update-
OpenSSLOpenSSL Version0.9.7 Updatebeta1
OpenSSLOpenSSL Version0.9.7 Updatebeta2
OpenSSLOpenSSL Version0.9.7 Updatebeta3
OpenSSLOpenSSL Version0.9.7 Updatebeta4
OpenSSLOpenSSL Version0.9.7 Updatebeta5
OpenSSLOpenSSL Version0.9.7 Updatebeta6
FreebsdFreebsd Version4.2
FreebsdFreebsd Version4.3
FreebsdFreebsd Version4.4
FreebsdFreebsd Version4.5
FreebsdFreebsd Version4.6
FreebsdFreebsd Version4.7
FreebsdFreebsd Version5.0
OpenbsdOpenbsd Version3.1
OpenbsdOpenbsd Version3.2
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 13.72% 0.96
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 5 10 2.9
AV:N/AC:L/Au:N/C:P/I:N/A:N
CWE-203 Observable Discrepancy

The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor.

http://www.redhat.com/support/errata/RHSA-2003-082.html
Broken Link
ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2003-001.txt.asc
Broken Link
ftp://patches.sgi.com/support/free/security/advisories/20030501-01-I
Broken Link
http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000570
Broken Link
http://marc.info/?l=bugtraq&m=104567627211904&w=2
Third Party Advisory
http://marc.info/?l=bugtraq&m=104568426824439&w=2
Third Party Advisory
http://marc.info/?l=bugtraq&m=104577183206905&w=2
Third Party Advisory
http://www.ciac.org/ciac/bulletins/n-051.shtml
Broken Link
http://www.debian.org/security/2003/dsa-253
Vendor Advisory
Broken Link
http://www.iss.net/security_center/static/11369.php
Vendor Advisory
Broken Link
http://www.linuxsecurity.com/advisories/engarde_advisory-2874.html
Broken Link
http://www.mandrakesoft.com/security/advisories?name=MDKSA-2003:020
Broken Link
http://www.openssl.org/news/secadv_20030219.txt
Patch
Vendor Advisory
Broken Link
http://www.osvdb.org/3945
Broken Link
http://www.redhat.com/support/errata/RHSA-2003-062.html
Broken Link
http://www.redhat.com/support/errata/RHSA-2003-063.html
Broken Link
http://www.redhat.com/support/errata/RHSA-2003-104.html
Broken Link
http://www.redhat.com/support/errata/RHSA-2003-205.html
Broken Link
http://www.securityfocus.com/bid/6884
Third Party Advisory
Broken Link
VDB Entry
http://www.trustix.org/errata/2003/0005
Broken Link