National Vulnerability Database

National Vulnerability Database

National Vulnerability
Database

Vulnerability Change Record for CVE-2004-2761

Change History

Modified Analysis - 2/1/2017 1:53:32 PM

Action Type Old Value New Value
Changed Reference Type
https://bugzilla.redhat.com/show_bug.cgi?id=648886 No Types Assigned
https://bugzilla.redhat.com/show_bug.cgi?id=648886 Issue Tracking
Changed Evaluator Impact
There are four significant mitigating factors.

1) Most enterprise-class certificates, such as VeriSign’s Extended Validation SSL Certificates use the still secure SHA-1 hash function. 

2) Certificates already issued with MD5 signatures are not at risk.  The exploit only affects new certificate acquisitions. 

3) CAs are quickly moving to replace MD5 with SHA-1.  For example, VeriSign was planning to phase out MD5 by the end of January 2009.  The date was pushed up due to the December proof of concept.  On December 31, 2008, RapidSSL certificates shipped with SHA-1 digital signatures. 

4)The researchers did not release the under-the-hood specifics of how the exploit was executed. 

Source - http://blogs.techrepublic.com.com/security/?p=724&tag=nl.e036
There are four significant mitigating factors.

1) Most enterprise-class certificates, such as VeriSign’s Extended Validation SSL Certificates use the still secure SHA-1 hash function. 

2) Certificates already issued with MD5 signatures are not at risk.  The exploit only affects new certificate acquisitions. 

3) CAs are quickly moving to replace MD5 with SHA-1.  For example, VeriSign was planning to phase out MD5 by the end of January 2009.  The date was pushed up due to the December proof of concept.  On December 31, 2008, RapidSSL certificates shipped with SHA-1 digital signatures. 

4)The researchers did not release the under-the-hood specifics of how the exploit was executed. 

Source - http://www.techrepublic.com/blog/it-security/the-new-md5-ssl-exploit-is-not-the-end-of-civilization-as-we-know-it/?tag=nl.e036
Changed CPE Configuration
AND
     OR
          *cpe:2.3:a:ietf:md5:*:*:*:*:*:*:*:*
     OR
          cpe:2.3:a:ietf:x.509_certificate:*:*:*:*:*:*:*:*
AND
     OR
          *cpe:2.3:a:ietf:md5:-:*:*:*:*:*:*:*
     OR
          cpe:2.3:a:ietf:x.509_certificate:-:*:*:*:*:*:*:*
Changed Reference Type
http://www.kb.cert.org/vuls/id/836068 US Government Resource
http://www.kb.cert.org/vuls/id/836068 Third Party Advisory, US Government Resource
Changed Reference Type
http://www.microsoft.com/technet/security/advisory/961509.mspx No Types Assigned
http://www.microsoft.com/technet/security/advisory/961509.mspx Mitigation, Vendor Advisory, Patch