National Vulnerability Database

CVE-2011-3389 Detail

Current Description

The SSL protocol, as used in certain configurations in Microsoft Windows and Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera, and other products, encrypts data by using CBC mode with chained initialization vectors, which allows man-in-the-middle attackers to obtain plaintext HTTP headers via a blockwise chosen-boundary attack (BCBA) on an HTTPS session, in conjunction with JavaScript code that uses (1) the HTML5 WebSocket API, (2) the Java URLConnection API, or (3) the Silverlight WebClient API, aka a "BEAST" attack.

Source: MITRE    Last Modified: 09/06/2011

Quick Info

CVE Dictionary Entry: CVE-2011-3389
Original release date: 09/06/2011
Last revised: 01/09/2018
Source: US-CERT/NIST

Impact

CVSS Severity (version 2.0):
CVSS v2 Base Score: 4.3 MEDIUM
Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)
Impact Subscore: 2.9
Exploitability Subscore: 8.6

CVSS Version 2 Metrics:
Access Vector: Network exploitable
Access Complexity: Medium
Authentication: Not required to exploit
Impact Type: Allows unauthorized disclosure of information

References to Advisories, Solutions, and Tools


Hyperlink / Resource Type / Source / Name
http://blog.mozilla.com/security/2011/09/27/attack-against-tls-protected-communications/ External Source CONFIRM http://blog.mozilla.com/security/2011/09/27/attack-against-tls-protected-communications/
http://blogs.technet.com/b/msrc/archive/2011/09/26/microsoft-releases-security-advisory-2588513.aspx External Source CONFIRM http://blogs.technet.com/b/msrc/archive/2011/09/26/microsoft-releases-security-advisory-2588513.aspx
http://blogs.technet.com/b/srd/archive/2011/09/26/is-ssl-broken-more-about-security-advisory-2588513.aspx External Source CONFIRM http://blogs.technet.com/b/srd/archive/2011/09/26/is-ssl-broken-more-about-security-advisory-2588513.aspx
http://curl.haxx.se/docs/adv_20120124B.html External Source CONFIRM http://curl.haxx.se/docs/adv_20120124B.html
http://downloads.asterisk.org/pub/security/AST-2016-001.html External Source CONFIRM http://downloads.asterisk.org/pub/security/AST-2016-001.html
http://ekoparty.org/2011/juliano-rizzo.php External Source MISC http://ekoparty.org/2011/juliano-rizzo.php
http://eprint.iacr.org/2004/111 External Source MISC http://eprint.iacr.org/2004/111
http://eprint.iacr.org/2006/136 External Source MISC http://eprint.iacr.org/2006/136
http://googlechromereleases.blogspot.com/2011/10/chrome-stable-release.html External Source CONFIRM http://googlechromereleases.blogspot.com/2011/10/chrome-stable-release.html
http://isc.sans.edu/diary/SSL+TLS+part+3+/11635 External Source MISC http://isc.sans.edu/diary/SSL+TLS+part+3+/11635
http://lists.apple.com/archives/Security-announce/2011//Oct/msg00001.html External Source APPLE APPLE-SA-2011-10-12-1
http://lists.apple.com/archives/Security-announce/2011//Oct/msg00002.html External Source APPLE APPLE-SA-2011-10-12-2
http://lists.apple.com/archives/security-announce/2012/Feb/msg00000.html External Source APPLE APPLE-SA-2012-02-01-1
http://lists.apple.com/archives/security-announce/2012/Jul/msg00001.html External Source APPLE APPLE-SA-2012-07-25-2
http://lists.apple.com/archives/security-announce/2012/May/msg00001.html External Source APPLE APPLE-SA-2012-05-09-1
http://lists.apple.com/archives/security-announce/2012/Sep/msg00004.html External Source APPLE APPLE-SA-2012-09-19-2
http://lists.apple.com/archives/security-announce/2013/Oct/msg00004.html External Source APPLE APPLE-SA-2013-10-22-3
http://lists.opensuse.org/opensuse-security-announce/2012-01/msg00049.html External Source SUSE SUSE-SU-2012:0114
http://lists.opensuse.org/opensuse-security-announce/2012-01/msg00051.html External Source SUSE SUSE-SU-2012:0122
http://lists.opensuse.org/opensuse-security-announce/2012-05/msg00009.html External Source SUSE SUSE-SU-2012:0602
http://marc.info/?l=bugtraq&m=132750579901589&w=2 External Source HP HPSBUX02730
http://marc.info/?l=bugtraq&m=132872385320240&w=2 External Source HP HPSBMU02742
http://marc.info/?l=bugtraq&m=133365109612558&w=2 External Source HP SSRT100805
http://marc.info/?l=bugtraq&m=133728004526190&w=2 External Source HP SSRT100854
http://marc.info/?l=bugtraq&m=134254866602253&w=2 External Source HP HPSBMU02799
http://marc.info/?l=bugtraq&m=134254957702612&w=2 External Source HP SSRT100867
http://my.opera.com/securitygroup/blog/2011/09/28/the-beast-ssl-tls-issue External Source CONFIRM http://my.opera.com/securitygroup/blog/2011/09/28/the-beast-ssl-tls-issue
http://rhn.redhat.com/errata/RHSA-2012-0508.html External Source REDHAT RHSA-2012:0508
http://rhn.redhat.com/errata/RHSA-2013-1455.html External Source REDHAT RHSA-2013:1455
http://secunia.com/advisories/47998 External Source SECUNIA 47998
http://secunia.com/advisories/48256 External Source SECUNIA 48256
http://security.gentoo.org/glsa/glsa-201203-02.xml External Source GENTOO GLSA-201203-02
http://security.gentoo.org/glsa/glsa-201406-32.xml External Source GENTOO GLSA-201406-32
http://support.apple.com/kb/HT4999 External Source CONFIRM http://support.apple.com/kb/HT4999
http://support.apple.com/kb/HT5001 External Source CONFIRM http://support.apple.com/kb/HT5001
http://support.apple.com/kb/HT5130 External Source CONFIRM http://support.apple.com/kb/HT5130
http://support.apple.com/kb/HT5281 External Source CONFIRM http://support.apple.com/kb/HT5281
http://support.apple.com/kb/HT5501 External Source CONFIRM http://support.apple.com/kb/HT5501
http://support.apple.com/kb/HT6150 External Source CONFIRM http://support.apple.com/kb/HT6150
http://technet.microsoft.com/security/advisory/2588513 External Source CONFIRM http://technet.microsoft.com/security/advisory/2588513
http://technet.microsoft.com/security/bulletin/MS12-006 Vendor Advisory External Source MS MS12-006
http://vnhacker.blogspot.com/2011/09/beast.html External Source MISC http://vnhacker.blogspot.com/2011/09/beast.html
http://www.apcmedia.com/salestools/SJHN-7RKGNM/SJHN-7RKGNM_R4_EN.pdf External Source CONFIRM http://www.apcmedia.com/salestools/SJHN-7RKGNM/SJHN-7RKGNM_R4_EN.pdf
http://www.debian.org/security/2012/dsa-2398 External Source DEBIAN DSA-2398
http://www.educatedguesswork.org/2011/09/security_impact_of_the_rizzodu.html External Source MISC http://www.educatedguesswork.org/2011/09/security_impact_of_the_rizzodu.html
http://www.ibm.com/developerworks/java/jdk/alerts/ External Source CONFIRM http://www.ibm.com/developerworks/java/jdk/alerts/
http://www.imperialviolet.org/2011/09/23/chromeandbeast.html External Source CONFIRM http://www.imperialviolet.org/2011/09/23/chromeandbeast.html
http://www.insecure.cl/Beast-SSL.rar Patch External Source MISC http://www.insecure.cl/Beast-SSL.rar
http://www.kb.cert.org/vuls/id/864643 US Government Resource External Source CERT-VN VU#864643
http://www.mandriva.com/security/advisories?name=MDVSA-2012:058 External Source MANDRIVA MDVSA-2012:058
http://www.opera.com/docs/changelogs/mac/1151/ External Source CONFIRM http://www.opera.com/docs/changelogs/mac/1151/
http://www.opera.com/docs/changelogs/mac/1160/ External Source CONFIRM http://www.opera.com/docs/changelogs/mac/1160/
http://www.opera.com/docs/changelogs/unix/1151/ External Source CONFIRM http://www.opera.com/docs/changelogs/unix/1151/
http://www.opera.com/docs/changelogs/unix/1160/ External Source CONFIRM http://www.opera.com/docs/changelogs/unix/1160/
http://www.opera.com/docs/changelogs/windows/1151/ External Source CONFIRM http://www.opera.com/docs/changelogs/windows/1151/
http://www.opera.com/docs/changelogs/windows/1160/ External Source CONFIRM http://www.opera.com/docs/changelogs/windows/1160/
http://www.opera.com/support/kb/view/1004/ Vendor Advisory External Source CONFIRM http://www.opera.com/support/kb/view/1004/
http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html External Source CONFIRM http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html
http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html External Source CONFIRM http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html
http://www.oracle.com/technetwork/topics/security/javacpuoct2011-443431.html External Source CONFIRM http://www.oracle.com/technetwork/topics/security/javacpuoct2011-443431.html
http://www.redhat.com/support/errata/RHSA-2011-1384.html Vendor Advisory External Source REDHAT RHSA-2011:1384
http://www.redhat.com/support/errata/RHSA-2012-0006.html External Source REDHAT RHSA-2012:0006
http://www.securityfocus.com/bid/49388 External Source BID 49388
http://www.securityfocus.com/bid/49778 External Source BID 49778
http://www.securitytracker.com/id/1029190 External Source SECTRACK 1029190
http://www.securitytracker.com/id?1025997 External Source SECTRACK 1025997
http://www.securitytracker.com/id?1026103 External Source SECTRACK 1026103
http://www.securitytracker.com/id?1026704 External Source SECTRACK 1026704
http://www.ubuntu.com/usn/USN-1263-1 External Source UBUNTU USN-1263-1
http://www.us-cert.gov/cas/techalerts/TA12-010A.html US Government Resource External Source CERT TA12-010A
https://blogs.oracle.com/sunsecurity/entry/multiple_vulnerabilities_in_fetchmail External Source CONFIRM https://blogs.oracle.com/sunsecurity/entry/multiple_vulnerabilities_in_fetchmail
https://bugzilla.novell.com/show_bug.cgi?id=719047 External Source CONFIRM https://bugzilla.novell.com/show_bug.cgi?id=719047
https://bugzilla.redhat.com/show_bug.cgi?id=737506 External Source CONFIRM https://bugzilla.redhat.com/show_bug.cgi?id=737506
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c03839862 External Source HP HPSBMU02900
https://hermes.opensuse.org/messages/13154861 External Source SUSE openSUSE-SU-2012:0030
https://hermes.opensuse.org/messages/13155432 External Source SUSE openSUSE-SU-2012:0063
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14752 External Source OVAL oval:org.mitre.oval:def:14752

References to Check Content

Identifier: oval:org.mitre.oval:def:14752
Check System: http://oval.mitre.org/XMLSchema/oval-definitions-5
Hyperlink: http://oval.mitre.org/repository/data/DownloadDefinition?id=oval:org.mitre.oval:def:14752

Technical Details

Change History: 15 change records found