CVE-2011-3389: Weak Encryption
First published: Tue Sep 06 2011(Updated: )
Juliano Rizzo announced: [1] <a href="http://www.ekoparty.org/2011/juliano-rizzo.php">http://www.ekoparty.org/2011/juliano-rizzo.php</a> that at ekoparty Security Conference, from 2011-09-21 to 2011-09-23 they will present a new fast block-wise chosen-plaintext attack against SSL/TLS. One application of the attack should allow the adversary to efficiently decrypt and obtain authentication tokens and cookies from HTTPS requests. The Red Hat Security Response Team is watching progress on this one and once further details are available, we will immediately react to ensure timely manner updates for affected packages.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/java | <1.6.0-sun-1:1.6.0.29-1jpp.1.el4 | 1.6.0-sun-1:1.6.0.29-1jpp.1.el4 |
| redhat/java | <1.4.2-ibm-0:1.4.2.13.11-1jpp.1.el4 | 1.4.2-ibm-0:1.4.2.13.11-1jpp.1.el4 |
| redhat/java | <1.6.0-ibm-1:1.6.0.10.0-1jpp.2.el4 | 1.6.0-ibm-1:1.6.0.10.0-1jpp.2.el4 |
| redhat/java | <1.6.0-openjdk-1:1.6.0.0-1.23.1.9.10.el5_7 | 1.6.0-openjdk-1:1.6.0.0-1.23.1.9.10.el5_7 |
| redhat/java | <1.6.0-openjdk-1:1.6.0.0-1.40.1.9.10.el6_1 | 1.6.0-openjdk-1:1.6.0.0-1.40.1.9.10.el6_1 |
| redhat/java | <1.6.0-sun-1:1.6.0.29-1jpp.1.el6 | 1.6.0-sun-1:1.6.0.29-1jpp.1.el6 |
| redhat/java | <1.6.0-ibm-1:1.6.0.10.0-1jpp.2.el6 | 1.6.0-ibm-1:1.6.0.10.0-1jpp.2.el6 |
| redhat/java | <1.6.0-ibm-1:1.6.0.14.0-1jpp.1.el5_9 | 1.6.0-ibm-1:1.6.0.14.0-1jpp.1.el5_9 |
| redhat/java | <1.4.2-ibm-sap-0:1.4.2.13.11.sap-1jpp.1.el4 | 1.4.2-ibm-sap-0:1.4.2.13.11.sap-1jpp.1.el4 |
| redhat/java | <1.4.2-ibm-sap-0:1.4.2.13.11.sap-1jpp.1.el5 | 1.4.2-ibm-sap-0:1.4.2.13.11.sap-1jpp.1.el5 |
| redhat/java | <1.6.0-sun-1:1.6.0.29-1jpp.1.el5 | 1.6.0-sun-1:1.6.0.29-1jpp.1.el5 |
| redhat/java | <1.4.2-ibm-0:1.4.2.13.11-1jpp.1.el5 | 1.4.2-ibm-0:1.4.2.13.11-1jpp.1.el5 |
| redhat/java | <1.6.0-ibm-1:1.6.0.10.0-1jpp.2.el5 | 1.6.0-ibm-1:1.6.0.10.0-1jpp.2.el5 |
| redhat/java | <1.5.0-ibm-1:1.5.0.13.1-1jpp.1.el5 | 1.5.0-ibm-1:1.5.0.13.1-1jpp.1.el5 |
| redhat/java | <1.5.0-ibm-1:1.5.0.13.1-1jpp.2.el6_2 | 1.5.0-ibm-1:1.5.0.13.1-1jpp.2.el6_2 |
| debian/asterisk | 1:16.28.0~dfsg-0+deb11u4 1:20.8.1~dfsg+~cs6.14.40431414-1 | |
| debian/bouncycastle | 1.68-2 1.72-2 1.77-1 | |
| debian/curl | 7.74.0-1.3+deb11u12 7.74.0-1.3+deb11u11 7.88.1-10+deb12u6 7.88.1-10+deb12u5 8.8.0-4 8.9.1-1 | |
| debian/erlang | 1:23.2.6+dfsg-1+deb11u1 1:25.2.3+dfsg-1 1:25.3.2.12+dfsg-1 | |
| debian/gnutls28 | <=3.7.1-5+deb11u5<=3.7.1-5+deb11u3<=3.7.9-2+deb12u3<=3.8.6-2 | |
| debian/haskell-tls | <=1.5.4-1<=1.5.8-1<=1.6.0-1 | |
| debian/lighttpd | 1.4.59-1+deb11u2 1.4.69-1 1.4.76-1 | |
| debian/nss | 2:3.61-1+deb11u3 2:3.87.1-1 2:3.102-1 2:3.103-1 | |
| debian/pound | 3.0-2 4.12-1 | |
| debian/python2.7 | 2.7.18-8+deb11u1 | |
| Opera | ||
| Internet Explorer | ||
| Microsoft Windows | ||
| Google Chrome | ||
| Mozilla Firefox | ||
| haxx curl | >=7.10.6<=7.23.1 | |
| redhat enterprise Linux server | =5.0 | |
| redhat enterprise Linux server aus | =6.2 | |
| redhat enterprise Linux workstation | =5.0 | |
| redhat enterprise Linux desktop | =6.0 | |
| redhat enterprise Linux server | =6.0 | |
| redhat enterprise Linux workstation | =6.0 | |
| redhat enterprise Linux desktop | =5.0 | |
| redhat enterprise Linux eus | =6.2 | |
| Debian Debian Linux | =5.0 | |
| Debian Debian Linux | =6.0 | |
| Ubuntu Linux | =10.10 | |
| Ubuntu Linux | =11.04 | |
| Ubuntu Linux | =11.10 | |
| Ubuntu Linux | =10.04 | |
| Siemens Simatic RF68XR Firmware | <3.2.1 | |
| Siemens Simatic RF68XR Firmware | ||
| Siemens Simatic RF615R Firmware | <3.2.1 | |
| Siemens Simatic RF615R Firmware |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.opera.com/docs/changelogs/unix/1151/
- http://www.securityfocus.com/bid/49388
- http://www.opera.com/docs/changelogs/windows/1151/
- http://www.opera.com/docs/changelogs/mac/1151/
- http://osvdb.org/74829
- http://secunia.com/advisories/45791
- http://www.securitytracker.com/id?1025997
- http://eprint.iacr.org/2004/111
- https://bugzilla.redhat.com/show_bug.cgi?id=737506
- http://ekoparty.org/2011/juliano-rizzo.php
- http://www.imperialviolet.org/2011/09/23/chromeandbeast.html
- https://bugzilla.novell.com/show_bug.cgi?id=719047
- http://www.insecure.cl/Beast-SSL.rar
- http://www.educatedguesswork.org/2011/09/security_impact_of_the_rizzodu.html
- http://eprint.iacr.org/2006/136
- http://isc.sans.edu/diary/SSL+TLS+part+3+/11635
- http://my.opera.com/securitygroup/blog/2011/09/28/the-beast-ssl-tls-issue
- http://blog.mozilla.com/security/2011/09/27/attack-against-tls-protected-communications/
- http://blogs.technet.com/b/msrc/archive/2011/09/26/microsoft-releases-security-advisory-2588513.aspx
- http://technet.microsoft.com/security/advisory/2588513
- http://support.apple.com/kb/HT4999
- http://www.oracle.com/technetwork/topics/security/javacpuoct2011-443431.html
- http://support.apple.com/kb/HT5001
- http://lists.apple.com/archives/Security-announce/2011//Oct/msg00001.html
- http://lists.apple.com/archives/Security-announce/2011//Oct/msg00002.html
- http://www.securitytracker.com/id?1026103
- http://www.securityfocus.com/bid/49778
- http://blogs.technet.com/b/srd/archive/2011/09/26/is-ssl-broken-more-about-security-advisory-2588513.aspx
- http://www.redhat.com/support/errata/RHSA-2011-1384.html
- http://vnhacker.blogspot.com/2011/09/beast.html
- http://www.kb.cert.org/vuls/id/864643
- http://googlechromereleases.blogspot.com/2011/10/chrome-stable-release.html
- http://www.ibm.com/developerworks/java/jdk/alerts/
- http://www.opera.com/docs/changelogs/windows/1160/
- http://www.opera.com/docs/changelogs/mac/1160/
- http://www.opera.com/support/kb/view/1004/
- http://www.opera.com/docs/changelogs/unix/1160/
- http://www.redhat.com/support/errata/RHSA-2012-0006.html
- http://support.apple.com/kb/HT5130
- http://lists.apple.com/archives/security-announce/2012/Feb/msg00000.html
- http://marc.info/?l=bugtraq&m=132872385320240&w=2
- http://support.apple.com/kb/HT5281
- http://lists.apple.com/archives/security-announce/2012/May/msg00001.html
- http://lists.apple.com/archives/security-announce/2012/Jul/msg00001.html
- http://support.apple.com/kb/HT5501
- http://lists.apple.com/archives/security-announce/2012/Sep/msg00004.html
- http://secunia.com/advisories/49198
- http://lists.opensuse.org/opensuse-security-announce/2012-01/msg00051.html
- https://hermes.opensuse.org/messages/13155432
- https://hermes.opensuse.org/messages/13154861
- http://lists.opensuse.org/opensuse-security-announce/2012-01/msg00049.html
- http://marc.info/?l=bugtraq&m=132750579901589&w=2
- http://secunia.com/advisories/48692
- https://blogs.oracle.com/sunsecurity/entry/multiple_vulnerabilities_in_fetchmail
- http://secunia.com/advisories/48948
- http://secunia.com/advisories/48915
- http://www.us-cert.gov/cas/techalerts/TA12-010A.html
- https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c03839862
- http://secunia.com/advisories/55351
- http://secunia.com/advisories/55322
- http://secunia.com/advisories/55350
- http://www.securitytracker.com/id/1029190
- http://rhn.redhat.com/errata/RHSA-2013-1455.html
- http://lists.apple.com/archives/security-announce/2013/Oct/msg00004.html
- http://www.ubuntu.com/usn/USN-1263-1
- http://support.apple.com/kb/HT6150
- http://security.gentoo.org/glsa/glsa-201406-32.xml
- http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html
- http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html
- http://downloads.asterisk.org/pub/security/AST-2016-001.html
- http://marc.info/?l=bugtraq&m=134254957702612&w=2
- http://marc.info/?l=bugtraq&m=133365109612558&w=2
- http://marc.info/?l=bugtraq&m=133728004526190&w=2
- http://www.apcmedia.com/salestools/SJHN-7RKGNM/SJHN-7RKGNM_R4_EN.pdf
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14752
- http://marc.info/?l=bugtraq&m=134254866602253&w=2
- http://www.mandriva.com/security/advisories?name=MDVSA-2012:058
- http://rhn.redhat.com/errata/RHSA-2012-0508.html
- http://lists.opensuse.org/opensuse-security-announce/2012-05/msg00009.html
- http://security.gentoo.org/glsa/glsa-201203-02.xml
- http://secunia.com/advisories/48256
- http://www.securitytracker.com/id?1026704
- http://secunia.com/advisories/47998
- http://www.debian.org/security/2012/dsa-2398
- http://curl.haxx.se/docs/adv_20120124B.html
- https://ics-cert.us-cert.gov/advisories/ICSMA-18-058-02
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2012/ms12-006
- https://cert-portal.siemens.com/productcert/pdf/ssa-556833.pdf
- http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00040.html
- http://www.ekoparty.org/2011/juliano-rizzo.php
- http://www.theregister.co.uk/2011/09/19/beast_exploits_paypal_ssl/
- http://www.openssl.org/~bodo/tls-cbc.txt
- http://cvs.openssl.org/chngview?cn=6452
- https://access.redhat.com/security/cve/CVE-2011-3389
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=737506
- http://www.gnu.org/software/gnutls/security.html
- https://rhn.redhat.com/errata/RHSA-2011-1380.html
- https://rhn.redhat.com/errata/RHSA-2011-1384.html
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=737506#c16
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=737506#c17
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=737506#c1
- https://bugzilla.mozilla.org/show_bug.cgi?id=665814#c89
- https://rhn.redhat.com/errata/RHSA-2012-0006.html
- https://rhn.redhat.com/errata/RHSA-2012-0034.html
- https://bugzilla.mozilla.org/show_bug.cgi?id=702111
- http://bugs.python.org/issue13885
- http://hg.python.org/cpython/rev/9a4131ada792
- https://rhn.redhat.com/errata/RHSA-2012-0343.html
- https://rhn.redhat.com/errata/RHSA-2012-0508.html
- http://www.educatedguesswork.org/2011/11/rizzoduong_beast_countermeasur.html
- https://community.qualys.com/blogs/securitylabs/2011/10/17/mitigating-the-beast-attack-on-tls
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=737506#c19
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=737506#c23
- https://rhn.redhat.com/errata/RHBA-2012-0337.html
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=770682#c11
- http://pkgs.fedoraproject.org/gitweb/?p=nss.git;a=commitdiff;h=40928cb8e33ef2b3cc7adc988f87fa36e7f00261
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=737506#c34
- https://rhn.redhat.com/errata/RHSA-2012-1088.html
- https://rhn.redhat.com/errata/RHSA-2012-1089.html
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=737506#c44
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=737506#c45
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=737506#c30
- http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslhonorcipherorder
- http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslciphersuite
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=921947
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=737506#c36
- https://community.qualys.com/blogs/securitylabs/2013/09/10/is-beast-still-a-threat
- http://cr.yp.to/talks/2013.03.12/slides.pdf
- http://www.forbes.com/sites/andygreenberg/2013/03/13/cryptographers-show-mathematically-crackable-flaws-in-common-web-encryption/
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=737506#c38
- http://www.forbes.com/sites/andygreenberg/2013/03/13/cryptographers-show
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=737506#c37
- https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk86440
- https://rhn.redhat.com/errata/RHSA-2013-1455.html
- https://rhn.redhat.com/errata/RHBA-2013-1585.html
- https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.14_release_notes
- https://rhn.redhat.com/errata/RHBA-2013-1318.html
- https://rhn.redhat.com/errata/RHBA-2013-0445.html
- https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.15.1_release_notes
- https://rhn.redhat.com/errata/RHSA-2013-1791.html
- https://rhn.redhat.com/errata/RHBA-2013-1558.html
- https://www.cve.org/CVERecord?id=CVE-2011-3389 https://nvd.nist.gov/vuln/detail/CVE-2011-3389
- https://access.redhat.com/errata/RHSA-2011:1384
- https://access.redhat.com/errata/RHSA-2012:0006
- https://access.redhat.com/errata/RHSA-2012:0034
- https://access.redhat.com/errata/RHSA-2011:1380
- https://access.redhat.com/errata/RHSA-2013:1455
- https://access.redhat.com/errata/RHSA-2012:0343
- https://access.redhat.com/errata/RHSA-2012:0508
- https://bugzilla.mozilla.org/show_bug.cgi?id=665814
- https://hg.mozilla.org/projects/nss/rev/7f7446fcc7ab
- http://downloads.digium.com/pub/security/AST-2016-001.html
- https://issues.asterisk.org/jira/browse/ASTERISK-24972
- https://code.asterisk.org/code/changelog/asterisk?cs=f233bcd81d85626ce5bdd27b05bc95d131faf3e4
- https://security-tracker.debian.org/tracker/CVE-2011-3389
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is the severity of CVE-2011-3389?
CVE-2011-3389 has been classified as a critical vulnerability impacting SSL/TLS, allowing for block-wise chosen-plaintext attacks.
How do I fix CVE-2011-3389?
To mitigate CVE-2011-3389, upgrade to the recommended patched versions of the affected Java packages provided by Red Hat and Debian.
What software is affected by CVE-2011-3389?
CVE-2011-3389 affects various versions of Java, browsers like Opera, Internet Explorer, Google Chrome, and Mozilla Firefox, among others.
Can CVE-2011-3389 be exploited remotely?
Yes, CVE-2011-3389 can be exploited remotely, allowing attackers to execute unauthorized actions on a vulnerable system.
Is CVE-2011-3389 still a problem today?
While CVE-2011-3389 was disclosed in 2011, it remains relevant for older systems that have not been updated or patched.
- collector/redhat-cve
- agent/type
- agent/severity
- agent/author
- agent/weakness
- agent/references
- agent/remedy
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/first-publish-date
- agent/event
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2011-3389
- collector/security-tracker-debian
- source/Debian
- agent/software-canonical-lookup
- agent/trending
- agent/source
- collector/nvd-historical
- agent/software-canonical-lookup-request
- agent/tags
- agent/softwarecombine
- collector/nvd-index
- package-manager/redhat
- package-manager/debian
- vendor/opera
- canonical/opera
- vendor/microsoft
- canonical/internet explorer
- canonical/microsoft windows
- vendor/google
- canonical/google chrome
- vendor/mozilla
- canonical/mozilla firefox
- vendor/haxx
- canonical/haxx curl
- version/haxx curl/7.10.6
- version/haxx curl/7.23.1
- vendor/redhat
- canonical/redhat enterprise linux server
- version/redhat enterprise linux server/5.0
- canonical/redhat enterprise linux server aus
- version/redhat enterprise linux server aus/6.2
- canonical/redhat enterprise linux workstation
- version/redhat enterprise linux workstation/5.0
- canonical/redhat enterprise linux desktop
- version/redhat enterprise linux desktop/6.0
- version/redhat enterprise linux server/6.0
- version/redhat enterprise linux workstation/6.0
- version/redhat enterprise linux desktop/5.0
- canonical/redhat enterprise linux eus
- version/redhat enterprise linux eus/6.2
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/5.0
- version/debian debian linux/6.0
- vendor/canonical
- canonical/ubuntu linux
- version/ubuntu linux/10.10
- version/ubuntu linux/11.04
- version/ubuntu linux/11.10
- version/ubuntu linux/10.04
- vendor/siemens
- canonical/siemens simatic rf68xr firmware
- canonical/siemens simatic rf615r firmware