CVE-2011-3389: Weak Encryption
First published: Tue Sep 06 2011(Updated: )
Juliano Rizzo announced: [1] <a href="http://www.ekoparty.org/2011/juliano-rizzo.php">http://www.ekoparty.org/2011/juliano-rizzo.php</a> that at ekoparty Security Conference, from 2011-09-21 to 2011-09-23 they will present a new fast block-wise chosen-plaintext attack against SSL/TLS. One application of the attack should allow the adversary to efficiently decrypt and obtain authentication tokens and cookies from HTTPS requests. The Red Hat Security Response Team is watching progress on this one and once further details are available, we will immediately react to ensure timely manner updates for affected packages.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/java | <1.6.0-sun-1:1.6.0.29-1jpp.1.el4 | 1.6.0-sun-1:1.6.0.29-1jpp.1.el4 |
| redhat/java | <1.4.2-ibm-0:1.4.2.13.11-1jpp.1.el4 | 1.4.2-ibm-0:1.4.2.13.11-1jpp.1.el4 |
| redhat/java | <1.6.0-ibm-1:1.6.0.10.0-1jpp.2.el4 | 1.6.0-ibm-1:1.6.0.10.0-1jpp.2.el4 |
| redhat/java | <1.6.0-openjdk-1:1.6.0.0-1.23.1.9.10.el5_7 | 1.6.0-openjdk-1:1.6.0.0-1.23.1.9.10.el5_7 |
| redhat/java | <1.6.0-openjdk-1:1.6.0.0-1.40.1.9.10.el6_1 | 1.6.0-openjdk-1:1.6.0.0-1.40.1.9.10.el6_1 |
| redhat/java | <1.6.0-sun-1:1.6.0.29-1jpp.1.el6 | 1.6.0-sun-1:1.6.0.29-1jpp.1.el6 |
| redhat/java | <1.6.0-ibm-1:1.6.0.10.0-1jpp.2.el6 | 1.6.0-ibm-1:1.6.0.10.0-1jpp.2.el6 |
| redhat/java | <1.6.0-ibm-1:1.6.0.14.0-1jpp.1.el5_9 | 1.6.0-ibm-1:1.6.0.14.0-1jpp.1.el5_9 |
| redhat/java | <1.4.2-ibm-sap-0:1.4.2.13.11.sap-1jpp.1.el4 | 1.4.2-ibm-sap-0:1.4.2.13.11.sap-1jpp.1.el4 |
| redhat/java | <1.4.2-ibm-sap-0:1.4.2.13.11.sap-1jpp.1.el5 | 1.4.2-ibm-sap-0:1.4.2.13.11.sap-1jpp.1.el5 |
| redhat/java | <1.6.0-sun-1:1.6.0.29-1jpp.1.el5 | 1.6.0-sun-1:1.6.0.29-1jpp.1.el5 |
| redhat/java | <1.4.2-ibm-0:1.4.2.13.11-1jpp.1.el5 | 1.4.2-ibm-0:1.4.2.13.11-1jpp.1.el5 |
| redhat/java | <1.6.0-ibm-1:1.6.0.10.0-1jpp.2.el5 | 1.6.0-ibm-1:1.6.0.10.0-1jpp.2.el5 |
| redhat/java | <1.5.0-ibm-1:1.5.0.13.1-1jpp.1.el5 | 1.5.0-ibm-1:1.5.0.13.1-1jpp.1.el5 |
| redhat/java | <1.5.0-ibm-1:1.5.0.13.1-1jpp.2.el6_2 | 1.5.0-ibm-1:1.5.0.13.1-1jpp.2.el6_2 |
| debian/asterisk | 1:16.28.0~dfsg-0+deb11u4 1:20.8.1~dfsg+~cs6.14.40431414-1 | |
| debian/bouncycastle | 1.68-2 1.72-2 1.77-1 | |
| debian/curl | 7.74.0-1.3+deb11u12 7.74.0-1.3+deb11u11 7.88.1-10+deb12u6 7.88.1-10+deb12u5 8.8.0-4 8.9.1-1 | |
| debian/erlang | 1:23.2.6+dfsg-1+deb11u1 1:25.2.3+dfsg-1 1:25.3.2.12+dfsg-1 | |
| debian/gnutls28 | <=3.7.1-5+deb11u5<=3.7.1-5+deb11u3<=3.7.9-2+deb12u3<=3.8.6-2 | |
| debian/haskell-tls | <=1.5.4-1<=1.5.8-1<=1.6.0-1 | |
| debian/lighttpd | 1.4.59-1+deb11u2 1.4.69-1 1.4.76-1 | |
| debian/nss | 2:3.61-1+deb11u3 2:3.87.1-1 2:3.102-1 2:3.103-1 | |
| debian/pound | 3.0-2 4.12-1 | |
| debian/python2.7 | 2.7.18-8+deb11u1 | |
| Web Browser for Android | ||
| Internet Explorer | ||
| Microsoft Windows Operating System | ||
| Google Chrome | ||
| Firefox | ||
| Curl | >=7.10.6<=7.23.1 | |
| Red Hat Enterprise Linux Server | =5.0 | |
| Red Hat Enterprise Linux Server | =6.2 | |
| Red Hat Enterprise Linux Workstation | =5.0 | |
| Red Hat Enterprise Linux Desktop | =6.0 | |
| Red Hat Enterprise Linux Server | =6.0 | |
| Red Hat Enterprise Linux Workstation | =6.0 | |
| Red Hat Enterprise Linux Desktop | =5.0 | |
| Red Hat Enterprise Linux Server EUS | =6.2 | |
| Debian Linux | =5.0 | |
| Debian Linux | =6.0 | |
| Ubuntu | =10.10 | |
| Ubuntu | =11.04 | |
| Ubuntu | =11.10 | |
| Ubuntu | =10.04 | |
| Siemens Simatic RF68XR Firmware | <3.2.1 | |
| Siemens Simatic RF68XR Firmware | ||
| Siemens Simatic RF615R Firmware | <3.2.1 | |
| Siemens Simatic RF615R Firmware |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.opera.com/docs/changelogs/unix/1151/
- http://www.securityfocus.com/bid/49388
- http://www.opera.com/docs/changelogs/windows/1151/
- http://www.opera.com/docs/changelogs/mac/1151/
- http://osvdb.org/74829
- http://secunia.com/advisories/45791
- http://www.securitytracker.com/id?1025997
- http://eprint.iacr.org/2004/111
- https://bugzilla.redhat.com/show_bug.cgi?id=737506
- http://ekoparty.org/2011/juliano-rizzo.php
- http://www.imperialviolet.org/2011/09/23/chromeandbeast.html
- https://bugzilla.novell.com/show_bug.cgi?id=719047
- http://www.insecure.cl/Beast-SSL.rar
- http://www.educatedguesswork.org/2011/09/security_impact_of_the_rizzodu.html
- http://eprint.iacr.org/2006/136
- http://isc.sans.edu/diary/SSL+TLS+part+3+/11635
- http://my.opera.com/securitygroup/blog/2011/09/28/the-beast-ssl-tls-issue
- http://blog.mozilla.com/security/2011/09/27/attack-against-tls-protected-communications/
- http://blogs.technet.com/b/msrc/archive/2011/09/26/microsoft-releases-security-advisory-2588513.aspx
- http://technet.microsoft.com/security/advisory/2588513
- http://support.apple.com/kb/HT4999
- http://www.oracle.com/technetwork/topics/security/javacpuoct2011-443431.html
- http://support.apple.com/kb/HT5001
- http://lists.apple.com/archives/Security-announce/2011//Oct/msg00001.html
- http://lists.apple.com/archives/Security-announce/2011//Oct/msg00002.html
- http://www.securitytracker.com/id?1026103
- http://www.securityfocus.com/bid/49778
- http://blogs.technet.com/b/srd/archive/2011/09/26/is-ssl-broken-more-about-security-advisory-2588513.aspx
- http://www.redhat.com/support/errata/RHSA-2011-1384.html
- http://vnhacker.blogspot.com/2011/09/beast.html
- http://www.kb.cert.org/vuls/id/864643
- http://googlechromereleases.blogspot.com/2011/10/chrome-stable-release.html
- http://www.ibm.com/developerworks/java/jdk/alerts/
- http://www.opera.com/docs/changelogs/windows/1160/
- http://www.opera.com/docs/changelogs/mac/1160/
- http://www.opera.com/support/kb/view/1004/
- http://www.opera.com/docs/changelogs/unix/1160/
- http://www.redhat.com/support/errata/RHSA-2012-0006.html
- http://support.apple.com/kb/HT5130
- http://lists.apple.com/archives/security-announce/2012/Feb/msg00000.html
- http://marc.info/?l=bugtraq&m=132872385320240&w=2
- http://support.apple.com/kb/HT5281
- http://lists.apple.com/archives/security-announce/2012/May/msg00001.html
- http://lists.apple.com/archives/security-announce/2012/Jul/msg00001.html
- http://support.apple.com/kb/HT5501
- http://lists.apple.com/archives/security-announce/2012/Sep/msg00004.html
- http://secunia.com/advisories/49198
- http://lists.opensuse.org/opensuse-security-announce/2012-01/msg00051.html
- https://hermes.opensuse.org/messages/13155432
- https://hermes.opensuse.org/messages/13154861
- http://lists.opensuse.org/opensuse-security-announce/2012-01/msg00049.html
- http://marc.info/?l=bugtraq&m=132750579901589&w=2
- http://secunia.com/advisories/48692
- https://blogs.oracle.com/sunsecurity/entry/multiple_vulnerabilities_in_fetchmail
- http://secunia.com/advisories/48948
- http://secunia.com/advisories/48915
- http://www.us-cert.gov/cas/techalerts/TA12-010A.html
- https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c03839862
- http://secunia.com/advisories/55351
- http://secunia.com/advisories/55322
- http://secunia.com/advisories/55350
- http://www.securitytracker.com/id/1029190
- http://rhn.redhat.com/errata/RHSA-2013-1455.html
- http://lists.apple.com/archives/security-announce/2013/Oct/msg00004.html
- http://www.ubuntu.com/usn/USN-1263-1
- http://support.apple.com/kb/HT6150
- http://security.gentoo.org/glsa/glsa-201406-32.xml
- http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html
- http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html
- http://downloads.asterisk.org/pub/security/AST-2016-001.html
- http://marc.info/?l=bugtraq&m=134254957702612&w=2
- http://marc.info/?l=bugtraq&m=133365109612558&w=2
- http://marc.info/?l=bugtraq&m=133728004526190&w=2
- http://www.apcmedia.com/salestools/SJHN-7RKGNM/SJHN-7RKGNM_R4_EN.pdf
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14752
- http://marc.info/?l=bugtraq&m=134254866602253&w=2
- http://www.mandriva.com/security/advisories?name=MDVSA-2012:058
- http://rhn.redhat.com/errata/RHSA-2012-0508.html
- http://lists.opensuse.org/opensuse-security-announce/2012-05/msg00009.html
- http://security.gentoo.org/glsa/glsa-201203-02.xml
- http://secunia.com/advisories/48256
- http://www.securitytracker.com/id?1026704
- http://secunia.com/advisories/47998
- http://www.debian.org/security/2012/dsa-2398
- http://curl.haxx.se/docs/adv_20120124B.html
- https://ics-cert.us-cert.gov/advisories/ICSMA-18-058-02
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2012/ms12-006
- https://cert-portal.siemens.com/productcert/pdf/ssa-556833.pdf
- http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00040.html
- http://www.ekoparty.org/2011/juliano-rizzo.php
- http://www.theregister.co.uk/2011/09/19/beast_exploits_paypal_ssl/
- http://www.openssl.org/~bodo/tls-cbc.txt
- http://cvs.openssl.org/chngview?cn=6452
- https://access.redhat.com/security/cve/CVE-2011-3389
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=737506
- http://www.gnu.org/software/gnutls/security.html
- https://rhn.redhat.com/errata/RHSA-2011-1380.html
- https://rhn.redhat.com/errata/RHSA-2011-1384.html
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=737506#c16
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=737506#c17
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=737506#c1
- https://bugzilla.mozilla.org/show_bug.cgi?id=665814#c89
- https://rhn.redhat.com/errata/RHSA-2012-0006.html
- https://rhn.redhat.com/errata/RHSA-2012-0034.html
- https://bugzilla.mozilla.org/show_bug.cgi?id=702111
- http://bugs.python.org/issue13885
- http://hg.python.org/cpython/rev/9a4131ada792
- https://rhn.redhat.com/errata/RHSA-2012-0343.html
- https://rhn.redhat.com/errata/RHSA-2012-0508.html
- http://www.educatedguesswork.org/2011/11/rizzoduong_beast_countermeasur.html
- https://community.qualys.com/blogs/securitylabs/2011/10/17/mitigating-the-beast-attack-on-tls
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=737506#c19
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=737506#c23
- https://rhn.redhat.com/errata/RHBA-2012-0337.html
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=770682#c11
- http://pkgs.fedoraproject.org/gitweb/?p=nss.git;a=commitdiff;h=40928cb8e33ef2b3cc7adc988f87fa36e7f00261
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=737506#c34
- https://rhn.redhat.com/errata/RHSA-2012-1088.html
- https://rhn.redhat.com/errata/RHSA-2012-1089.html
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=737506#c44
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=737506#c45
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=737506#c30
- http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslhonorcipherorder
- http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslciphersuite
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=921947
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=737506#c36
- https://community.qualys.com/blogs/securitylabs/2013/09/10/is-beast-still-a-threat
- http://cr.yp.to/talks/2013.03.12/slides.pdf
- http://www.forbes.com/sites/andygreenberg/2013/03/13/cryptographers-show-mathematically-crackable-flaws-in-common-web-encryption/
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=737506#c38
- http://www.forbes.com/sites/andygreenberg/2013/03/13/cryptographers-show
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=737506#c37
- https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk86440
- https://rhn.redhat.com/errata/RHSA-2013-1455.html
- https://rhn.redhat.com/errata/RHBA-2013-1585.html
- https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.14_release_notes
- https://rhn.redhat.com/errata/RHBA-2013-1318.html
- https://rhn.redhat.com/errata/RHBA-2013-0445.html
- https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.15.1_release_notes
- https://rhn.redhat.com/errata/RHSA-2013-1791.html
- https://rhn.redhat.com/errata/RHBA-2013-1558.html
- https://www.cve.org/CVERecord?id=CVE-2011-3389 https://nvd.nist.gov/vuln/detail/CVE-2011-3389
- https://access.redhat.com/errata/RHSA-2011:1384
- https://access.redhat.com/errata/RHSA-2012:0006
- https://access.redhat.com/errata/RHSA-2012:0034
- https://access.redhat.com/errata/RHSA-2011:1380
- https://access.redhat.com/errata/RHSA-2013:1455
- https://access.redhat.com/errata/RHSA-2012:0343
- https://access.redhat.com/errata/RHSA-2012:0508
- https://bugzilla.mozilla.org/show_bug.cgi?id=665814
- https://hg.mozilla.org/projects/nss/rev/7f7446fcc7ab
- http://downloads.digium.com/pub/security/AST-2016-001.html
- https://issues.asterisk.org/jira/browse/ASTERISK-24972
- https://code.asterisk.org/code/changelog/asterisk?cs=f233bcd81d85626ce5bdd27b05bc95d131faf3e4
- https://security-tracker.debian.org/tracker/CVE-2011-3389
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is the severity of CVE-2011-3389?
CVE-2011-3389 has been classified as a critical vulnerability impacting SSL/TLS, allowing for block-wise chosen-plaintext attacks.
How do I fix CVE-2011-3389?
To mitigate CVE-2011-3389, upgrade to the recommended patched versions of the affected Java packages provided by Red Hat and Debian.
What software is affected by CVE-2011-3389?
CVE-2011-3389 affects various versions of Java, browsers like Opera, Internet Explorer, Google Chrome, and Mozilla Firefox, among others.
Can CVE-2011-3389 be exploited remotely?
Yes, CVE-2011-3389 can be exploited remotely, allowing attackers to execute unauthorized actions on a vulnerable system.
Is CVE-2011-3389 still a problem today?
While CVE-2011-3389 was disclosed in 2011, it remains relevant for older systems that have not been updated or patched.
- collector/redhat-cve
- agent/type
- agent/severity
- agent/author
- agent/weakness
- agent/references
- agent/remedy
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/first-publish-date
- agent/event
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2011-3389
- collector/security-tracker-debian
- source/Debian
- agent/software-canonical-lookup
- agent/trending
- agent/source
- agent/tags
- agent/softwarecombine
- collector/nvd-historical
- agent/software-canonical-lookup-request
- collector/nvd-index
- package-manager/redhat
- package-manager/debian
- vendor/opera
- canonical/web browser for android
- vendor/microsoft
- canonical/internet explorer
- canonical/microsoft windows operating system
- vendor/google
- canonical/google chrome
- vendor/mozilla
- canonical/firefox
- vendor/haxx
- canonical/curl
- version/curl/7.10.6
- version/curl/7.23.1
- vendor/redhat
- canonical/red hat enterprise linux server
- version/red hat enterprise linux server/5.0
- version/red hat enterprise linux server/6.2
- canonical/red hat enterprise linux workstation
- version/red hat enterprise linux workstation/5.0
- canonical/red hat enterprise linux desktop
- version/red hat enterprise linux desktop/6.0
- version/red hat enterprise linux server/6.0
- version/red hat enterprise linux workstation/6.0
- version/red hat enterprise linux desktop/5.0
- canonical/red hat enterprise linux server eus
- version/red hat enterprise linux server eus/6.2
- vendor/debian
- canonical/debian linux
- version/debian linux/5.0
- version/debian linux/6.0
- vendor/canonical
- canonical/ubuntu
- version/ubuntu/10.10
- version/ubuntu/11.04
- version/ubuntu/11.10
- version/ubuntu/10.04
- vendor/siemens
- canonical/siemens simatic rf68xr firmware
- canonical/siemens simatic rf615r firmware