CVE-2011-4576
First published: Fri Jan 06 2012(Updated: )
The SSL 3.0 implementation in OpenSSL before 0.9.8s and 1.x before 1.0.0f does not properly initialize data structures for block cipher padding, which might allow remote attackers to obtain sensitive information by decrypting the padding data sent by an SSL peer.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| OpenSSL libcrypto | =0.9.8b | |
| OpenSSL libcrypto | =0.9.7l | |
| OpenSSL libcrypto | =0.9.6i | |
| OpenSSL libcrypto | =0.9.8m | |
| OpenSSL libcrypto | =0.9.8c | |
| OpenSSL libcrypto | =0.9.7c | |
| OpenSSL libcrypto | =0.9.8n | |
| OpenSSL libcrypto | =0.9.8p | |
| OpenSSL libcrypto | =0.9.6d | |
| OpenSSL libcrypto | =0.9.1c | |
| OpenSSL libcrypto | =0.9.6 | |
| OpenSSL libcrypto | =0.9.7j | |
| OpenSSL libcrypto | =0.9.6a | |
| OpenSSL libcrypto | =0.9.8e | |
| OpenSSL libcrypto | =0.9.6h-bogus | |
| OpenSSL libcrypto | =0.9.4 | |
| OpenSSL libcrypto | =0.9.8g | |
| OpenSSL libcrypto | =0.9.8k | |
| OpenSSL libcrypto | =0.9.8d | |
| OpenSSL libcrypto | =0.9.5a | |
| OpenSSL libcrypto | =0.9.6f | |
| OpenSSL libcrypto | =0.9.8j | |
| OpenSSL libcrypto | =0.9.6l | |
| OpenSSL libcrypto | =0.9.7k | |
| OpenSSL libcrypto | =0.9.7g | |
| OpenSSL libcrypto | <=0.9.8r | |
| OpenSSL libcrypto | =0.9.6e | |
| OpenSSL libcrypto | =0.9.7d | |
| OpenSSL libcrypto | =0.9.8l | |
| OpenSSL libcrypto | =0.9.7 | |
| OpenSSL libcrypto | =0.9.6b | |
| OpenSSL libcrypto | =0.9.7e | |
| OpenSSL libcrypto | =0.9.7b | |
| OpenSSL libcrypto | =0.9.6k | |
| OpenSSL libcrypto | =0.9.8a | |
| OpenSSL libcrypto | =0.9.6g | |
| OpenSSL libcrypto | =0.9.7m | |
| OpenSSL libcrypto | =0.9.6h | |
| OpenSSL libcrypto | =0.9.7i | |
| OpenSSL libcrypto | =0.9.7h | |
| OpenSSL libcrypto | =0.9.8o | |
| OpenSSL libcrypto | =0.9.8q | |
| OpenSSL libcrypto | =0.9.6j | |
| OpenSSL libcrypto | =0.9.8 | |
| OpenSSL libcrypto | =0.9.7a | |
| OpenSSL libcrypto | =0.9.6c | |
| OpenSSL libcrypto | =0.9.6m | |
| OpenSSL libcrypto | =0.9.8i | |
| OpenSSL libcrypto | =0.9.8f | |
| OpenSSL libcrypto | =0.9.8h | |
| OpenSSL libcrypto | =0.9.2b | |
| OpenSSL libcrypto | =0.9.5 | |
| OpenSSL libcrypto | =0.9.7f | |
| OpenSSL libcrypto | =1.0.0c | |
| OpenSSL libcrypto | =1.0.0-beta1 | |
| OpenSSL libcrypto | =1.0.0-beta2 | |
| OpenSSL libcrypto | =1.0.0-beta3 | |
| OpenSSL libcrypto | =1.0.0d | |
| OpenSSL libcrypto | <=1.0.0e | |
| OpenSSL libcrypto | =1.0.0-beta4 | |
| OpenSSL libcrypto | =1.0.0 | |
| OpenSSL libcrypto | =1.0.0-beta5 | |
| OpenSSL libcrypto | =1.0.0a | |
| OpenSSL libcrypto | =1.0.0b |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.openssl.org/news/secadv_20120104.txt
- http://www.mandriva.com/security/advisories?name=MDVSA-2012:006
- http://www.mandriva.com/security/advisories?name=MDVSA-2012:007
- http://lists.opensuse.org/opensuse-security-announce/2012-01/msg00018.html
- http://lists.opensuse.org/opensuse-security-announce/2012-01/msg00017.html
- http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03360041
- http://aix.software.ibm.com/aix/efixes/security/openssl_advisory3.asc
- http://secunia.com/advisories/48528
- http://rhn.redhat.com/errata/RHSA-2012-1306.html
- http://rhn.redhat.com/errata/RHSA-2012-1307.html
- http://rhn.redhat.com/errata/RHSA-2012-1308.html
- http://www.debian.org/security/2012/dsa-2390
- http://lists.apple.com/archives/security-announce/2013/Jun/msg00000.html
- http://support.apple.com/kb/HT5784
- http://marc.info/?l=bugtraq&m=132750648501816&w=2
- http://marc.info/?l=bugtraq&m=134039053214295&w=2
- http://lists.fedoraproject.org/pipermail/package-announce/2012-November/092905.html
- http://www.kb.cert.org/vuls/id/737740
- http://secunia.com/advisories/55069
- http://secunia.com/advisories/57353
- http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004564
- http://marc.info/?l=bugtraq&m=133951357207000&w=2
Frequently Asked Questions
What is the severity of CVE-2011-4576?
CVE-2011-4576 has been rated as a moderate severity vulnerability due to the potential for sensitive information disclosure.
How do I fix CVE-2011-4576?
To fix CVE-2011-4576, upgrade to a version of OpenSSL that is not affected, specifically version 0.9.8s or later or 1.0.0f or later.
What are the affected versions in CVE-2011-4576?
CVE-2011-4576 affects OpenSSL versions from 0.9.1c to 0.9.8r and 1.0.0-beta1 to 1.0.0e.
Can exploiting CVE-2011-4576 allow remote attacks?
Yes, exploiting CVE-2011-4576 can allow remote attackers to gain access to sensitive information by decrypting padding data.
Is CVE-2011-4576 still a risk today?
As of now, CVE-2011-4576 is a risk if legacy versions of OpenSSL are still in use, especially in sensitive applications.
- agent/references
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/author
- agent/weakness
- agent/last-modified-date
- agent/description
- agent/event
- agent/first-publish-date
- agent/source
- agent/tags
- collector/nvd-historical
- agent/software-canonical-lookup-request
- collector/nvd-index
- vendor/openssl
- canonical/openssl libcrypto
- version/openssl libcrypto/0.9.8b
- version/openssl libcrypto/0.9.7l
- version/openssl libcrypto/0.9.6i
- version/openssl libcrypto/0.9.8m
- version/openssl libcrypto/0.9.8c
- version/openssl libcrypto/0.9.7c
- version/openssl libcrypto/0.9.8n
- version/openssl libcrypto/0.9.8p
- version/openssl libcrypto/0.9.6d
- version/openssl libcrypto/0.9.1c
- version/openssl libcrypto/0.9.6
- version/openssl libcrypto/0.9.7j
- version/openssl libcrypto/0.9.6a
- version/openssl libcrypto/0.9.8e
- version/openssl libcrypto/0.9.6h-bogus
- version/openssl libcrypto/0.9.4
- version/openssl libcrypto/0.9.8g
- version/openssl libcrypto/0.9.8k
- version/openssl libcrypto/0.9.8d
- version/openssl libcrypto/0.9.5a
- version/openssl libcrypto/0.9.6f
- version/openssl libcrypto/0.9.8j
- version/openssl libcrypto/0.9.6l
- version/openssl libcrypto/0.9.7k
- version/openssl libcrypto/0.9.7g
- version/openssl libcrypto/0.9.8r
- version/openssl libcrypto/0.9.6e
- version/openssl libcrypto/0.9.7d
- version/openssl libcrypto/0.9.8l
- version/openssl libcrypto/0.9.7
- version/openssl libcrypto/0.9.6b
- version/openssl libcrypto/0.9.7e
- version/openssl libcrypto/0.9.7b
- version/openssl libcrypto/0.9.6k
- version/openssl libcrypto/0.9.8a
- version/openssl libcrypto/0.9.6g
- version/openssl libcrypto/0.9.7m
- version/openssl libcrypto/0.9.6h
- version/openssl libcrypto/0.9.7i
- version/openssl libcrypto/0.9.7h
- version/openssl libcrypto/0.9.8o
- version/openssl libcrypto/0.9.8q
- version/openssl libcrypto/0.9.6j
- version/openssl libcrypto/0.9.8
- version/openssl libcrypto/0.9.7a
- version/openssl libcrypto/0.9.6c
- version/openssl libcrypto/0.9.6m
- version/openssl libcrypto/0.9.8i
- version/openssl libcrypto/0.9.8f
- version/openssl libcrypto/0.9.8h
- version/openssl libcrypto/0.9.2b
- version/openssl libcrypto/0.9.5
- version/openssl libcrypto/0.9.7f
- version/openssl libcrypto/1.0.0c
- version/openssl libcrypto/1.0.0-beta1
- version/openssl libcrypto/1.0.0-beta2
- version/openssl libcrypto/1.0.0-beta3
- version/openssl libcrypto/1.0.0d
- version/openssl libcrypto/1.0.0e
- version/openssl libcrypto/1.0.0-beta4
- version/openssl libcrypto/1.0.0
- version/openssl libcrypto/1.0.0-beta5
- version/openssl libcrypto/1.0.0a
- version/openssl libcrypto/1.0.0b