First published: Tue Aug 23 2016(Updated: )
A flaw was found in the way the DES/3DES cipher was used as part of the TLS/SSL protocol. A man-in-the-middle attacker could use this flaw to recover some plaintext data by capturing large amounts of encrypted traffic between TLS/SSL server and client if the communication used a DES/3DES based ciphersuite.
Credit: secalert@redhat.com secalert@redhat.com
Affected Software | Affected Version | How to fix |
---|---|---|
redhat/jbcs-httpd24-httpd | <0:2.4.23-122.jbcs.el6 | 0:2.4.23-122.jbcs.el6 |
redhat/jbcs-httpd24-openssl | <1:1.0.2h-14.jbcs.el6 | 1:1.0.2h-14.jbcs.el6 |
redhat/jbcs-httpd24-httpd | <0:2.4.23-122.jbcs.el7 | 0:2.4.23-122.jbcs.el7 |
redhat/jbcs-httpd24-openssl | <1:1.0.2h-14.jbcs.el7 | 1:1.0.2h-14.jbcs.el7 |
redhat/java | <1.7.0-ibm-1:1.7.0.10.1-1jpp.1.el5_11 | 1.7.0-ibm-1:1.7.0.10.1-1jpp.1.el5_11 |
redhat/java | <1.6.0-ibm-1:1.6.0.16.41-1jpp.1.el5_11 | 1.6.0-ibm-1:1.6.0.16.41-1jpp.1.el5_11 |
redhat/java | <1.7.1-ibm-1:1.7.1.4.1-1jpp.1.el6_8 | 1.7.1-ibm-1:1.7.1.4.1-1jpp.1.el6_8 |
redhat/java | <1.6.0-ibm-1:1.6.0.16.41-1jpp.1.el6_8 | 1.6.0-ibm-1:1.6.0.16.41-1jpp.1.el6_8 |
redhat/java | <1.8.0-ibm-1:1.8.0.4.1-1jpp.1.el6_8 | 1.8.0-ibm-1:1.8.0.4.1-1jpp.1.el6_8 |
redhat/python | <0:2.7.5-69.el7_5 | 0:2.7.5-69.el7_5 |
redhat/java | <1.7.1-ibm-1:1.7.1.4.1-1jpp.2.el7 | 1.7.1-ibm-1:1.7.1.4.1-1jpp.2.el7 |
redhat/java | <1.8.0-ibm-1:1.8.0.4.1-1jpp.2.el7 | 1.8.0-ibm-1:1.8.0.4.1-1jpp.2.el7 |
redhat/httpd | <0:2.2.26-57.ep6.el6 | 0:2.2.26-57.ep6.el6 |
redhat/httpd22 | <0:2.2.26-58.ep6.el7 | 0:2.2.26-58.ep6.el7 |
redhat/tomcat6 | <0:6.0.41-19_patch_04.ep6.el6 | 0:6.0.41-19_patch_04.ep6.el6 |
redhat/tomcat7 | <0:7.0.54-28_patch_05.ep6.el6 | 0:7.0.54-28_patch_05.ep6.el6 |
redhat/tomcat6 | <0:6.0.41-19_patch_04.ep6.el7 | 0:6.0.41-19_patch_04.ep6.el7 |
redhat/tomcat7 | <0:7.0.54-28_patch_05.ep6.el7 | 0:7.0.54-28_patch_05.ep6.el7 |
Redhat Jboss Enterprise Application Platform | =6.0.0 | |
Redhat Jboss Enterprise Web Server | =1.0.0 | |
Redhat Jboss Enterprise Web Server | =2.0.0 | |
Redhat Jboss Web Server | =3.0 | |
Redhat Enterprise Linux | =5.0 | |
Redhat Enterprise Linux | =6.0 | |
Redhat Enterprise Linux | =7.0 | |
Python Python | >=2.7.0<2.7.13 | |
Python Python | >=3.4.0<3.4.7 | |
Python Python | >=3.5.0<3.5.3 | |
Cisco Content Security Management Appliance | =9.6.6-068 | |
Cisco Content Security Management Appliance | =9.7.0-006 | |
OpenSSL OpenSSL | =1.0.1a | |
OpenSSL OpenSSL | =1.0.1b | |
OpenSSL OpenSSL | =1.0.1c | |
OpenSSL OpenSSL | =1.0.1d | |
OpenSSL OpenSSL | =1.0.1e | |
OpenSSL OpenSSL | =1.0.1f | |
OpenSSL OpenSSL | =1.0.1g | |
OpenSSL OpenSSL | =1.0.1h | |
OpenSSL OpenSSL | =1.0.1i | |
OpenSSL OpenSSL | =1.0.1j | |
OpenSSL OpenSSL | =1.0.1k | |
OpenSSL OpenSSL | =1.0.1l | |
OpenSSL OpenSSL | =1.0.1m | |
OpenSSL OpenSSL | =1.0.1n | |
OpenSSL OpenSSL | =1.0.1o | |
OpenSSL OpenSSL | =1.0.1p | |
OpenSSL OpenSSL | =1.0.1q | |
OpenSSL OpenSSL | =1.0.1r | |
OpenSSL OpenSSL | =1.0.1t | |
OpenSSL OpenSSL | =1.0.2a | |
OpenSSL OpenSSL | =1.0.2b | |
OpenSSL OpenSSL | =1.0.2c | |
OpenSSL OpenSSL | =1.0.2d | |
OpenSSL OpenSSL | =1.0.2e | |
OpenSSL OpenSSL | =1.0.2f | |
OpenSSL OpenSSL | =1.0.2h | |
Oracle Database | =11.2.0.4 | |
Oracle Database | =12.1.0.2 | |
Nodejs Node.js | >=0.10.0<0.10.47 | |
Nodejs Node.js | >=0.12.0<0.12.16 | |
Nodejs Node.js | >=4.0.0<4.1.2 | |
Nodejs Node.js | >=4.2.0<4.6.0 | |
Nodejs Node.js | >=6.0.0<6.7.0 | |
GE Weakness in UR bootloader binary: all bootloader versions prior to 7.03/7.04 |
1.SSL/TLS configurations should prefer AES over DES. Versions of OpenSSL shipped with Red Hat Enterprise Linux 6 and 7 already do so. In the version of OpenSSL shipped with Red Hat Enterprise Linux 5, 3DES is listed below the AES-256 cipher and above the AES-128 cipher, therefore AES-256 based ciphersuite should not be disabled on the server. 2. Servers using OpenSSL, should not disable AES-128 and AES-256 ciphersuites. Versions of Apache shipped with Red Hat Enterprise Linux use the default cipher string, in which AES is preferred over DES/3DES based ciphersuites. For JBoss Middleware, and Java mitigations, please review this knowledge base article: https://access.redhat.com/articles/2598471 This can be mitigated on OpenShift Container Platform (OCP) by disabling the vulnerable TLS cipher suite in the applicable component. TLS configuration options for OCP are described here: https://access.redhat.com/articles/5348961
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
(Appears in the following advisories)