CVE - CVE-2015-0204

CVE-ID
CVE-2015-0204	Learn more at National Vulnerability Database (NVD) • Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings
Description
The ssl3_get_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k allows remote SSL servers to conduct RSA-to-EXPORT_RSA downgrade attacks and facilitate brute-force decryption by offering a weak ephemeral RSA key in a noncompliant role, related to the "FREAK" issue. NOTE: the scope of this CVE is only client code based on OpenSSL, not EXPORT_RSA issues associated with servers or other TLS implementations.
References
Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.
MISC:https://freakattack.com/ CONFIRM:http://support.novell.com/security/cve/CVE-2015-0204.html CONFIRM:https://github.com/openssl/openssl/commit/ce325c60c74b0fa784f5872404b722e120e5cab0 CONFIRM:https://www.openssl.org/news/secadv_20150108.txt CONFIRM:https://www.openssl.org/news/secadv_20150319.txt CONFIRM:https://support.apple.com/HT204659 CONFIRM:http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html CONFIRM:http://www-01.ibm.com/support/docview.wss?uid=swg21883640 CONFIRM:http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html CONFIRM:http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html CONFIRM:http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html CONFIRM:http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html CONFIRM:http://www.oracle.com/technetwork/topics/security/bulletinapr2015-2511959.html CONFIRM:http://www.oracle.com/technetwork/topics/security/bulletinjan2015-2370101.html CONFIRM:https://bto.bluecoat.com/security-advisory/sa88 CONFIRM:http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10679 CONFIRM:https://bto.bluecoat.com/security-advisory/sa91 CONFIRM:https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04773241 CONFIRM:http://www-304.ibm.com/support/docview.wss?uid=swg21960769 CONFIRM:https://kc.mcafee.com/corporate/index?page=content&id=SB10102 CONFIRM:https://kc.mcafee.com/corporate/index?page=content&id=SB10108 CONFIRM:https://kc.mcafee.com/corporate/index?page=content&id=SB10110 APPLE:APPLE-SA-2015-04-08-2 URL:http://lists.apple.com/archives/security-announce/2015/Apr/msg00001.html CISCO:20150310 Multiple Vulnerabilities in OpenSSL (January 2015) Affecting Cisco Products URL:http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150310-ssl DEBIAN:DSA-3125 URL:http://www.debian.org/security/2015/dsa-3125 GENTOO:GLSA-201503-11 URL:https://security.gentoo.org/glsa/201503-11 HP:HPSBUX03244 URL:http://marc.info/?l=bugtraq&m=142496289803847&w=2 HP:SSRT101885 URL:http://marc.info/?l=bugtraq&m=142496289803847&w=2 HP:HPSBGN03299 URL:http://marc.info/?l=bugtraq&m=142720981827617&w=2 HP:HPSBHF03289 URL:http://marc.info/?l=bugtraq&m=142721102728110&w=2 HP:SSRT101987 URL:http://marc.info/?l=bugtraq&m=142720981827617&w=2 HP:HPSBMU03345 URL:http://marc.info/?l=bugtraq&m=144043644216842&w=2 HP:HPSBMU03380 URL:http://marc.info/?l=bugtraq&m=143748090628601&w=2 HP:HPSBMU03396 URL:http://marc.info/?l=bugtraq&m=144050205101530&w=2 HP:HPSBMU03397 URL:http://marc.info/?l=bugtraq&m=144050297101809&w=2 HP:HPSBMU03409 URL:http://marc.info/?l=bugtraq&m=144050155601375&w=2 HP:HPSBMU03413 URL:http://marc.info/?l=bugtraq&m=144050254401665&w=2 HP:HPSBOV03318 URL:http://marc.info/?l=bugtraq&m=142895206924048&w=2 HP:HPSBUX03162 URL:http://marc.info/?l=bugtraq&m=142496179803395&w=2 HP:HPSBUX03334 URL:http://marc.info/?l=bugtraq&m=143213830203296&w=2 HP:SSRT102000 URL:http://marc.info/?l=bugtraq&m=143213830203296&w=2 MANDRIVA:MDVSA-2015:019 URL:http://www.mandriva.com/security/advisories?name=MDVSA-2015:019 MANDRIVA:MDVSA-2015:062 URL:http://www.mandriva.com/security/advisories?name=MDVSA-2015:062 MANDRIVA:MDVSA-2015:063 URL:http://www.mandriva.com/security/advisories?name=MDVSA-2015:063 REDHAT:RHSA-2015:0066 URL:http://rhn.redhat.com/errata/RHSA-2015-0066.html REDHAT:RHSA-2015:0800 URL:http://rhn.redhat.com/errata/RHSA-2015-0800.html REDHAT:RHSA-2015:0849 URL:http://rhn.redhat.com/errata/RHSA-2015-0849.html REDHAT:RHSA-2016:1650 URL:http://rhn.redhat.com/errata/RHSA-2016-1650.html SUSE:openSUSE-SU-2015:0130 URL:http://lists.opensuse.org/opensuse-security-announce/2015-01/msg00021.html SUSE:SUSE-SU-2015:0578 URL:http://lists.opensuse.org/opensuse-security-announce/2015-03/msg00027.html SUSE:SUSE-SU-2015:0946 URL:http://lists.opensuse.org/opensuse-security-announce/2015-05/msg00026.html SUSE:openSUSE-SU-2016:0640 URL:http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00011.html SUSE:SUSE-SU-2016:0113 URL:http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00005.html SUSE:SUSE-SU-2015:2166 URL:http://lists.opensuse.org/opensuse-security-announce/2015-12/msg00000.html SUSE:SUSE-SU-2015:2168 URL:http://lists.opensuse.org/opensuse-security-announce/2015-12/msg00001.html SUSE:SUSE-SU-2015:2182 URL:http://lists.opensuse.org/opensuse-security-announce/2015-12/msg00003.html SUSE:SUSE-SU-2015:2192 URL:http://lists.opensuse.org/opensuse-security-announce/2015-12/msg00004.html SUSE:SUSE-SU-2015:2216 URL:http://lists.opensuse.org/opensuse-security-announce/2015-12/msg00006.html SUSE:SUSE-SU-2015:1085 URL:http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00014.html SUSE:SUSE-SU-2015:1086 URL:http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00015.html SUSE:SUSE-SU-2015:1138 URL:http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00022.html SUSE:SUSE-SU-2015:1161 URL:http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00031.html BID:91787 URL:http://www.securityfocus.com/bid/91787 BID:71936 URL:http://www.securityfocus.com/bid/71936 SECTRACK:1033378 URL:http://www.securitytracker.com/id/1033378 XF:openssl-cve20150204-weak-security(99707) URL:http://xforce.iss.net/xforce/xfdb/99707
Date Entry Created
20141118	Disclaimer: The entry creation date may reflect when the CVE-ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
Phase (Legacy)
Assigned (20141118)
Votes (Legacy)

Comments (Legacy)

Proposed (Legacy)
N/A
This is an entry on the CVE list, which standardizes names for security problems.
Search CVE Using Keywords: You can also search by reference using the CVE Reference Maps.
For More Information: [email protected]

Common Vulnerabilities and Exposures

CVE-2015-0204