Vulnerability Name: CVE-2008-7270 (CCN-63770)
Assigned: 2010-12-02
Published: 2010-12-02
Updated: 2012-04-06
Summary: OpenSSL before 0.9.8j, when SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG is enabled, does not prevent modification of the ciphersuite in the session cache, which allows remote attackers to force the use of a disabled cipher via vectors involving sniffing network traffic to discover a session identifier, a different vulnerability than CVE-2010-4180.
CVSS v3 Severity: 5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
Exploitability Metrics: Attack Vector (AV): Network; Attack Complexity (AC): Low; Privileges Required (PR): None; User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): None; Integrity (I): Low; Availability (A): None
CVSS v2 Severity: 4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
3.2 Low (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:U/RL:OF/RC:C)
Exploitability Metrics: Access Vector (AV): Network; Access Complexity (AC): Medium; Authentication (Au): None
Impact Metrics: Confidentiality (C): None; Integrity (I): Partial; Availability (A): None
4.3 Medium (CCN CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
3.2 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:U/RL:OF/RC:C)
Exploitability Metrics: Access Vector (AV): Network; Access Complexity (AC): Medium; Authentication (Au): None
Impact Metrics: Confidentiality (C): None; Integrity (I): Partial; Availability (A): None
4.3 Medium (REDHAT CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
3.2 Low (REDHAT Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:U/RL:OF/RC:C)
Exploitability Metrics: Access Vector (AV): Network; Access Complexity (AC): Medium; Authentication (Au): None
Impact Metrics: Confidentiality (C): None; Integrity (I): Partial; Availability (A): None
Vulnerability Type: CWE-310
Vulnerability Consequences: Bypass Security
References:
Source: MITRE Type: CNA CVE-2008-7270
Source: CONFIRM Type: UNKNOWN http://cvs.openssl.org/chngview?cn=17489
Source: CCN Type: HPSBHF02706 SSRT100613 rev.1 HP Integrated Lights-Out iLO2 and iLO3 running SSL/TLS, Denial of Service (DoS), Unauthorized Modification
Source: CCN Type: HP Security Bulletin HPSBMU02759 SSRT100817 HP Onboard Administrator (OA), Remote Unauthorized Access, Unauthorized Information Disclosure, Denial of Service (DoS), URL Redirection
Source: HP Type: UNKNOWN HPSBHF02706
Source: CCN Type: RHSA-2010-0977 Moderate: openssl security update
Source: CCN Type: RHSA-2010-0978 Moderate: openssl security update
Source: SECUNIA Type: Vendor Advisory 42493
Source: CCN Type: SA43587 syslog-ng Premium Edition Multiple Vulnerabilities
Source: CCN Type: SA43620 syslog-ng Premium Edition Multiple Vulnerabilities
Source: CCN Type: SA44286 Oracle Solaris OpenSSL Ciphersuite Downgrade Vulnerability
Source: CCN Type: SA46777 HP Integrated Lights-Out OpenSSL Security Bypass and Data Manipulation Vulnerabilities
Source: CCN Type: SA54191 HP Multiple ProCurve Switches OpenSSL Vulnerability
Source: UBUNTU Type: UNKNOWN USN-1029-1
Source: CCN Type: OpenSSL Security Advisory [2 December 2010] OpenSSL Ciphersuite Downgrade Attack
Source: REDHAT Type: UNKNOWN RHSA-2010:0977
Source: REDHAT Type: UNKNOWN RHSA-2010:0978
Source: REDHAT Type: UNKNOWN RHSA-2011:0896
Source: HP Type: UNKNOWN SSRT100817
Source: BID Type: UNKNOWN 45254
Source: CCN Type: BID-45254 OpenSSL Ciphersuite Modification Allows Disabled Cipher Security Bypass Vulnerability
Source: CONFIRM Type: UNKNOWN https://bugzilla.redhat.com/show_bug.cgi?id=659462
Source: XF Type: UNKNOWN openssl-sslopnetscape-security-bypass(63770)
Source: CCN Type: HP Security Bulletin HPSBPV02891 rev.1 HP ProCurve Switches, Remote Unauthorized Information Disclosure
Source: CCN Type: syslog-ng-announce syslog-ng Premium Edition 4.0.1a has been released
Vulnerable Configuration:
Configuration 1:
cpe:/a:openssl:openssl:0.9.1c:*:*:*:*:*:*:* OR
cpe:/a:openssl:openssl:0.9.2b:*:*:*:*:*:*:* OR
cpe:/a:openssl:openssl:0.9.3:*:*:*:*:*:*:* OR
cpe:/a:openssl:openssl:0.9.3a:*:*:*:*:*:*:* OR
cpe:/a:openssl:openssl:0.9.4:*:*:*:*:*:*:* OR
cpe:/a:openssl:openssl:0.9.5:*:*:*:*:*:*:* OR
cpe:/a:openssl:openssl:0.9.5:beta1:*:*:*:*:*:* OR
cpe:/a:openssl:openssl:0.9.5:beta2:*:*:*:*:*:* OR
cpe:/a:openssl:openssl:0.9.5a:*:*:*:*:*:*:* OR
cpe:/a:openssl:openssl:0.9.5a:beta1:*:*:*:*:*:* OR
cpe:/a:openssl:openssl:0.9.5a:beta2:*:*:*:*:*:* OR
cpe:/a:openssl:openssl:0.9.6:*:*:*:*:*:*:* OR
cpe:/a:openssl:openssl:0.9.6:beta1:*:*:*:*:*:* OR
cpe:/a:openssl:openssl:0.9.6:beta2:*:*:*:*:*:* OR
cpe:/a:openssl:openssl:0.9.6:beta3:*:*:*:*:*:* OR
cpe:/a:openssl:openssl:0.9.6a:*:*:*:*:*:*:* OR
cpe:/a:openssl:openssl:0.9.6a:beta1:*:*:*:*:*:* OR
cpe:/a:openssl:openssl:0.9.6a:beta2:*:*:*:*:*:* OR
cpe:/a:openssl:openssl:0.9.6a:beta3:*:*:*:*:*:* OR
cpe:/a:openssl:openssl:0.9.6b:*:*:*:*:*:*:* OR
cpe:/a:openssl:openssl:0.9.6c:*:*:*:*:*:*:* OR
cpe:/a:openssl:openssl:0.9.6d:*:*:*:*:*:*:* OR
cpe:/a:openssl:openssl:0.9.6e:*:*:*:*:*:*:* OR
cpe:/a:openssl:openssl:0.9.6f:*:*:*:*:*:*:* OR
cpe:/a:openssl:openssl:0.9.6g:*:*:*:*:*:*:* OR
cpe:/a:openssl:openssl:0.9.6h:*:*:*:*:*:*:* OR
cpe:/a:openssl:openssl:0.9.6i:*:*:*:*:*:*:* OR
cpe:/a:openssl:openssl:0.9.6j:*:*:*:*:*:*:* OR
cpe:/a:openssl:openssl:0.9.6k:*:*:*:*:*:*:* OR
cpe:/a:openssl:openssl:0.9.6l:*:*:*:*:*:*:* OR
cpe:/a:openssl:openssl:0.9.6m:*:*:*:*:*:*:* OR
cpe:/a:openssl:openssl:0.9.7:*:*:*:*:*:*:* OR
cpe:/a:openssl:openssl:0.9.7:beta1:*:*:*:*:*:* OR
cpe:/a:openssl:openssl:0.9.7:beta2:*:*:*:*:*:* OR
cpe:/a:openssl:openssl:0.9.7:beta3:*:*:*:*:*:* OR
cpe:/a:openssl:openssl:0.9.7:beta4:*:*:*:*:*:* OR
cpe:/a:openssl:openssl:0.9.7:beta5:*:*:*:*:*:* OR
cpe:/a:openssl:openssl:0.9.7:beta6:*:*:*:*:*:* OR
cpe:/a:openssl:openssl:0.9.7a:*:*:*:*:*:*:* OR
cpe:/a:openssl:openssl:0.9.7b:*:*:*:*:*:*:* OR
cpe:/a:openssl:openssl:0.9.7c:*:*:*:*:*:*:* OR
cpe:/a:openssl:openssl:0.9.7d:*:*:*:*:*:*:* OR
cpe:/a:openssl:openssl:0.9.7e:*:*:*:*:*:*:* OR
cpe:/a:openssl:openssl:0.9.7f:*:*:*:*:*:*:* OR
cpe:/a:openssl:openssl:0.9.7g:*:*:*:*:*:*:* OR
cpe:/a:openssl:openssl:0.9.7h:*:*:*:*:*:*:* OR
cpe:/a:openssl:openssl:0.9.7i:*:*:*:*:*:*:* OR
cpe:/a:openssl:openssl:0.9.7j:*:*:*:*:*:*:* OR
cpe:/a:openssl:openssl:0.9.7k:*:*:*:*:*:*:* OR
cpe:/a:openssl:openssl:0.9.7l:*:*:*:*:*:*:* OR
cpe:/a:openssl:openssl:0.9.7m:*:*:*:*:*:*:* OR
cpe:/a:openssl:openssl:0.9.8:*:*:*:*:*:*:* OR
cpe:/a:openssl:openssl:0.9.8a:*:*:*:*:*:*:* OR
cpe:/a:openssl:openssl:0.9.8b:*:*:*:*:*:*:* OR
cpe:/a:openssl:openssl:0.9.8c:*:*:*:*:*:*:* OR
cpe:/a:openssl:openssl:0.9.8d:*:*:*:*:*:*:* OR
cpe:/a:openssl:openssl:0.9.8e:*:*:*:*:*:*:* OR
cpe:/a:openssl:openssl:0.9.8f:*:*:*:*:*:*:* OR
cpe:/a:openssl:openssl:0.9.8g:*:*:*:*:*:*:* OR
cpe:/a:openssl:openssl:0.9.8h:*:*:*:*:*:*:* OR
cpe:/a:openssl:openssl:*:*:*:*:*:*:*:* (Version <= 0.9.8i)
Configuration RedHat 1: cpe:/o:redhat:enterprise_linux:4:*:*:*:*:*:*:*
Configuration RedHat 2: cpe:/o:redhat:enterprise_linux:4::as:*:*:*:*:*
Configuration RedHat 3: cpe:/o:redhat:enterprise_linux:4::desktop:*:*:*:*:*
Configuration RedHat 4: cpe:/o:redhat:enterprise_linux:4::es:*:*:*:*:*
Configuration RedHat 5: cpe:/o:redhat:enterprise_linux:4::ws:*:*:*:*:*
Configuration RedHat 6: cpe:/o:redhat:enterprise_linux:5:*:*:*:*:*:*:*
Configuration RedHat 7: cpe:/o:redhat:enterprise_linux:5::client:*:*:*:*:*
Configuration RedHat 8: cpe:/o:redhat:enterprise_linux:5::client_workstation:*:*:*:*:*
Configuration RedHat 9: cpe:/o:redhat:enterprise_linux:5::server:*:*:*:*:*
Configuration CCN 1:
cpe:/a:openssl:openssl:0.9.8h:*:*:*:*:*:*:* OR
cpe:/a:openssl:openssl:0.9.8i:*:*:*:*:*:*:* OR
cpe:/a:hp:onboard_administrator:3.21:*:*:*:*:*:*:* OR
cpe:/a:hp:onboard_administrator:3.31:*:*:*:*:*:*:* OR
cpe:/a:hp:onboard_administrator:3.32:*:*:*:*:*:*:*
AND
cpe:/o:redhat:enterprise_linux:4::as:*:*:*:*:* OR
cpe:/o:redhat:enterprise_linux:4::desktop:*:*:*:*:* OR
cpe:/o:redhat:enterprise_linux:4::es:*:*:*:*:* OR
cpe:/o:redhat:enterprise_linux:4::ws:*:*:*:*:* OR
cpe:/o:redhat:enterprise_linux:5:*:*:*:*:*:*:* OR
cpe:/o:redhat:enterprise_linux:5:*:client_workstation:*:*:*:*:* OR
cpe:/o:redhat:enterprise_linux:5:*:client:*:*:*:*:* OR
cpe:/h:hp:procurve_switch_2610:*:*:*:*:*:*:*:* OR
cpe:/h:hp:procurve_switch_1600m:-:*:*:*:*:*:*:*
Affected components (vendor, product, version):
openssl openssl 0.9.1c
openssl openssl 0.9.2b
openssl openssl 0.9.3
openssl openssl 0.9.3a
openssl openssl 0.9.4
openssl openssl 0.9.5
openssl openssl 0.9.5 beta1
openssl openssl 0.9.5 beta2
openssl openssl 0.9.5a
openssl openssl 0.9.5a beta1
openssl openssl 0.9.5a beta2
openssl openssl 0.9.6
openssl openssl 0.9.6 beta1
openssl openssl 0.9.6 beta2
openssl openssl 0.9.6 beta3
openssl openssl 0.9.6a
openssl openssl 0.9.6a beta1
openssl openssl 0.9.6a beta2
openssl openssl 0.9.6a beta3
openssl openssl 0.9.6b
openssl openssl 0.9.6c
openssl openssl 0.9.6d
openssl openssl 0.9.6e
openssl openssl 0.9.6f
openssl openssl 0.9.6g
openssl openssl 0.9.6h
openssl openssl 0.9.6i
openssl openssl 0.9.6j
openssl openssl 0.9.6k
openssl openssl 0.9.6l
openssl openssl 0.9.6m
openssl openssl 0.9.7
openssl openssl 0.9.7 beta1
openssl openssl 0.9.7 beta2
openssl openssl 0.9.7 beta3
openssl openssl 0.9.7 beta4
openssl openssl 0.9.7 beta5
openssl openssl 0.9.7 beta6
openssl openssl 0.9.7a
openssl openssl 0.9.7b
openssl openssl 0.9.7c
openssl openssl 0.9.7d
openssl openssl 0.9.7e
openssl openssl 0.9.7f
openssl openssl 0.9.7g
openssl openssl 0.9.7h
openssl openssl 0.9.7i
openssl openssl 0.9.7j
openssl openssl 0.9.7k
openssl openssl 0.9.7l
openssl openssl 0.9.7m
openssl openssl 0.9.8
openssl openssl 0.9.8a
openssl openssl 0.9.8b
openssl openssl 0.9.8c
openssl openssl 0.9.8d
openssl openssl 0.9.8e
openssl openssl 0.9.8f
openssl openssl 0.9.8g
openssl openssl 0.9.8h
openssl openssl * (version <= 0.9.8i)
openssl openssl 0.9.8h
openssl openssl 0.9.8i
hp onboard administrator 3.21
hp onboard administrator 3.31
hp onboard administrator 3.32
redhat enterprise linux 4 as
redhat enterprise linux 4 desktop
redhat enterprise linux 4 es
redhat enterprise linux 4 ws
redhat enterprise linux 5
redhat enterprise linux 5 client_workstation
redhat enterprise linux 5 client
hp procurve switch 2610 *
hp procurve switch 1600m -