Vulnerability CVE-2011-1473

Vulnerability Name:

CVE-2011-1473 (CCN-71068)

Assigned:

2011-10-24

Published:

2011-10-24

Updated:

2021-04-20

Summary:

** DISPUTED ** OpenSSL before 0.9.8l, and 0.9.8m through 1.x, does not properly restrict client-initiated renegotiation within the SSL and TLS protocols, which might make it easier for remote attackers to cause a denial of service (CPU consumption) by performing many renegotiations within a single connection, a different vulnerability than CVE-2011-5094.
Note: it can also be argued that it is the responsibility of server deployments, not a security library, to prevent or limit renegotiation when it is inappropriate within a specific environment.

CVSS v3 Severity:

5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): Low

CVSS v2 Severity:

5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P)
4.1 Medium (Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P/E:F/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Authentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): Partial

5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P)
4.1 Medium (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P/E:F/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Athentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): Partial

Vulnerability Type:

CWE-264

Vulnerability Consequences:

Denial of Service

References:

Vulnerable Configuration:

Configuration 1:

cpe:/a:openssl:openssl:0.9.8r:*:*:*:*:*:*:*

OR cpe:/a:openssl:openssl:0.9.8s:*:*:*:*:*:*:*

OR cpe:/a:openssl:openssl:0.9.8m:beta1:*:*:*:*:*:*

OR cpe:/a:openssl:openssl:0.9.8n:*:*:*:*:*:*:*

OR cpe:/a:openssl:openssl:0.9.8v:*:*:*:*:*:*:*

OR cpe:/a:openssl:openssl:0.9.8w:*:*:*:*:*:*:*

OR cpe:/a:openssl:openssl:0.9.8o:*:*:*:*:*:*:*

OR cpe:/a:openssl:openssl:0.9.8p:*:*:*:*:*:*:*

OR cpe:/a:openssl:openssl:0.9.8x:*:*:*:*:*:*:*

OR cpe:/a:openssl:openssl:0.9.8u:*:*:*:*:*:*:*

OR cpe:/a:openssl:openssl:0.9.8t:*:*:*:*:*:*:*

OR cpe:/a:openssl:openssl:0.9.8m:*:*:*:*:*:*:*

Configuration 2:

cpe:/a:openssl:openssl:*:*:*:*:*:*:*:* (Version <= 0.9.8k)

Configuration CCN 1:

cpe:/a:ibm:security_virtual_server_protection:1.1.0.1:*:*:*:*:vmware:*:*

OR cpe:/a:ibm:cloud_pak_for_automation:19.0.3:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.opensuse.security:def:20111473	V	CVE-2011-1473	2022-05-20
oval:org.opensuse.security:def:32209	P	Security update for postgresql10 (Important)	2021-10-20
oval:org.opensuse.security:def:26137	P	Security update for sqlite3 (Important)	2021-09-23
oval:org.opensuse.security:def:32133	P	Security update for libgcrypt (Important)	2021-06-24
oval:org.opensuse.security:def:32122	P	Security update for apache2 (Important)	2021-06-17
oval:org.opensuse.security:def:32949	P	Security update for webkit2gtk3 (Important)	2021-06-17
oval:org.opensuse.security:def:32121	P	Security update for webkit2gtk3 (Important)	2021-06-17
oval:org.opensuse.security:def:26073	P	Security update for libjpeg-turbo (Moderate)	2021-06-11
oval:org.opensuse.security:def:36512	P	lighttpd-1.4.20-2.54.1 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:26062	P	Security update for djvulibre (Important)	2021-05-31
oval:org.opensuse.security:def:32905	P	Security update for curl (Moderate)	2021-04-28
oval:org.opensuse.security:def:26061	P	Security update for dovecot22 (Important)	2021-01-04
oval:org.opensuse.security:def:33626	P	Security update for xen (Moderate)	2020-12-22
oval:org.opensuse.security:def:28856	P	Security update for python3 (Important)	2020-12-02
oval:org.opensuse.security:def:32437	P	Security update for xen (Important)	2020-12-01
oval:org.opensuse.security:def:28189	P	Security update for krb5 (Moderate)	2020-12-01
oval:org.opensuse.security:def:27475	P	libpulse-devel on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:32882	P	hyper-v on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:28751	P	Security update for libmspack	2020-12-01
oval:org.opensuse.security:def:26487	P	Security update for redis (Moderate)	2020-12-01
oval:org.opensuse.security:def:32343	P	Security update for spice (Important)	2020-12-01
oval:org.opensuse.security:def:29574	P	Security update for Apache2	2020-12-01
oval:org.opensuse.security:def:28123	P	Security update for gtk2 (Moderate)	2020-12-01
oval:org.opensuse.security:def:26837	P	vte on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:32843	P	curl on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:28697	P	Security update for glibc (Important)	2020-12-01
oval:org.opensuse.security:def:26403	P	Security update for ffmpeg (Moderate)	2020-12-01
oval:org.opensuse.security:def:29538	P	Security update for MozillaFirefox (Important)	2020-12-01
oval:org.opensuse.security:def:28112	P	Security update for glibc (Important)	2020-12-01
oval:org.opensuse.security:def:26793	P	openswan on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:32794	P	systemtap on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:28545	P	Security update for Mozilla Firefox	2020-12-01
oval:org.opensuse.security:def:26346	P	Security update for irssi (Moderate)	2020-12-01
oval:org.opensuse.security:def:28900	P	Security update for flash-player (Critical)	2020-12-01
oval:org.opensuse.security:def:28111	P	Security update for glibc (Moderate)	2020-12-01
oval:org.opensuse.security:def:26779	P	logwatch on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:32737	P	libvorbis on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:28461	P	Security update for xorg-x11-libX11 (Moderate)	2020-12-01
oval:org.opensuse.security:def:26265	P	Security update for guile (Low)	2020-12-01
oval:org.opensuse.security:def:33587	P	Security update for MozillaFirefox (Important)	2020-12-01
oval:org.opensuse.security:def:26740	P	libarchive2 on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:32581	P	mutt on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:28404	P	Security update for spice (Important)	2020-12-01
oval:org.opensuse.security:def:28839	P	Security update for tiff (Moderate)	2020-12-01
oval:org.opensuse.security:def:26691	P	enscript on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:32494	P	cifs-mount on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:28319	P	Security update for openwsman (Important)	2020-12-01
oval:org.opensuse.security:def:27510	P	lighttpd on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:28800	P	Security update for openssh (Important)	2020-12-01
oval:org.opensuse.security:def:26638	P	squid on GA media (Moderate)	2020-12-01
oval:org.mitre.oval:def:26047	P	SUSE-SU-2013:0469-1 -- Security update for apache2	2014-09-08
oval:org.mitre.oval:def:25037	V	Vulnerability in OpenSSL before 0.9.8l, and 0.9.8m through 1.x, does not properly restrict client-initiated renegotiation within the SSL and TLS protocols	2014-08-04
oval:com.ubuntu.precise:def:20111473000	V	CVE-2011-1473 on Ubuntu 12.04 LTS (precise) - low.	2012-06-16

BACK