Vulnerability CVE-2015-3455

Vulnerability Name:

CVE-2015-3455 (CCN-102789)

Assigned:

2015-05-01

Published:

2015-05-01

Updated:

2019-12-27

Summary:

Squid 3.2.x before 3.2.14, 3.3.x before 3.3.14, 3.4.x before 3.4.13, and 3.5.x before 3.5.4, when configured with client-first SSL-bump, do not properly validate the domain or hostname fields of X.509 certificates, which allows man-in-the-middle attackers to spoof SSL servers via a valid certificate.

CVSS v3 Severity:

5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): Low Availibility (A): None

CVSS v2 Severity:

2.6 Low (CVSS v2 Vector: AV:N/AC:H/Au:N/C:N/I:P/A:N)
1.9 Low (Temporal CVSS v2 Vector: AV:N/AC:H/Au:N/C:N/I:P/A:N/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): High Authentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): Partial Availibility (A): None

4.3 Medium (CCN CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
3.2 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Athentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): Partial Availibility (A): None

5.8 Medium (REDHAT CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N)
4.3 Medium (REDHAT Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Authentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): Partial Availibility (A): None

Vulnerability Type:

CWE-20
CWE-697
CWE-297
CWE-297

Vulnerability Consequences:

Bypass Security

References:

Source: CONFIRM
Type: Third Party Advisory
http://advisories.mageia.org/MGASA-2015-0191.html

Source: MITRE
Type: CNA
CVE-2015-3455

Source: FEDORA
Type: Third Party Advisory
FEDORA-2016-7b40eb9e29

Source: SUSE
Type: UNKNOWN
openSUSE-SU-2015:1546

Source: SUSE
Type: UNKNOWN
openSUSE-SU-2016:2081

Source: REDHAT
Type: UNKNOWN
RHSA-2015:2378

Source: MANDRIVA
Type: Broken Link
MDVSA-2015:230

Source: CONFIRM
Type: Third Party Advisory
http://www.oracle.com/technetwork/topics/security/bulletinjul2015-2511963.html

Source: CONFIRM
Type: Third Party Advisory
http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html

Source: BID
Type: UNKNOWN
74438

Source: CCN
Type: BID-74438
SQUID CVE-2015-3455 SSL Certificate Validation Security Bypass Vulnerability

Source: SECTRACK
Type: Third Party Advisory, VDB Entry
1032221

Source: CCN
Type: Squid Proxy Cache Security Update Advisory SQUID-2015:1
Incorrect X509 server certificate validation

Source: CONFIRM
Type: Vendor Advisory
http://www.squid-cache.org/Advisories/SQUID-2015_1.txt

Source: XF
Type: UNKNOWN
squid-cve20153455-sec-bypass(102789)

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2015-3455

Vulnerable Configuration:

Configuration 1:

cpe:/o:oracle:linux:7:*:*:*:*:*:*:*

OR cpe:/o:oracle:solaris:11.2:*:*:*:*:*:*:*

Configuration 2:

cpe:/a:squid-cache:squid:3.2.0.1:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.2.0.2:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.2.0.3:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.2.0.4:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.2.0.5:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.2.0.6:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.2.0.7:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.2.0.8:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.2.0.9:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.2.0.10:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.2.0.11:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.2.0.12:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.2.0.13:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.2.0.14:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.2.0.15:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.2.0.16:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.2.0.17:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.2.0.18:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.2.0.19:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.2.1:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.2.2:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.2.3:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.2.4:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.2.5:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.2.6:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.2.7:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.2.8:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.2.9:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.2.10:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.2.11:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.2.12:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.2.13:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.3.0:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.3.0.1:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.3.0.2:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.3.0.3:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.3.1:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.3.2:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.3.3:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.3.4:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.3.5:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.3.6:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.3.7:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.3.8:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.3.9:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.3.10:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.3.11:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.3.12:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.3.13:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.4.0.1:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.4.0.2:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.4.0.3:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.4.1:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.4.2:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.4.3:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.4.4:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.4.5:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.4.6:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.4.7:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.4.8:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.4.9:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.4.10:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.4.11:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.4.12:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.5.0.1:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.5.0.2:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.5.0.3:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.5.0.4:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.5.1:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.5.2:*:*:*:*:*:*:*

Configuration 3:

cpe:/o:fedoraproject:fedora:22:*:*:*:*:*:*:*

Configuration RedHat 1:

cpe:/o:redhat:enterprise_linux:7:*:*:*:*:*:*:*

Configuration RedHat 2:

cpe:/o:redhat:enterprise_linux:7::server:*:*:*:*:*

Configuration RedHat 3:

cpe:/o:redhat:enterprise_linux:7::workstation:*:*:*:*:*

Configuration CCN 1:

cpe:/a:squid-cache:squid:3.3:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.4:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.5:*:*:*:*:*:*:*

OR cpe:/a:squid-cache:squid:3.2:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.opensuse.security:def:42415	P	Security update for systemd-presets-common-SUSE (Moderate) (in QA)	2022-07-13
oval:org.opensuse.security:def:20153455	V	CVE-2015-3455	2022-05-20
oval:org.opensuse.security:def:55280	P	Security update for mozilla-nss (Important)	2021-12-06
oval:org.opensuse.security:def:56103	P	Security update for openssh (Important)	2021-12-06
oval:org.opensuse.security:def:55258	P	Security update for MozillaFirefox (Important)	2021-10-15
oval:org.opensuse.security:def:55937	P	Security update for java-1_8_0-openjdk (Important)	2021-08-20
oval:org.opensuse.security:def:20292	P	Security update for the Linux Kernel (Live Patch 16 for SLE 12 SP4) (Important)	2021-08-17
oval:org.opensuse.security:def:20266	P	Security update for the Linux Kernel (Live Patch 19 for SLE 12 SP4) (Important)	2021-06-18
oval:org.opensuse.security:def:19604	P	Security update for the Linux Kernel (Important)	2021-05-13
oval:org.opensuse.security:def:41652	P	Security update for openssl (Moderate)	2021-03-19
oval:org.opensuse.security:def:55257	P	Security update for python3 (Important)	2021-02-08
oval:org.opensuse.security:def:55831	P	Security update for postgresql, postgresql12, postgresql13 (Important)	2021-01-26
oval:org.opensuse.security:def:42460	P	vte-0.22.5-0.2.1 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:19351	P	Security update for the Linux Kernel (Important)	2020-12-01
oval:org.opensuse.security:def:55420	P	xorg-x11-libs on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:40825	P	Security update for qemu (Important)	2020-12-01
oval:org.opensuse.security:def:41726	P	Security update for krb5 (Moderate)	2020-12-01
oval:org.opensuse.security:def:56496	P	Security update for binutils (Moderate)	2020-12-01
oval:org.opensuse.security:def:41360	P	Security update for the Linux Kernel (Important)	2020-12-01
oval:org.opensuse.security:def:19317	P	Security update for openldap2 (Important)	2020-12-01
oval:org.opensuse.security:def:56781	P	Security update for webkit2gtk3 (Moderate)	2020-12-01
oval:org.opensuse.security:def:19130	P	Security update for libvirt (Important)	2020-12-01
oval:org.opensuse.security:def:41697	P	Security update for dnsmasq (Moderate)	2020-12-01
oval:org.opensuse.security:def:56388	P	Security update for ucode-intel (Important)	2020-12-01
oval:org.opensuse.security:def:41258	P	Security update for java-1_7_1-ibm (Important)	2020-12-01
oval:org.opensuse.security:def:19259	P	Security update for the Linux Kernel (Important)	2020-12-01
oval:org.opensuse.security:def:56700	P	Security update for puppet (Moderate)	2020-12-01
oval:org.opensuse.security:def:41189	P	Security update for ovmf (Moderate)	2020-12-01
oval:org.opensuse.security:def:19173	P	Security update for pcp (Important)	2020-12-01
oval:org.opensuse.security:def:40824	P	Security update for MozillaFirefox (Important)	2020-12-01
oval:org.opensuse.security:def:56662	P	Security update for postgresql10 (Moderate)	2020-12-01
oval:org.opensuse.security:def:19534	P	Security update for patch (Moderate)	2020-12-01
oval:org.opensuse.security:def:41080	P	Security update for squid (Important)	2020-12-01
oval:org.opensuse.security:def:19138	P	Security update for python (Moderate)	2020-12-01
oval:org.opensuse.security:def:19628	P	Security update for wireshark (Moderate)	2020-12-01
oval:org.opensuse.security:def:56588	P	Security update for python3 (Moderate)	2020-12-01
oval:org.opensuse.security:def:19501	P	Security update for libarchive (Moderate)	2020-12-01
oval:org.opensuse.security:def:40928	P	Security update for compat-openssl098 (Moderate)	2020-12-01
oval:org.opensuse.security:def:41600	P	Security update for openldap2 (Important)	2020-12-01
oval:org.opensuse.security:def:19389	P	Security update for spice-gtk (Moderate)	2020-12-01
oval:org.opensuse.security:def:55658	P	Security update for libxml2 (Moderate)	2020-12-01
oval:org.opensuse.security:def:40836	P	Security update for openssl (Moderate)	2020-12-01
oval:org.opensuse.security:def:41777	P	Security update for strongswan (Moderate)	2020-12-01
oval:org.opensuse.security:def:19592	P	Security update for openssl (Moderate)	2020-12-01
oval:org.opensuse.security:def:41536	P	Security update for openldap2 (Important)	2020-12-01
oval:com.redhat.rhsa:def:20152378	P	RHSA-2015:2378: squid security and bug fix update (Moderate)	2015-11-19
oval:com.ubuntu.precise:def:20153455000	V	CVE-2015-3455 on Ubuntu 12.04 LTS (precise) - negligible.	2015-05-18
oval:com.ubuntu.trusty:def:20153455000	V	CVE-2015-3455 on Ubuntu 14.04 LTS (trusty) - negligible.	2015-05-18

BACK