Vulnerability Details : CVE-2003-0078
ssl3_get_record in s3_pkt.c for OpenSSL before 0.9.7a and 0.9.6 before 0.9.6i does not perform a MAC computation if an incorrect block cipher padding is used, which causes an information leak (timing discrepancy) that may make it easier to launch cryptographic attacks that rely on distinguishing between padding and MAC verification errors, possibly leading to extraction of the original plaintext, aka the "Vaudenay timing attack."
Products affected by CVE-2003-0078
- cpe:2.3:o:freebsd:freebsd:5.0:*:*:*:*:*:*:*
- cpe:2.3:o:freebsd:freebsd:4.2:*:*:*:*:*:*:*
- cpe:2.3:o:freebsd:freebsd:4.3:*:*:*:*:*:*:*
- cpe:2.3:o:freebsd:freebsd:4.4:*:*:*:*:*:*:*
- cpe:2.3:o:freebsd:freebsd:4.5:*:*:*:*:*:*:*
- cpe:2.3:o:freebsd:freebsd:4.6:*:*:*:*:*:*:*
- cpe:2.3:o:freebsd:freebsd:4.7:*:*:*:*:*:*:*
- cpe:2.3:o:freebsd:freebsd:4.8:pre-release:*:*:*:*:*:*
- cpe:2.3:o:openbsd:openbsd:3.1:*:*:*:*:*:*:*
- cpe:2.3:o:openbsd:openbsd:3.2:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.4:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.1c:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.2b:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.3:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.5:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.6:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.6a:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.5a:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.6c:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.6d:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.7:beta1:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.7:beta2:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.6b:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.6e:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.6h:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.7:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.6g:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.7:beta3:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2003-0078
1.95%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 88 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2003-0078
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.0
|
MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
10.0
|
2.9
|
NIST |
References for CVE-2003-0078
-
http://www.securityfocus.com/bid/6884
-
http://www.redhat.com/support/errata/RHSA-2003-062.html
Support
-
http://www.ciac.org/ciac/bulletins/n-051.shtml
-
http://www.debian.org/security/2003/dsa-253
Debian -- The Universal Operating SystemVendor Advisory
-
http://www.redhat.com/support/errata/RHSA-2003-205.html
Support
-
http://www.trustix.org/errata/2003/0005
Trustix | Empowering Trust and Security in the Digital Age
-
http://www.redhat.com/support/errata/RHSA-2003-063.html
Support
-
http://www.iss.net/security_center/static/11369.php
Vendor Advisory
-
http://marc.info/?l=bugtraq&m=104567627211904&w=2
'OpenSSL 0.9.7a and 0.9.6i released' - MARC
-
ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2003-001.txt.asc
-
http://www.mandrakesoft.com/security/advisories?name=MDKSA-2003:020
-
ftp://patches.sgi.com/support/free/security/advisories/20030501-01-I
-
http://www.redhat.com/support/errata/RHSA-2003-104.html
Support
-
http://www.linuxsecurity.com/advisories/engarde_advisory-2874.html
Stay Vigilant with Timely Linux Security Advisories
-
http://www.redhat.com/support/errata/RHSA-2003-082.html
Support
-
http://marc.info/?l=bugtraq&m=104577183206905&w=2
'GLSA: openssl (200302-10)' - MARC
-
http://www.openssl.org/news/secadv_20030219.txt
404 Page not found | LibraryPatch;Vendor Advisory
-
http://marc.info/?l=bugtraq&m=104568426824439&w=2
'[OpenPKG-SA-2003.013] OpenPKG Security Advisory (openssl)' - MARC
-
http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000570
CONECTIVA | AnĂ¡lises dos Melhores Produtos Online (#10 Melhores)
Jump to