Products & Services

Home

Home Networking

Home Networking

Wireless for everyone:
Get connected now

umi telepresence

umi telepresence

The new way to
be together.

Flip Video

Flip Video

Meet the Flip family:
Life now has a play button

More for Home

 Support How to Buy

For Home

Cisco Home Products Store
Products for everyone

Flip Video Store
Meet the Flip Family:
Life now has a play button

For Business

All Ordering Options

 Training & Events Partners

Find a Partner

Cisco Partners help you find the right solution for your Business

Become a Partner

Enhance your company's value-add, expertise and opportunities

Small Business Partners

Log in to get sales resources.

Already a Partner?

Log in for resources.

Register as a New User

Visit Partner Central or My Cisco Workspace
Guest

Security Issue Alert

OpenSSL Datagram Transport Layer Security Plaintext Recovery Issue

 
Threat Type:IntelliShield: Security Issue Alert
IntelliShield ID:24893
Version:16
First Published:2012 January 06 14:37 GMT
Last Published:2012 December 21 20:47 GMT
Port: Not Available
CVE:CVE-2011-4108
BugTraq ID:51281
Urgency: Unlikely Use
Credibility: Confirmed
Severity: Mild Damage
 
Version Summary:VMware has re-released a security advisory and updated software to address the OpenSSL Datagram Transport Layer Security plaintext recovery issue.
 
 
Description
OpenSSL versions prior to 0.9.8s and versions prior to 1.0.0f contain an issue that could result in easier recovery of plaintext information from encrypted text.

The issue exists because of an incorrect implementation of the Datagram Transport Layer Security (DTLS) protocol by the affected software. The affected versions of OpenSSL fail to verify the message authentication code (MAC) on packets that have been incorrectly cryptographically padded. The error could result in different timing in decrypting packets with valid and invalid padding information, allowing the attacker to guess certain plaintext information.

OpenSSL has confirmed this issue and released additional software updates. Previous updates introduced a regression error documented in IntelliShield Alert 24974.
 
Patches/Software
OpenSSL has released security advisories at the following links: DTLS Plaintext Recovery Attack and DTLS DoS Attack

OpenSSL has released updated software at the following links:
OpenSSL version 0.9.8t
OpenSSL version 1.0.0g
CentOS packages can be updated using the up2date or yum command.

FreeBSD has released a VuXML document at the following link: openssl -- multiple vulnerabilities

FreeBSD releases ports collection updates at the following link: Ports Collection Index

HP has released security bulletins c03141193, c03383940, and c03360041 at the following links: HPSBUX02734 SSRT100729, HPSBOV02793 SSRT100891, and HPSBMU02786 SSRT100877

HP has released updated software at the following links:
OpenSSL A.00.09.08s for HP-UX
HP has released updated software at the following links:
IBM has released a security advisory at the following link: CVE-2011-4108

IBM has released a fix for registered users at the following link: AIX

MontaVista Software has released a security alert for registered users on October 11, 2012, at the following link: MontaVista Security Fixes

MontaVista Software has released updated software at the following links:
CGE 5.1
Mobilinux 5.0
Pro 5.0.24
Pro 5.0
Mobilinux 5.0.24
CGE 6.0

Oracle has released a security advisory at the following link: Multiple vulnerabilities in OpenSSL

Oracle has released updated software at the following link: 11/11 SRU 4a

Red Hat has released an official CVE statement and a security advisory for bug 771770 at the following links: CVE-2011-4108RHSA-2012:0059, RHSA-2012:0060, RHSA-2012:1306, RHSA-2012:1307, and RHSA-2012:1308.

Red Hat has released updated software for registered subscribers at the following link: Red Hat Network

Red Hat packages can be updated on Red Hat Enterprise Linux versions 5 and later using the yum tool.

Red Hat has released security updates for registered users at the following links:

JBoss Enterprise Web Server 1.0.2
JBoss Enterprise Application Platform 5.1.2
JBoss Enterprise Application Platform 6.0.0

VMware has released a security advisory at the following link: VMSA-2012-0013

VMware has released updated software at the following links:
ESX 4.1
ESX410-201208101-SG

ESXi 4.1
ESXi410-201208101-SG

ESXi 5.0
ESXi-5.0.0-20121201001
 
Impact
The issue could allow plaintext recovery of information encoded in an arbitrary block of ciphertext, leading to disclosure of sensitive information. If successful, the attacker could launch further attacks.
 
Safeguards
Administrators are advised to apply the appropriate updates.

Administrators are advised to monitor affected systems.
 
Alert History
 

Version 15, October 15, 2012, 7:11 AM: MontaVista Software has re-released a security alert and updated software to address the OpenSSL Datagram Transport Layer Security plaintext recovery issue.

Version 14, September 25, 2012, 4:29 PM: Red Hat has released additional security advisories and updated software to address the OpenSSL Datagram Transport Layer Security plaintext recovery issue.

Version 13, September 5, 2012, 2:53 PM: VMware has released a security advisory and updated software to address the OpenSSL Datagram Transport Layer Security plaintext recovery issue.

Version 12, August 28, 2012, 1:37 PM: MontaVista Software has released a security alert and updated software to address the OpenSSL Datagram Transport Layer Security plaintext recovery issue.

Version 11, June 29, 2012, 9:00 AM: HP has released an additional security bulletin and updated software to address the OpenSSL Datagram Transport Layer Security plaintext recovery issue.

Version 10, June 25, 2012, 5:11 PM: HP has released an additional security bulletin and updated software to address the OpenSSL Datagram Transport Layer Security plaintext recovery issue.

Version 9, April 5, 2012, 11:03 AM: Oracle has released a security advisory and updated software to address the OpenSSL Datagram Transport Layer Security plaintext recovery issue.

Version 8, March 23, 2012, 3:48 PM: IBM has released a security advisory and fixes to address the OpenSSL Datagram Transport Layer Security plaintext recovery issue.

Version 7, January 31, 2012, 9:59 AM: CentOS has released updated packages to address the OpenSSL Datagram Transport Layer Security plaintext recovery issue.

Version 6, January 25, 2012, 12:13 PM: Red Hat has released security advisories and updated packages to address the OpenSSL Datagram Transport Layer Security plaintext recovery issue. CentOS has also released updated packages to address this issue.

Version 5, January 20, 2012, 4:27 PM: OpenSSL has released a security bulletin and updated software to address the regression error introduced as a result of a fix to the OpenSSL Datagram Transport Layer Security plaintext recovery issue.

Version 4, January 20, 2012, 1:27 PM: HP has released a security bulletin and updated software to address the OpenSSL Datagram Transport Layer Security plaintext recovery issue.

Version 3, January 17, 2012, 6:17 PM: FreeBSD has released a VuXML document and updated ports collection to address the OpenSSL Datagram Transport Layer Security plaintext recovery issue.

Version 2, January 11, 2012, 6:21 PM: Cisco has discovered a potential issue in the patch for the OpenSSL Datagram Transport Layer Security plaintext recovery issue.

Version 1, January 6, 2012, 9:37 AM: OpenSSL contains an issue that could allow an unauthenticated, remote attacker to obtain sensitive information from a targeted system. Updates are available.

Product Sets
 
The security vulnerability applies to the following combinations of products.

Primary Products:
OpenSSLopenssl0.9.8 Base | 0.9.8a Base | 0.9.8b Base | 0.9.8c Base | 0.9.8d Base | 0.9.8e Base | 0.9.8f Base | 0.9.8g Base | 0.9.8h Base | 0.9.8i Base | 0.9.8j Base | 0.9.8k Base | 0.9.8l Base | 0.9.8m Base | 0.9.8n Base | 0.9.8o Base | 0.9.8p Base | 0.9.8q Base | 0.9.8r Base | 0.9.8s Base | 1.0.0 Base | 1.0.0a Base | 1.0.0b Base | 1.0.0c Base | 1.0.0d Base | 1.0.0e Base

Associated Products:
CentOS ProjectCentOS5 .0 i386, .0 x86_64, .1 i386, .1 x86_64, .2 i386, .2 x86_64, .3 i386, .3 x86_64, .4 i386, .4 x86_64, .5 i386, .5 x86_64 | 6 .0 i386, .0 x86_64, .1 i386, .1 x86_64, .2 i386, .2 x86_64
FreeBSD ProjectFreeBSD6.3 Base | 6.4 Base | 7.0 Base | 7.1 Base | 7.2 Base | 7.3 Base | 7.4 Base | 8.0 Base | 8.1 Base | 8.2 Base | 9.0 Base
HPHP SSL for OpenVMS1.4 Base
HPHP-UX11.11/11i Base | 11.23 Base | 11.31 Base
HPSystem Management Homepage (SMH)6.0.0 Base | 6.1 Base | 6.2 Base | 7.0 Base | 7.1 Base
IBMAIX5.3 .10, .11, .12, .7.0, .7.1, .8, .9, Base | 6.1 .0, .1, .2, .3, .4, .5, .6, .7 | 7.1 .0, .1
MontaVistaMontaVista LinuxCGE 5.1, 6.0 | Mobilinux 5.0, 5.0.24 | Professional 5.0, 5.0.24
Oracle CorporationSolaris Express11 2010.11
Red Hat, Inc.JBoss Enterprise Application Platform5.1.2 Base | 6.0.0 Base
Red Hat, Inc.JBoss Enterprise Web Server1.0 .2
Red Hat, Inc.Red Hat Enterprise Linux5 IA-32, IA-64, PPC, ppc64, s390, s390x, x86_64
Red Hat, Inc.Red Hat Enterprise Linux Desktop5 IA-32, x86_64 | 6 IA-32, x86_64
Red Hat, Inc.Red Hat Enterprise Linux Desktop Workstation5 IA-32, x86-64
Red Hat, Inc.Red Hat Enterprise Linux HPC Node6 x86_64
Red Hat, Inc.Red Hat Enterprise Linux Server6 IA-32, PPC, PPC 64, s390, s390x, x86_64
Red Hat, Inc.Red Hat Enterprise Linux Server AUS6.2 IA-32, x86_64
Red Hat, Inc.Red Hat Enterprise Linux Server EUS6.2.z IA-32, PPC64, s390x, x86_64
Red Hat, Inc.Red Hat Enterprise Linux Workstation6 IA-32, x86_64
VMware, Inc.VMware ESXi3.5 Base, Update 1, Update 2, Update 3, Update 4 | 4.0 Base | 4.1 Base | 5.0 Base
VMware, Inc.VMware ESX Server3.5 Base, Update 1, Update 2, Update 3, Update 4 | 4.0 Base | 4.1 Base



Alerts and bulletins on the Cisco Security Intelligence Operations Portal are highlighted by analysts in the Cisco Threat Operations Center and represent a subset of the comprehensive content that is available through Cisco Security IntelliShield Alert Manager Service. This customizable threat and vulnerability alert service provides security staff with access to timely, accurate, and credible information about threats and vulnerabilities that may affect their environment. Cisco is pleased to offer a free trial of the service. To register for full access, please visit the IntelliShield trial registration page.
LEGAL DISCLAIMER
The urgency and severity ratings of this alert are not tailored to individual users; users may value alerts differently based upon their network configurations and circumstances. THE ALERT, AND INFORMATION CONTAINED THEREIN, ARE PROVIDED ON AN "AS IS" BASIS AND DO NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE ALERT, AND INFORMATION CONTAINED THEREIN, OR MATERIALS LINKED FROM THE ALERT, IS AT YOUR OWN RISK. INFORMATION IN THIS ALERT AND ANY RELATED COMMUNICATIONS IS BASED ON OUR KNOWLEDGE AT THE TIME OF PUBLICATION AND IS SUBJECT TO CHANGE WITHOUT NOTICE. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.
Powered by  IntelliShield

Related Links

Solutions

Products & Services


Feedback

Which alert section is most useful?

  • Affected Products/Versions
  • Patches/Software Updates
  • Description
  • Safeguards
  • Technical Information/Analysis

Do you use the CVSS scoring provided in alerts? Why?

What additional information should IntelliShield alerts include?