CVE-2011-3389

CVSS V2 Medium 4.3 CVSS V3 None
Description
The SSL protocol, as used in certain configurations in Microsoft Windows and Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera, and other products, encrypts data by using CBC mode with chained initialization vectors, which allows man-in-the-middle attackers to obtain plaintext HTTP headers via a blockwise chosen-boundary attack (BCBA) on an HTTPS session, in conjunction with JavaScript code that uses (1) the HTML5 WebSocket API, (2) the Java URLConnection API, or (3) the Silverlight WebClient API, aka a "BEAST" attack.
Overview
  • CVE ID
  • CVE-2011-3389
  • Assigner
  • cve@mitre.org
  • Vulnerability Status
  • Analyzed
  • Published Version
  • 2011-09-06T19:55:03
  • Last Modified Date
  • 2022-11-29T15:56:08
Weakness Enumerations
CWE URL
CWE-20 http://cwe.mitre.org/data/definitions/20.html
CPE Configuration (Product)
CPE Vulnerable Operator Version Start Version End
AND
cpe:2.3:a:google:chrome:-:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:microsoft:internet_explorer:-:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:mozilla:firefox:-:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:opera:opera_browser:-:*:*:*:*:*:*:* 1 OR
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:* 1 OR
AND
cpe:2.3:o:siemens:simatic_rf68xr_firmware:*:*:*:*:*:*:*:* 1 OR 3.2.1
cpe:2.3:h:siemens:simatic_rf68xr:-:*:*:*:*:*:*:* 0 OR
AND
cpe:2.3:o:siemens:simatic_rf615r_firmware:*:*:*:*:*:*:*:* 1 OR 3.2.1
cpe:2.3:h:siemens:simatic_rf615r:-:*:*:*:*:*:*:* 0 OR
AND
cpe:2.3:a:haxx:curl:*:*:*:*:*:*:*:* 1 OR 7.10.6 7.23.1
AND
cpe:2.3:o:redhat:enterprise_linux_desktop:5.0:*:*:*:*:*:*:* 1 OR
cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:* 1 OR
cpe:2.3:o:redhat:enterprise_linux_eus:6.2:*:*:*:*:*:*:* 1 OR
cpe:2.3:o:redhat:enterprise_linux_server:5.0:*:*:*:*:*:*:* 1 OR
cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:* 1 OR
cpe:2.3:o:redhat:enterprise_linux_server_aus:6.2:*:*:*:*:*:*:* 1 OR
cpe:2.3:o:redhat:enterprise_linux_workstation:5.0:*:*:*:*:*:*:* 1 OR
cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:* 1 OR
AND
cpe:2.3:o:debian:debian_linux:5.0:*:*:*:*:*:*:* 1 OR
cpe:2.3:o:debian:debian_linux:6.0:*:*:*:*:*:*:* 1 OR
AND
cpe:2.3:o:canonical:ubuntu_linux:10.04:*:*:*:-:*:*:* 1 OR
cpe:2.3:o:canonical:ubuntu_linux:10.10:*:*:*:*:*:*:* 1 OR
cpe:2.3:o:canonical:ubuntu_linux:11.04:*:*:*:*:*:*:* 1 OR
cpe:2.3:o:canonical:ubuntu_linux:11.10:*:*:*:*:*:*:* 1 OR
CVSS Version 2
  • Version
  • 2.0
  • Vector String
  • AV:N/AC:M/Au:N/C:P/I:N/A:N
  • Access Vector
  • NETWORK
  • Access Compatibility
  • MEDIUM
  • Authentication
  • NONE
  • Confidentiality Impact
  • PARTIAL
  • Integrity Impact
  • NONE
  • Availability Impact
  • NONE
  • Base Score
  • 4.3
  • Severity
  • MEDIUM
  • Exploitability Score
  • 8.6
  • Impact Score
  • 2.9
References
Reference URL Reference Tags
http://www.opera.com/docs/changelogs/unix/1151/
http://www.securityfocus.com/bid/49388
http://www.opera.com/docs/changelogs/windows/1151/
http://www.opera.com/docs/changelogs/mac/1151/
http://osvdb.org/74829
http://secunia.com/advisories/45791 Vendor Advisory
http://www.securitytracker.com/id?1025997
http://eprint.iacr.org/2004/111
https://bugzilla.redhat.com/show_bug.cgi?id=737506
http://ekoparty.org/2011/juliano-rizzo.php
http://www.imperialviolet.org/2011/09/23/chromeandbeast.html
https://bugzilla.novell.com/show_bug.cgi?id=719047
http://www.insecure.cl/Beast-SSL.rar Patch
http://www.educatedguesswork.org/2011/09/security_impact_of_the_rizzodu.html
http://eprint.iacr.org/2006/136
http://isc.sans.edu/diary/SSL+TLS+part+3+/11635
http://my.opera.com/securitygroup/blog/2011/09/28/the-beast-ssl-tls-issue
http://blog.mozilla.com/security/2011/09/27/attack-against-tls-protected-communications/
http://blogs.technet.com/b/msrc/archive/2011/09/26/microsoft-releases-security-advisory-2588513.aspx
http://technet.microsoft.com/security/advisory/2588513
http://support.apple.com/kb/HT4999
http://www.oracle.com/technetwork/topics/security/javacpuoct2011-443431.html
http://support.apple.com/kb/HT5001
http://lists.apple.com/archives/Security-announce/2011//Oct/msg00001.html
http://lists.apple.com/archives/Security-announce/2011//Oct/msg00002.html
http://www.securitytracker.com/id?1026103
http://www.securityfocus.com/bid/49778
http://blogs.technet.com/b/srd/archive/2011/09/26/is-ssl-broken-more-about-security-advisory-2588513.aspx
http://www.redhat.com/support/errata/RHSA-2011-1384.html Vendor Advisory
http://vnhacker.blogspot.com/2011/09/beast.html
http://www.kb.cert.org/vuls/id/864643 US Government Resource
http://googlechromereleases.blogspot.com/2011/10/chrome-stable-release.html
http://www.ibm.com/developerworks/java/jdk/alerts/
http://www.opera.com/docs/changelogs/windows/1160/
http://www.opera.com/docs/changelogs/mac/1160/
http://www.opera.com/support/kb/view/1004/ Vendor Advisory
http://www.opera.com/docs/changelogs/unix/1160/
http://www.redhat.com/support/errata/RHSA-2012-0006.html
http://support.apple.com/kb/HT5130
http://lists.apple.com/archives/security-announce/2012/Feb/msg00000.html
http://marc.info/?l=bugtraq&m=132872385320240&w=2
http://support.apple.com/kb/HT5281
http://lists.apple.com/archives/security-announce/2012/May/msg00001.html
http://lists.apple.com/archives/security-announce/2012/Jul/msg00001.html
http://support.apple.com/kb/HT5501
http://lists.apple.com/archives/security-announce/2012/Sep/msg00004.html
http://secunia.com/advisories/49198
http://lists.opensuse.org/opensuse-security-announce/2012-01/msg00051.html
https://hermes.opensuse.org/messages/13155432
https://hermes.opensuse.org/messages/13154861
http://lists.opensuse.org/opensuse-security-announce/2012-01/msg00049.html
http://marc.info/?l=bugtraq&m=132750579901589&w=2
http://secunia.com/advisories/48692
https://blogs.oracle.com/sunsecurity/entry/multiple_vulnerabilities_in_fetchmail
http://secunia.com/advisories/48948
http://secunia.com/advisories/48915
http://www.us-cert.gov/cas/techalerts/TA12-010A.html US Government Resource
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c03839862
http://secunia.com/advisories/55351
http://secunia.com/advisories/55322
http://secunia.com/advisories/55350
http://www.securitytracker.com/id/1029190
http://rhn.redhat.com/errata/RHSA-2013-1455.html
http://lists.apple.com/archives/security-announce/2013/Oct/msg00004.html
http://www.ubuntu.com/usn/USN-1263-1
http://support.apple.com/kb/HT6150
http://security.gentoo.org/glsa/glsa-201406-32.xml
http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html
http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html
http://downloads.asterisk.org/pub/security/AST-2016-001.html
http://marc.info/?l=bugtraq&m=134254957702612&w=2
http://marc.info/?l=bugtraq&m=133365109612558&w=2
http://marc.info/?l=bugtraq&m=133728004526190&w=2
http://www.apcmedia.com/salestools/SJHN-7RKGNM/SJHN-7RKGNM_R4_EN.pdf
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14752
http://marc.info/?l=bugtraq&m=134254866602253&w=2
http://www.mandriva.com/security/advisories?name=MDVSA-2012:058
http://rhn.redhat.com/errata/RHSA-2012-0508.html
http://lists.opensuse.org/opensuse-security-announce/2012-05/msg00009.html
http://security.gentoo.org/glsa/glsa-201203-02.xml
http://secunia.com/advisories/48256
http://www.securitytracker.com/id?1026704
http://secunia.com/advisories/47998
http://www.debian.org/security/2012/dsa-2398
http://curl.haxx.se/docs/adv_20120124B.html
https://ics-cert.us-cert.gov/advisories/ICSMA-18-058-02
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2012/ms12-006
https://cert-portal.siemens.com/productcert/pdf/ssa-556833.pdf
http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00040.html
Sources
Source Name Source URL
NIST https://nvd.nist.gov/vuln/detail/CVE-2011-3389
MITRE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3389
History
Created Old Value New Value Data Type Notes
2022-05-10 15:53:15 Added to TrackCVE
2022-12-01 18:20:38 2022-11-29T15:56:08 CVE Modified Date updated
2022-12-01 18:20:38 Undergoing Analysis Analyzed Vulnerability Status updated