{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2016-0703", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "dateUpdated": "2024-08-05T22:30:03.398Z", "dateReserved": "2015-12-16T00:00:00", "datePublished": "2016-03-02T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2022-12-13T00:00:00"}, "descriptions": [{"lang": "en", "value": "The get_client_master_key function in s2_srvr.c in the SSLv2 implementation in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a accepts a nonzero CLIENT-MASTER-KEY CLEAR-KEY-LENGTH value for an arbitrary cipher, which allows man-in-the-middle attackers to determine the MASTER-KEY value and decrypt TLS ciphertext data by leveraging a Bleichenbacher RSA padding oracle, a related issue to CVE-2016-0800."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html"}, {"name": "83743", "tags": ["vdb-entry"], "url": "http://www.securityfocus.com/bid/83743"}, {"name": "openSUSE-SU-2016:0638", "tags": ["vendor-advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00010.html"}, {"name": "FreeBSD-SA-16:12", "tags": ["vendor-advisory"], "url": "https://security.FreeBSD.org/advisories/FreeBSD-SA-16:12.openssl.asc"}, {"url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinjan2016-2867209.html"}, {"name": "SUSE-SU-2016:0621", "tags": ["vendor-advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00003.html"}, {"url": "http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html"}, {"name": "SUSE-SU-2016:1057", "tags": ["vendor-advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00038.html"}, {"url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA40168"}, {"url": "https://drownattack.com"}, {"url": "https://git.openssl.org/?p=openssl.git%3Ba=commit%3Bh=ae50d8270026edf5b3c7f8aaa0c6677462b33d97"}, {"url": "http://openssl.org/news/secadv/20160301.txt"}, {"name": "20160302 Multiple Vulnerabilities in OpenSSL Affecting Cisco Products: March 2016", "tags": ["vendor-advisory"], "url": "http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160302-openssl"}, {"name": "openSUSE-SU-2016:0720", "tags": ["vendor-advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00025.html"}, {"name": "SUSE-SU-2016:0624", "tags": ["vendor-advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00004.html"}, {"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05141441"}, {"url": "https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03741en_us"}, {"name": "SUSE-SU-2016:0631", "tags": ["vendor-advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00007.html"}, {"url": "https://www.openssl.org/news/secadv/20160301.txt"}, {"name": "SUSE-SU-2016:0617", "tags": ["vendor-advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00001.html"}, {"name": "GLSA-201603-15", "tags": ["vendor-advisory"], "url": "https://security.gentoo.org/glsa/201603-15"}, {"url": "http://www.oracle.com/technetwork/topics/security/bulletinjan2016-2867206.html"}, {"name": "openSUSE-SU-2016:0628", "tags": ["vendor-advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00006.html"}, {"name": "1035133", "tags": ["vdb-entry"], "url": "http://www.securitytracker.com/id/1035133"}, {"name": "SUSE-SU-2016:0678", "tags": ["vendor-advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00017.html"}, {"name": "SUSE-SU-2016:0620", "tags": ["vendor-advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00002.html"}, {"name": "openSUSE-SU-2016:0637", "tags": ["vendor-advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00009.html"}, {"name": "SUSE-SU-2016:0641", "tags": ["vendor-advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00012.html"}, {"url": "http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10759"}, {"url": "https://www.arista.com/en/support/advisories-notices/security-advisories/1260-security-advisory-18"}, {"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-412672.pdf"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}], "datePublic": "2016-03-01T00:00:00"}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T22:30:03.398Z"}, "title": "CVE Program Container", "references": [{"url": "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html", "tags": ["x_transferred"]}, {"name": "83743", "tags": ["vdb-entry", "x_transferred"], "url": "http://www.securityfocus.com/bid/83743"}, {"name": "openSUSE-SU-2016:0638", "tags": ["vendor-advisory", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00010.html"}, {"name": "FreeBSD-SA-16:12", "tags": ["vendor-advisory", "x_transferred"], "url": "https://security.FreeBSD.org/advisories/FreeBSD-SA-16:12.openssl.asc"}, {"url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinjan2016-2867209.html", "tags": ["x_transferred"]}, {"name": "SUSE-SU-2016:0621", "tags": ["vendor-advisory", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00003.html"}, {"url": "http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html", "tags": ["x_transferred"]}, {"name": "SUSE-SU-2016:1057", "tags": ["vendor-advisory", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00038.html"}, {"url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA40168", "tags": ["x_transferred"]}, {"url": "https://drownattack.com", "tags": ["x_transferred"]}, {"url": "https://git.openssl.org/?p=openssl.git%3Ba=commit%3Bh=ae50d8270026edf5b3c7f8aaa0c6677462b33d97", "tags": ["x_transferred"]}, {"url": "http://openssl.org/news/secadv/20160301.txt", "tags": ["x_transferred"]}, {"name": "20160302 Multiple Vulnerabilities in OpenSSL Affecting Cisco Products: March 2016", "tags": ["vendor-advisory", "x_transferred"], "url": "http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160302-openssl"}, {"name": "openSUSE-SU-2016:0720", "tags": ["vendor-advisory", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00025.html"}, {"name": "SUSE-SU-2016:0624", "tags": ["vendor-advisory", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00004.html"}, {"url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05141441", "tags": ["x_transferred"]}, {"url": "https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03741en_us", "tags": ["x_transferred"]}, {"name": "SUSE-SU-2016:0631", "tags": ["vendor-advisory", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00007.html"}, {"url": "https://www.openssl.org/news/secadv/20160301.txt", "tags": ["x_transferred"]}, {"name": "SUSE-SU-2016:0617", "tags": ["vendor-advisory", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00001.html"}, {"name": "GLSA-201603-15", "tags": ["vendor-advisory", "x_transferred"], "url": "https://security.gentoo.org/glsa/201603-15"}, {"url": "http://www.oracle.com/technetwork/topics/security/bulletinjan2016-2867206.html", "tags": ["x_transferred"]}, {"name": "openSUSE-SU-2016:0628", "tags": ["vendor-advisory", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00006.html"}, {"name": "1035133", "tags": ["vdb-entry", "x_transferred"], "url": "http://www.securitytracker.com/id/1035133"}, {"name": "SUSE-SU-2016:0678", "tags": ["vendor-advisory", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00017.html"}, {"name": "SUSE-SU-2016:0620", "tags": ["vendor-advisory", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00002.html"}, {"name": "openSUSE-SU-2016:0637", "tags": ["vendor-advisory", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00009.html"}, {"name": "SUSE-SU-2016:0641", "tags": ["vendor-advisory", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00012.html"}, {"url": "http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10759", "tags": ["x_transferred"]}, {"url": "https://www.arista.com/en/support/advisories-notices/security-advisories/1260-security-advisory-18", "tags": ["x_transferred"]}, {"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-412672.pdf", "tags": ["x_transferred"]}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*", "matchCriteriaId": "FE2907ED-57AA-41E4-9AC6-055F138B9204", "versionEndIncluding": "0.9.8ze", "vulnerable": true}, {"criteria": "cpe:2.3:a:openssl:openssl:1.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "2FBD8C92-6138-4274-ACBA-D7D42DAEC5AC", "vulnerable": true}, {"criteria": "cpe:2.3:a:openssl:openssl:1.0.0:beta1:*:*:*:*:*:*", "matchCriteriaId": "3A2075BD-6102-4B0F-839A-836E9585F43B", "vulnerable": true}, {"criteria": "cpe:2.3:a:openssl:openssl:1.0.0:beta2:*:*:*:*:*:*", "matchCriteriaId": "2A2FA09E-2BF7-4968-B62D-00DA57F81EA1", "vulnerable": true}, {"criteria": "cpe:2.3:a:openssl:openssl:1.0.0:beta3:*:*:*:*:*:*", "matchCriteriaId": "F02E634E-1E3D-4E44-BADA-76F92483A732", "vulnerable": true}, {"criteria": "cpe:2.3:a:openssl:openssl:1.0.0:beta4:*:*:*:*:*:*", "matchCriteriaId": "FCC2B07A-49EF-411F-8A4D-89435E22B043", "vulnerable": true}, {"criteria": "cpe:2.3:a:openssl:openssl:1.0.0:beta5:*:*:*:*:*:*", "matchCriteriaId": "7E9480D6-3B6A-4C41-B8C1-C3F945040772", "vulnerable": true}, {"criteria": "cpe:2.3:a:openssl:openssl:1.0.0a:*:*:*:*:*:*:*", "matchCriteriaId": "10FF0A06-DA61-4250-B083-67E55E362677", "vulnerable": true}, {"criteria": "cpe:2.3:a:openssl:openssl:1.0.0b:*:*:*:*:*:*:*", "matchCriteriaId": "8A6BA453-C150-4159-B80B-5465EFF83F11", "vulnerable": true}, {"criteria": "cpe:2.3:a:openssl:openssl:1.0.0c:*:*:*:*:*:*:*", "matchCriteriaId": "638A2E69-8AB6-4FEA-852A-FEF16A500C1A", "vulnerable": true}, {"criteria": "cpe:2.3:a:openssl:openssl:1.0.0d:*:*:*:*:*:*:*", "matchCriteriaId": "56C47D3A-B99D-401D-B6B8-1194B2DB4809", "vulnerable": true}, {"criteria": "cpe:2.3:a:openssl:openssl:1.0.0e:*:*:*:*:*:*:*", "matchCriteriaId": "08355B10-E004-4BE6-A5AE-4D428810580B", "vulnerable": true}, {"criteria": "cpe:2.3:a:openssl:openssl:1.0.0f:*:*:*:*:*:*:*", "matchCriteriaId": "738BCFDC-1C49-4774-95AE-E099F707DEF9", "vulnerable": true}, {"criteria": "cpe:2.3:a:openssl:openssl:1.0.0g:*:*:*:*:*:*:*", "matchCriteriaId": "D4B242C0-D27D-4644-AD19-5ACB853C9DC2", "vulnerable": true}, {"criteria": "cpe:2.3:a:openssl:openssl:1.0.0h:*:*:*:*:*:*:*", "matchCriteriaId": "8DC683F2-4346-4E5E-A8D7-67B4F4D7827B", "vulnerable": true}, {"criteria": "cpe:2.3:a:openssl:openssl:1.0.0i:*:*:*:*:*:*:*", "matchCriteriaId": "764B7D38-BC1B-47DB-B1DF-D092BDA4BFCB", "vulnerable": true}, {"criteria": "cpe:2.3:a:openssl:openssl:1.0.0j:*:*:*:*:*:*:*", "matchCriteriaId": "6604E7BE-9F9B-444D-A63A-F65D1CFDF3BF", "vulnerable": true}, {"criteria": "cpe:2.3:a:openssl:openssl:1.0.0k:*:*:*:*:*:*:*", "matchCriteriaId": "132B9217-B0E0-4E3E-9096-162AA28E158E", "vulnerable": true}, {"criteria": "cpe:2.3:a:openssl:openssl:1.0.0l:*:*:*:*:*:*:*", "matchCriteriaId": "7619F9A0-9054-4217-93D1-3EA64876C5B0", "vulnerable": true}, {"criteria": "cpe:2.3:a:openssl:openssl:1.0.0m:*:*:*:*:*:*:*", "matchCriteriaId": "6D82C405-17E2-4DF1-8DF5-315BD5A41595", "vulnerable": true}, {"criteria": "cpe:2.3:a:openssl:openssl:1.0.0n:*:*:*:*:*:*:*", "matchCriteriaId": "4C96806F-4718-4BD3-9102-55A26AA86498", "vulnerable": true}, {"criteria": "cpe:2.3:a:openssl:openssl:1.0.0o:*:*:*:*:*:*:*", "matchCriteriaId": "8A16CD99-AF7F-4931-AD2E-77727BA18FBD", "vulnerable": true}, {"criteria": "cpe:2.3:a:openssl:openssl:1.0.0p:*:*:*:*:*:*:*", "matchCriteriaId": "88440697-754A-47A7-BF83-4D0EB68FFB10", "vulnerable": true}, {"criteria": "cpe:2.3:a:openssl:openssl:1.0.0q:*:*:*:*:*:*:*", "matchCriteriaId": "AD51F0FC-F426-4AE5-B3B9-B813C580EBAE", "vulnerable": true}, {"criteria": "cpe:2.3:a:openssl:openssl:1.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "2D1C00C0-C77E-4255-9ECA-20F2673C7366", "vulnerable": true}, {"criteria": "cpe:2.3:a:openssl:openssl:1.0.1:beta1:*:*:*:*:*:*", "matchCriteriaId": "21F16D65-8A46-4AC7-8970-73AB700035FB", "vulnerable": true}, {"criteria": "cpe:2.3:a:openssl:openssl:1.0.1:beta2:*:*:*:*:*:*", "matchCriteriaId": "92F393FF-7E6F-4671-BFBF-060162E12659", "vulnerable": true}, {"criteria": "cpe:2.3:a:openssl:openssl:1.0.1:beta3:*:*:*:*:*:*", "matchCriteriaId": "E1B85A09-CF8D-409D-966E-168F9959F6F6", "vulnerable": true}, {"criteria": "cpe:2.3:a:openssl:openssl:1.0.1a:*:*:*:*:*:*:*", "matchCriteriaId": "3A66E6CF-39CF-412E-8EF0-8E10BA21B4A4", "vulnerable": true}, {"criteria": "cpe:2.3:a:openssl:openssl:1.0.1b:*:*:*:*:*:*:*", "matchCriteriaId": "C684FB18-FDDC-4BED-A28C-C23EE6CD0094", "vulnerable": true}, {"criteria": "cpe:2.3:a:openssl:openssl:1.0.1c:*:*:*:*:*:*:*", "matchCriteriaId": "A74A79A7-4FAF-4C81-8622-050008B96AE1", "vulnerable": true}, {"criteria": "cpe:2.3:a:openssl:openssl:1.0.1d:*:*:*:*:*:*:*", "matchCriteriaId": "CEDACCB9-8D61-49EE-9957-9E58BC7BB031", "vulnerable": true}, {"criteria": "cpe:2.3:a:openssl:openssl:1.0.1e:*:*:*:*:*:*:*", "matchCriteriaId": "4993DD56-F9E3-4AC8-AC3E-BF204B950DEC", "vulnerable": true}, {"criteria": "cpe:2.3:a:openssl:openssl:1.0.1f:*:*:*:*:*:*:*", "matchCriteriaId": "E884B241-F9C3-44F8-A420-DE65F5F3D660", "vulnerable": true}, {"criteria": "cpe:2.3:a:openssl:openssl:1.0.1g:*:*:*:*:*:*:*", "matchCriteriaId": "3A383620-B4F7-44A7-85DA-A4FF2E115D80", "vulnerable": true}, {"criteria": "cpe:2.3:a:openssl:openssl:1.0.1h:*:*:*:*:*:*:*", "matchCriteriaId": "5F0C6812-F455-49CF-B29B-9AC00306DA43", "vulnerable": true}, {"criteria": "cpe:2.3:a:openssl:openssl:1.0.1i:*:*:*:*:*:*:*", "matchCriteriaId": "3F2D462C-A1B4-4572-A615-BDE9DC5F1E55", "vulnerable": true}, {"criteria": "cpe:2.3:a:openssl:openssl:1.0.1j:*:*:*:*:*:*:*", "matchCriteriaId": "3703E445-17C0-4C85-A496-A35641C0C8DB", "vulnerable": true}, {"criteria": "cpe:2.3:a:openssl:openssl:1.0.1k:*:*:*:*:*:*:*", "matchCriteriaId": "2F4034B9-EF1C-40E6-B92A-D4D7B7E7E774", "vulnerable": true}, {"criteria": "cpe:2.3:a:openssl:openssl:1.0.1l:*:*:*:*:*:*:*", "matchCriteriaId": "ABEC1927-F469-4B9E-B544-DA6CF90F0B34", "vulnerable": true}, {"criteria": "cpe:2.3:a:openssl:openssl:1.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "AD3E5C1B-EC63-4214-A0BD-0B8681CE6C8B", "vulnerable": true}, {"criteria": "cpe:2.3:a:openssl:openssl:1.0.2:beta1:*:*:*:*:*:*", "matchCriteriaId": "18797BEE-417D-4959-9AAD-C5A7C051B524", "vulnerable": true}, {"criteria": "cpe:2.3:a:openssl:openssl:1.0.2:beta2:*:*:*:*:*:*", "matchCriteriaId": "6FAA3C31-BD9D-45A9-A502-837FECA6D479", "vulnerable": true}, {"criteria": "cpe:2.3:a:openssl:openssl:1.0.2:beta3:*:*:*:*:*:*", "matchCriteriaId": "6455A421-9956-4846-AC7C-3431E0D37D23", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The get_client_master_key function in s2_srvr.c in the SSLv2 implementation in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a accepts a nonzero CLIENT-MASTER-KEY CLEAR-KEY-LENGTH value for an arbitrary cipher, which allows man-in-the-middle attackers to determine the MASTER-KEY value and decrypt TLS ciphertext data by leveraging a Bleichenbacher RSA padding oracle, a related issue to CVE-2016-0800."}, {"lang": "es", "value": "La funci\u00f3n get_client_master_key en s2_srvr.c en la implementaci\u00f3n de SSLv2 en OpenSSL en versiones anteriores a 0.9.8zf, 1.0.0 en versiones anteriores a 1.0.0r, 1.0.1 en versiones anteriores a 1.0.1m y 1.0.2 en versiones anteriores a 1.0.2a acepta un valor CLIENT-MASTER-KEY CLEAR-KEY-LENGTH distinto de cero para un cifrado arbitrario, lo que permite a atacantes man-in-the-middle determinar el valor MASTER-KEY y descifrar datos de texto cifrados con TLS aprovech\u00e1ndose de un Bleichenbacher RSA padding oracle, un caso relacionado con CVE-2016-0800."}], "id": "CVE-2016-0703", "lastModified": "2023-11-07T02:29:17.190", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2016-03-02T11:59:00.113", "references": [{"source": "secalert@redhat.com", "url": "http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10759"}, {"source": "secalert@redhat.com", "url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00001.html"}, {"source": "secalert@redhat.com", "url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00002.html"}, {"source": "secalert@redhat.com", "url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00003.html"}, {"source": "secalert@redhat.com", "url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00004.html"}, {"source": "secalert@redhat.com", "url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00006.html"}, {"source": "secalert@redhat.com", "url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00007.html"}, {"source": "secalert@redhat.com", "url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00009.html"}, {"source": "secalert@redhat.com", "url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00010.html"}, {"source": "secalert@redhat.com", "url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00012.html"}, {"source": "secalert@redhat.com", "url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00017.html"}, {"source": "secalert@redhat.com", "url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00025.html"}, {"source": "secalert@redhat.com", "url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00038.html"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "http://openssl.org/news/secadv/20160301.txt"}, {"source": "secalert@redhat.com", "url": "http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160302-openssl"}, {"source": "secalert@redhat.com", "url": "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html"}, {"source": "secalert@redhat.com", "url": "http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html"}, {"source": "secalert@redhat.com", "url": "http://www.oracle.com/technetwork/topics/security/bulletinjan2016-2867206.html"}, {"source": "secalert@redhat.com", "url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinjan2016-2867209.html"}, {"source": "secalert@redhat.com", "url": "http://www.securityfocus.com/bid/83743"}, {"source": "secalert@redhat.com", "url": "http://www.securitytracker.com/id/1035133"}, {"source": "secalert@redhat.com", "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-412672.pdf"}, {"source": "secalert@redhat.com", "url": "https://drownattack.com"}, {"source": "secalert@redhat.com", "url": "https://git.openssl.org/?p=openssl.git%3Ba=commit%3Bh=ae50d8270026edf5b3c7f8aaa0c6677462b33d97"}, {"source": "secalert@redhat.com", "url": "https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03741en_us"}, {"source": "secalert@redhat.com", "url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05141441"}, {"source": "secalert@redhat.com", "url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA40168"}, {"source": "secalert@redhat.com", "url": "https://security.FreeBSD.org/advisories/FreeBSD-SA-16:12.openssl.asc"}, {"source": "secalert@redhat.com", "url": "https://security.gentoo.org/glsa/201603-15"}, {"source": "secalert@redhat.com", "url": "https://www.arista.com/en/support/advisories-notices/security-advisories/1260-security-advisory-18"}, {"source": "secalert@redhat.com", "url": "https://www.openssl.org/news/secadv/20160301.txt"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"acknowledgement": "Red Hat would like to thank the OpenSSL project for reporting this issue. Upstream acknowledges David Adrian (University of Michigan) and J. Alex Halderman (University of Michigan) as the original reporters.", "affected_release": [{"advisory": "RHSA-2016:0306", "cpe": "cpe:/o:redhat:rhel_els:4", "package": "openssl-0:0.9.7a-43.23.el4", "product_name": "Red Hat Enterprise Linux 4 Extended Lifecycle Support", "release_date": "2016-03-01T00:00:00Z"}, {"advisory": "RHSA-2015:0800", "cpe": "cpe:/o:redhat:enterprise_linux:5", "package": "openssl-0:0.9.8e-33.el5_11", "product_name": "Red Hat Enterprise Linux 5", "release_date": "2015-04-13T00:00:00Z"}, {"advisory": "RHSA-2016:0304", "cpe": "cpe:/o:redhat:rhel_mission_critical:5.6", "package": "openssl-0:0.9.8e-12.el5_6.13", "product_name": "Red Hat Enterprise Linux 5.6 Long Life", "release_date": "2016-03-01T00:00:00Z"}, {"advisory": "RHSA-2016:0304", "cpe": "cpe:/o:redhat:rhel_aus:5.9", "package": "openssl-0:0.9.8e-26.el5_9.5", "product_name": "Red Hat Enterprise Linux 5.9 Long Life", "release_date": "2016-03-01T00:00:00Z"}, {"advisory": "RHSA-2015:0715", "cpe": "cpe:/o:redhat:enterprise_linux:6", "package": "openssl-0:1.0.1e-30.el6_6.7", "product_name": "Red Hat Enterprise Linux 6", "release_date": "2015-03-23T00:00:00Z"}, {"advisory": "RHSA-2016:0372", "cpe": "cpe:/o:redhat:enterprise_linux:6", "package": "openssl098e-0:0.9.8e-20.el6_7.1", "product_name": "Red Hat Enterprise Linux 6", "release_date": "2016-03-09T00:00:00Z"}, {"advisory": "RHSA-2016:0303", "cpe": "cpe:/o:redhat:rhel_mission_critical:6.2", "package": "openssl-0:1.0.0-20.el6_2.8", "product_name": "Red Hat Enterprise Linux 6.2 Advanced Update Support", "release_date": "2016-03-01T00:00:00Z"}, {"advisory": "RHSA-2016:0303", "cpe": "cpe:/o:redhat:rhel_aus:6.4", "package": "openssl-0:1.0.0-27.el6_4.5", "product_name": "Red Hat Enterprise Linux 6.4 Advanced Update Support", "release_date": "2016-03-01T00:00:00Z"}, {"advisory": "RHSA-2016:0303", "cpe": "cpe:/o:redhat:rhel_aus:6.5", "package": "openssl-0:1.0.1e-16.el6_5.16", "product_name": "Red Hat Enterprise Linux 6.5 Advanced Update Support", "release_date": "2016-03-01T00:00:00Z"}, {"advisory": "RHSA-2015:0716", "cpe": "cpe:/o:redhat:enterprise_linux:7", "package": "openssl-1:1.0.1e-42.el7_1.4", "product_name": "Red Hat Enterprise Linux 7", "release_date": "2015-03-23T00:00:00Z"}, {"advisory": "RHSA-2016:0372", "cpe": "cpe:/o:redhat:enterprise_linux:7", "package": "openssl098e-0:0.9.8e-29.el7_2.3", "product_name": "Red Hat Enterprise Linux 7", "release_date": "2016-03-09T00:00:00Z"}, {"advisory": "RHSA-2015:0752", "cpe": "cpe:/a:redhat:storage:2.1:server:el6", "package": "openssl-0:1.0.1e-30.el6_6.7", "product_name": "Red Hat Storage 2.1", "release_date": "2015-03-30T00:00:00Z"}], "bugzilla": {"description": "openssl: Divide-and-conquer session key recovery in SSLv2", "id": "1310811", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1310811"}, "csaw": false, "cvss": {"cvss_base_score": "4.3", "cvss_scoring_vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "status": "verified"}, "details": ["The get_client_master_key function in s2_srvr.c in the SSLv2 implementation in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a accepts a nonzero CLIENT-MASTER-KEY CLEAR-KEY-LENGTH value for an arbitrary cipher, which allows man-in-the-middle attackers to determine the MASTER-KEY value and decrypt TLS ciphertext data by leveraging a Bleichenbacher RSA padding oracle, a related issue to CVE-2016-0800.", "It was discovered that the SSLv2 servers using OpenSSL accepted SSLv2 connection handshakes that indicated non-zero clear key length for non-export cipher suites. An attacker could use this flaw to decrypt recorded SSLv2 sessions with the server by using it as a decryption oracle."], "name": "CVE-2016-0703", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:5", "fix_state": "Will not fix", "package_name": "openssl097a", "product_name": "Red Hat Enterprise Linux 5"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:6", "fix_state": "Under investigation", "package_name": "openssl", "product_name": "Red Hat JBoss Enterprise Application Platform 6"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:1", "fix_state": "Under investigation", "package_name": "openssl", "product_name": "Red Hat JBoss Enterprise Web Server 1"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:2", "fix_state": "Under investigation", "package_name": "openssl", "product_name": "Red Hat JBoss Enterprise Web Server 2"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:3", "fix_state": "Under investigation", "package_name": "openssl", "product_name": "Red Hat JBoss Enterprise Web Server 3"}], "public_date": "2016-03-01T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2016-0703\nhttps://nvd.nist.gov/vuln/detail/CVE-2016-0703\nhttps://www.openssl.org/news/secadv/20160301.txt"], "threat_severity": "Moderate", "upstream_fix": "openssl 1.0.2a, openssl 1.0.1m, openssl 1.0.0r, openssl 0.9.8zf"}