CVE-2016-0703

Impact:
Moderate
Public Date:
2016-03-01
Bugzilla:
1310811: CVE-2016-0703 openssl: Divide-and-conquer session key recovery in SSLv2
It was discovered that the SSLv2 servers using OpenSSL accepted SSLv2 connection handshakes that indicated non-zero clear key length for non-export cipher suites. An attacker could use this flaw to decrypt recorded SSLv2 sessions with the server by using it as a decryption oracle.

Find out more about CVE-2016-0703 from the MITRE CVE dictionary dictionary and NIST NVD.

CVSS v2 metrics

Base Score 4.3
Base Metrics AV:N/AC:M/Au:N/C:P/I:N/A:N
Access Vector Network
Access Complexity Medium
Authentication None
Confidentiality Impact Partial
Integrity Impact None
Availability Impact None

Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).

Red Hat Security Errata

Platform Errata Release Date
Red Hat Enterprise Linux Advanced Update Support 6.5 (openssl) RHSA-2016:0303 2016-03-01
Red Hat Enterprise Linux Advanced Update Support 6.2 (openssl) RHSA-2016:0303 2016-03-01
Red Hat Enterprise Linux Long Life (v. 5.9 server) (openssl) RHSA-2016:0304 2016-03-01
Red Hat Enterprise Linux Extended Lifecycle Support 4 (openssl) RHSA-2016:0306 2016-03-01
Red Hat Enterprise Linux 6 (openssl) RHSA-2015:0715 2015-03-23
Red Hat Enterprise Linux Long Life (v. 5.6 server) (openssl) RHSA-2016:0304 2016-03-01
Red Hat Storage Server 2.1 (openssl) RHSA-2015:0752 2015-03-30
Red Hat Enterprise Linux Advanced Update Support 6.4 (openssl) RHSA-2016:0303 2016-03-01
Red Hat Enterprise Linux 5 (openssl) RHSA-2015:0800 2015-04-13
Red Hat Enterprise Linux 7 (openssl) RHSA-2015:0716 2015-03-23
Red Hat Enterprise Linux 7 (openssl098e) RHSA-2016:0372 2016-03-09
Red Hat Enterprise Linux 6 (openssl098e) RHSA-2016:0372 2016-03-09

Affected Packages State

Platform Package State
Red Hat JBoss Web Server 3.0 openssl Under investigation
Red Hat JBoss EWS 2 openssl Under investigation
Red Hat JBoss EWS 1 openssl Under investigation
Red Hat JBoss EAP 6 openssl Under investigation
Red Hat Enterprise Linux 5 openssl097a Will not fix

Acknowledgements

Red Hat would like to thank the OpenSSL project for reporting this issue. Upstream acknowledges David Adrian (University of Michigan) and J. Alex Halderman (University of Michigan) as the original reporters.

External References

Last Modified
Close

Welcome! Check out the Getting Started with Red Hat page for quick tours and guides for common tasks.