CVE-2016-0800

Impact:
Important
Public Date:
2016-03-01
Bugzilla:
1310593: CVE-2016-0800 SSL/TLS: Cross-protocol attack on TLS using SSLv2 (DROWN)
A padding oracle flaw was found in the Secure Sockets Layer version 2.0 (SSLv2) protocol. An attacker who can record TLS connections to a server, and who can also complete SSLv2 handshakes with any server that uses the same RSA private key, can use that SSLv2 server as a Bleichenbacher-style oracle to decrypt the RSA-encrypted premaster secret of a recorded connection, and hence the connection itself. The oracle is tied to the key, not to the host or port: an SSLv2-capable service anywhere that shares the key or certificate (for example, a mail server reusing a web server's certificate) exposes every SSL/TLS connection made with that key. This cross-protocol attack is publicly referred to as DROWN.
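
The precondition DROWN needs is only that some server reachable by the attacker completes an SSLv2 handshake with the affected RSA key. The probe below is added here as a worked example and is not Red Hat or OpenSSL project code: it builds an SSLv2 CLIENT-HELLO, parses the SERVER-HELLO and reports whether SSLv2 and its 40-bit export cipher specs are offered. The message layouts follow the SSLv2 specification; the sample SERVER-HELLO bytes, the placeholder certificate, and the host name and port in the usage line are constructed for illustration.

```python
"""Probe for the DROWN precondition: does a server still speak SSLv2?

Added example for this advisory, not Red Hat or OpenSSL project code.
The sample SERVER-HELLO bytes and placeholder certificate are constructed.
"""
import socket
import struct
from typing import Optional

# SSLv2 CIPHER-SPEC values, 3 bytes each. The two 40-bit export specs are
# the ones the general DROWN attack needs the server to accept.
SSLV2_CIPHER_SPECS = {
    b"\x01\x00\x80": "SSL_CK_RC4_128_WITH_MD5",
    b"\x02\x00\x80": "SSL_CK_RC4_128_EXPORT40_WITH_MD5",
    b"\x03\x00\x80": "SSL_CK_RC2_128_CBC_WITH_MD5",
    b"\x04\x00\x80": "SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5",
    b"\x05\x00\x80": "SSL_CK_IDEA_128_CBC_WITH_MD5",
    b"\x06\x00\x40": "SSL_CK_DES_64_CBC_WITH_MD5",
    b"\x07\x00\xc0": "SSL_CK_DES_192_EDE3_CBC_WITH_MD5",
}
EXPORT_SPECS = {b"\x02\x00\x80", b"\x04\x00\x80"}
MSG_CLIENT_HELLO = 0x01
MSG_SERVER_HELLO = 0x04
SSLV2_VERSION = 0x0002


def build_client_hello(challenge: bytes = b"\x00" * 16) -> bytes:
    """SSLv2 CLIENT-HELLO offering every cipher spec, with no session id.

    The record header is 2 bytes with the high bit set (15-bit length, no
    padding byte). Body: type, version, spec len, session-id len,
    challenge len, specs, challenge.
    """
    specs = b"".join(SSLV2_CIPHER_SPECS)
    body = struct.pack(">BHHHH", MSG_CLIENT_HELLO, SSLV2_VERSION,
                       len(specs), 0, len(challenge)) + specs + challenge
    return struct.pack(">H", 0x8000 | len(body)) + body


def parse_server_hello(record: bytes) -> Optional[dict]:
    """Return the parsed SERVER-HELLO, or None if the bytes are not one.

    A TLS alert (first byte 0x15) or an empty reply never has the SSLv2
    high bit set, so both come out as "not SSLv2".
    """
    if len(record) < 2:
        return None
    hdr = struct.unpack(">H", record[:2])[0]
    if not hdr & 0x8000:
        return None
    body = record[2:2 + (hdr & 0x7FFF)]
    if len(body) < 11 or body[0] != MSG_SERVER_HELLO:
        return None
    # type, session-id hit, certificate type, version, cert len, spec len, conn-id len
    (_, _hit, _cert_type, version,
     cert_len, spec_len, conn_len) = struct.unpack(">BBBHHHH", body[:11])
    if len(body) < 11 + cert_len + spec_len + conn_len:
        return None
    cert = body[11:11 + cert_len]
    raw = body[11 + cert_len:11 + cert_len + spec_len]
    specs = [raw[i:i + 3] for i in range(0, len(raw) - 2, 3)]
    return {
        "version": version,
        "certificate": cert,  # identifies which key this oracle exposes
        "cipher_specs": [SSLV2_CIPHER_SPECS.get(s, s.hex()) for s in specs],
        "export_ciphers": any(s in EXPORT_SPECS for s in specs),
    }


def assess(hello: Optional[dict]) -> str:
    """One-line verdict on the DROWN precondition for this endpoint."""
    if hello is None:
        return "no SSLv2 SERVER-HELLO: SSLv2 appears disabled on this endpoint"
    verdict = "SSLv2 SUPPORTED: DROWN precondition met for this RSA key"
    if hello["export_ciphers"]:
        verdict += " (40-bit export ciphers offered)"
    return verdict + "; specs: " + ", ".join(hello["cipher_specs"])


def probe(host: str, port: int = 443, timeout: float = 5.0) -> Optional[dict]:
    """Send a CLIENT-HELLO and parse the reply (implicit-TLS ports only).

    Services that need STARTTLS first (SMTP, IMAP, POP3) must be driven
    through that plaintext exchange before the hello is sent.
    """
    data = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        try:
            while len(data) < 65536:
                chunk = sock.recv(4096)
                if not chunk:
                    break
                data += chunk
        except socket.timeout:
            pass  # an SSLv2 server waits for CLIENT-MASTER-KEY; we have its hello
    return parse_server_hello(data)


def sample_server_hello() -> bytes:
    """Constructed SERVER-HELLO (not captured traffic) for offline testing."""
    cert = b"\x30\x03\x02\x01\x00"  # placeholder DER, not a real certificate
    specs = b"\x01\x00\x80\x02\x00\x80\x07\x00\xc0"
    conn_id = bytes(range(16))
    body = struct.pack(">BBBHHHH", MSG_SERVER_HELLO, 0, 1, SSLV2_VERSION,
                       len(cert), len(specs), len(conn_id)) + cert + specs + conn_id
    return struct.pack(">H", 0x8000 | len(body)) + body


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # e.g. python drown_probe.py mail.example.net 465
        print(assess(probe(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 443)))
    else:
        print(assess(parse_server_hello(sample_server_hello())))
```

Run it against every host and port that serves the same certificate or key, not only the HTTPS front end: a clean result on port 443 says nothing about an SMTP or IMAP service elsewhere that reuses the key. The certificate returned in the SERVER-HELLO is the useful part of a positive result, because it tells you which key the oracle exposes.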

Find out more about CVE-2016-0800 from the MITRE CVE dictionary and NIST NVD.

CVSS v2 metrics

Base Score 5.8
Base Metrics AV:N/AC:M/Au:N/C:P/I:P/A:N
Access Vector Network
Access Complexity Medium
Authentication None
Confidentiality Impact Partial
Integrity Impact Partial
Availability Impact None

Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).

Red Hat Security Errata

Platform Errata Release Date
Red Hat Enterprise Linux Advanced Update Support 6.5 (openssl) RHSA-2016:0303 2016-03-01
Red Hat Enterprise Linux Advanced Update Support 6.2 (openssl) RHSA-2016:0303 2016-03-01
Red Hat Enterprise Linux Long Life (v. 5.9 server) (openssl) RHSA-2016:0304 2016-03-01
Red Hat Enterprise Linux Extended Lifecycle Support 4 (openssl) RHSA-2016:0306 2016-03-01
Red Hat Enterprise Linux Extended Update Support 6.6 (openssl) RHSA-2016:0305 2016-03-01
Red Hat JBoss Enterprise Application Platform 6.4 RHSA-2016:0490 2016-03-22
Red Hat Enterprise Linux Long Life (v. 5.6 server) (openssl) RHSA-2016:0304 2016-03-01
RHEV Hypervisor for RHEL-6 (rhev-hypervisor7) RHSA-2016:0379 2016-03-09
Red Hat JBoss Web Server 2.1 RHSA-2016:0445 2016-03-14
Red Hat Enterprise Linux 6 (openssl) RHSA-2016:0301 2016-03-01
Red Hat JBoss Operations Network 3.3 RHSA-2016:1519 2016-07-27
Management Agent for RHEL 7 Hosts (rhev-hypervisor7) RHSA-2016:0379 2016-03-09
Red Hat JBoss Web Server 3.0 RHSA-2016:0446 2016-03-14
Red Hat Enterprise Linux Extended Update Support 7.1 (openssl) RHSA-2016:0305 2016-03-01
Red Hat Enterprise Linux Advanced Update Support 6.4 (openssl) RHSA-2016:0303 2016-03-01
Red Hat Enterprise Linux 7 (openssl) RHSA-2016:0301 2016-03-01
Red Hat Enterprise Linux 5 (openssl) RHSA-2016:0302 2016-03-01
Red Hat Enterprise Linux 7 (openssl098e) RHSA-2016:0372 2016-03-09
Red Hat Enterprise Linux 6 (openssl098e) RHSA-2016:0372 2016-03-09

Affected Packages State

Platform Package State
Red Hat JBoss EAP 5 openssl Not affected
Red Hat Enterprise Linux Extended Update Support 7.2 rhel-guest-image Affected
Red Hat Enterprise Linux Extended Update Support 6.7 guest-images Affected
Red Hat Enterprise Linux 7 nss Not affected
Red Hat Enterprise Linux 6 nss Not affected
Red Hat Enterprise Linux 5 openssl097a Will not fix
Red Hat Enterprise Linux 5 nss Not affected
RHEV-M for Servers rhev-hypervisor Affected

Acknowledgements

Red Hat would like to thank the OpenSSL project for reporting this issue. Upstream acknowledges Nimrod Aviram and Sebastian Schinzel as the original reporters.

Mitigation

Disable SSLv2 on every server and service that uses the affected RSA key or certificate, not only on the TLS endpoint being protected: one SSLv2-capable service (HTTPS, SMTP, IMAP, POP3 or any other TLS-wrapped protocol) on any host sharing the key is enough to run the attack against all of them. Where a legacy service cannot have SSLv2 disabled, give it its own key rather than the one used by the servers that need protecting, and apply the openssl errata listed above.
