The Third Party Vulnerability Resolution Blog covers CVEs and patches in Systems product suite.

Sun Alert 101974 OpenSSL (see openssl(5)) May Allow an Agent to Force a Rollback to a Cryptographically Weak Protocol Version

Guest Author
Product: Solaris 10 Operating System

A vulnerability in the OpenSSL (see openssl(5)) toolkit may allow active protocol-version rollback attacks, where an attacker acting as a "man in the middle" can force a client and a server to negotiate the SSL 2.0 protocol even if these parties both support SSL 3.0 or TLS 1.0. The SSL 2.0 protocol is known to have severe cryptographic weaknesses and is supported as a fallback only.

This issue is described in the following OpenSSL Advisory: http://www.openssl.org/news/secadv_20051011.txt

and referenced in CAN-2005-2969 at: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2969

Avoidance: Patch
State: Resolved
First released: 11-Oct-2005

Be the first to comment

Comments ( 0 )
Please enter your name.Please provide a valid email address.Please enter a comment.CAPTCHA challenge response provided was incorrect. Please try again.