CVE-2011-4576

EUVD-2011-4502
The SSL 3.0 implementation in OpenSSL before 0.9.8s and 1.x before 1.0.0f does not properly initialize data structures for block cipher padding, which might allow remote attackers to obtain sensitive information by decrypting the padding data sent by an SSL peer.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
5 UNKNOWN
NETWORK
LOW
AV:N/AC:L/Au:N/C:P/I:N/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 77%
Affected Products (NVD)
VendorProductVersion
opensslopenssl
𝑥
≤ 0.9.8r
opensslopenssl
0.9.1c:c
opensslopenssl
0.9.2b:b
opensslopenssl
0.9.4
opensslopenssl
0.9.5
opensslopenssl
0.9.5a:a
opensslopenssl
0.9.6
opensslopenssl
0.9.6a:a
opensslopenssl
0.9.6b:b
opensslopenssl
0.9.6c:c
opensslopenssl
0.9.6d:d
opensslopenssl
0.9.6e:e
opensslopenssl
0.9.6f:f
opensslopenssl
0.9.6g:g
opensslopenssl
0.9.6h:h
opensslopenssl
0.9.6h:h
opensslopenssl
0.9.6i:i
opensslopenssl
0.9.6j:j
opensslopenssl
0.9.6k:k
opensslopenssl
0.9.6l:l
opensslopenssl
0.9.6m:m
opensslopenssl
0.9.7
opensslopenssl
0.9.7a:a
opensslopenssl
0.9.7b:b
opensslopenssl
0.9.7c:c
opensslopenssl
0.9.7d:d
opensslopenssl
0.9.7e:e
opensslopenssl
0.9.7f:f
opensslopenssl
0.9.7g:g
opensslopenssl
0.9.7h:h
opensslopenssl
0.9.7i:i
opensslopenssl
0.9.7j:j
opensslopenssl
0.9.7k:k
opensslopenssl
0.9.7l:l
opensslopenssl
0.9.7m:m
opensslopenssl
0.9.8
opensslopenssl
0.9.8a:a
opensslopenssl
0.9.8b:b
opensslopenssl
0.9.8c:c
opensslopenssl
0.9.8d:d
opensslopenssl
0.9.8e:e
opensslopenssl
0.9.8f:f
opensslopenssl
0.9.8g:g
opensslopenssl
0.9.8h:h
opensslopenssl
0.9.8i:i
opensslopenssl
0.9.8j:j
opensslopenssl
0.9.8k:k
opensslopenssl
0.9.8l:l
opensslopenssl
0.9.8m:m
opensslopenssl
0.9.8n:n
opensslopenssl
0.9.8o:o
opensslopenssl
0.9.8p:p
opensslopenssl
0.9.8q:q
opensslopenssl
𝑥
≤ 1.0.0e
opensslopenssl
1.0.0
opensslopenssl
1.0.0:beta1
opensslopenssl
1.0.0:beta2
opensslopenssl
1.0.0:beta3
opensslopenssl
1.0.0:beta4
opensslopenssl
1.0.0:beta5
opensslopenssl
1.0.0a:a
opensslopenssl
1.0.0b:b
opensslopenssl
1.0.0c:c
opensslopenssl
1.0.0d:d
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
openssl
bookworm
3.0.14-1~deb12u1
fixed
bookworm (security)
3.0.14-1~deb12u2
fixed
bullseye
1.1.1w-0+deb11u1
fixed
bullseye (security)
1.1.1w-0+deb11u2
fixed
sid
3.3.2-2
fixed
trixie
3.3.2-2
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
openssl
hardy
Fixed 0.9.8g-4ubuntu3.15
released
lucid
Fixed 0.9.8k-7ubuntu8.8
released
maverick
Fixed 0.9.8o-1ubuntu4.6
released
natty
Fixed 0.9.8o-5ubuntu1.2
released
oneiric
Fixed 1.0.0e-2ubuntu4.2
released
openssl098
hardy
dne
lucid
dne
maverick
dne
natty
dne
oneiric
Fixed 0.9.8o-7ubuntu1.2
released
Common Weakness Enumeration
References
http://aix.software.ibm.com/aix/efixes/security/openssl_advisory3.asc
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03360041
http://lists.apple.com/archives/security-announce/2013/Jun/msg00000.html
http://lists.fedoraproject.org/pipermail/package-announce/2012-November/092905.html
http://lists.opensuse.org/opensuse-security-announce/2012-01/msg00017.html
http://lists.opensuse.org/opensuse-security-announce/2012-01/msg00018.html
http://marc.info/?l=bugtraq&m=132750648501816&w=2
http://marc.info/?l=bugtraq&m=133951357207000&w=2
http://marc.info/?l=bugtraq&m=134039053214295&w=2
http://rhn.redhat.com/errata/RHSA-2012-1306.html
http://rhn.redhat.com/errata/RHSA-2012-1307.html
http://rhn.redhat.com/errata/RHSA-2012-1308.html
http://secunia.com/advisories/48528
http://secunia.com/advisories/55069
http://secunia.com/advisories/57353
http://support.apple.com/kb/HT5784
http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004564
http://www.debian.org/security/2012/dsa-2390
http://www.kb.cert.org/vuls/id/737740
http://www.mandriva.com/security/advisories?name=MDVSA-2012:006
http://www.mandriva.com/security/advisories?name=MDVSA-2012:007
http://www.openssl.org/news/secadv_20120104.txt
http://aix.software.ibm.com/aix/efixes/security/openssl_advisory3.asc
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03360041
http://lists.apple.com/archives/security-announce/2013/Jun/msg00000.html
http://lists.fedoraproject.org/pipermail/package-announce/2012-November/092905.html
http://lists.opensuse.org/opensuse-security-announce/2012-01/msg00017.html
http://lists.opensuse.org/opensuse-security-announce/2012-01/msg00018.html
http://marc.info/?l=bugtraq&m=132750648501816&w=2
http://marc.info/?l=bugtraq&m=133951357207000&w=2
http://marc.info/?l=bugtraq&m=134039053214295&w=2
http://rhn.redhat.com/errata/RHSA-2012-1306.html
http://rhn.redhat.com/errata/RHSA-2012-1307.html
http://rhn.redhat.com/errata/RHSA-2012-1308.html
http://secunia.com/advisories/48528
http://secunia.com/advisories/55069
http://secunia.com/advisories/57353
http://support.apple.com/kb/HT5784
http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004564
http://www.debian.org/security/2012/dsa-2390
http://www.kb.cert.org/vuls/id/737740
http://www.mandriva.com/security/advisories?name=MDVSA-2012:006
http://www.mandriva.com/security/advisories?name=MDVSA-2012:007
http://www.openssl.org/news/secadv_20120104.txt