OpenSSL J-PAKE Validation Error Lets Remote Users Validate Without Shared Secret Key

SecurityTracker Alert ID: 1024823
SecurityTracker URL: http://securitytracker.com/id/1024823
CVE Reference: CVE-2010-4252
Date: Dec 3 2010
Impact: Modification of system information
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): 1.0.0 to prior to 1.0.0c

Description:
A vulnerability was reported in OpenSSL. A remote user can exploit a flaw in the J-PAKE implementation to pass validation successfully without knowing the shared secret.
The experimental J-PAKE code is not compiled by default.
The original advisory is available at:
http://seb.dbzteam.org/crypto/jpake-session-key-retrieval.pdf
Sebastian Martini reported this vulnerability.

Impact:
A remote user can validate without the shared secret key.

Solution:
The vendor has issued a fix (1.0.0c).
The vendor's advisory is available at:
http://openssl.org/news/secadv_20101202.txt

Vendor URL: openssl.org/news/secadv_20101202.txt

Cause: Authentication error

Underlying OS: Linux (Any), UNIX (Any), Windows (Any)

Source Message Contents

Date: Fri, 03 Dec 2010 15:32:48 +0000
Subject: OpenSSL

http://openssl.org/news/secadv_20101202.txt
CVE-2010-4252