Home > Vulnerability Database > CVE-2011-3389

Mend.io Vulnerability Database

New vulnerability? Tell us about it!

CVE-2011-3389

Date: September 6, 2011

The SSL protocol, as used in certain configurations in Microsoft Windows and Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera, and other products, encrypts data by using CBC mode with chained initialization vectors, which allows man-in-the-middle attackers to obtain plaintext HTTP headers via a blockwise chosen-boundary attack (BCBA) on an HTTPS session, in conjunction with JavaScript code that uses (1) the HTML5 WebSocket API, (2) the Java URLConnection API, or (3) the Silverlight WebClient API, aka a "BEAST" attack.

Language: C

Severity Score

3.7

Related Resources (93)

Url: http://www.securitytracker.com/id?1026704

Url: http://lists.opensuse.org/opensuse-security-announce/2012-01/msg00049.html

Url: http://www.redhat.com/support/errata/RHSA-2012-0006.html

Url: http://secunia.com/advisories/55351

Url: https://blogs.oracle.com/sunsecurity/entry/multiple_vulnerabilities_in_fetchmail

Url: http://secunia.com/advisories/49198

Url: http://secunia.com/advisories/55350

Url: https://access.redhat.com/security/cve/CVE-2011-3389

Url: http://www.opera.com/docs/changelogs/windows/1160/

Url: http://blogs.technet.com/b/srd/archive/2011/09/26/is-ssl-broken-more-about-security-advisory-2588513.aspx

Url: http://www.opera.com/docs/changelogs/unix/1151/

Url: http://www.ubuntu.com/usn/USN-1263-1

Url: http://www.educatedguesswork.org/2011/09/security_impact_of_the_rizzodu.html

Url: http://marc.info/?l=bugtraq&m=133728004526190&w=2

Url: http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html

Url: https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c03839862

Url: http://lists.apple.com/archives/Security-announce/2011//Oct/msg00002.html

Url: http://www.mandriva.com/security/advisories?name=MDVSA-2012:058

Url: http://lists.apple.com/archives/security-announce/2012/May/msg00001.html

Url: http://marc.info/?l=bugtraq&m=134254957702612&w=2

Url: http://lists.apple.com/archives/security-announce/2012/Sep/msg00004.html

Url: http://my.opera.com/securitygroup/blog/2011/09/28/the-beast-ssl-tls-issue

Url: http://lists.opensuse.org/opensuse-security-announce/2012-01/msg00051.html

Url: http://secunia.com/advisories/48256

Url: http://eprint.iacr.org/2004/111

Url: http://rhn.redhat.com/errata/RHSA-2012-0508.html

Url: https://cert-portal.siemens.com/productcert/pdf/ssa-556833.pdf

Url: http://marc.info/?l=bugtraq&m=134254866602253&w=2

Url: http://secunia.com/advisories/55322

Url: http://support.apple.com/kb/HT6150

Url: http://lists.apple.com/archives/security-announce/2012/Jul/msg00001.html

Url: http://www.redhat.com/support/errata/RHSA-2011-1384.html

Url: http://secunia.com/advisories/48692

Url: http://rhn.redhat.com/errata/RHSA-2013-1455.html

Url: http://www.opera.com/docs/changelogs/unix/1160/

Url: http://marc.info/?l=bugtraq&m=133365109612558&w=2

Url: http://lists.opensuse.org/opensuse-security-announce/2012-05/msg00009.html

Url: http://www.imperialviolet.org/2011/09/23/chromeandbeast.html

Url: https://nvd.nist.gov/vuln/detail/CVE-2011-3389

Url: http://support.apple.com/kb/HT5501

Url: http://isc.sans.edu/diary/SSL+TLS+part+3+/11635

Url: http://eprint.iacr.org/2006/136

Url: http://www.securitytracker.com/id?1025997

Url: http://secunia.com/advisories/47998

Url: http://lists.apple.com/archives/Security-announce/2011//Oct/msg00001.html

Url: https://bugzilla.novell.com/show_bug.cgi?id=719047

Url: http://www.securityfocus.com/bid/49778

Url: https://hermes.opensuse.org/messages/13155432

Url: http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html

Url: https://hermes.opensuse.org/messages/13154861

Url: http://www.oracle.com/technetwork/topics/security/javacpuoct2011-443431.html

Url: http://security.gentoo.org/glsa/glsa-201406-32.xml

Url: http://www.opera.com/docs/changelogs/mac/1160/

Url: http://googlechromereleases.blogspot.com/2011/10/chrome-stable-release.html

Url: http://blogs.technet.com/b/msrc/archive/2011/09/26/microsoft-releases-security-advisory-2588513.aspx

Url: http://www.kb.cert.org/vuls/id/864643

Url: http://www.ibm.com/developerworks/java/jdk/alerts/

Url: http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00040.html

Url: http://support.apple.com/kb/HT5130

Url: https://bugzilla.redhat.com/show_bug.cgi?id=737506

Url: https://ics-cert.us-cert.gov/advisories/ICSMA-18-058-02

Url: http://www.opera.com/support/kb/view/1004/

Url: http://www.insecure.cl/Beast-SSL.rar

Url: http://www.us-cert.gov/cas/techalerts/TA12-010A.html

Url: http://www.securitytracker.com/id/1029190

Url: http://secunia.com/advisories/48915

Url: http://technet.microsoft.com/security/advisory/2588513

Url: http://vnhacker.blogspot.com/2011/09/beast.html

Url: http://osvdb.org/74829

Url: http://lists.apple.com/archives/security-announce/2012/Feb/msg00000.html

Url: http://ekoparty.org/2011/juliano-rizzo.php

Url: https://docs.microsoft.com/en-us/security-updates/securitybulletins/2012/ms12-006

Url: http://marc.info/?l=bugtraq&m=132872385320240&w=2

Url: https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14752

Url: http://security.gentoo.org/glsa/glsa-201203-02.xml

Url: http://support.apple.com/kb/HT5281

Url: http://www.debian.org/security/2012/dsa-2398

Url: http://www.opera.com/docs/changelogs/mac/1151/

Url: http://blog.mozilla.com/security/2011/09/27/attack-against-tls-protected-communications/

Url: http://support.apple.com/kb/HT5001

Url: http://curl.haxx.se/docs/adv_20120124B.html

Url: http://www.opera.com/docs/changelogs/windows/1151/

Url: http://downloads.asterisk.org/pub/security/AST-2016-001.html

Url: http://support.apple.com/kb/HT4999

Url: https://security-tracker.debian.org/tracker/CVE-2011-3389

Url: http://secunia.com/advisories/48948

Url: http://secunia.com/advisories/45791

Url: http://lists.apple.com/archives/security-announce/2013/Oct/msg00004.html

Url: http://www.securitytracker.com/id?1026103

Url: http://www.apcmedia.com/salestools/SJHN-7RKGNM/SJHN-7RKGNM_R4_EN.pdf

Url: http://www.securityfocus.com/bid/49388

Url: http://marc.info/?l=bugtraq&m=132750579901589&w=2

Url: https://www.mend.io/vulnerability-database/CVE-2011-3389

Severity Score

3.7

Weakness Type (CWE)

Inadequate Encryption Strength

CWE-326

Input Validation

CWE-20

Improper Enforcement of Message Integrity During Transmission in a Communication Channel

CWE-924

CVSS v3.1

Base Score:	3.7
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	HIGH
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	LOW
Integrity (I):	NONE
Availability (A):	NONE

CVSS v2

Base Score:	4.3
Access Vector (AV):	NETWORK
Access Complexity (AC):	MEDIUM
Authentication (AU):	NONE
Confidentiality (C):	PARTIAL
Integrity (I):	NONE
Availability (A):	NONE
Additional information:

Do you need more information?

Contact Us