CERT/CC Vulnerability Note VU#888801

Overview

SSL/TLS implementations that respond distinctively to an incorrect PKCS #1 v1.5 encoded SSL/TLS version number expose the premaster secret to a modified Bleichenbacher attack. An attacker could decrypt a given SSL/TLS session or forge a signature on behalf of a vulnerable application's private RSA key.

Description

Vlastimil Klíma, Ondᖞj Pokorný, and Tomáš Rosa have published a research paper describing a modified Bleichenbacher attack against RSA-based SSL/TLS applications. As in Bleichenbacher, the new attack uses side channel information from error messages and seeks to discover the premaster secret that is used as a basis for SSL/TLS session keys.

The Bleichenbacher attack (CA-1998-07) is computationally feasible against RSA-based applications that use Public-Key Cryptography Standard (PKCS) #1 v1.5 and return distinctive errors when the premaster secret in the Client hello message is not properly formatted. By sending a large number of chosen ciphertexts (premaster secrets) and monitoring the applications' responses, an attacker can discover the correct premaster secret for a given SSL/TLS session. With the premaster secret for a previously captured SSL/TLS session, the attacker can generate the correct master secret and session keys and decrypt the captured session. For more information about the Bleichenbacher attack, see Chosen Ciphertext Attacks Against Protocols Based on the RSA Encryption Standard PKCS #1, RSA Laboratories Bulletin Number 7, and CERT Advisory CA-1998-07.

A widely accepted defense against the Bleichenbacher attack is for an RSA/PKCS #1 application to discard a malformed premaster secret, replace it with a random value, and proceed to generate a master secret and session keys. Since the client and server use different values for the premaster secret, they will generate different session keys, and the SSL/TLS session will fail. Note that the server must not provide a response that is distinguishable based on syntax (i.e. "Bad PKCS #1 format") or time (i.e. sending an error message immediately after discovering that the premaster secret is malformed).

The Klíma-Pokorný-Rosa attack exploits server responses to an incorrect or unexpected SSL/TLS version number that is included as part of the premaster secret (RFC 2246 section 7.4.7.1). If a server decrypts a properly formatted PKCS #1 premaster secret and discovers that the SSL/TLS version number is not what was expected, the server may immediately send an error message ("Bad SSL/TLS version number"). The authors term a server that exhibits this behavior a "bad version oracle (BVO)." Instead of using an error response to improper PKCS #1 formatting, this new attack uses an error response to an incorrect SSL/TLS version number. Klíma-Pokorný-Rosa have also introduced some optimizations to the Bleichenbacher attack, partly due to the SSL/TLS standard only using a subset of the PKCS #1 v1.5 format (section 3.2). This allows an attacker to search less space for the correct premaster secret.

This attack is feasible using widely available hardware. Under ideal laboratory conditions (100Mbps closed network, unloaded server with 2 X Pentium III 1.4GHz CPUs and 1 GB of RAM, Red Hat Linux 7.2, Apache 1.3.27/mod_ssl), the median time required for a successful attack is around 54.7 hours (~13 million guesses).

Since the SSL/TLS version number is a protocol-specific extension of the PKCS #1 format, other applications that use RSA/PKCS #1 to exchange keying information are not vulnerable to this attack. In particular, SSH1 using RSA only encrypts a session key. No version or other information is included. IKE authenticated with public key encryption is further protected by an ephemeral Diffe-Hellman exchange. For specific vendor information, see the Systems Affected section below.

Impact

An attacker who is able to capture an encrypted SSL/TLS session and query the server while it is using the same private RSA key that was used for the captured session could decrypt the captured session. An attacker could also forge a signature that appeared to be from the server (section 3.4).

Solution

Upgrade or Patch

Upgrade or apply a patch as specified by your vendor. In order to defeat this specific attack, an SSL/TLS server must not respond distinctively when a premaster secret sent by the client contains an incorrect or unexpected SSL/TLS version number. The paper recommends that an SSL/TLS server always replace the client-provided version number with the expected version number as determined from either the Client hello or Server hello messages (section 6.2).

Manage private keys

Use different private keys for different applications and servers and change keys as appropriate for your site and security policy. An attacker cannot decrypt a premaster secret encrypted with one RSA key by querying a server that uses a different key.
Monitor SSL/TLS applications and servers

Monitor RSA applications and servers for signs of attack. In the case of an attack against SSL/TLS web servers, logs may show a relatively high number of network connections and failed attempts to establish SSL/TLS sessions. Depending on baseline performance, servers may show increased CPU usage or an above average number of network connections.

Vendor Information

888801

Filter by status:

Filter by content: Additional information available

Sort by:

Expand all

Apple Computer Inc. Affected

Notified: April 18, 2003 Updated: April 22, 2003

Status

Affected

Vendor Statement

Apple: The patch from the OpenSSL team to fix this vulnerability is available in Mac OS X 10.2.5, and may be obtained via: http://www.info.apple.com/support/downloads.html

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Conectiva Affected

Notified: April 18, 2003 Updated: April 22, 2003

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see CLSA-2003:625.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Debian Affected

Notified: April 18, 2003 Updated: April 22, 2003

Status

Affected

Vendor Statement

We have addressed this issue in DSA 288

http://www.debian.org/security/2003/dsa-288

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

F5 Networks Affected

Notified: April 18, 2003 Updated: April 18, 2003

Status

Affected

Vendor Statement

F5 Networks has released a patch for the following products and versions:

BIG-IP versions 4.2 through 4.5
3-DNS versions 4.2 through 4.5
BIG-IP Blade Controller version 4.2.3 PTF-01

Patch locations and more information can be found here:

http://tech.f5.com/home/bigip/solutions/security/sol2379.html

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

FreeBSD Affected

Notified: April 18, 2003 Updated: April 22, 2003

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see FreeBSD-SA-03:06.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

GNU TLS Affected

Notified: April 15, 2003 Updated: April 22, 2003

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

This issue is addressed in GnuTLS 0.8.5.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Gentoo Linux Affected

Updated: April 22, 2003

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

<http://forums.gentoo.org/viewtopic.php?t=43402>

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Guardian Digital Inc. Affected

Notified: April 18, 2003 Updated: April 22, 2003

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see ESA-20030320-010.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Hewlett-Packard Company Affected

Notified: April 18, 2003 Updated: April 29, 2003

Status

Affected

Vendor Statement

SOURCE: Hewlett-Packard Company HP Services Software Security Response Team
x-ref: SSRT3518, SSRT3499

At the time of writing this document, Hewlett Packard is currently investigating the potential impact to HP's released Operating System software products.

As further information becomes available HP will provide notice of the availability of any necessary patches through standard security bulletin announcements and be available from your normal HP Services support channel.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see HPSBUX0304-0255/SSRT3499.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

IBM Affected

Notified: April 18, 2003 Updated: June 17, 2003

Status

Affected

Vendor Statement

The AIX operating system does not ship with SSL. However, SSL is available for installation on AIX from the Linux Affinity Toolbox.

The Linux Affinity Toolbox contains OpenSSL 0.9.6g-3 which is not vulnerable to the issues discussed in CERT Vulnerability Note VU#888801 and any advisories which follow.

Users using an earlier version of OpenSSL should download the most recent version as soon as possible.

The Linux Affinity Toolbox is available at:

http://www-1.ibm.com/servers/aix/products/aixos/linux/download.html

This software is offered on an "as-is" and is unwarranted.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Ingrian Networks Affected

Notified: April 18, 2003 Updated: April 22, 2003

Status

Affected

Vendor Statement

Ingrian Networks has addressed the Klima-Pokorny-Rosa attack in release 2.9.0. See http://www.ingrian.com/support or your Ingrian service representative.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Mirapoint Affected

Notified: April 18, 2003 Updated: April 22, 2003

Status

Affected

Vendor Statement

Mirapoint released a fix for the attack described by Klima-Pokorny-Rosa on February 21, 2003. Details of the patch that addresses this (D3_SSL) can be found on the Mirapoint secure support center.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

NetBSD Affected

Notified: April 18, 2003 Updated: April 21, 2003

Status

Affected

Vendor Statement

No services using SSL/TLS are enabled by default in NetBSD, however, by enabling services built with these libraries, a system could become vulnerable to the compromise.
A description and resolution procedure is available here:

ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2003-007.txt.asc

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

See also the list of patches included in NetBSD 1.6.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

OpenBSD Affected

Notified: April 18, 2003 Updated: April 22, 2003

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

<http://www.openbsd.org/errata32.html#kpr>

If you have feedback, comments, or additional information about this vulnerability, please send us email.

OpenPKG Affected

Updated: April 22, 2003

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see OpenPKG-SA-2003.026.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

OpenSSL Affected

Notified: April 18, 2003 Updated: April 22, 2003

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

This issue is addressed in OpenSSL 0.9.7b and 0.9.6j. OpenSSL has also posted an advisory that includes a patch for earlier versions.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Red Hat Inc. Affected

Notified: April 18, 2003 Updated: April 18, 2003

Status

Affected

Vendor Statement

Various Red Hat products have shipped with OpenSSL packages vulnerable to this issue. Updated OpenSSL packages that contain a backported security patch to protect against this vulnerability are available along with our advisories at the URLs below. Users of the Red Hat Network can update their systems using the 'up2date' tool.
Red Hat Linux:

http://rhn.redhat.com/errata/RHSA-2003-101.html
Red Hat Enterprise Linux:

http://rhn.redhat.com/errata/RHSA-2003-102.html
Red Hat Stronghold Web Server 4 (Cross platform):

http://rhn.redhat.com/errata/RHSA-2003-116.html
Red Hat Stronghold Web Server 3:

http://rhn.redhat.com/errata/RHSA-2003-117.html

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

SGI Affected

Notified: April 18, 2003 Updated: May 15, 2003

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see SGI Security Advisory 20030501-01-I.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

SSH Communications Security Affected

Notified: April 18, 2003 Updated: May 23, 2003

Status

Affected

Vendor Statement

SSH Communications Security Vendor statement for VU#888801

Not vulnerable products:

SSH Secure Shell for Servers (all versions)
SSH Secure Shell for Windows Servers (all versions)
SSH Secure Shell for Workstations (all versions)

The ssh1, ssh2 and ssh-agent protocols and applications are not vulnerable to the Klima-Pokorny-Rosa (KPR) attack because no error messages are reported from PKCS1 v1.5 decryption other than invalid PKCS1 padding. This implies there are no effective extensions to the Bleichenbacher attack such as the KPR attack against Secure Shell. The ssh1 and ssh-agent protocols have countermeasures against the Bleichenbacher attack and it is not applicable against ssh2.

Vulnerable products:

SSH Certificate/TLS Toolkit up to and including version 5.1.1
SSH IPSEC Express Toolkit up to and including version 5.1.1

A fix is available and has been delivered to SSH customers.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Sorceror Linux Affected

Updated: April 22, 2003

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

<http://www.securityfocus.com/archive/1/315884/2003-03-19/2003-03-25/0>

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Stonesoft Affected

Notified: April 18, 2003 Updated: June 02, 2003

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

<http://www.stonesoft.com/document/art/2949.html>

If you have feedback, comments, or additional information about this vulnerability, please send us email.

SuSE Inc. Affected

Notified: April 18, 2003 Updated: April 22, 2003

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see SuSE-SA:2003:024.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Trustix Secure Linux Affected

Updated: April 22, 2003

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see TSL-2003-0013.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Wirex Affected

Notified: April 18, 2003 Updated: April 18, 2003

Status

Affected

Vendor Statement

A patch has been made available, for more information please see:

http://download.immunix.org/ImmunixOS/7+/Updates/errata/IMNX-2003-7+-001-01

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

eSoft Affected

Notified: April 18, 2003 Updated: June 02, 2003

Status

Affected

Vendor Statement

eSoft InstaGate software prior to version 3.1.20030425 is vulnerable. Customers can upgrade to version 3.1.20030425 through SoftPak Director.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

mod_ssl Affected

Notified: April 18, 2003 Updated: April 22, 2003

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

mod_ssl itself is not directly vulnerable. To address this vulnerability in an Apache 1.3.x/mod_ssl system, however, mod_ssl needs to be linked against a patched/updated (0.9.7b/0.9.6j) version of OpenSSL.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Bitvise Not Affected

Notified: April 18, 2003 Updated: April 22, 2003

Status

Not Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Clavister Not Affected

Notified: April 18, 2003 Updated: May 23, 2003

Status

Not Affected

Vendor Statement

Clavister Firewall: Not Vulnerable
Clavister VPN Client: Not Vulnerable

The IKE protocol is not vulnerable to the Klima-Pokorny-Rosa attack, as it does not provide the necessary "clues" for the Bad Version Oracle to work with.

Even IKE with RSA encryption, which is an unusual IKE mode of operation that Clavister products does not do, should be immune to this attack.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Covalent Not Affected

Updated: April 22, 2003

Status

Not Affected

Vendor Statement

Covalent Technologies SSL implementations are NOT vulnerable to this or other variants of the Klima-Pokorny-Rosa attacks. No action by Covalent Technologies customers using Covalent SSL products is necessary.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Cryptlib Not Affected

Notified: April 18, 2003 Updated: April 28, 2003

Status

Not Affected

Vendor Statement

cryptlib returns a purely boolean yes/no response to incorrect data in the RSA-encrypted premaster secret, with no specific error details provided. It is not vulnerable to the bad-version oracle attack.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

FreSSH Not Affected

Notified: April 18, 2003 Updated: April 22, 2003

Status

Not Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Fujitsu Not Affected

Notified: April 18, 2003 Updated: June 02, 2003

Status

Not Affected

Vendor Statement

Fujitsu's UXP/V o.s. is not affected by the problem in VU#888801 because it does not support the RSA-based SSL/TLS.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

GNU Libgcrypt Not Affected

Updated: April 22, 2003

Status

Not Affected

Vendor Statement

Libgcrypt only recently provides pkcs#1 creation within the library but there is no pkcs#1 parsing yet implemented. So Libgcrypt itself is too dumb to be affected. GnuPG is not affected because it is a store and forward system and not easily usable in an online setting.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

GNU adns Not Affected

Notified: April 18, 2003 Updated: April 22, 2003

Status

Not Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

GNU glibc Not Affected

Notified: April 18, 2003 Updated: April 22, 2003

Status

Not Affected

Vendor Statement

...glibc doesn't do RSA.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Hitachi Not Affected

Notified: April 18, 2003 Updated: May 21, 2003

Status

Not Affected

Vendor Statement

Hitachi Web Server is NOT Vulnerable to this issue.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

IP Filter Not Affected

Notified: April 18, 2003 Updated: April 22, 2003

Status

Not Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

KAME Project Not Affected

Notified: April 18, 2003 Updated: April 22, 2003

Status

Not Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The KAME IKE daemon (racoon) does not support the "Authenticated With Public Key Encryption" exchange methods.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

MacSSH Not Affected

Notified: April 18, 2003 Updated: April 22, 2003

Status

Not Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Netfilter Not Affected

Notified: April 18, 2003 Updated: April 22, 2003

Status

Not Affected

Vendor Statement

The netfilter/iptables subsystem of the linux kernel is not affected, since it doesn't include any SSL/TLS support.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

OpenSSH Not Affected

Notified: April 18, 2003 Updated: April 22, 2003

Status

Not Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

PuTTY Not Affected

Notified: April 18, 2003 Updated: April 22, 2003

Status

Not Affected

Vendor Statement

PuTTY cannot be vulnerable to any attack of this type in the SSH1 transport layer, since it is an SSH client only and the RSA decryption is done in the server. An SSH agent could feasibly be vulnerable if it reported SSH_AGENT_FAILURE in response to PKCS encoding errors, but PuTTY's agent implementation (Pageant) will never do this, so it is believed safe.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

RSA Security Not Affected

Notified: April 18, 2003 Updated: May 21, 2003

Status

Not Affected

Vendor Statement

RSA BSAFE SSL-C (all versions) SSLv3 and TLSv1 implementations are not vulnerable to the Klima-Pokorny-Rosa attack.

RSA BSAFE SSL-J SSLv3 and TLSv1 implementations are not vulnerable to the Klima-Pokorny-Rosa attack.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

TTSSH/TeraTerm Not Affected

Notified: April 18, 2003 Updated: April 22, 2003

Status

Not Affected

Vendor Statement

TTSSH is not vulnerable because there is no way to get TTSSH to perform a large number of RSA operations automatically. We perform one or two RSA operations each time the user connects to the server, and every server connection requires user interaction.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

VanDyke Software Inc. Not Affected

Notified: April 18, 2003 Updated: May 27, 2003

Status

Not Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

WinSCP Not Affected

Notified: April 18, 2003 Updated: April 22, 2003

Status

Not Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

djbdns Not Affected

Notified: April 18, 2003 Updated: April 22, 2003

Status

Not Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

lsh Not Affected

Notified: April 18, 2003 Updated: April 22, 2003

Status

Not Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

3Com Unknown

Notified: April 18, 2003 Updated: April 22, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

AT&T Unknown

Notified: April 18, 2003 Updated: April 22, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Alcatel Unknown

Notified: April 18, 2003 Updated: April 22, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Apache Unknown

Notified: April 18, 2003 Updated: April 22, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Apache-SSL Unknown

Notified: April 18, 2003 Updated: April 22, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Avaya Unknown

Notified: April 18, 2003 Updated: April 22, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

BlueCat Networks Unknown

Notified: April 18, 2003 Updated: April 22, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

BorderWare Unknown

Notified: April 18, 2003 Updated: April 22, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Check Point Unknown

Notified: April 18, 2003 Updated: April 22, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Cisco Systems Inc. Unknown

Notified: April 18, 2003 Updated: April 22, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Computer Associates Unknown

Notified: April 18, 2003 Updated: April 22, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Cray Inc. Unknown

Notified: April 18, 2003 Updated: April 22, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Crypto++ Unknown

Notified: April 18, 2003 Updated: April 22, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

D-Link Systems Unknown

Notified: April 18, 2003 Updated: April 22, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Data General Unknown

Notified: April 18, 2003 Updated: April 22, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Entrust Unknown

Notified: April 18, 2003 Updated: April 22, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Extreme Networks Unknown

Notified: April 18, 2003 Updated: April 22, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

F-Secure Unknown

Notified: April 18, 2003 Updated: April 22, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Foundry Networks Inc. Unknown

Notified: April 18, 2003 Updated: April 22, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

FreeS/WAN Unknown

Notified: April 18, 2003 Updated: April 22, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Global Technology Associates Unknown

Notified: April 18, 2003 Updated: April 22, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

ISC Unknown

Notified: April 18, 2003 Updated: April 22, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

InfoBlox Unknown

Notified: April 18, 2003 Updated: April 22, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Intel Unknown

Notified: April 18, 2003 Updated: April 22, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Internet Initiative Japan (IIJ) Unknown

Notified: April 18, 2003 Updated: April 22, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Interpeak Unknown

Notified: April 18, 2003 Updated: April 22, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Intersoft International Inc. Unknown

Notified: April 18, 2003 Updated: April 22, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Intoto Unknown

Notified: April 18, 2003 Updated: April 22, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Juniper Networks Unknown

Notified: April 18, 2003 Updated: April 22, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Lotus Software Unknown

Notified: April 18, 2003 Updated: April 22, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Lucent Technologies Unknown

Notified: April 18, 2003 Updated: April 22, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

MandrakeSoft Unknown

Notified: April 18, 2003 Updated: April 22, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see MDKSA-2003:035.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Massachusetts Institute of Technology (MIT) Unknown

Notified: April 18, 2003 Updated: April 22, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Men&Mice Unknown

Notified: April 18, 2003 Updated: April 22, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

MetaSolv Software Inc. Unknown

Notified: April 18, 2003 Updated: April 22, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Microsoft Corporation Unknown

Notified: April 18, 2003 Updated: April 22, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

MontaVista Software Unknown

Notified: April 18, 2003 Updated: April 22, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Multi-Tech Systems Inc. Unknown

Notified: April 18, 2003 Updated: April 22, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

MultiNet Unknown

Notified: April 18, 2003 Updated: April 22, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

NEC Corporation Unknown

Notified: April 18, 2003 Updated: April 22, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

National Center for Supercomputing Applications (NCSA) Unknown

Notified: April 18, 2003 Updated: April 22, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

National Institute of Standards and Technology (NIST) Unknown

Notified: April 18, 2003 Updated: April 22, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

NetScreen Unknown

Notified: April 18, 2003 Updated: April 22, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Netcomposite Unknown

Notified: April 18, 2003 Updated: April 22, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Network Appliance Unknown

Notified: April 18, 2003 Updated: April 22, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Network Associates Unknown

Notified: April 18, 2003 Updated: April 22, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Nixu Unknown

Notified: April 18, 2003 Updated: April 22, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Nokia Unknown

Notified: April 18, 2003 Updated: April 22, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Nominum Unknown

Notified: April 18, 2003 Updated: April 22, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Nortel Networks Unknown

Notified: April 18, 2003 Updated: April 22, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Novell Unknown

Notified: April 18, 2003 Updated: April 22, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Openwall GNU/*/Linux Unknown

Notified: April 18, 2003 Updated: April 22, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Oracle Corporation Unknown

Notified: April 18, 2003 Updated: April 22, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Pragma Systems Unknown

Notified: April 18, 2003 Updated: April 22, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Redback Networks Inc. Unknown

Notified: April 18, 2003 Updated: April 22, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Riverstone Networks Unknown

Notified: April 18, 2003 Updated: April 22, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

SafeNet Unknown

Notified: April 18, 2003 Updated: April 22, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Secure Computing Corporation Unknown

Notified: April 18, 2003 Updated: April 22, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

SecureWorx Unknown

Notified: April 18, 2003 Updated: April 22, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Sequent Unknown

Notified: April 18, 2003 Updated: April 22, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

ShadowSupport Unknown

Notified: April 18, 2003 Updated: April 22, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Sony Corporation Unknown

Notified: April 18, 2003 Updated: April 22, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Sun Microsystems Inc. Unknown

Notified: April 18, 2003 Updated: April 22, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Symantec Corporation Unknown

Notified: April 18, 2003 Updated: April 22, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

The SCO Group Unknown

Notified: April 18, 2003 Updated: April 22, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Threshold Networks Unknown

Notified: April 18, 2003 Updated: April 22, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Unisys Unknown

Notified: April 18, 2003 Updated: April 22, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

WatchGuard Unknown

Notified: April 18, 2003 Updated: April 22, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Wind River Systems Inc. Unknown

Notified: April 18, 2003 Updated: April 22, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

ZyXEL Unknown

Notified: April 18, 2003 Updated: April 22, 2003

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

View all 118 vendors View less vendors

CVSS Metrics

Group	Score	Vector
Base	0	AV:--/AC:--/Au:--/C:--/I:--/A:--
Temporal	0	E:ND/RL:ND/RC:ND
Environmental	0	CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND

References

Acknowledgements

This vulnerability was researched and documented by Vlastimil Klíma, Ondᖞj Pokorný, and Tomáš Rosa.

This document was written by Art Manion.

Other Information

CVE IDs:	CVE-2003-0131
Severity Metric:	4.05
Date Public:	2003-03-19
Date First Published:	2003-04-23
Date Last Updated:	2004-08-25 17:58 UTC
Document Revision:	51

Software Engineering Institute

CERT Coordination Center

SSL/TLS implementations disclose side channel information via PKCS #1 v1.5 version number extension

Vulnerability Note VU#888801

Overview

Description

Impact

Solution

Vendor Information

Apple Computer Inc. Affected

Status

Vendor Statement

Vendor Information

Addendum

Conectiva Affected

Status

Vendor Statement

Vendor Information

Addendum

Debian Affected

Status

Vendor Statement

Vendor Information

Addendum

F5 Networks Affected

Status

Vendor Statement

Vendor Information

Addendum

FreeBSD Affected

Status

Vendor Statement

Vendor Information

Addendum

GNU TLS Affected

Status

Vendor Statement

Vendor Information

Addendum

Gentoo Linux Affected

Status

Vendor Statement

Vendor Information

Addendum

Guardian Digital Inc. Affected

Status

Vendor Statement

Vendor Information

Addendum

Hewlett-Packard Company Affected

Status

Vendor Statement

Vendor Information

Addendum

IBM Affected

Status

Vendor Statement

Vendor Information

Addendum

Ingrian Networks Affected

Status

Vendor Statement

Vendor Information

Addendum

Mirapoint Affected

Status

Vendor Statement

Vendor Information

Addendum

NetBSD Affected

Status

Vendor Statement

Vendor Information

Addendum

OpenBSD Affected

Status

Vendor Statement

Vendor Information

Addendum

OpenPKG Affected