{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2020-1968", "assignerOrgId": "3a12439a-ef3a-4c79-92e6-6081a721f1e5", "assignerShortName": "openssl", "datePublished": "2020-09-09T13:50:12.423004Z", "dateUpdated": "2024-09-16T19:50:54.434Z", "dateReserved": "2019-12-03T00:00:00"}, "containers": {"cna": {"title": "Raccoon attack", "datePublic": "2020-09-09T00:00:00", "providerMetadata": {"orgId": "3a12439a-ef3a-4c79-92e6-6081a721f1e5", "shortName": "openssl", "dateUpdated": "2022-10-16T00:00:00"}, "descriptions": [{"lang": "en", "value": "The Raccoon attack exploits a flaw in the TLS specification which can lead to an attacker being able to compute the pre-master secret in connections which have used a Diffie-Hellman (DH) based ciphersuite. In such a case this would result in the attacker being able to eavesdrop on all encrypted communications sent over that TLS connection. The attack can only be exploited if an implementation re-uses a DH secret across multiple TLS connections. Note that this issue only impacts DH ciphersuites and not ECDH ciphersuites. This issue affects OpenSSL 1.0.2 which is out of support and no longer receiving public updates. OpenSSL 1.1.1 is not vulnerable to this issue. Fixed in OpenSSL 1.0.2w (Affected 1.0.2-1.0.2v)."}], "affected": [{"vendor": "OpenSSL", "product": "OpenSSL", "versions": [{"version": "Fixed in OpenSSL 1.0.2w (Affected 1.0.2-1.0.2v)", "status": "affected"}]}], "references": [{"url": "https://www.openssl.org/news/secadv/20200909.txt"}, {"name": "USN-4504-1", "tags": ["vendor-advisory"], "url": "https://usn.ubuntu.com/4504-1/"}, {"name": "[debian-lts-announce] 20200925 [SECURITY] [DLA 2378-1] openssl1.0 security update", "tags": ["mailing-list"], "url": "https://lists.debian.org/debian-lts-announce/2020/09/msg00016.html"}, {"url": "https://www.oracle.com/security-alerts/cpujan2021.html"}, {"url": "https://security.netapp.com/advisory/ntap-20200911-0004/"}, {"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"}, {"url": "https://www.oracle.com//security-alerts/cpujul2021.html"}, {"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"}, {"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"}, {"name": "GLSA-202210-02", "tags": ["vendor-advisory"], "url": "https://security.gentoo.org/glsa/202210-02"}], "credits": [{"lang": "en", "value": "Robert Merget, Marcus Brinkmann, Nimrod Aviram, and Juraj Somorovsky"}], "metrics": [{"other": {"type": "unknown", "content": {"lang": "eng", "url": "https://www.openssl.org/policies/secpolicy.html#Low", "value": "Low"}}}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "Protocol flaw"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T06:54:00.367Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.openssl.org/news/secadv/20200909.txt", "tags": ["x_transferred"]}, {"name": "USN-4504-1", "tags": ["vendor-advisory", "x_transferred"], "url": "https://usn.ubuntu.com/4504-1/"}, {"name": "[debian-lts-announce] 20200925 [SECURITY] [DLA 2378-1] openssl1.0 security update", "tags": ["mailing-list", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2020/09/msg00016.html"}, {"url": "https://www.oracle.com/security-alerts/cpujan2021.html", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20200911-0004/", "tags": ["x_transferred"]}, {"url": "https://www.oracle.com/security-alerts/cpuApr2021.html", "tags": ["x_transferred"]}, {"url": "https://www.oracle.com//security-alerts/cpujul2021.html", "tags": ["x_transferred"]}, {"url": "https://www.oracle.com/security-alerts/cpuoct2021.html", "tags": ["x_transferred"]}, {"url": "https://www.oracle.com/security-alerts/cpuapr2022.html", "tags": ["x_transferred"]}, {"name": "GLSA-202210-02", "tags": ["vendor-advisory", "x_transferred"], "url": "https://security.gentoo.org/glsa/202210-02"}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*", "matchCriteriaId": "A05055C5-49F7-4B9F-B2DC-D192296C41F0", "versionEndIncluding": "1.0.2v", "versionStartIncluding": "1.0.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*", "matchCriteriaId": "F7016A2A-8365-4F1A-89A2-7A19F2BCAE5B", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*", "matchCriteriaId": "23A7C53F-B80F-4E6A-AFA9-58EEA84BE11D", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:oracle:jd_edwards_world_security:a9.4:*:*:*:*:*:*:*", "matchCriteriaId": "0B1CAD50-749F-4ADB-A046-BF3585677A58", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.56:*:*:*:*:*:*:*", "matchCriteriaId": "D0A735B4-4F3C-416B-8C08-9CB21BAD2889", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.57:*:*:*:*:*:*:*", "matchCriteriaId": "7E1E416B-920B-49A0-9523-382898C2979D", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*", "matchCriteriaId": "D9DB4A14-2EF5-4B54-95D2-75E6CF9AA0A9", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:oracle:ethernet_switch_es2-64_firmware:2.0.0.14:*:*:*:*:*:*:*", "matchCriteriaId": "8B0403A9-E552-48CA-9CD5-31B48684FF70", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:oracle:ethernet_switch_es2-64:-:*:*:*:*:*:*:*", "matchCriteriaId": "D4AB93AB-A30F-40AE-8246-10036FF077FE", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:oracle:ethernet_switch_es2-72_firmware:2.0.0.14:*:*:*:*:*:*:*", "matchCriteriaId": "4F58DF8F-5478-4E00-BF9D-14BA3B79DA99", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:oracle:ethernet_switch_es2-72:-:*:*:*:*:*:*:*", "matchCriteriaId": "0D4E5146-C8E3-40D2-93D9-F9E85768A5B4", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fujitsu:m10-1_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "9C3CF24D-2DE4-4E3B-B36E-D952D0E65E0B", "versionEndExcluding": "xcp2400", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:fujitsu:m10-1:-:*:*:*:*:*:*:*", "matchCriteriaId": "983D27DE-BC89-454E-AE47-95A26A3651E2", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fujitsu:m10-4_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "9F742415-8605-4B83-9410-BDA07BABF740", "versionEndExcluding": "xcp2400", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:fujitsu:m10-4:-:*:*:*:*:*:*:*", "matchCriteriaId": "5825AEE1-B668-40BD-86A9-2799430C742C", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fujitsu:m10-4s_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "4E9ED009-8D47-430C-9F59-EE09ECF2299E", "versionEndExcluding": "xcp2400", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:fujitsu:m10-4s:-:*:*:*:*:*:*:*", "matchCriteriaId": "3DA2D526-BDCF-4A65-914A-B3BA3A0CD613", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fujitsu:m12-1_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "9AB0DC35-F821-49BA-A5F1-45DD086915B0", "versionEndExcluding": "xcp2400", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:fujitsu:m12-1:-:*:*:*:*:*:*:*", "matchCriteriaId": "EE0CF40B-E5BD-4558-9321-184D58EF621D", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fujitsu:m12-2_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "6DF75FC1-C88D-45DA-BBD0-7EB0B9EED343", "versionEndExcluding": "xcp2400", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:fujitsu:m12-2:-:*:*:*:*:*:*:*", "matchCriteriaId": "0F3C9C09-7B2B-4DB6-8BE0-35302ED35776", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fujitsu:m12-2s_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "9762A1D1-ED90-4E9C-B672-2499ABA48C46", "versionEndExcluding": "xcp2400", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:fujitsu:m12-2s:-:*:*:*:*:*:*:*", "matchCriteriaId": "95503CE5-1D06-4092-A60D-D310AADCAFB1", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fujitsu:m10-1_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "4D2AB72D-52FB-4D23-95FD-D10958F8B936", "versionEndExcluding": "xcp3100", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:fujitsu:m10-1:-:*:*:*:*:*:*:*", "matchCriteriaId": "983D27DE-BC89-454E-AE47-95A26A3651E2", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fujitsu:m10-4_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "B1198FC6-A33A-4F4D-9643-51DEE8D46E17", "versionEndExcluding": "xcp3100", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:fujitsu:m10-4:-:*:*:*:*:*:*:*", "matchCriteriaId": "5825AEE1-B668-40BD-86A9-2799430C742C", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fujitsu:m10-4s_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "12F2A182-B9A0-4011-9791-435C5709E313", "versionEndExcluding": "xcp3100", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:fujitsu:m10-4s:-:*:*:*:*:*:*:*", "matchCriteriaId": "3DA2D526-BDCF-4A65-914A-B3BA3A0CD613", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fujitsu:m12-1_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "B037D0E6-B857-4539-ADDC-FE2ADC2B0C2F", "versionEndExcluding": "xcp3100", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:fujitsu:m12-1:-:*:*:*:*:*:*:*", "matchCriteriaId": "EE0CF40B-E5BD-4558-9321-184D58EF621D", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fujitsu:m12-2_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "968A6DC3-9E0B-4FBD-8AAB-2ECD8CE47D23", "versionEndExcluding": "xcp3100", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:fujitsu:m12-2:-:*:*:*:*:*:*:*", "matchCriteriaId": "0F3C9C09-7B2B-4DB6-8BE0-35302ED35776", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fujitsu:m12-2s_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "C219921D-966D-4EAC-A129-9D4BFE6FCD36", "versionEndExcluding": "xcp3100", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:fujitsu:m12-2s:-:*:*:*:*:*:*:*", "matchCriteriaId": "95503CE5-1D06-4092-A60D-D310AADCAFB1", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:oracle:ethernet_switch_es1-24_firmware:1.3.1:*:*:*:*:*:*:*", "matchCriteriaId": "EDA6CD79-6D03-44C6-BA41-F190E5037EF3", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:oracle:ethernet_switch_es1-24:-:*:*:*:*:*:*:*", "matchCriteriaId": "62136C7B-992F-4889-9394-B233533636E3", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:oracle:ethernet_switch_tor-72_firmware:1.2.2:*:*:*:*:*:*:*", "matchCriteriaId": "FCDF5167-832D-4483-AD01-6534111196FB", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:oracle:ethernet_switch_tor-72:-:*:*:*:*:*:*:*", "matchCriteriaId": "03657F1F-618B-479D-AD29-BB58AF1A3819", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "The Raccoon attack exploits a flaw in the TLS specification which can lead to an attacker being able to compute the pre-master secret in connections which have used a Diffie-Hellman (DH) based ciphersuite. In such a case this would result in the attacker being able to eavesdrop on all encrypted communications sent over that TLS connection. The attack can only be exploited if an implementation re-uses a DH secret across multiple TLS connections. Note that this issue only impacts DH ciphersuites and not ECDH ciphersuites. This issue affects OpenSSL 1.0.2 which is out of support and no longer receiving public updates. OpenSSL 1.1.1 is not vulnerable to this issue. Fixed in OpenSSL 1.0.2w (Affected 1.0.2-1.0.2v)."}, {"lang": "es", "value": "El ataque Raccoon explota un fallo en la especificaci\u00f3n TLS que puede conllevar a que un atacante sea capaz de calcular el secreto pre-master en conexiones que han usado un conjunto de cifrado basado en Diffie-Hellman (DH). En tal caso, esto har\u00eda que el atacante pudiera espiar todas las comunicaciones cifradas enviadas por medio de esa conexi\u00f3n TLS. El ataque solo puede ser explotado si una implementaci\u00f3n reutiliza un secreto de DH en varias conexiones TLS. Tome en cuenta que este problema solo afecta a los conjuntos de cifrado DH y no a los conjuntos de cifrado ECDH. Este problema afecta a OpenSSL versi\u00f3n 1.0.2, que no es compatible y ya no recibe actualizaciones p\u00fablicas. OpenSSL versi\u00f3n 1.1.1 no es vulnerable a este problema. Corregido en OpenSSL versi\u00f3n 1.0.2w (Afectadas versiones 1.0.2-1.0.2v)."}], "id": "CVE-2020-1968", "lastModified": "2024-11-21T05:11:45.367", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.7, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-09-09T14:15:12.507", "references": [{"source": "openssl-security@openssl.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2020/09/msg00016.html"}, {"source": "openssl-security@openssl.org", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202210-02"}, {"source": "openssl-security@openssl.org", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20200911-0004/"}, {"source": "openssl-security@openssl.org", "tags": ["Third Party Advisory"], "url": "https://usn.ubuntu.com/4504-1/"}, {"source": "openssl-security@openssl.org", "tags": ["Vendor Advisory"], "url": "https://www.openssl.org/news/secadv/20200909.txt"}, {"source": "openssl-security@openssl.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com//security-alerts/cpujul2021.html"}, {"source": "openssl-security@openssl.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpuApr2021.html"}, {"source": "openssl-security@openssl.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"}, {"source": "openssl-security@openssl.org", "tags": ["Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpujan2021.html"}, {"source": "openssl-security@openssl.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2020/09/msg00016.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202210-02"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20200911-0004/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://usn.ubuntu.com/4504-1/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://www.openssl.org/news/secadv/20200909.txt"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com//security-alerts/cpujul2021.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpuApr2021.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpujan2021.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"}], "sourceIdentifier": "openssl-security@openssl.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-203"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "openssl: Information exposure when DH secret are reused across multiple TLS connections", "id": "1877458", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1877458"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.9", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "status": "draft"}, "cwe": "CWE-385->CWE-200", "details": ["The Raccoon attack exploits a flaw in the TLS specification which can lead to an attacker being able to compute the pre-master secret in connections which have used a Diffie-Hellman (DH) based ciphersuite. In such a case this would result in the attacker being able to eavesdrop on all encrypted communications sent over that TLS connection. The attack can only be exploited if an implementation re-uses a DH secret across multiple TLS connections. Note that this issue only impacts DH ciphersuites and not ECDH ciphersuites. This issue affects OpenSSL 1.0.2 which is out of support and no longer receiving public updates. OpenSSL 1.1.1 is not vulnerable to this issue. Fixed in OpenSSL 1.0.2w (Affected 1.0.2-1.0.2v).", "A flaw was found in openssl in versions 1.0.2 to 1.0.2w. A Raccoon attack exploits a flaw in the TLS specification which can lead to an attacker being able to compute the pre-master secret in connections which have used a Diffie-Hellman (DH) based ciphersuite. In such a case this would result in the attacker being able to eavesdrop on all encrypted communications sent over that TLS connection. The highest threat from this vulnerability is to data confidentiality."], "mitigation": {"lang": "en:us", "value": "In OpenSSL 1.0.2e and below, this flaw can be mitigated by not enabling any ciphersuites with Diffie Hellman (DH), excluding ciphersuites using Elliptic Curve Diffie Hellman (ECDH).\nIn OpenSSL 1.0.2f and above, this flaw can be mitigated by not enabling static DH ciphersuites. Such ciphersuites start with `DH-` in OpenSSL and are mapped to IANA names that start with `TLS_DH_`, excluding ciphersuites that start with `TLS_DH_anon`. Following this convention, we see that `DH-RSA-AES256-GCM-SHA384` with IANA name `TLS_DH_RSA_WITH_AES_256_GCM_SHA384` is affected and should not be used in a mitigation of this flaw. However, `ECDH-RSA-AES128-GCM-SHA256` with IANA name `TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256` is not affected and may be used in a mitigation to this flaw, as it does not follow the `DH-` or `TLS_DH_` naming convention."}, "name": "CVE-2020-1968", "package_state": [{"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Not affected", "package_name": "openssl", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/o:redhat:enterprise_linux:5", "fix_state": "Out of support scope", "package_name": "openssl", "product_name": "Red Hat Enterprise Linux 5"}, {"cpe": "cpe:/o:redhat:enterprise_linux:5", "fix_state": "Out of support scope", "package_name": "openssl097a", "product_name": "Red Hat Enterprise Linux 5"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "openssl", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "openssl098e", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Fix deferred", "package_name": "openssl", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Fix deferred", "package_name": "openssl098e", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "ovmf", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "compat-openssl10", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "mingw-openssl", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "openssl", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/a:redhat:jboss_core_services:1", "fix_state": "Not affected", "package_name": "jbcs-httpd24-openssl", "product_name": "Red Hat JBoss Core Services"}, {"cpe": "cpe:/a:redhat:jboss_core_services:1", "fix_state": "Not affected", "package_name": "openssl", "product_name": "Red Hat JBoss Core Services"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:5", "fix_state": "Out of support scope", "package_name": "openssl", "product_name": "Red Hat JBoss Enterprise Application Platform 5"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:6", "fix_state": "Out of support scope", "package_name": "openssl", "product_name": "Red Hat JBoss Enterprise Application Platform 6"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:2", "fix_state": "Out of support scope", "package_name": "jbcs-httpd24-openssl", "product_name": "Red Hat JBoss Enterprise Web Server 2"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:2", "fix_state": "Out of support scope", "package_name": "openssl", "product_name": "Red Hat JBoss Enterprise Web Server 2"}], "public_date": "2020-09-09T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2020-1968\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-1968\nhttps://raccoon-attack.com/RacoonAttack.pdf"], "statement": "openssl 1.1.0i as bundled in the ovmf package shipped with Red Hat Enterprise Linux 7 supplementary rpms is not affected by this flaw. openssl 1.1.1 as shipped in Red Hat Enterprise Linux 8 is also not affected.\nRed Hat Advanced Cluster Management for Kubernetes does not use the vulnerable cipher suites, so it is not impacted by this flaw.", "threat_severity": "Low"}

{}