A vulnerability has been reported in OpenSSL, which potentially can be exploited by malicious people to bypass certain security restrictions.
The vulnerability is caused due to an error in handling the use of SSL_OP_MSIE_SSLV2_RSA_PADDING option. The use of this option causes a verification check that prevents protocol-version rollback attacks to be disabled. This may be exploited in "man-in-the-middle" attacks to force a client and a server to negotiate the less secure SSL 2.0 protocol even when both parties support the more secure SSL 3.0 or TLS 1.0 protocols. The option is also enabled when the SSL_OP_ALL option is used.
Successful exploitation requires that SSL 2.0 is enabled, and either the SSL_OP_MSIE_SSLV2_RSA_PADDING or the SSL_OP_ALL option is used.
The vulnerability has been reported in all versions prior to 0.9.7h, and prior to 0.9.8a.
Applications that use the OpenSSL SSL/TLS server implementation are potentially affected.
Solution: Update to the fixed versions or apply patch.
Do you have additional information related to this advisory?
Please provide information about patches, mitigating factors, new versions, exploits, faulty patches, links, and other relevant data by posting comments to this Advisory. You can also send this
information to firstname.lastname@example.org