CVE-2011-4619
published 2012-01-06CVE-2011-4619: The Server Gated Cryptography (SGC) implementation in OpenSSL before 0.9.8s and 1.x before 1.0.0f does not properly handle handshake restarts, which allows…
PriorityP430medium5CVSS 2.0
AVNACLAuNCNINAP
EPSS
16.64%
96.6th percentile
The Server Gated Cryptography (SGC) implementation in OpenSSL before 0.9.8s and 1.x before 1.0.0f does not properly handle handshake restarts, which allows remote attackers to cause a denial of service (CPU consumption) via unspecified vectors.
Affected
63 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | openssl | < openssl 1.0.0h-1 (bookworm) | openssl 1.0.0h-1 (bookworm) |
| openssl | openssl | <= 0.9.8r | — |
| openssl | openssl | <= 1.0.0e | — |
| openssl | openssl | — | — |
| openssl | openssl | — | — |
| openssl | openssl | — | — |
| openssl | openssl | — | — |
| openssl | openssl | — | — |
| openssl | openssl | — | — |
| openssl | openssl | — | — |
| openssl | openssl | — | — |
| openssl | openssl | — | — |
| openssl | openssl | — | — |
| openssl | openssl | — | — |
| openssl | openssl | — | — |
| openssl | openssl | — | — |
| openssl | openssl | — | — |
| openssl | openssl | — | — |
| openssl | openssl | — | — |
| openssl | openssl | — | — |
| openssl | openssl | — | — |
| openssl | openssl | — | — |
| openssl | openssl | — | — |
| openssl | openssl | — | — |
| openssl | openssl | — | — |
CVSS provenance
nvdv2.05.0MEDIUMAV:N/AC:L/Au:N/C:N/I:N/A:P
osv5.0MEDIUM
vendor_debian5.0MEDIUM
vendor_redhat5.0MEDIUM
vendor_ubuntu2.6LOW
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-9866-p82r-56gj: The Server Gated Cryptography (SGC) implementation in OpenSSL before 0
ghsa_unreviewed·2022-05-17
CVE-2011-4619 [MEDIUM] GHSA-9866-p82r-56gj: The Server Gated Cryptography (SGC) implementation in OpenSSL before 0
The Server Gated Cryptography (SGC) implementation in OpenSSL before 0.9.8s and 1.x before 1.0.0f does not properly handle handshake restarts, which allows remote attackers to cause a denial of service (CPU consumption) via unspecified vectors.
OSV
CVE-2011-4619: The Server Gated Cryptography (SGC) implementation in OpenSSL before 0
osv·2012-01-06·CVSS 5.0
CVE-2011-4619 [MEDIUM] CVE-2011-4619: The Server Gated Cryptography (SGC) implementation in OpenSSL before 0
The Server Gated Cryptography (SGC) implementation in OpenSSL before 0.9.8s and 1.x before 1.0.0f does not properly handle handshake restarts, which allows remote attackers to cause a denial of service (CPU consumption) via unspecified vectors.
BSD
FreeBSD-SA-12:01.openssl: OpenSSL multiple vulnerabilities
bsd_advisories·2012-05-30·CVSS 9.3
CVE-2011-4109 [CRITICAL] FreeBSD-SA-12:01.openssl: OpenSSL multiple vulnerabilities
FreeBSD-SA-12:01.openssl Security Advisory
The FreeBSD Project
Topic: OpenSSL multiple vulnerabilities
Category: contrib
Module: openssl
Announced: 2012-05-03
Credits: Adam Langley, George Kadianakis, Ben Laurie,
Ivan Nestlerode, Tavis Ormandy
Affects: All supported versions of FreeBSD.
Corrected: 2012-05-30 12:01:28 UTC (RELENG_7, 7.4-STABLE)
2012-05-30 12:01:28 UTC (RELENG_7_4, 7.4-RELEASE-p8)
2012-05-30 12:01:28 UTC (RELENG_8, 8.3-STABLE)
2012-05-30 12:01:28 UTC (RELENG_8_3, 8.3-RELEASE-p2)
2012-05-30 12:01:28 UTC (RELENG_8_2, 8.2-RELEASE-p8)
2012-05-30 12:01:28 UTC (RELENG_8_1, 8.1-RELEASE-p10)
2012-05-30 12:01:28 UTC (RELENG_9, 9.0-STABLE)
2012-05-30 12:01:28 UTC (RELENG_9_0, 9.0-RELEASE-p2)
CVE Name: CVE-2011-4576, CVE-2011-4619, CVE-2011-4109,
CVE-2012-0884, CVE-2012-2110
For gen
Ubuntu
OpenSSL vulnerabilities
vendor_ubuntu·2012-02-09·CVSS 2.6
CVE-2012-0027 [LOW] OpenSSL vulnerabilities
Title: OpenSSL vulnerabilities
Summary: Multiple vulnerabilities exist in OpenSSL that could expose
sensitive information or cause applications to crash.
It was discovered that the elliptic curve cryptography (ECC) subsystem
in OpenSSL, when using the Elliptic Curve Digital Signature Algorithm
(ECDSA) for the ECDHE_ECDSA cipher suite, did not properly implement
curves over binary fields. This could allow an attacker to determine
private keys via a timing attack. This issue only affected Ubuntu 8.04
LTS, Ubuntu 10.04 LTS, Ubuntu 10.10 and Ubuntu 11.04. (CVE-2011-1945)
Adam Langley discovered that the ephemeral Elliptic Curve
Diffie-Hellman (ECDH) functionality in OpenSSL did not ensure thread
safety while processing handshake messages from clients. This
could allow a remote attacker to c
Red Hat
openssl: SGC restart DoS attack
vendor_redhat·2012-01-04·CVSS 5.0
CVE-2011-4619 [MEDIUM] openssl: SGC restart DoS attack
openssl: SGC restart DoS attack
The Server Gated Cryptography (SGC) implementation in OpenSSL before 0.9.8s and 1.x before 1.0.0f does not properly handle handshake restarts, which allows remote attackers to cause a denial of service (CPU consumption) via unspecified vectors.
Package: openssl096b (Red Hat Enterprise Linux 4) - Will not fix
Package: openssl097a (Red Hat Enterprise Linux 5) - Will not fix
Package: openssl098e (Red Hat Enterprise Linux 6) - Will not fix
Debian
CVE-2011-4619: openssl - The Server Gated Cryptography (SGC) implementation in OpenSSL before 0.9.8s and ...
vendor_debian·2011·CVSS 5.0
CVE-2011-4619 [MEDIUM] CVE-2011-4619: openssl - The Server Gated Cryptography (SGC) implementation in OpenSSL before 0.9.8s and ...
The Server Gated Cryptography (SGC) implementation in OpenSSL before 0.9.8s and 1.x before 1.0.0f does not properly handle handshake restarts, which allows remote attackers to cause a denial of service (CPU consumption) via unspecified vectors.
Scope: local
bookworm: resolved (fixed in 1.0.0h-1)
bullseye: resolved (fixed in 1.0.0h-1)
forky: resolved (fixed in 1.0.0h-1)
sid: resolved (fixed in 1.0.0h-1)
trixie: resolved (fixed in 1.0.0h-1)
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2013-0440 OpenJDK: CPU consumption DoS via repeated SSL ClientHello packets (JSSE, 7192393)
bugzilla·2012-09-20·CVSS 5.0
CVE-2013-0440 [MEDIUM] CVE-2013-0440 OpenJDK: CPU consumption DoS via repeated SSL ClientHello packets (JSSE, 7192393)
CVE-2013-0440 OpenJDK: CPU consumption DoS via repeated SSL ClientHello packets (JSSE, 7192393)
A flaw was discovered in the SSL/TLS in JSSE component of OpenJDK, that allows malicious clients to make an SSL/TLS server use an excessive amount of CPU time by repeatedly sending ClientHello packets. Client can send pre-generated packet, causing the server to repeatedly perform expensive computations when generating ServerHello response.
This flaw is similar to OpenSSL CVE-2011-4619 (bug #771780), but the problem does not seem to be caused by an attempt to support server gated cryptography (SGC) and rather seems to be caused by an incorrect enforcing of the packet order during the SSL/TLS protocol handshake.
Note that the attacker needs to keep connection open and keep re-sending ClientHell
Bugzilla
CVE-2011-4108 CVE-2011-4576 CVE-2011-4577 CVE-2011-4619 mingw-openssl various flaws [fedora-all]
bugzilla·2012-08-08·CVSS 4.3
CVE-2011-4108 [MEDIUM] CVE-2011-4108 CVE-2011-4576 CVE-2011-4577 CVE-2011-4619 mingw-openssl various flaws [fedora-all]
CVE-2011-4108 CVE-2011-4576 CVE-2011-4577 CVE-2011-4619 mingw-openssl various flaws [fedora-all]
+++ This bug was initially created as a clone of Bug #773330 +++
--- Additional comment from [email protected] on 2012-08-08 03:49:41 EDT ---
mingw*-openssl packages in fedora still on 1.0.0d, while the issues were fixed upstream in 1.0.0f. No backported patches it seems.
Discussion:
This bug appears to have been reported against 'rawhide' during the Fedora 19 development cycle.
Changing version to '19'.
(As we did not run this process for some time, it could affect also pre-Fedora 19 development
cycle bugs. We are very sorry. It will help us with cleanup during Fedora 19 End Of Life. Thank you.)
More information and reason for this action is here:
https://fedoraproject.org/wiki/BugZapp
Bugzilla
CVE-2011-4108 CVE-2011-4109 CVE-2011-4576 CVE-2011-4577 CVE-2011-4619 mingw32-openssl various flaws [epel-5]
bugzilla·2012-01-11·CVSS 4.3
CVE-2011-4108 [MEDIUM] CVE-2011-4108 CVE-2011-4109 CVE-2011-4576 CVE-2011-4577 CVE-2011-4619 mingw32-openssl various flaws [epel-5]
CVE-2011-4108 CVE-2011-4109 CVE-2011-4576 CVE-2011-4577 CVE-2011-4619 mingw32-openssl various flaws [epel-5]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected Fedora
versions.
For comments that are specific to the vulnerability please use bugs filed
against "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please include this bug ID and the
bug IDs of this bug's parent bugs filed against the "Security Response"
product (the top-level CVE bugs). Please mention the CVE IDs being fixed
in the RPM changelog when available.
Bodhi update submission link:
https://admin.fedoraprojec
Bugzilla
CVE-2011-4108 CVE-2011-4576 CVE-2011-4577 CVE-2011-4619 mingw32-openssl various flaws [fedora-all]
bugzilla·2012-01-11·CVSS 4.3
CVE-2011-4108 [MEDIUM] CVE-2011-4108 CVE-2011-4576 CVE-2011-4577 CVE-2011-4619 mingw32-openssl various flaws [fedora-all]
CVE-2011-4108 CVE-2011-4576 CVE-2011-4577 CVE-2011-4619 mingw32-openssl various flaws [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected Fedora
versions.
For comments that are specific to the vulnerability please use bugs filed
against "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please include this bug ID and the
bug IDs of this bug's parent bugs filed against the "Security Response"
product (the top-level CVE bugs). Please mention the CVE IDs being fixed
in the RPM changelog when available.
Bodhi update submission link:
https://admin.fedoraproject.org/upda
Bugzilla
CVE-2011-4619 openssl: SGC restart DoS attack
bugzilla·2012-01-04·CVSS 5.0
CVE-2011-4619 [MEDIUM] CVE-2011-4619 openssl: SGC restart DoS attack
CVE-2011-4619 openssl: SGC restart DoS attack
SGC Restart DoS Attack (CVE-2011-4619)
Support for handshake restarts for server gated cryptograpy (SGC) can
be used in a denial-of-service attack.
Thanks to Adam Langley for identifying and fixing
this issue.
Affected users should upgrade to OpenSSL 1.0.0f or 0.9.8s.
Reference: http://openssl.org/news/secadv_20120104.txt
Discussion:
Seems to be the fix here:
http://cvs.openssl.org/chngview?cn=21940 (0.9.8)
http://cvs.openssl.org/chngview?cn=21927 (1.0.0)
---
This is the real commit for 0.9.8:
http://cvs.openssl.org/chngview?cn=21939
And for 1.0.0 this is also needed:
http://cvs.openssl.org/chngview?cn=21930
---
openssl-1.0.0f-1.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of
http://aix.software.ibm.com/aix/efixes/security/openssl_advisory3.aschttp://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03360041http://lists.apple.com/archives/security-announce/2013/Jun/msg00000.htmlhttp://lists.fedoraproject.org/pipermail/package-announce/2012-November/092905.htmlhttp://lists.opensuse.org/opensuse-security-announce/2012-01/msg00017.htmlhttp://lists.opensuse.org/opensuse-security-announce/2012-01/msg00018.htmlhttp://marc.info/?l=bugtraq&m=132750648501816&w=2http://marc.info/?l=bugtraq&m=133728068926468&w=2http://marc.info/?l=bugtraq&m=133951357207000&w=2http://marc.info/?l=bugtraq&m=134039053214295&w=2http://rhn.redhat.com/errata/RHSA-2012-1306.htmlhttp://rhn.redhat.com/errata/RHSA-2012-1307.htmlhttp://rhn.redhat.com/errata/RHSA-2012-1308.htmlhttp://secunia.com/advisories/48528http://secunia.com/advisories/57353http://support.apple.com/kb/HT5784http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004564http://www.debian.org/security/2012/dsa-2390http://www.kb.cert.org/vuls/id/737740http://www.mandriva.com/security/advisories?name=MDVSA-2012:006http://www.mandriva.com/security/advisories?name=MDVSA-2012:007http://www.openssl.org/news/secadv_20120104.txthttp://aix.software.ibm.com/aix/efixes/security/openssl_advisory3.aschttp://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03360041http://lists.apple.com/archives/security-announce/2013/Jun/msg00000.htmlhttp://lists.fedoraproject.org/pipermail/package-announce/2012-November/092905.htmlhttp://lists.opensuse.org/opensuse-security-announce/2012-01/msg00017.htmlhttp://lists.opensuse.org/opensuse-security-announce/2012-01/msg00018.htmlhttp://marc.info/?l=bugtraq&m=132750648501816&w=2http://marc.info/?l=bugtraq&m=133728068926468&w=2http://marc.info/?l=bugtraq&m=133951357207000&w=2http://marc.info/?l=bugtraq&m=134039053214295&w=2http://rhn.redhat.com/errata/RHSA-2012-1306.htmlhttp://rhn.redhat.com/errata/RHSA-2012-1307.htmlhttp://rhn.redhat.com/errata/RHSA-2012-1308.htmlhttp://secunia.com/advisories/48528http://secunia.com/advisories/57353http://support.apple.com/kb/HT5784http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004564http://www.debian.org/security/2012/dsa-2390http://www.kb.cert.org/vuls/id/737740http://www.mandriva.com/security/advisories?name=MDVSA-2012:006http://www.mandriva.com/security/advisories?name=MDVSA-2012:007http://www.openssl.org/news/secadv_20120104.txt
2012-01-06
Published