{
  "threat_severity" : "Low",
  "public_date" : "2016-01-28T00:00:00Z",
  "bugzilla" : {
    "description" : "OpenSSL: SSLv2 doesn't block disabled ciphers",
    "id" : "1301846",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1301846"
  },
  "cvss" : {
    "cvss_base_score" : "5.8",
    "cvss_scoring_vector" : "AV:N/AC:M/Au:N/C:P/I:P/A:N",
    "status" : "verified"
  },
  "details" : [ "ssl/s2_srvr.c in OpenSSL 1.0.1 before 1.0.1r and 1.0.2 before 1.0.2f does not prevent use of disabled ciphers, which makes it easier for man-in-the-middle attackers to defeat cryptographic protection mechanisms by performing computations on SSLv2 traffic, related to the get_client_master_key and get_client_hello functions.", "A flaw was found in the way malicious SSLv2 clients could negotiate SSLv2 ciphers that were disabled on the server. This could result in weak SSLv2 ciphers being used for SSLv2 connections, making them vulnerable to man-in-the-middle attacks." ],
  "statement" : "This security flaw can only be exploited when a malicious client negotiates SSLv2 ciphers and completes an SSLv2 handshake. This flaw cannot be actively exploited by a Man-In-The-Middle attacker.\nAll versions of OpenSSL shipped with Red Hat Enterprise Linux enable the SSLv2 protocol but disable SSLv2 ciphers by default (in Red Hat Enterprise Linux 6 and later), and are therefore vulnerable to this flaw. Red Hat Product Security has rated this issue as having Low security impact; a future update may address this flaw.\nSSLv2 suffers from a number of security flaws that allow attackers to capture and alter information passed between a client and the server. We therefore strongly recommend that SSLv2 be disabled on all SSL/TLS servers.",
  "acknowledgement" : "Red Hat would like to thank the OpenSSL project for reporting this issue. Upstream acknowledges Nimrod Aviram and Sebastian Schinzel as the original reporters.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 4 Extended Lifecycle Support",
    "release_date" : "2016-03-01T00:00:00Z",
    "advisory" : "RHSA-2016:0306",
    "cpe" : "cpe:/o:redhat:rhel_els:4",
    "package" : "openssl-0:0.9.7a-43.23.el4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 5",
    "release_date" : "2016-03-01T00:00:00Z",
    "advisory" : "RHSA-2016:0302",
    "cpe" : "cpe:/o:redhat:enterprise_linux:5",
    "package" : "openssl-0:0.9.8e-39.el5_11"
  }, {
    "product_name" : "Red Hat Enterprise Linux 5.6 Long Life",
    "release_date" : "2016-03-01T00:00:00Z",
    "advisory" : "RHSA-2016:0304",
    "cpe" : "cpe:/o:redhat:rhel_mission_critical:5.6",
    "package" : "openssl-0:0.9.8e-12.el5_6.13"
  }, {
    "product_name" : "Red Hat Enterprise Linux 5.9 Long Life",
    "release_date" : "2016-03-01T00:00:00Z",
    "advisory" : "RHSA-2016:0304",
    "cpe" : "cpe:/o:redhat:rhel_aus:5.9",
    "package" : "openssl-0:0.9.8e-26.el5_9.5"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "release_date" : "2016-03-01T00:00:00Z",
    "advisory" : "RHSA-2016:0301",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6",
    "package" : "openssl-0:1.0.1e-42.el6_7.4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "release_date" : "2016-03-09T00:00:00Z",
    "advisory" : "RHSA-2016:0372",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6",
    "package" : "openssl098e-0:0.9.8e-20.el6_7.1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6.2 Advanced Update Support",
    "release_date" : "2016-03-01T00:00:00Z",
    "advisory" : "RHSA-2016:0303",
    "cpe" : "cpe:/o:redhat:rhel_mission_critical:6.2",
    "package" : "openssl-0:1.0.0-20.el6_2.8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6.4 Advanced Update Support",
    "release_date" : "2016-03-01T00:00:00Z",
    "advisory" : "RHSA-2016:0303",
    "cpe" : "cpe:/o:redhat:rhel_aus:6.4",
    "package" : "openssl-0:1.0.0-27.el6_4.5"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6.5 Advanced Update Support",
    "release_date" : "2016-03-01T00:00:00Z",
    "advisory" : "RHSA-2016:0303",
    "cpe" : "cpe:/o:redhat:rhel_aus:6.5",
    "package" : "openssl-0:1.0.1e-16.el6_5.16"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6.6 Extended Update Support",
    "release_date" : "2016-03-01T00:00:00Z",
    "advisory" : "RHSA-2016:0305",
    "cpe" : "cpe:/o:redhat:rhel_eus:6.6",
    "package" : "openssl-0:1.0.1e-30.el6_6.12"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "release_date" : "2016-03-01T00:00:00Z",
    "advisory" : "RHSA-2016:0301",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7",
    "package" : "openssl-1:1.0.1e-51.el7_2.4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "release_date" : "2016-03-09T00:00:00Z",
    "advisory" : "RHSA-2016:0372",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7",
    "package" : "openssl098e-0:0.9.8e-29.el7_2.3"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7.1 Extended Update Support",
    "release_date" : "2016-03-01T00:00:00Z",
    "advisory" : "RHSA-2016:0305",
    "cpe" : "cpe:/o:redhat:rhel_eus:7.1",
    "package" : "openssl-1:1.0.1e-42.ael7b_1.10"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 6.4",
    "release_date" : "2016-03-22T00:00:00Z",
    "advisory" : "RHSA-2016:0490",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:6.4",
    "package" : "openssl"
  }, {
    "product_name" : "Red Hat JBoss Web Server 2.1",
    "release_date" : "2016-03-14T00:00:00Z",
    "advisory" : "RHSA-2016:0445",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:2.1",
    "package" : "openssl"
  }, {
    "product_name" : "Red Hat JBoss Web Server 3.0",
    "release_date" : "2016-03-14T00:00:00Z",
    "advisory" : "RHSA-2016:0446",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3.0"
  }, {
    "product_name" : "RHEV 3.X Hypervisor and Agents for RHEL-6",
    "release_date" : "2016-03-09T00:00:00Z",
    "advisory" : "RHSA-2016:0379",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6::hypervisor",
    "package" : "rhev-hypervisor7-0:7.2-20160302.1.el6ev"
  }, {
    "product_name" : "RHEV 3.X Hypervisor and Agents for RHEL-7",
    "release_date" : "2016-03-09T00:00:00Z",
    "advisory" : "RHSA-2016:0379",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7::hypervisor",
    "package" : "rhev-hypervisor7-0:7.2-20160302.1.el7ev"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 5",
    "fix_state" : "Affected",
    "package_name" : "openssl097a",
    "cpe" : "cpe:/o:redhat:enterprise_linux:5"
  }, {
    "product_name" : "Red Hat Enterprise Linux Extended Update Support 6.7",
    "fix_state" : "Affected",
    "package_name" : "guest-images",
    "cpe" : "cpe:/o:redhat:rhel_eus:6.7"
  }, {
    "product_name" : "Red Hat Enterprise Linux Extended Update Support 7.2",
    "fix_state" : "Affected",
    "package_name" : "rhel-guest-image",
    "cpe" : "cpe:/o:redhat:rhel_eus:7.2"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 5",
    "fix_state" : "Will not fix",
    "package_name" : "openssl",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:5"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Web Server 1",
    "fix_state" : "Will not fix",
    "package_name" : "openssl",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:1"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Web Server 3",
    "fix_state" : "Affected",
    "package_name" : "openssl",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2015-3197\nhttps://nvd.nist.gov/vuln/detail/CVE-2015-3197\nhttps://www.openssl.org/news/secadv/20160128.txt" ],
  "name" : "CVE-2015-3197",
  "csaw" : false
}