{
  "threat_severity" : "Moderate",
  "public_date" : "2016-03-01T00:00:00Z",
  "bugzilla" : {
    "description" : "openssl: SSLv2 Bleichenbacher protection overwrites wrong bytes for export ciphers",
    "id" : "1310814",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1310814"
  },
  "cvss" : {
    "cvss_base_score" : "4.3",
    "cvss_scoring_vector" : "AV:N/AC:M/Au:N/C:P/I:N/A:N",
    "status" : "verified"
  },
  "details" : [ "An oracle protection mechanism in the get_client_master_key function in s2_srvr.c in the SSLv2 implementation in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a overwrites incorrect MASTER-KEY bytes during use of export cipher suites, which makes it easier for remote attackers to decrypt TLS ciphertext data by leveraging a Bleichenbacher RSA padding oracle, a related issue to CVE-2016-0800.", "It was discovered that the SSLv2 protocol implementation in OpenSSL did not properly implement the Bleichenbacher protection for export cipher suites. An attacker could use a SSLv2 server using OpenSSL as a Bleichenbacher oracle." ],
  "acknowledgement" : "Red Hat would like to thank the OpenSSL project for reporting this issue. Upstream acknowledges David Adrian (University of Michigan) and J. Alex Halderman (University of Michigan) as the original reporters.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 4 Extended Lifecycle Support",
    "release_date" : "2016-03-01T00:00:00Z",
    "advisory" : "RHSA-2016:0306",
    "cpe" : "cpe:/o:redhat:rhel_els:4",
    "package" : "openssl-0:0.9.7a-43.23.el4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 5",
    "release_date" : "2015-04-13T00:00:00Z",
    "advisory" : "RHSA-2015:0800",
    "cpe" : "cpe:/o:redhat:enterprise_linux:5",
    "package" : "openssl-0:0.9.8e-33.el5_11"
  }, {
    "product_name" : "Red Hat Enterprise Linux 5.6 Long Life",
    "release_date" : "2016-03-01T00:00:00Z",
    "advisory" : "RHSA-2016:0304",
    "cpe" : "cpe:/o:redhat:rhel_mission_critical:5.6",
    "package" : "openssl-0:0.9.8e-12.el5_6.13"
  }, {
    "product_name" : "Red Hat Enterprise Linux 5.9 Long Life",
    "release_date" : "2016-03-01T00:00:00Z",
    "advisory" : "RHSA-2016:0304",
    "cpe" : "cpe:/o:redhat:rhel_aus:5.9",
    "package" : "openssl-0:0.9.8e-26.el5_9.5"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "release_date" : "2015-03-23T00:00:00Z",
    "advisory" : "RHSA-2015:0715",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6",
    "package" : "openssl-0:1.0.1e-30.el6_6.7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "release_date" : "2016-03-09T00:00:00Z",
    "advisory" : "RHSA-2016:0372",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6",
    "package" : "openssl098e-0:0.9.8e-20.el6_7.1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6.2 Advanced Update Support",
    "release_date" : "2016-03-01T00:00:00Z",
    "advisory" : "RHSA-2016:0303",
    "cpe" : "cpe:/o:redhat:rhel_mission_critical:6.2",
    "package" : "openssl-0:1.0.0-20.el6_2.8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6.4 Advanced Update Support",
    "release_date" : "2016-03-01T00:00:00Z",
    "advisory" : "RHSA-2016:0303",
    "cpe" : "cpe:/o:redhat:rhel_aus:6.4",
    "package" : "openssl-0:1.0.0-27.el6_4.5"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6.5 Advanced Update Support",
    "release_date" : "2016-03-01T00:00:00Z",
    "advisory" : "RHSA-2016:0303",
    "cpe" : "cpe:/o:redhat:rhel_aus:6.5",
    "package" : "openssl-0:1.0.1e-16.el6_5.16"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "release_date" : "2015-03-23T00:00:00Z",
    "advisory" : "RHSA-2015:0716",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7",
    "package" : "openssl-1:1.0.1e-42.el7_1.4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "release_date" : "2016-03-09T00:00:00Z",
    "advisory" : "RHSA-2016:0372",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7",
    "package" : "openssl098e-0:0.9.8e-29.el7_2.3"
  }, {
    "product_name" : "Red Hat Storage 2.1",
    "release_date" : "2015-03-30T00:00:00Z",
    "advisory" : "RHSA-2015:0752",
    "cpe" : "cpe:/a:redhat:storage:2.1:server:el6",
    "package" : "openssl-0:1.0.1e-30.el6_6.7"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 5",
    "fix_state" : "Will not fix",
    "package_name" : "openssl097a",
    "cpe" : "cpe:/o:redhat:enterprise_linux:5"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 6",
    "fix_state" : "Under investigation",
    "package_name" : "openssl",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:6"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Web Server 1",
    "fix_state" : "Under investigation",
    "package_name" : "openssl",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:1"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Web Server 2",
    "fix_state" : "Under investigation",
    "package_name" : "openssl",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:2"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Web Server 3",
    "fix_state" : "Under investigation",
    "package_name" : "openssl",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2016-0704\nhttps://nvd.nist.gov/vuln/detail/CVE-2016-0704\nhttps://www.openssl.org/news/secadv/20160301.txt" ],
  "name" : "CVE-2016-0704",
  "csaw" : false
}