CVE-2015-3197

high-risk

Published 2016-02-15

ssl/s2_srvr.c in OpenSSL 1.0.1 before 1.0.1r and 1.0.2 before 1.0.2f does not prevent use of disabled ciphers, which makes it easier for man-in-the-middle attackers to defeat cryptographic protection mechanisms by performing computations on SSLv2 traffic, related to the get_client_master_key and get_client_hello functions.

Do I need to act?

!

21.9% chance of exploitation in next 30 days

EPSS score — higher than 78% of all CVEs

-

Not on CISA KEV list

No confirmed active exploitation reported to CISA

?

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

5

CVSS 5.9/10 Medium

NETWORK / HIGH complexity

Affected Products (20)

Exalogic Infrastructure

Peoplesoft Enterprise Peopletools

Peoplesoft Enterprise Peopletools

Openssl

Openssl

Openssl

Openssl

Openssl

Openssl

Openssl

Openssl

Openssl

Openssl

Openssl

Openssl

Openssl

Openssl

Openssl

Openssl

Oss Support Tools

Affected Vendors

Oracle Openssl

References (72)

http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10759

http://lists.fedoraproject.org/pipermail/package-announce/2016-January/176373.ht...

http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00001.html

http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00002.html

http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00003.html

http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00004.html

http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00006.html

http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00007.html

http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00009.html

http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00010.html

http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00011.html

http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00012.html

http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00017.html

http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00025.html

http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00038.html

http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00015.html

http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00017.html

Vendor Advisory http://www.openssl.org/news/secadv/20160128.txt

Patch http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html

http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html

and 52 more references

56

/ 100

high-risk

Severity 18/34 · Moderate

Exploitability 14/34 · Moderate

Exposure 24/34 · High