Description

The TLS protocol 1.2 and earlier, as used in Mozilla Firefox, Google Chrome, Qt, and other products, can encrypt compressed data without properly obfuscating the length of the unencrypted data, which allows man-in-the-middle attackers to obtain plaintext HTTP headers by observing length differences during a series of guesses in which a string in an HTTP request potentially matches an unknown string in an HTTP header, aka a "CRIME" attack.

References

• APPLE-APPLE-SA-2013-06-04-1
• BID-55704
• CVE-2012-4929
• DEBIAN-DSA-2579
• DEBIAN-DSA-2627
• DEBIAN-DSA-3253
• OVAL-OVAL18920
• REDHAT-RHSA-2013:0587

Solution

Related Vulnerabilities

• OS X update for OpenSSL (CVE-2012-4929)
• HP-UX: CVE-2012-4929: Running Apache, Remote Denial of Service (DoS), Execution of Arbitrary Code and other vulnerabilities
• OS X update for Note (CVE-2012-4929)
• F5 Networks: K14054 (CVE-2012-4929): CRIME vulnerability via TLS 1.2 protocol CVE-2012-4929
• DSA-2627-1 nginx -- information leak
• Gentoo Linux: CVE-2012-4929: Apache HTTP Server: Multiple vulnerabilities
• Cent OS: CVE-2012-4929: CESA-2013:0587 (openssl)
• Vulnerabilities deemed not relevant on Red Hat Enterprise Linux 5
• Amazon Linux AMI: Security patch for openssl (ALAS-2013-171) (multiple CVEs)
• DSA-2626-1 lighttpd -- several issues
• RHSA-2014:0416: rhevm-spice-client security update
• RHSA-2013:0587: openssl security update
• Vulnerabilities deemed not relevant on Red Hat Enterprise Linux 4
• ELSA-2013-0587 Moderate: Oracle Linux openssl security update
• USN-1898-1: OpenSSL vulnerability
• DSA-3253-1 pound -- security update
• SUSE Linux Security Vulnerability: CVE-2012-4929
• DSA-2579-1 apache2 -- Multiple issues
• Vulnerabilities deemed not relevant on Red Hat Enterprise Linux 3
• USN-1627-1: Apache HTTP Server vulnerabilities
• RHSA-2013:0636: rhev-hypervisor6 security and bug fix update
• USN-1628-1: Qt vulnerability
• Oracle Linux: CVE-2012-4929: ELSA-2016-3558 - openssl security update