redmine2.3 CVE-2014-0160 CVE-2015-2808 CVE-2014-3566 problem

Added by lin qiang over 1 year ago

There are some leak CVE-2014-0160 CVE-2015-2808 CVE-2014-3566 in the redmine2.3 envirment, who can help to resolv the problem, thanks

Replies (2)

RE: redmine2.3 CVE-2014-0160 CVE-2015-2808 CVE-2014-3566 problem - Added by lin qiang over 1 year ago

CVE-2014-0160
The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug.

CVE-2015-2808
The RC4 algorithm, as used in the TLS protocol and SSL protocol, does not properly combine state data with key data during the initialization phase, which makes it easier for remote attackers to conduct plaintext-recovery attacks against the initial bytes of a stream by sniffing network traffic that occasionally relies on keys affected by the Invariance Weakness, and then using a brute-force approach involving LSB values, aka the "Bar Mitzvah" issue.

CVE-2014-3566
The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, aka the "POODLE" issue.

RE: redmine2.3 CVE-2014-0160 CVE-2015-2808 CVE-2014-3566 problem - Added by Hinako Tajima over 1 year ago

These three vulnerabilities are related to Open SSL which does not bring a direct effection on Redmine.
This vulnerabilities' problems will not be able to resolve by Redmine, it needs to be different approach such as OS update.
Now that Redmine 2.3 is a far old version which released 6 years ago. For now, you will find a reliable amount of security vulnerabilities have been fixed since Redmine 2.3 to 4.0, I recommend you to update Redmine as well as OS environment.

(1-2/2)