CVE-2012-4930
Publication date 15 September 2012
Last updated 24 July 2024
Ubuntu priority
The SPDY protocol 3 and earlier, as used in Mozilla Firefox, Google Chrome, and other products, can perform TLS encryption of compressed data without properly obfuscating the length of the unencrypted data, which allows man-in-the-middle attackers to obtain plaintext HTTP headers by observing length differences during a series of guesses in which a string in an HTTP request potentially matches an unknown string in an HTTP header, aka a "CRIME" attack.
Status
Package | Ubuntu Release | Status |
---|---|---|
chromium-browser | ||
firefox | ||
openssl | ||
Notes
jdstrand
- Firefox 15 disables compression
- For SPDY to be used with OpenSSL in any way, NPN must be available in openssl. This was not introduced until 1.0.1.
- No patch for upstream OpenSSL. This may be considered a flaw in the applications using OpenSSL and not OpenSSL itself.
Patch details
Package | Patch details |
---|---|
openssl |
References
Other references
- https://community.qualys.com/blogs/securitylabs/2012/09/14/crime-information-leakage-attack-against-ssltls
- https://bugzilla.redhat.com/show_bug.cgi?id=857737
- http://www.theregister.co.uk/2012/09/14/crime_tls_attack/
- http://www.iacr.org/cryptodb/data/paper.php?pubkey=3091
- http://www.ekoparty.org/2012/thai-duong.php
- http://threatpost.com/en_us/blogs/crime-attack-uses-compression-ratio-tls-requests-side-channel-hijack-secure-sessions-091312
- http://isecpartners.com/blog/2012/9/14/details-on-the-crime-attack.html
- http://arstechnica.com/security/2012/09/crime-hijacks-https-sessions/
- https://www.cve.org/CVERecord?id=CVE-2012-4930