CVE-2012-4929: CRIME SSL/TLS Injection vulnerability

CVE ID

CVE-2012-4929

DESCRIPTION

Unitrends has reviewed the penetration test results that were forwarded to our attention on May 29, 2014. We have correlated the results with Common Vulnerabilities and Exposures item CVE-2012-4929.

Unitrends Recovery-Series appliances are not impacted by this CVE.

Details:

  • NIST rates this as Severity LOW.
  • Vulnerability requires network access to the appliance and an HTTPS/SPDY connection to capture data
  • Backup data is not exposed. Transferring backup data does not use HTTPS.
  • The HTTPS web login credentials are not exposed because SSL compression is not used (not SPDY).
  • Support tunnel connections use SSH rather than HTTPS/SPDY, so that is not exposed.
  • Replication does do SSL+compression, but spoofing it would require root access to the system.
     

RESOLUTION

Fixed in:

  • CentOS5 openssl-0.9.8e-26.el5_9.1 or later
  • CentOS6 openssl-1.0.0-27.el6_4.2 or later
To update to the new version with the fix, either do 'yum update openssl' from the command line, or perform an update from the UI.
 

LINK TO ADVISORIES

Was this article helpful?
0 out of 0 found this helpful
Have more questions? Contact us