CVE-2012-4929: CRIME SSL/TLS Injection vulnerability - Connect IT Community | Kaseya
<main>
<article class="userContent">
<h3 data-id="cve-id"><strong>CVE ID</strong></h3>
<p>CVE-2012-4929</p>
<h3 data-id="description"><strong>DESCRIPTION</strong></h3>
<p>Unitrends has reviewed the penetration test results that were forwarded to our attention on May 29, 2014. We have correlated the results with Common Vulnerabilities and Exposures item CVE-2012-4929 (the CRIME attack, which recovers secrets from TLS sessions that use TLS-level compression).</p>
<p>Unitrends Recovery-Series appliances are not impacted by this CVE.</p>
<p>Details:</p>
<ul>
<li>NIST rates this as Severity LOW.</li>
<li>Exploitation requires network access to the appliance and an HTTPS/SPDY connection whose traffic can be captured.</li>
<li>Backup data is not exposed: transferring backup data does not use HTTPS.</li>
<li>The HTTPS web login credentials are not exposed because SSL compression is not used (SPDY is not used either).</li>
<li>Support tunnel connections use SSH rather than HTTPS/SPDY, so they are not exposed.</li>
<li>Replication does use SSL with compression, but spoofing it would require root access to the system.</li>
</ul>
<h3 data-id="resolution"><strong>RESOLUTION</strong></h3>
<p>Fixed in:</p>
<ul>
<li>CentOS5 openssl-0.9.8e-26.el5_9.1 or later</li>
<li>CentOS6 openssl-1.0.0-27.el6_4.2 or later</li>
</ul>
<p>To update to the new version with the fix, either run <code>yum update openssl</code> from the command line, or perform an update from the UI.</p>
<h3 data-id="link-to-advisories"><strong>LINK TO ADVISORIES</strong></h3>
<ul>
<li><a rel="nofollow" href="/home/leaving?allowTrusted=1&target=https%3A%2F%2Faccess.redhat.com%2Fsecurity%2Fcve%2FCVE-2012-4929">https://access.redhat.com/security/cve/CVE-2012-4929</a></li>
<li><a rel="nofollow" href="/home/leaving?allowTrusted=1&target=https%3A%2F%2Fcve.mitre.org%2Fcgi-bin%2Fcvename.cgi%3Fname%3DCVE-2012-4929">https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4929</a></li>
</ul>
</article>
</main>
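<p>The advisory's argument rests on one condition: CRIME needs TLS-level compression, so a service that does not negotiate it is not exposed. The following Python is an added example (not Unitrends or Kaseya code) showing how an administrator can verify that condition on their own endpoints after applying the openssl update: it builds a TLS context that refuses compression, and it parses the <code>Compression:</code> line that <code>openssl s_client -connect host:443</code> prints after a handshake. The two <code>s_client</code> transcripts are constructed sample data; the <code>live_check</code> helper is a hypothetical name and needs network access, so it is not exercised here.</p>

```python
"""Audit helpers for CRIME (CVE-2012-4929) exposure.

Added example, not part of the original advisory. A defender can use it to
(1) build a TLS context that never negotiates compression and (2) read an
`openssl s_client` transcript to see whether a live service still does.
"""
import re
import socket
import ssl

# Constructed sample output, modelled on the "SSL-Session:" block that
# `openssl s_client -connect host:443` prints after the handshake.
SAMPLE_S_CLIENT_SAFE = """\
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Compression: NONE
    Expansion: NONE
"""

SAMPLE_S_CLIENT_EXPOSED = """\
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Compression: zlib compression
    Expansion: zlib compression
"""

_COMPRESSION_LINE = re.compile(r"^\s*Compression\s*:\s*(.+?)\s*$", re.MULTILINE)


def no_compression_context(purpose=ssl.Purpose.SERVER_AUTH) -> ssl.SSLContext:
    """Return a context with TLS compression disabled.

    Current CPython already sets OP_NO_COMPRESSION on new contexts; setting it
    explicitly documents the intent and survives contexts built elsewhere.
    """
    ctx = ssl.create_default_context(purpose)
    ctx.options |= ssl.OP_NO_COMPRESSION
    return ctx


def compression_disabled(ctx: ssl.SSLContext) -> bool:
    """True if the context can never negotiate TLS compression."""
    return bool(ctx.options & ssl.OP_NO_COMPRESSION)


def negotiated_compression(s_client_output: str):
    """Return the compression method reported by s_client, or None for NONE.

    Raises ValueError when the transcript has no "Compression:" line, so a
    truncated capture is never silently read as "safe".
    """
    match = _COMPRESSION_LINE.search(s_client_output)
    if match is None:
        raise ValueError("no 'Compression:' line in s_client output")
    method = match.group(1)
    return None if method.upper() == "NONE" else method


def crime_exposed(s_client_output: str) -> bool:
    """True when the session used any TLS-level compression (CRIME precondition)."""
    return negotiated_compression(s_client_output) is not None


def live_check(host: str, port: int = 443, timeout: float = 5.0):
    """Hypothetical helper: connect and report the compression actually negotiated.

    Uses a default client context (which itself refuses compression) purely to
    read SSLSocket.compression(); None means no compression was negotiated.
    Requires network access, so it is not part of the offline checks above.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.compression()


if __name__ == "__main__":
    print("context refuses compression:", compression_disabled(no_compression_context()))
    print("safe transcript exposed?", crime_exposed(SAMPLE_S_CLIENT_SAFE))
    print("exposed transcript exposed?", crime_exposed(SAMPLE_S_CLIENT_EXPOSED))
```

<p>Run <code>openssl s_client -connect appliance:443 &lt;/dev/null</code> and pass its output to <code>negotiated_compression</code>; a result of <code>None</code> matches the advisory's "SSL compression is not used" claim for that endpoint. Note that a client which refuses compression (as <code>live_check</code> does) cannot tell whether the server would have offered it, which is why the <code>s_client</code> transcript, produced by a client that does not send <code>OP_NO_COMPRESSION</code>, is the more informative check.</p>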