J-Security Center

Title: OpenSSL Unseeded Random Number Generator Vulnerability

Severity: MODERATE

Description:

A design error exists in some versions of OpenSSL that may lead to the disclosure of sensitive information.

The problem exists because the SSL_connect() function, which initiates the TLS/SSL handshake with a server, does not ensure that the underlying pseudo-random number generator is properly seeded before starting an SSL connection.

This may lead to the disclosure of sensitive information by applications that use the OpenSSL toolkit if the random number generator is not initialized.

This problem is known to affect qmail's unofficial 'tls.patch' patch, which fails to seed the random number generator.
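The check that SSL_connect() leaves to the application can be done by the caller before any handshake starts. The following is an added example, not code from the advisory or from OpenSSL; it uses Python's ssl bindings to OpenSSL's RAND_status() and RAND_add(), and the function names, the 32-byte seed size and the placeholder host name example.invalid are assumptions made for illustration.

```python
import os
import ssl

SEED_BYTES = 32  # assumption: 256 bits of OS entropy used as seed material


def ensure_prng_seeded() -> bool:
    """Return True once OpenSSL's PRNG reports that it is seeded."""
    if ssl.RAND_status():
        return True
    # Mix in entropy from the operating system, then ask OpenSSL again.
    seed = os.urandom(SEED_BYTES)
    ssl.RAND_add(seed, float(len(seed)))
    return bool(ssl.RAND_status())


def client_hello_random(ctx=None) -> bytes:
    """Start a client handshake in memory and return the ClientHello random."""
    if not ensure_prng_seeded():
        raise RuntimeError("OpenSSL PRNG not seeded; refusing to start handshake")
    ctx = ctx or ssl.create_default_context()
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    # "example.invalid" is a constructed placeholder; nothing is sent on the network.
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname="example.invalid")
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: no server is attached to the memory BIOs
    record = outgoing.read()
    # Layout: 5-byte record header, 4-byte handshake header, 2-byte version,
    # then the 32-byte random drawn from OpenSSL's PRNG.
    if len(record) < 43 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("first record is not a ClientHello")
    return record[11:43]


def randoms_look_independent(samples: int = 4) -> bool:
    """Regression check: repeated handshakes must not reuse a random value."""
    ctx = ssl.create_default_context()
    seen = {client_hello_random(ctx) for _ in range(samples)}
    return len(seen) == samples


if __name__ == "__main__":
    print("PRNG seeded:", ensure_prng_seeded())
    print("ClientHello randoms distinct:", randoms_look_independent())
```

On builds where OpenSSL seeds itself from the operating system, RAND_status() is already true and the RAND_add() branch is never taken.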

Affected Products:

  • Debian Linux 3.0.0
  • OpenBSD OpenBSD 2.6.0
  • OpenSSL Project OpenSSL 0.9.1 c
  • OpenSSL Project OpenSSL 0.9.2 b
  • OpenSSL Project OpenSSL 0.9.3
  • OpenSSL Project OpenSSL 0.9.4
