CVE-2008-5161
Severity CVSS v4.0:
Pending analysis
Type:
CWE-200
Information Leak / Disclosure
Publication date:
19/11/2008
Last modified:
09/04/2025
Description
Error handling in the SSH protocol in (1) SSH Tectia Client and Server and Connector 4.0 through 4.4.11, 5.0 through 5.2.4, and 5.3 through 5.3.8; Client and Server and ConnectSecure 6.0 through 6.0.4; Server for Linux on IBM System z 6.0.4; Server for IBM z/OS 5.5.1 and earlier, 6.0.0, and 6.0.1; and Client 4.0-J through 4.3.3-J and 4.0-K through 4.3.10-K; and (2) OpenSSH 4.7p1 and possibly other versions, when using a block cipher algorithm in Cipher Block Chaining (CBC) mode, makes it easier for remote attackers to recover certain plaintext data from an arbitrary block of ciphertext in an SSH session via unknown vectors.
Impact
Base Score 2.0
2.60
Severity 2.0
LOW
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:openbsd:openssh:4.7p1:*:*:*:*:*:*:* | ||
| cpe:2.3:a:ssh:tectia_client:4.0:*:*:*:*:*:*:* | ||
| cpe:2.3:a:ssh:tectia_client:4.0.1:*:*:*:*:*:*:* | ||
| cpe:2.3:a:ssh:tectia_client:4.0.3:*:*:*:*:*:*:* | ||
| cpe:2.3:a:ssh:tectia_client:4.0.4:*:*:*:*:*:*:* | ||
| cpe:2.3:a:ssh:tectia_client:4.0.5:*:*:*:*:*:*:* | ||
| cpe:2.3:a:ssh:tectia_client:4.2:*:*:*:*:*:*:* | ||
| cpe:2.3:a:ssh:tectia_client:4.2.1:*:*:*:*:*:*:* | ||
| cpe:2.3:a:ssh:tectia_client:4.3:*:*:*:*:*:*:* | ||
| cpe:2.3:a:ssh:tectia_client:4.3.1:*:*:*:*:*:*:* | ||
| cpe:2.3:a:ssh:tectia_client:4.3.1j:*:*:*:*:*:*:* | ||
| cpe:2.3:a:ssh:tectia_client:4.3.2:*:*:*:*:*:*:* | ||
| cpe:2.3:a:ssh:tectia_client:4.3.2j:*:*:*:*:*:*:* | ||
| cpe:2.3:a:ssh:tectia_client:4.3.3:*:*:*:*:*:*:* | ||
| cpe:2.3:a:ssh:tectia_client:4.3.4:*:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- http://isc.sans.org/diary.html?storyid=5366
- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10705
- http://lists.apple.com/archives/security-announce/2009/Nov/msg00000.html
- http://marc.info/?l=bugtraq&m=125017764422557&w=2
- http://marc.info/?l=bugtraq&m=125017764422557&w=2
- http://openssh.org/txt/cbc.adv
- http://osvdb.org/49872
- http://osvdb.org/50035
- http://osvdb.org/50036
- http://rhn.redhat.com/errata/RHSA-2009-1287.html
- http://secunia.com/advisories/32740
- http://secunia.com/advisories/32760
- http://secunia.com/advisories/32833
- http://secunia.com/advisories/33121
- http://secunia.com/advisories/33308
- http://secunia.com/advisories/34857
- http://secunia.com/advisories/36558
- http://sunsolve.sun.com/search/document.do?assetkey=1-66-247186-1
- http://support.apple.com/kb/HT3937
- http://support.attachmate.com/techdocs/2398.html
- http://support.avaya.com/elmodocs2/security/ASA-2008-503.htm
- http://www.cpni.gov.uk/Docs/Vulnerability_Advisory_SSH.txt
- http://www.kb.cert.org/vuls/id/958563
- http://www.rtpro.yamaha.co.jp/RT/FAQ/Security/CPNI957037.html
- http://www.securityfocus.com/archive/1/498558/100/0/threaded
- http://www.securityfocus.com/archive/1/498579/100/0/threaded
- http://www.securityfocus.com/bid/32319
- http://www.securitytracker.com/id?1021235=
- http://www.securitytracker.com/id?1021236=
- http://www.securitytracker.com/id?1021382=
- http://www.ssh.com/company/news/article/953/
- http://www.vupen.com/english/advisories/2008/3172
- http://www.vupen.com/english/advisories/2008/3173
- http://www.vupen.com/english/advisories/2008/3409
- http://www.vupen.com/english/advisories/2009/1135
- http://www.vupen.com/english/advisories/2009/3184
- https://exchange.xforce.ibmcloud.com/vulnerabilities/46620
- https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05157667
- https://kc.mcafee.com/corporate/index?page=content&id=SB10106
- https://kc.mcafee.com/corporate/index?page=content&id=SB10163
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11279
- http://isc.sans.org/diary.html?storyid=5366
- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10705
- http://lists.apple.com/archives/security-announce/2009/Nov/msg00000.html
- http://marc.info/?l=bugtraq&m=125017764422557&w=2
- http://marc.info/?l=bugtraq&m=125017764422557&w=2
- http://openssh.org/txt/cbc.adv
- http://osvdb.org/49872
- http://osvdb.org/50035
- http://osvdb.org/50036
- http://rhn.redhat.com/errata/RHSA-2009-1287.html
- http://secunia.com/advisories/32740
- http://secunia.com/advisories/32760
- http://secunia.com/advisories/32833
- http://secunia.com/advisories/33121
- http://secunia.com/advisories/33308
- http://secunia.com/advisories/34857
- http://secunia.com/advisories/36558
- http://sunsolve.sun.com/search/document.do?assetkey=1-66-247186-1
- http://support.apple.com/kb/HT3937
- http://support.attachmate.com/techdocs/2398.html
- http://support.avaya.com/elmodocs2/security/ASA-2008-503.htm
- http://www.cpni.gov.uk/Docs/Vulnerability_Advisory_SSH.txt
- http://www.kb.cert.org/vuls/id/958563
- http://www.rtpro.yamaha.co.jp/RT/FAQ/Security/CPNI957037.html
- http://www.securityfocus.com/archive/1/498558/100/0/threaded
- http://www.securityfocus.com/archive/1/498579/100/0/threaded
- http://www.securityfocus.com/bid/32319
- http://www.securitytracker.com/id?1021235=
- http://www.securitytracker.com/id?1021236=
- http://www.securitytracker.com/id?1021382=
- http://www.ssh.com/company/news/article/953/
- http://www.vupen.com/english/advisories/2008/3172
- http://www.vupen.com/english/advisories/2008/3173
- http://www.vupen.com/english/advisories/2008/3409
- http://www.vupen.com/english/advisories/2009/1135
- http://www.vupen.com/english/advisories/2009/3184
- https://exchange.xforce.ibmcloud.com/vulnerabilities/46620
- https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05157667
- https://kc.mcafee.com/corporate/index?page=content&id=SB10106
- https://kc.mcafee.com/corporate/index?page=content&id=SB10163
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11279