Common Vulnerabilities and Exposures assigned an identifier CVE-2008-7270 to the following vulnerability:

OpenSSL before 0.9.8j, when SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG is enabled, does not prevent modification of the ciphersuite in the session cache, which allows remote attackers to force the use of a disabled cipher via vectors involving sniffing network traffic to discover a session identifier, a different vulnerability than CVE-2010-4180.

References:
http://cvs.openssl.org/chngview?cn=17489
https://bugzilla.redhat.com/show_bug.cgi?id=659462

(In reply to comment #0)
> a different vulnerability than CVE-2010-4180.

While the CVE description lists these vulnerabilities as different, they are related. The use of SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG gives an attacker the possibility to change the ciphersuite in the stored session (CVE-2010-4180). The impact of that flaw is greater in pre-0.9.8j versions, as the session ciphersuite can be changed to one of those that are not enabled on the server side (CVE-2008-7270).

See bug #659462, comment #0 for the details.

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 4

Via RHSA-2010:0977 https://rhn.redhat.com/errata/RHSA-2010-0977.html

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2010:0978 https://rhn.redhat.com/errata/RHSA-2010-0978.html

This issue has been addressed in the following products:

  JBoss Enterprise Web Server 1.0

Via RHSA-2011:0896 https://rhn.redhat.com/errata/RHSA-2011-0896.html
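
A triage sketch for the relationship described in the comments above, added here as an example and not taken from this bug or from OpenSSL: it orders OpenSSL letter releases against 0.9.8j and tests the options mask for SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG. The bit value 0x00000008 (from the 0.9.8/1.0.x headers), the function names, the verdict labels and the inventory are assumptions.

```python
import re

# Bit for SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG as defined in the
# 0.9.8/1.0.x ssl.h headers (assumption: the value is not given on this page).
REUSE_CIPHER_CHANGE_BUG = 0x00000008
FIRST_UNAFFECTED = (0, 9, 8, "j")  # "OpenSSL before 0.9.8j" per CVE-2008-7270

_VERSION = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]{0,2})")


def parse_openssl_version(text):
    """Parse '0.9.8i' or 'OpenSSL 0.9.8e 23 Feb 2007' into a sortable tuple.

    Letter releases sort as plain strings: '' < 'a' < ... < 'z' < 'za',
    because every two-letter suffix starts with 'z'.
    """
    m = _VERSION.search(text)
    if m is None:
        raise ValueError(f"no OpenSSL version in {text!r}")
    major, minor, fix, letter = m.groups()
    return int(major), int(minor), int(fix), letter


def triage(version_text, ssl_options):
    """Classify one server from its upstream version and SSL options mask."""
    if not ssl_options & REUSE_CIPHER_CHANGE_BUG:
        return "option-off"            # both CVEs require the option
    if parse_openssl_version(version_text) < FIRST_UNAFFECTED:
        return "cve-2008-7270"         # disabled ciphers can be forced too
    # Fixed releases for CVE-2010-4180 are not listed on this page.
    return "review-cve-2010-4180"


# Constructed inventory: (host, version string, options mask).
INVENTORY = [
    ("web01", "OpenSSL 0.9.8e 23 Feb 2007", 0x00000FFF),
    ("web02", "0.9.8j", 0x00000FFF),
    ("web03", "0.9.8i", 0x00000000),
    ("web04", "0.9.8za", 0x00000008),
]


def report(inventory=INVENTORY):
    return {host: triage(ver, opts) for host, ver, opts in inventory}


if __name__ == "__main__":
    for host, verdict in report().items():
        print(f"{host}: {verdict}")
```

Distribution packages such as those covered by the RHSA errata above carry backported fixes under an older upstream version string, so confirm a `cve-2008-7270` verdict against the installed package's errata level.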