CVE-2009-1378

EUVD-2009-1376
Multiple memory leaks in the dtls1_process_out_of_seq_message function in ssl/d1_both.c in OpenSSL 0.9.8k and earlier 0.9.8 versions allow remote attackers to cause a denial of service (memory consumption) via DTLS records that (1) are duplicates or (2) have sequence numbers much greater than current sequence numbers, aka "DTLS fragment handling memory leak."
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
5 UNKNOWN
NETWORK
LOW
AV:N/AC:L/Au:N/C:N/I:N/A:P
Base Score
CVSS 3.x
EPSS Score
Percentile: 94%
Affected Products (NVD)
VendorProductVersion
opensslopenssl
0.9.8 <
𝑥
< 0.9.8m
canonicalubuntu_linux
6.06
canonicalubuntu_linux
8.04
canonicalubuntu_linux
8.10
canonicalubuntu_linux
9.04
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
openssl
bookworm
3.0.14-1~deb12u1
fixed
bookworm (security)
3.0.14-1~deb12u2
fixed
bullseye
1.1.1w-0+deb11u1
fixed
bullseye (security)
1.1.1w-0+deb11u2
fixed
sid
3.3.2-2
fixed
trixie
3.3.2-2
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
openssl
dapper
Fixed 0.9.8a-7ubuntu0.9
released
hardy
Fixed 0.9.8g-4ubuntu3.7
released
intrepid
Fixed 0.9.8g-10.1ubuntu2.4
released
jaunty
Fixed 0.9.8g-15ubuntu3.2
released
Common Weakness Enumeration
References
ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2009-009.txt.asc
http://cvs.openssl.org/chngview?cn=18188
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02029444
http://lists.opensuse.org/opensuse-security-announce/2009-06/msg00003.html
http://lists.vmware.com/pipermail/security-announce/2010/000082.html
http://marc.info/?l=openssl-dev&m=124247679213944&w=2
http://marc.info/?l=openssl-dev&m=124263491424212&w=2
http://rt.openssl.org/Ticket/Display.html?id=1931&user=guest&pass=guest
http://secunia.com/advisories/35128
http://secunia.com/advisories/35416
http://secunia.com/advisories/35461
http://secunia.com/advisories/35571
http://secunia.com/advisories/35729
http://secunia.com/advisories/36533
http://secunia.com/advisories/37003
http://secunia.com/advisories/38761
http://secunia.com/advisories/38794
http://secunia.com/advisories/38834
http://secunia.com/advisories/42724
http://secunia.com/advisories/42733
http://security.gentoo.org/glsa/glsa-200912-01.xml
http://slackware.com/security/viewer.php?l=slackware-security&y=2010&m=slackware-security.663049
http://sourceforge.net/mailarchive/message.php?msg_name=4AD43807.7080105%40users.sourceforge.net
http://voodoo-circle.sourceforge.net/sa/sa-20091012-01.html
http://www.mandriva.com/security/advisories?name=MDVSA-2009:120
http://www.openwall.com/lists/oss-security/2009/05/18/1
http://www.redhat.com/support/errata/RHSA-2009-1335.html
http://www.securityfocus.com/bid/35001
http://www.securitytracker.com/id?1022241
http://www.ubuntu.com/usn/USN-792-1
http://www.vupen.com/english/advisories/2009/1377
http://www.vupen.com/english/advisories/2010/0528
https://kb.bluecoat.com/index?page=content&id=SA50
https://launchpad.net/bugs/cve/2009-1378
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11309
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7229
https://www.exploit-db.com/exploits/8720
ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2009-009.txt.asc
http://cvs.openssl.org/chngview?cn=18188
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02029444
http://lists.opensuse.org/opensuse-security-announce/2009-06/msg00003.html
http://lists.vmware.com/pipermail/security-announce/2010/000082.html
http://marc.info/?l=openssl-dev&m=124247679213944&w=2
http://marc.info/?l=openssl-dev&m=124263491424212&w=2
http://rt.openssl.org/Ticket/Display.html?id=1931&user=guest&pass=guest
http://secunia.com/advisories/35128
http://secunia.com/advisories/35416
http://secunia.com/advisories/35461
http://secunia.com/advisories/35571
http://secunia.com/advisories/35729
http://secunia.com/advisories/36533
http://secunia.com/advisories/37003
http://secunia.com/advisories/38761
http://secunia.com/advisories/38794
http://secunia.com/advisories/38834
http://secunia.com/advisories/42724
http://secunia.com/advisories/42733
http://security.gentoo.org/glsa/glsa-200912-01.xml
http://slackware.com/security/viewer.php?l=slackware-security&y=2010&m=slackware-security.663049
http://sourceforge.net/mailarchive/message.php?msg_name=4AD43807.7080105%40users.sourceforge.net
http://voodoo-circle.sourceforge.net/sa/sa-20091012-01.html
http://www.mandriva.com/security/advisories?name=MDVSA-2009:120
http://www.openwall.com/lists/oss-security/2009/05/18/1
http://www.redhat.com/support/errata/RHSA-2009-1335.html
http://www.securityfocus.com/bid/35001
http://www.securitytracker.com/id?1022241
http://www.ubuntu.com/usn/USN-792-1
http://www.vupen.com/english/advisories/2009/1377
http://www.vupen.com/english/advisories/2010/0528
https://kb.bluecoat.com/index?page=content&id=SA50
https://launchpad.net/bugs/cve/2009-1378
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11309
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7229
https://www.exploit-db.com/exploits/8720