CVE-2009-3555

The TLS protocol, and the SSL protocol 3.0 and possibly earlier, as used in Microsoft Internet Information Services (IIS) 7.0, mod_ssl in the Apache HTTP Server 2.2.14 and earlier, OpenSSL before 0.9.8l, GnuTLS 2.8.5 and earlier, Mozilla Network Security Services (NSS) 3.12.4 and earlier, multiple Cisco products, and other products, does not properly associate renegotiation handshakes with an existing connection, which allows man-in-the-middle attackers to insert data into HTTPS sessions, and possibly other types of sessions protected by TLS or SSL, by sending an unauthenticated request that is processed retroactively by a server in a post-renegotiation context, related to a "plaintext injection" attack, aka the "Project Mogul" issue.
CVSS scores by provider:

Provider  Type  Base Score     Atk. Vector  Atk. Complexity  Priv. Required  Vector
NIST      NIST  5.8 (UNKNOWN)  NETWORK      MEDIUM                           AV:N/AC:M/Au:N/C:N/I:P/A:P
redhat    CNA   ---            ---
CVE       ADP   ---            ---

CVSS 3.x Base Score: (none listed)
EPSS Score Percentile: 85%
Affected products (x = vulnerable software versions):

Vendor     Product        Version
apache     http_server    x ≤ 2.2.14
gnu        gnutls         x ≤ 2.8.5
mozilla    nss            x ≤ 3.12.4
openssl    openssl        x ≤ 0.9.8k
openssl    openssl        1.0
canonical  ubuntu_linux   8.04
canonical  ubuntu_linux   8.10
canonical  ubuntu_linux   9.04
canonical  ubuntu_linux   9.10
canonical  ubuntu_linux   10.04
canonical  ubuntu_linux   10.10
debian     debian_linux   4.0
debian     debian_linux   5.0
debian     debian_linux   6.0
debian     debian_linux   7.0
debian     debian_linux   8.0
f5         nginx          0.1.0 ≤ x ≤ 0.8.22
Debian Releases

Debian Product  Codename             Version              Status
apache2         bullseye             2.4.62-1~deb11u1     fixed
apache2         lenny                                     no-dsa
apache2         squeeze                                   no-dsa
apache2         jessie                                    no-dsa
apache2         bullseye (security)  2.4.62-1~deb11u2     fixed
apache2         bookworm             2.4.62-1~deb12u1     fixed
apache2         bookworm (security)  2.4.62-1~deb12u2     fixed
apache2         sid                  2.4.62-3             fixed
apache2         trixie               2.4.62-3             fixed
lighttpd        bullseye (security)  1.4.59-1+deb11u2     fixed
lighttpd        bullseye             1.4.59-1+deb11u2     fixed
lighttpd        lenny                                     no-dsa
lighttpd        squeeze                                   no-dsa
lighttpd        jessie                                    no-dsa
lighttpd        bookworm             1.4.69-1             fixed
lighttpd        sid                  1.4.76-1             fixed
lighttpd        trixie               1.4.76-1             fixed
nginx           bullseye (security)  1.18.0-6.1+deb11u3   fixed
nginx           bullseye             1.18.0-6.1+deb11u3   fixed
nginx           lenny                                     no-dsa
nginx           squeeze                                   no-dsa
nginx           jessie                                    no-dsa
nginx           bookworm             1.22.1-9             fixed
nginx           sid                  1.26.0-3             fixed
nginx           trixie               1.26.0-3             fixed
nss             bullseye             2:3.61-1+deb11u3     fixed
nss             lenny                                     no-dsa
nss             squeeze                                   no-dsa
nss             jessie                                    no-dsa
nss             bullseye (security)  2:3.61-1+deb11u4     fixed
nss             bookworm             2:3.87.1-1           fixed
nss             sid                  2:3.105-2            fixed
nss             trixie               2:3.105-2            fixed
openssl         bullseye             1.1.1w-0+deb11u1     fixed
openssl         lenny                                     no-dsa
openssl         squeeze                                   no-dsa
openssl         jessie                                    no-dsa
openssl         bullseye (security)  1.1.1w-0+deb11u2     fixed
openssl         bookworm             3.0.14-1~deb12u1     fixed
openssl         bookworm (security)  3.0.14-1~deb12u2     fixed
openssl         sid                  3.3.2-2              fixed
openssl         trixie               3.3.2-2              fixed
pound           bullseye             3.0-2                fixed
pound           lenny                                     no-dsa
pound           squeeze                                   no-dsa
pound           jessie                                    no-dsa
pound           sid                  4.14-2               fixed
pound           trixie               4.14-2               fixed
tomcat-native   bullseye             1.2.26-1             fixed
tomcat-native   lenny                                     no-dsa
tomcat-native   squeeze                                   no-dsa
tomcat-native   jessie                                    no-dsa
tomcat-native   bookworm             1.2.35-1             fixed
tomcat-native   sid                  1.3.1-1              fixed
tomcat-native   trixie               1.3.1-1              fixed
Ubuntu Releases

Ubuntu Product      Codename  Version                      Status
apache2             lucid     Fixed 2.2.14-2ubuntu1        released
apache2             karmic    Fixed 2.2.12-1ubuntu2.1      released
apache2             jaunty    Fixed 2.2.11-2ubuntu2.5      released
apache2             intrepid  Fixed 2.2.9-7ubuntu3.5       released
apache2             hardy     Fixed 2.2.8-1ubuntu0.14      released
apache2             dapper    Fixed 2.0.55-4ubuntu2.9      released
gnutls12            lucid                                  dne
gnutls12            karmic                                 dne
gnutls12            jaunty                                 dne
gnutls12            intrepid                               dne
gnutls12            hardy                                  dne
gnutls12            dapper                                 ignored
gnutls13            lucid                                  dne
gnutls13            karmic                                 dne
gnutls13            jaunty                                 dne
gnutls13            intrepid                               dne
gnutls13            hardy                                  ignored
gnutls13            dapper                                 dne
gnutls26            lucid                                  ignored
gnutls26            karmic                                 ignored
gnutls26            jaunty                                 ignored
gnutls26            intrepid                               ignored
gnutls26            hardy                                  dne
gnutls26            dapper                                 dne
libapache-mod-ssl   lucid                                  dne
libapache-mod-ssl   karmic                                 dne
libapache-mod-ssl   jaunty                                 dne
libapache-mod-ssl   intrepid                               dne
libapache-mod-ssl   hardy                                  dne
libapache-mod-ssl   dapper                                 ignored
nss                 lucid     Fixed 3.12.6-0ubuntu2        released
nss                 karmic    Fixed 3.12.6-0ubuntu0.9.10.1 released
nss                 jaunty    Fixed 3.12.6-0ubuntu0.9.04.1 released
nss                 intrepid                               ignored
nss                 hardy     Fixed 3.12.6-0ubuntu0.8.04.1 released
nss                 dapper                                 dne
openjdk-6           lucid                                  not-affected
openjdk-6           karmic    Fixed 6b16-1.6.1-3ubuntu3    released
openjdk-6           jaunty    Fixed 6b14-1.4.1-0ubuntu13   released
openjdk-6           intrepid  Fixed 6b12-0ubuntu6.7        released
openjdk-6           hardy     Fixed 6b11-2ubuntu2.2        released
openjdk-6           dapper                                 dne
openjdk-6b18        maverick  Fixed 6b18-1.8.2-4ubuntu1    released
openjdk-6b18        lucid                                  not-affected
openjdk-6b18        karmic                                 not-affected
openjdk-6b18        intrepid                               dne
openjdk-6b18        hardy                                  dne
openjdk-6b18        dapper                                 dne
openssl             lucid     Fixed 0.9.8k-7ubuntu8.1      released
openssl             karmic    Fixed 0.9.8g-16ubuntu3.2     released
openssl             jaunty    Fixed 0.9.8g-15ubuntu3.5     released
openssl             intrepid                               ignored
openssl             hardy     Fixed 0.9.8g-4ubuntu3.10     released
openssl             dapper    Fixed 0.9.8a-7ubuntu0.12     released
sun-java6           maverick  Fixed 6.22-0ubuntu1~10.10    released
sun-java6           lucid     Fixed 6.22-0ubuntu1~10.04    released
sun-java6           karmic    Fixed 6.22-0ubuntu1~9.10.1   released
sun-java6           jaunty    Fixed 6.22-0ubuntu1~9.04.1   released
sun-java6           hardy     Fixed 6.22-0ubuntu1~9.04.1   released
sun-java6           dapper                                 dne