CVE Reference: CVE-2009-3555

NOTE: The text on this page is written by CVE MITRE and reflects neither the opinions of Secunia nor the results of our research. All data on this page is written and maintained by CVE MITRE.

Original Page at CVE MITRE:
CVE-2009-3555

Description:
The TLS protocol, and the SSL protocol 3.0 and possibly earlier, as used in Microsoft Internet Information Services (IIS) 7.0, mod_ssl in the Apache HTTP Server 2.2.14 and earlier, OpenSSL before 0.9.8l, GnuTLS 2.8.5 and earlier, Mozilla Network Security Services (NSS) 3.12.4 and earlier, multiple Cisco products, and other products, does not properly associate renegotiation handshakes with an existing connection, which allows man-in-the-middle attackers to insert data into HTTPS sessions, and possibly other types of sessions protected by TLS or SSL, by sending an unauthenticated request that is processed retroactively by a server in a post-renegotiation context, related to a "plaintext injection" attack, aka the "Project Mogul" issue.

CVE Status:
Candidate

References:

XF
  http://xforce.iss.net/xforce/xfdb/54158

UBUNTU
  http://www.ubuntu.com/usn/USN-1010-1
  http://www.ubuntu.com/usn/USN-927-5
  http://www.ubuntu.com/usn/USN-927-4
  http://www.ubuntu.com/usn/USN-927-1
  http://ubuntu.com/usn/usn-923-1

SUSE
  http://lists.opensuse.org/opensuse-security-announce/2011-07/msg00013.html
  http://lists.opensuse.org/opensuse-security-announce/2011-07/msg00014.html
  http://lists.opensuse.org/opensuse-security-announce/2010-12/msg00006.html
  http://lists.opensuse.org/opensuse-security-announce/2010-10/msg00006.html
  http://lists.opensuse.org/opensuse-security-announce/2010-12/msg00005.html
  http://lists.opensuse.org/opensuse-security-announce/2010-06/msg00001.html
  http://lists.opensuse.org/opensuse-security-announce/2010-05/msg00002.html
  http://lists.opensuse.org/opensuse-security-announce/2010-05/msg00001.html
  http://lists.opensuse.org/opensuse-security-announce/2010-04/msg00001.html
  http://lists.opensuse.org/opensuse-security-announce/2009-11/msg00009.html

SUNALERT
  http://sunsolve.sun.com/search/document.do?assetkey=1-77-1021653.1-1
  http://sunsolve.sun.com/search/document.do?assetkey=1-77-1021752.1-1
  http://sunsolve.sun.com/search/document.do?assetkey=1-66-274990-1
  http://sunsolve.sun.com/search/document.do?assetkey=1-26-273350-1
  http://sunsolve.sun.com/search/document.do?assetkey=1-66-273029-1

ST
  1023148
  1023163
  1023204
  1023205
  1023206
  1023207
  1023208
  1023209
  1023210
  1023211
  1023212
  1023215
  1023216
  1023217
  1023218
  1023219
  1023243
  1023270
  1023271
  1023272
  1023273
  1023274
  1023275
  1023411
  1023426
  1023427
  1023428
  1023213
  1023214
  1023224
  1024789

SLACKWARE
  http://slackware.com/security/viewer.php?l=slackware-security&y=2009&m=slackware-security.597446

SAID
  Secunia Advisory: SA37291
  Secunia Advisory: SA37292
  Secunia Advisory: SA37320
  Secunia Advisory: SA37501
  Secunia Advisory: SA37504
  Secunia Advisory: SA37656
  Secunia Advisory: SA37675
  Secunia Advisory: SA37604
  Secunia Advisory: SA37640
  Secunia Advisory: SA37859
  Secunia Advisory: SA38056
  Secunia Advisory: SA38241
  Secunia Advisory: SA38484
  Secunia Advisory: SA38003
  Secunia Advisory: SA38020
  Secunia Advisory: SA38687
  Secunia Advisory: SA39136
  Secunia Advisory: SA39242
  Secunia Advisory: SA39243
  Secunia Advisory: SA39292
  Secunia Advisory: SA39317
  Secunia Advisory: SA37383
  Secunia Advisory: SA37399
  Secunia Advisory: SA37453
  Secunia Advisory: SA39278
  Secunia Advisory: SA38781
  Secunia Advisory: SA39500
  Secunia Advisory: SA39628
  Secunia Advisory: SA39461
  Secunia Advisory: SA39632
  Secunia Advisory: SA39713
  Secunia Advisory: SA39819
  Secunia Advisory: SA40070
  Secunia Advisory: SA39127
  Secunia Advisory: SA40545
  Secunia Advisory: SA40747
  Secunia Advisory: SA40866
  Secunia Advisory: SA41480
  Secunia Advisory: SA41490
  Secunia Advisory: SA41967
  Secunia Advisory: SA41972
  Secunia Advisory: SA42377
  Secunia Advisory: SA42379
  Secunia Advisory: SA42467
  Secunia Advisory: SA42811
  Secunia Advisory: SA42724
  Secunia Advisory: SA42733
  Secunia Advisory: SA42808
  Secunia Advisory: SA42816
  Secunia Advisory: SA43308
  Secunia Advisory: SA44183
  Secunia Advisory: SA44954
  Secunia Advisory: SA48577

REDHAT
  http://www.redhat.com/support/errata/RHSA-2011-0880.html
  http://www.redhat.com/support/errata/RHSA-2010-0987.html
  http://www.redhat.com/support/errata/RHSA-2010-0986.html
  http://www.redhat.com/support/errata/RHSA-2010-0865.html
  http://www.redhat.com/support/errata/RHSA-2010-0768.html
  http://www.redhat.com/support/errata/RHSA-2010-0807.html
  http://www.redhat.com/support/errata/RHSA-2010-0786.html
  http://www.redhat.com/support/errata/RHSA-2010-0770.html
  http://www.redhat.com/support/errata/RHSA-2010-0165.html
  http://www.redhat.com/support/errata/RHSA-2010-0130.html
  http://www.redhat.com/support/errata/RHSA-2010-0339.html
  http://www.redhat.com/support/errata/RHSA-2010-0338.html
  http://www.redhat.com/support/errata/RHSA-2010-0337.html
  http://www.redhat.com/support/errata/RHSA-2010-0167.html
  http://www.redhat.com/support/errata/RHSA-2010-0155.html
  http://www.redhat.com/support/errata/RHSA-2010-0119.html

OVAL
  http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:8366
  http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:7973
  http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:7315
  http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:11578
  http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:10088
  http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:8535
  http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:11617
  http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:7478

OSVDB
  65202
  60972
  62210
  60521

OPENBSD
  http://openbsd.org/errata46.html#004_openssl
  http://openbsd.org/errata45.html#010_openssl

MS
  http://www.microsoft.com/technet/security/Bulletin/MS10-049.mspx

MLIST
  http://www.openwall.com/lists/oss-security/2009/11/23/10
  http://www.openwall.com/lists/oss-security/2009/11/20/1
  http://www.ietf.org/mail-archive/web/tls/current/msg03948.html
  http://www.ietf.org/mail-archive/web/tls/current/msg03928.html
  http://www.openwall.com/lists/oss-security/2009/11/07/3
  http://www.openwall.com/lists/oss-security/2009/11/06/3
  http://www.openwall.com/lists/oss-security/2009/11/05/5
  http://www.openwall.com/lists/oss-security/2009/11/05/3
  http://lists.gnu.org/archive/html/gnutls-devel/2009-11/msg00029.html
  http://marc.info/?l=cryptography&m=125752275331877&w=2
  http://marc.info/?l=apache-httpd-announce&m=125755783724966&w=2

MISC
  http://xss.cx/examples/plesk-reports/plesk-parallels-controlpanel-psa.v.10.3.1_build1013110726.09%20os_redhat.el6-billing-system-plugin-javascript-injection-example-poc-report.html
  http://clicky.me/tlsvuln
  http://blog.g-sec.lu/2009/11/tls-sslv3-renegotiation-vulnerability.html
  http://www.securegoose.org/2009/11/tls-renegotiation-vulnerability-cve.html
  http://www.links.org/?p=789
  http://www.links.org/?p=786
  http://blogs.iss.net/archive/sslmitmiscsrf.html
  http://www.tombom.co.uk/blog/?p=85
  http://www.links.org/?p=780
  http://www.educatedguesswork.org/2009/11/understanding_the_tls_renegoti.html
  http://www.betanews.com/article/1257452450
  http://extendedsubset.com/Renegotiating_TLS.pdf
  http://extendedsubset.com/?p=8

MANDRIVA
  http://www.mandriva.com/security/advisories?name=MDVSA-2010:089
  http://www.mandriva.com/security/advisories?name=MDVSA-2010:076
  http://www.mandriva.com/security/advisories?name=MDVSA-2010:084

HP
  http://www.securityfocus.com/archive/1/522176
  http://marc.info/?l=bugtraq&m=132077688910227&w=2
  http://marc.info/?l=bugtraq&m=130497311408250&w=2
  http://www.itrc.hp.com/service/cki/docDisplay.do?docId=emr_na-c02512995
  http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02436041
  http://itrc.hp.com/service/cki/docDisplay.do?docId=emr_na-c02273751
  http://marc.info/?l=bugtraq&m=127419602507642&w=2
  http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01945686

GENTOO
  http://security.gentoo.org/glsa/glsa-201203-22.xml
  http://security.gentoo.org/glsa/glsa-200912-01.xml

FULLDISC
  http://seclists.org/fulldisclosure/2009/Nov/139

FEDORA
  http://lists.fedoraproject.org/pipermail/package-announce/2010-October/049455.html
  http://lists.fedoraproject.org/pipermail/package-announce/2010-October/049528.html
  http://lists.fedoraproject.org/pipermail/package-announce/2010-October/049702.html
  http://lists.fedoraproject.org/pipermail/package-announce/2010-May/040652.html
  http://lists.fedoraproject.org/pipermail/package-announce/2010-April/039957.html
  http://lists.fedoraproject.org/pipermail/package-announce/2010-April/039561.html

DEBIAN
  http://www.debian.org/security/2011/dsa-2141
  http://www.debian.org/security/2009/dsa-1934

CONFIRM
  http://www.oracle.com/technetwork/topics/security/cpuapr2011-301950.html
  http://www.vmware.com/support/vsphere4/doc/vsp_vc41_u1_rel_notes.html
  http://www.vmware.com/security/advisories/VMSA-2011-0003.html
  http://www.vmware.com/security/advisories/VMSA-2010-0019.html
  http://www-01.ibm.com/support/docview.wss?uid=swg24006386
  http://www.hitachi.co.jp/Prod/comp/soft1/security/info/vuls/HS10-030/index.html
  http://www.oracle.com/technetwork/topics/security/javacpuoct2010-176258.html
  http://support.avaya.com/css/P8/documents/100114327
  http://support.avaya.com/css/P8/documents/100114315
  http://www-01.ibm.com/support/docview.wss?uid=swg21432298
  http://www.oracle.com/technetwork/topics/security/cpuoct2010-175626.html
  http://www.opera.com/support/search/view/944/
  http://www.opera.com/docs/changelogs/unix/1060/
  http://www.openoffice.org/security/cves/CVE-2009-3555.html
  http://support.apple.com/kb/HT4171
  http://support.apple.com/kb/HT4170
  http://support.avaya.com/css/P8/documents/100081611
  http://www-01.ibm.com/support/docview.wss?uid=swg21426108
  http://www.mozilla.org/security/announce/2010/mfsa2010-22.html
  http://support.avaya.com/css/P8/documents/100070150
  http://www.arubanetworks.com/support/alerts/aid-020810.txt
  http://support.zeus.com/zws/news/2010/01/13/zws_4_3r5_released
  http://support.zeus.com/zws/media/docs/4.3/RELEASE_NOTES
  http://support.apple.com/kb/HT4004
  http://tomcat.apache.org/native-doc/miscellaneous/changelog-1.1.x.html
  http://www.proftpd.org/docs/RELEASE_NOTES-1.3.2c
  http://www-01.ibm.com/support/docview.wss?uid=swg24025312
  http://www.ingate.com/Relnote.php?ver=481
  http://wiki.rpath.com/Advisories:rPSA-2009-0155
  http://sysoev.ru/nginx/patch.cve-2009-3555.txt
  http://support.citrix.com/article/CTX123359
  http://kbase.redhat.com/faq/docs/DOC-20491
  http://blogs.sun.com/security/entry/vulnerability_in_tls_protocol_during

CISCO
  http://www.cisco.com/en/US/products/products_security_advisory09186a0080b01d1d.shtml

CERT-VN
  120541

CERT
  http://www.us-cert.gov/cas/techalerts/TA10-287A.html
  http://www.us-cert.gov/cas/techalerts/TA10-222A.html

BUGTRAQ
  http://archives.neohapsis.com/archives/bugtraq/2013-11/0120.html
  http://www.securityfocus.com/archive/1/archive/1/516397/100/0/threaded
  http://www.securityfocus.com/archive/1/archive/1/515055/100/0/threaded
  http://www.securityfocus.com/archive/1/archive/1/508130/100/0/threaded
  http://www.securityfocus.com/archive/1/archive/1/507952/100/0/threaded
  http://www.securityfocus.com/archive/1/archive/1/508075/100/0/threaded

BID
  36935

APPLE
  http://lists.apple.com/archives/security-announce/2010//May/msg00002.html
  http://lists.apple.com/archives/security-announce/2010//May/msg00001.html
  http://lists.apple.com/archives/security-announce/2010/Jan/msg00000.html

AIXAPAR
  http://www-01.ibm.com/support/docview.wss?uid=swg1IC68055
  http://www-01.ibm.com/support/docview.wss?uid=swg1IC68054
  http://www-01.ibm.com/support/docview.wss?uid=swg1PM12247
  http://www-01.ibm.com/support/docview.wss?uid=swg1IC67848
  http://www-1.ibm.com/support/search.wss?rs=0&q=PM00675&apar=only

© 2002-2014 Secunia ApS - Rued Langgaards Vej 8, 4th floor, DK-2300 Copenhagen, Denmark - +45 7020 5144