Red Hat Customer Portal

CVE-2009-3555

The TLS protocol, and the SSL protocol 3.0 and possibly earlier, as used in Microsoft Internet Information Services (IIS) 7.0, mod_ssl in the Apache HTTP Server 2.2.14 and earlier, OpenSSL before 0.9.8l, GnuTLS 2.8.5 and earlier, Mozilla Network Security Services (NSS) 3.12.4 and earlier, multiple Cisco products, and other products, does not properly associate renegotiation handshakes with an existing connection, which allows man-in-the-middle attackers to insert data into HTTPS sessions, and possibly other types of sessions protected by TLS or SSL, by sending an unauthenticated request that is processed retroactively by a server in a post-renegotiation context, related to a "plaintext injection" attack, aka the "Project Mogul" issue.

Details Source

Mitre

Statement

Red Hat is aware of this issue and is tracking it via the following bug:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-3555

Additional information can be found in the Red Hat Knowledgebase article:
http://kbase.redhat.com/faq/docs/DOC-20491

Public Date

2009-11-05 00:00:00

Impact

Moderate

Bugzilla

CVE-2009-3555 TLS: MITM attacks via session renegotiation

Bugzilla ID

533125

CVSS Status

verified

Base Score

4.30

Base Metrics

AV:N/AC:M/Au:N/C:N/I:P/A:N

IAVA

2011-A-0066

Red Hat Security Errata

Platform | Errata | Release Date
Red Hat Enterprise Linux Supplementary 5 (java-1.4.2-ibm) | RHSA-2010:0786 | 2010-10-20
Red Hat Enterprise Linux 4 | RHSA-2010:0165 | 2010-03-25
Red Hat Enterprise Linux 4 (gnutls) | RHSA-2010:0167 | 2010-03-25
RHEL 4 AS for SAP (java-1.4.2-ibm) | RHSA-2010:0408 | 2010-05-12
Red Hat Enterprise Linux 4 (openssl) | RHSA-2010:0163 | 2010-03-25
Red Hat Enterprise Virtualization Hypervisor 5 (rhev-hypervisor) | RHSA-2010:0440 | 2010-05-25
Red Hat JBoss Web Server 1.0 for RHEL 4 AS (httpd22) | RHSA-2010:0011 | 2010-01-06
Red Hat JBoss Web Server 1.0 for RHEL 4 AS | RHSA-2010:0119 | 2010-02-23
Red Hat Enterprise Linux 5 (httpd) | RHSA-2009:1579 | 2009-11-11
Red Hat Enterprise Linux AS version 4 Extras (java-1.5.0-ibm) | RHSA-2010:0807 | 2010-10-27
Red Hat Enterprise Linux 5 (java-1.6.0-openjdk) | RHSA-2010:0768 | 2010-10-13
Red Hat Enterprise Linux 6 (java-1.6.0-openjdk) | RHSA-2010:0865 | 2010-11-10
Red Hat Enterprise Linux AS version 3 Extras (java-1.4.2-ibm) | RHSA-2010:0155 | 2010-03-17
Red Hat Enterprise Linux 5 (gnutls) | RHSA-2010:0166 | 2010-03-25
Red Hat Enterprise Linux 5 | RHSA-2010:0165 | 2010-03-25
Red Hat Enterprise Linux 5 (openssl097a) | RHSA-2010:0164 | 2010-03-25
Red Hat Enterprise Linux 5 (openssl) | RHSA-2010:0162 | 2010-03-25
Red Hat Enterprise Linux AS version 4 Extras (java-1.5.0-sun) | RHSA-2010:0338 | 2010-04-01
Red Hat Enterprise Linux Supplementary (v. 6) (java-1.6.0-ibm) | RHSA-2010:0987 | 2010-12-15
Red Hat Enterprise Linux Supplementary 5 (java-1.6.0-sun) | RHSA-2010:0337 | 2010-04-01
Red Hat Enterprise Linux Supplementary 5 (java-1.5.0-sun) | RHSA-2010:0338 | 2010-04-01
RHEL 5 Server for SAP (java-1.4.2-ibm-sap) | RHSA-2010:0986 | 2010-12-15
Red Hat Enterprise Linux 4 (httpd) | RHSA-2009:1580 | 2009-11-11
Red Hat Enterprise Linux AS version 4 Extras (java-1.6.0-sun) | RHSA-2010:0337 | 2010-04-01
Red Hat Enterprise Linux AS version 4 Extras (java-1.5.0-ibm) | RHSA-2010:0130 | 2010-03-03
Red Hat Enterprise Linux AS version 4 Extras (java-1.4.2-ibm) | RHSA-2010:0155 | 2010-03-17
Red Hat Enterprise Linux Supplementary 5 (java-1.6.0-ibm) | RHSA-2010:0987 | 2010-12-15
Red Hat Satellite 5.4 (RHEL v.5) (java-1.6.0-ibm) | RHSA-2011:0880 | 2011-06-16
RHEL 4 AS for SAP (java-1.4.2-ibm-sap) | RHSA-2010:0986 | 2010-12-15
Red Hat Enterprise Linux AS version 4 Extras (java-1.6.0-ibm) | RHSA-2010:0987 | 2010-12-15
Red Hat Enterprise Linux Supplementary 5 (java-1.6.0-sun) | RHSA-2010:0770 | 2010-10-14
RHEL 5 Server for SAP (java-1.4.2-ibm) | RHSA-2010:0408 | 2010-05-12
Red Hat Enterprise Linux Supplementary 5 (java-1.6.0-ibm) | RHSA-2009:1694 | 2009-12-23
Red Hat Enterprise Linux for SAP 6 (java-1.4.2-ibm-sap) | RHSA-2010:0986 | 2010-12-15
Red Hat Enterprise Linux AS version 3 Extras (java-1.4.2-ibm) | RHSA-2010:0786 | 2010-10-20
Red Hat JBoss Enterprise Web Server 1 for RHEL 5 Server | RHSA-2010:0119 | 2010-02-23
Red Hat JBoss Enterprise Web Server 1 for RHEL 5 Server | RHSA-2010:0011 | 2010-01-06
Red Hat Enterprise Linux AS version 4 Extras (java-1.6.0-ibm) | RHSA-2009:1694 | 2009-12-23
Red Hat Enterprise Linux 3 (httpd) | RHSA-2009:1579 | 2009-11-11
Red Hat Enterprise Linux Supplementary 5 (java-1.5.0-ibm) | RHSA-2010:0807 | 2010-10-27
Red Hat Enterprise Linux Supplementary 5 (java-1.5.0-ibm) | RHSA-2010:0130 | 2010-03-03
Red Hat Enterprise Linux 3 (openssl) | RHSA-2010:0163 | 2010-03-25
Red Hat Enterprise Linux AS version 4 Extras (java-1.6.0-sun) | RHSA-2010:0770 | 2010-10-14
Red Hat Enterprise Linux Supplementary 5 (java-1.4.2-ibm) | RHSA-2010:0155 | 2010-03-17
Red Hat Enterprise Linux AS version 4 Extras (java-1.4.2-ibm) | RHSA-2010:0786 | 2010-10-20
Red Hat Enterprise Linux 5 (java-1.6.0-openjdk) | RHSA-2010:0339 | 2010-04-01

CWE

CWE-300

Affected Packages State

Platform | Package | State
Red Hat Satellite 6 | pulp | Affected