Red Hat Customer Portal

CVE-2009-3555

Impact: Moderate
Public Date: 2009-11-05
IAVA: 2011-A-0066
CWE: CWE-300
Bugzilla: 533125: CVE-2009-3555 TLS: MITM attacks via session renegotiation

The MITRE CVE dictionary describes this issue as:

The TLS protocol, and the SSL protocol 3.0 and possibly earlier, as used in Microsoft Internet Information Services (IIS) 7.0, mod_ssl in the Apache HTTP Server 2.2.14 and earlier, OpenSSL before 0.9.8l, GnuTLS 2.8.5 and earlier, Mozilla Network Security Services (NSS) 3.12.4 and earlier, multiple Cisco products, and other products, does not properly associate renegotiation handshakes with an existing connection, which allows man-in-the-middle attackers to insert data into HTTPS sessions, and possibly other types of sessions protected by TLS or SSL, by sending an unauthenticated request that is processed retroactively by a server in a post-renegotiation context, related to a "plaintext injection" attack, aka the "Project Mogul" issue.

Find out more about CVE-2009-3555 from the MITRE CVE dictionary and NIST NVD.

Statement

Red Hat is aware of this issue and is tracking it via the following bug:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-3555

Additional information can be found in the Red Hat Knowledgebase article:
http://kbase.redhat.com/faq/docs/DOC-20491

CVSS v2 metrics

NOTE: The following CVSS v2 metrics and score provided are preliminary and subject to review.

Base Score: 4.3
Base Metrics: AV:N/AC:M/Au:N/C:N/I:P/A:N
Access Vector: Network
Access Complexity: Medium
Authentication: None
Confidentiality Impact: None
Integrity Impact: Partial
Availability Impact: None

Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).

Red Hat Security Errata

Platform Errata Release Date
Red Hat Enterprise Linux Supplementary 5 (java-1.4.2-ibm) RHSA-2010:0786 2010-10-20
Red Hat Enterprise Linux 4 (nss) RHSA-2010:0165 2010-03-25
Red Hat Enterprise Linux 4 (gnutls) RHSA-2010:0167 2010-03-25
RHEL 4 AS for SAP (java-1.4.2-ibm) RHSA-2010:0408 2010-05-12
Red Hat Enterprise Linux 4 (openssl) RHSA-2010:0163 2010-03-25
Red Hat Enterprise Virtualization Hypervisor 5 (rhev-hypervisor) RHSA-2010:0440 2010-05-25
Red Hat JBoss Web Server 1.0 for RHEL 4 AS (httpd22) RHSA-2010:0011 2010-01-06
Red Hat JBoss Web Server 1.0 for RHEL 4 AS (xml-commons-resolver12) RHSA-2010:0119 2010-02-23
Red Hat Enterprise Linux 5 (httpd) RHSA-2009:1579 2009-11-11
Red Hat Enterprise Linux AS version 4 Extras (java-1.5.0-ibm) RHSA-2010:0807 2010-10-27
Red Hat Enterprise Linux 5 (java-1.6.0-openjdk) RHSA-2010:0768 2010-10-13
Red Hat Enterprise Linux 6 (java-1.6.0-openjdk) RHSA-2010:0865 2010-11-10
Red Hat Enterprise Linux AS version 3 Extras (java-1.4.2-ibm) RHSA-2010:0155 2010-03-17
Red Hat Enterprise Linux 5 (gnutls) RHSA-2010:0166 2010-03-25
Red Hat Enterprise Linux 5 (nss) RHSA-2010:0165 2010-03-25
Red Hat Enterprise Linux 5 (openssl097a) RHSA-2010:0164 2010-03-25
Red Hat Enterprise Linux 5 (openssl) RHSA-2010:0162 2010-03-25
Red Hat Enterprise Linux AS version 4 Extras (java-1.5.0-sun) RHSA-2010:0338 2010-04-01
Red Hat Enterprise Linux Supplementary (v. 6) (java-1.6.0-ibm) RHSA-2010:0987 2010-12-15
Red Hat Enterprise Linux Supplementary 5 (java-1.6.0-sun) RHSA-2010:0337 2010-04-01
Red Hat Enterprise Linux Supplementary 5 (java-1.5.0-sun) RHSA-2010:0338 2010-04-01
RHEL 5 Server for SAP (java-1.4.2-ibm-sap) RHSA-2010:0986 2010-12-15
Red Hat Enterprise Linux 4 (httpd) RHSA-2009:1580 2009-11-11
Red Hat Enterprise Linux AS version 4 Extras (java-1.6.0-sun) RHSA-2010:0337 2010-04-01
Red Hat Enterprise Linux AS version 4 Extras (java-1.5.0-ibm) RHSA-2010:0130 2010-03-03
Red Hat Enterprise Linux AS version 4 Extras (java-1.4.2-ibm) RHSA-2010:0155 2010-03-17
Red Hat Enterprise Linux Supplementary 5 (java-1.6.0-ibm) RHSA-2010:0987 2010-12-15
Red Hat Satellite 5.4 (RHEL v.5) (java-1.6.0-ibm) RHSA-2011:0880 2011-06-16
RHEL 4 AS for SAP (java-1.4.2-ibm-sap) RHSA-2010:0986 2010-12-15
Red Hat Enterprise Linux AS version 4 Extras (java-1.6.0-ibm) RHSA-2010:0987 2010-12-15
Red Hat Enterprise Linux Supplementary 5 (java-1.6.0-sun) RHSA-2010:0770 2010-10-14
RHEL 5 Server for SAP (java-1.4.2-ibm) RHSA-2010:0408 2010-05-12
Red Hat Enterprise Linux Supplementary 5 (java-1.6.0-ibm) RHSA-2009:1694 2009-12-23
Red Hat Enterprise Linux AS version 3 Extras (java-1.4.2-ibm) RHSA-2010:0786 2010-10-20
Red Hat JBoss Web Server 1.0 for RHEL 5 Server (tomcat6) RHSA-2010:0119 2010-02-23
Red Hat JBoss Web Server 1.0 for RHEL 5 Server (httpd) RHSA-2010:0011 2010-01-06
Red Hat Enterprise Linux AS version 4 Extras (java-1.6.0-ibm) RHSA-2009:1694 2009-12-23
Red Hat Enterprise Linux 3 (httpd) RHSA-2009:1579 2009-11-11
Red Hat Enterprise Linux Supplementary 5 (java-1.5.0-ibm) RHSA-2010:0807 2010-10-27
Red Hat Enterprise Linux Supplementary 5 (java-1.5.0-ibm) RHSA-2010:0130 2010-03-03
Red Hat Enterprise Linux 3 (openssl) RHSA-2010:0163 2010-03-25
Red Hat Enterprise Linux AS version 4 Extras (java-1.6.0-sun) RHSA-2010:0770 2010-10-14
Red Hat Enterprise Linux Supplementary 5 (java-1.4.2-ibm) RHSA-2010:0155 2010-03-17
Red Hat Enterprise Linux AS version 4 Extras (java-1.4.2-ibm) RHSA-2010:0786 2010-10-20
Red Hat Enterprise Linux 5 (java-1.6.0-openjdk) RHSA-2010:0339 2010-04-01

Affected Packages State

Platform Package State
Red Hat Enterprise Linux Supplementary 4.7.z java-1.5.0-sun 1.5.0.22-1jpp.3.el4 Fixed
Red Hat Enterprise Linux for SAP 6 java-1.4.2-ibm-sap 1.4.2.13.6.sap-1jpp.3.el6 Fixed