CVE Database

CVE-2009-3555

Impact: Moderate
Public: 2009-11-05
Bugzilla: 533125: CVE-2009-3555 TLS: MITM attacks via session renegotiation
IAVA: 2012-B-0038

Details

The MITRE CVE dictionary describes this issue as:

The TLS protocol, and the SSL protocol 3.0 and possibly earlier, as used in Microsoft Internet Information Services (IIS) 7.0, mod_ssl in the Apache HTTP Server 2.2.14 and earlier, OpenSSL before 0.9.8l, GnuTLS 2.8.5 and earlier, Mozilla Network Security Services (NSS) 3.12.4 and earlier, multiple Cisco products, and other products, does not properly associate renegotiation handshakes with an existing connection, which allows man-in-the-middle attackers to insert data into HTTPS sessions, and possibly other types of sessions protected by TLS or SSL, by sending an unauthenticated request that is processed retroactively by a server in a post-renegotiation context, related to a "plaintext injection" attack, aka the "Project Mogul" issue.

Find out more about CVE-2009-3555 from the MITRE CVE dictionary and NIST NVD.
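The mechanism in the description above, as an added illustration that is not code from Red Hat or from any TLS implementation: a server that keeps one application-data stream across a renegotiation will process the bytes a man-in-the-middle sent before the renegotiation together with the bytes the victim sends after it, and the RFC 5746 renegotiation_info check is what ties a renegotiating peer to the handshake that set up the connection. Everything here is a toy model: the handshake is a dictionary, verify_data is an HMAC stand-in, and the bank.example requests, cookie and X-Ignore header are constructed.

```python
"""
Toy model of the CVE-2009-3555 plaintext-injection attack and of the
RFC 5746 renegotiation_info check that stops it.  Added example, not
code from Red Hat or any TLS library: the handshake is reduced to a
dictionary, verify_data is a constructed HMAC stand-in, and the HTTP
requests are made up.
"""
import hashlib
import hmac


def finished_verify_data(master_secret: bytes, transcript: bytes) -> bytes:
    """Stand-in for the 12-byte Finished.verify_data of a handshake.  Real
    TLS derives it with the PRF over the handshake hash; an HMAC is enough
    to model "only a party to that handshake can produce it"."""
    return hmac.new(master_secret, transcript, hashlib.sha256).digest()[:12]


def parse_http_requests(stream: bytes):
    """Minimal HTTP/1.x header parser over one byte stream: one tuple
    (method, path, headers) per request whose header block is complete.
    Bytes after the last CRLFCRLF stay unparsed, as on a real server
    waiting for more data."""
    requests = []
    while b"\r\n\r\n" in stream:
        head, _, stream = stream.partition(b"\r\n\r\n")
        lines = head.split(b"\r\n")
        method, path, _version = lines[0].split(b" ", 2)
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(b":")
            headers[name.strip().lower().decode()] = value.strip().decode()
        requests.append((method.decode(), path.decode(), headers))
    return requests


class TlsServer:
    """Server whose application-data stream continues across a
    renegotiation.  With rfc5746=False it behaves like the affected
    stacks: nothing ties the renegotiating peer to the earlier handshake."""

    def __init__(self, rfc5746: bool):
        self.rfc5746 = rfc5746
        self.prev_client_vd = None  # client verify_data of the last handshake
        self.app_data = b""

    def handshake(self, client_hello: dict) -> bool:
        """client_hello["renegotiation_info"] is None for a legacy client,
        b"" for an initial handshake, or the client's previous verify_data
        for a renegotiation (RFC 5746 section 3.4)."""
        ri = client_hello.get("renegotiation_info")
        if self.rfc5746:
            if self.prev_client_vd is None:
                if ri not in (None, b""):
                    return False  # initial handshake: extension must be empty
            elif ri is None or not hmac.compare_digest(ri, self.prev_client_vd):
                return False  # renegotiating peer did not do the previous handshake
        self.prev_client_vd = client_hello["client_verify_data"]
        return True

    def recv(self, data: bytes) -> None:
        self.app_data += data

    def requests(self):
        return parse_http_requests(self.app_data)


def run_attack(rfc5746: bool):
    """Mallory (MITM) opens the connection, sends a request prefix without
    the terminating blank line, then forwards Alice's connection attempt
    to the server as a renegotiation.  Returns (renegotiation_accepted,
    requests_the_server_parsed)."""
    server = TlsServer(rfc5746)
    mallory_vd = finished_verify_data(b"mallory-master-secret", b"handshake-1")
    if not server.handshake({"renegotiation_info": None, "client_verify_data": mallory_vd}):
        raise RuntimeError("initial handshake refused")
    server.recv(b"GET /transfer?to=mallory HTTP/1.1\r\n"
                b"Host: bank.example\r\n"
                b"X-Ignore: ")  # header value swallows Alice's request line
    # Alice believes this is a fresh connection, so even an RFC 5746 client
    # sends the empty extension here, never Mallory's verify_data.
    alice_vd = finished_verify_data(b"alice-master-secret", b"handshake-2")
    accepted = server.handshake({"renegotiation_info": b"", "client_verify_data": alice_vd})
    if accepted:
        server.recv(b"GET /account HTTP/1.1\r\n"
                    b"Host: bank.example\r\n"
                    b"Cookie: session=alice-secret\r\n\r\n")
    return accepted, server.requests()


if __name__ == "__main__":
    for fixed in (False, True):
        accepted, reqs = run_attack(fixed)
        print(f"rfc5746={fixed}: renegotiation accepted={accepted}, requests={reqs}")
```

With the pre-RFC 5746 behaviour the server parses a single request: Mallory's request line with Alice's session cookie attached to it, which is the "data inserted into an HTTPS session" of the description. With the check enabled the renegotiation is refused because Alice's ClientHello cannot carry Mallory's verify_data, and Mallory's prefix is never completed. Note that the application-layer fix that most vendors shipped first was simply to refuse renegotiation; the extension is what makes renegotiation safe again.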

Statement

Red Hat is aware of this issue and is tracking it via the following bug:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-3555

Additional information can be found in the Red Hat Knowledgebase article:
http://kbase.redhat.com/faq/docs/DOC-20491

CVSS v2 metrics

Base Score: 4.3
Base Metrics: AV:N/AC:M/Au:N/C:N/I:P/A:N
Access Vector: Network
Access Complexity: Medium
Authentication: None
Confidentiality Impact: None
Integrity Impact: Partial
Availability Impact: None

Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).

Red Hat security errata

Platform | Errata | Release Date
RHEL 4 AS for SAP (java-1.4.2-ibm) | RHSA-2010:0408 | May 12, 2010
RHEL 4 AS for SAP (java-1.4.2-ibm-sap) | RHSA-2010:0986 | December 15, 2010
RHEL 5 Server for SAP (java-1.4.2-ibm) | RHSA-2010:0408 | May 12, 2010
RHEL 5 Server for SAP (java-1.4.2-ibm-sap) | RHSA-2010:0986 | December 15, 2010
RHEV Hypervisor for RHEL-5 (rhev-hypervisor) | RHSA-2010:0440 | May 25, 2010
Red Hat Enterprise Linux Server Supplementary (v. 5) (java-1.4.2-ibm) | RHSA-2010:0155 | March 17, 2010
Red Hat Enterprise Linux Server Supplementary (v. 5) (java-1.4.2-ibm) | RHSA-2010:0786 | October 20, 2010
Red Hat Enterprise Linux Server Supplementary (v. 5) (java-1.5.0-ibm) | RHSA-2010:0130 | March 03, 2010
Red Hat Enterprise Linux Server Supplementary (v. 5) (java-1.5.0-ibm) | RHSA-2010:0807 | October 27, 2010
Red Hat Enterprise Linux Server Supplementary (v. 5) (java-1.5.0-sun) | RHSA-2010:0338 | April 01, 2010
Red Hat Enterprise Linux Server Supplementary (v. 5) (java-1.6.0-ibm) | RHSA-2009:1694 | December 23, 2009
Red Hat Enterprise Linux Server Supplementary (v. 5) (java-1.6.0-ibm) | RHSA-2010:0987 | December 15, 2010
Red Hat Enterprise Linux Server Supplementary (v. 5) (java-1.6.0-sun) | RHSA-2010:0337 | April 01, 2010
Red Hat Enterprise Linux Server Supplementary (v. 5) (java-1.6.0-sun) | RHSA-2010:0770 | October 14, 2010
Red Hat Enterprise Linux Supplementary version 6 (java-1.6.0-ibm) | RHSA-2010:0987 | December 15, 2010
Red Hat Enterprise Linux version 3 (httpd) | RHSA-2009:1579 | November 11, 2009
Red Hat Enterprise Linux version 3 (openssl) | RHSA-2010:0163 | March 25, 2010
Red Hat Enterprise Linux version 3 Extras (java-1.4.2-ibm) | RHSA-2010:0155 | March 17, 2010
Red Hat Enterprise Linux version 3 Extras (java-1.4.2-ibm) | RHSA-2010:0786 | October 20, 2010
Red Hat Enterprise Linux version 4 | RHSA-2010:0165 | March 25, 2010
Red Hat Enterprise Linux version 4 (gnutls) | RHSA-2010:0167 | March 25, 2010
Red Hat Enterprise Linux version 4 (httpd) | RHSA-2009:1580 | November 11, 2009
Red Hat Enterprise Linux version 4 (openssl) | RHSA-2010:0163 | March 25, 2010
Red Hat Enterprise Linux version 4 Extras (java-1.4.2-ibm) | RHSA-2010:0155 | March 17, 2010
Red Hat Enterprise Linux version 4 Extras (java-1.4.2-ibm) | RHSA-2010:0786 | October 20, 2010
Red Hat Enterprise Linux version 4 Extras (java-1.5.0-ibm) | RHSA-2010:0130 | March 03, 2010
Red Hat Enterprise Linux version 4 Extras (java-1.5.0-ibm) | RHSA-2010:0807 | October 27, 2010
Red Hat Enterprise Linux version 4 Extras (java-1.5.0-sun) | RHSA-2010:0338 | April 01, 2010
Red Hat Enterprise Linux version 4 Extras (java-1.6.0-ibm) | RHSA-2009:1694 | December 23, 2009
Red Hat Enterprise Linux version 4 Extras (java-1.6.0-ibm) | RHSA-2010:0987 | December 15, 2010
Red Hat Enterprise Linux version 4 Extras (java-1.6.0-sun) | RHSA-2010:0337 | April 01, 2010
Red Hat Enterprise Linux version 4 Extras (java-1.6.0-sun) | RHSA-2010:0770 | October 14, 2010
Red Hat Enterprise Linux version 5 | RHSA-2010:0165 | March 25, 2010
Red Hat Enterprise Linux version 5 (gnutls) | RHSA-2010:0166 | March 25, 2010
Red Hat Enterprise Linux version 5 (httpd) | RHSA-2009:1579 | November 11, 2009
Red Hat Enterprise Linux version 5 (java-1.6.0-openjdk) | RHSA-2010:0339 | April 01, 2010
Red Hat Enterprise Linux version 5 (java-1.6.0-openjdk) | RHSA-2010:0768 | October 13, 2010
Red Hat Enterprise Linux version 5 (openssl) | RHSA-2010:0162 | March 25, 2010
Red Hat Enterprise Linux version 5 (openssl097a) | RHSA-2010:0164 | March 25, 2010
Red Hat Enterprise Linux version 6 (java-1.6.0-openjdk) | RHSA-2010:0865 | November 10, 2010
Red Hat JBoss Web Server 1.0 for RHEL 4 AS | RHSA-2010:0119 | February 23, 2010
Red Hat JBoss Web Server 1.0 for RHEL 4 AS (httpd22) | RHSA-2010:0011 | January 06, 2010
Red Hat JBoss Web Server 1.0 for RHEL 5 Server | RHSA-2010:0119 | February 23, 2010
Red Hat JBoss Web Server 1.0 for RHEL 5 Server (httpd) | RHSA-2010:0011 | January 06, 2010
Red Hat Satellite 5.4 (RHEL v.5) (java-1.6.0-ibm) | RHSA-2011:0880 | June 16, 2011
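Installing the errata above is only half of the verification; a practitioner also wants to confirm from the outside that a given server now negotiates the RFC 5746 renegotiation_info extension. The following is an added example, not Red Hat's code: it drives the openssl s_client binary (OpenSSL 0.9.8m and later print a "Secure Renegotiation IS supported" or "IS NOT supported" line in the connection summary) and classifies the result. The host names are supplied on the command line and the sample outputs are constructed excerpts, so the classifier can be exercised offline.

```python
"""
Check whether a TLS server advertises RFC 5746 secure renegotiation, the
protocol-level fix for CVE-2009-3555.  Added example, not Red Hat's code:
it runs the openssl s_client binary and reads the "Secure Renegotiation
IS (NOT) supported" line that OpenSSL 0.9.8m and later print after the
handshake.
"""
import subprocess
import sys

# Constructed excerpts of s_client output, used for offline demonstration.
SAMPLE_OUTPUTS = {
    "patched": "SSL-Session:\n    Protocol  : TLSv1\n"
               "Secure Renegotiation IS supported\n",
    "unpatched": "SSL-Session:\n    Protocol  : TLSv1\n"
                 "Secure Renegotiation IS NOT supported\n",
    "failed": "connect: Connection refused\nconnect:errno=111\n",
}


def classify_renegotiation(s_client_output: str) -> str:
    """'secure' if the server sent renegotiation_info, 'insecure' if it did
    not, 'unknown' if no summary line is present (handshake never
    completed, connection refused, or a very old s_client that does not
    print the line at all)."""
    if "Secure Renegotiation IS NOT supported" in s_client_output:
        return "insecure"
    if "Secure Renegotiation IS supported" in s_client_output:
        return "secure"
    return "unknown"


def check_server(host: str, port: int = 443, timeout: float = 15.0) -> str:
    """Run s_client against host:port with SNI set to host and classify the
    summary.  Closing stdin immediately makes s_client exit right after
    the handshake, so this never sends application data."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}",
           "-servername", host]
    try:
        proc = subprocess.run(cmd, input=b"", capture_output=True,
                              timeout=timeout)
    except (OSError, subprocess.TimeoutExpired):
        return "unknown"
    return classify_renegotiation(proc.stdout.decode("utf-8", "replace"))


if __name__ == "__main__":
    targets = sys.argv[1:]
    if targets:
        for target in targets:
            host, _, port = target.partition(":")
            print(target, "->", check_server(host, int(port) if port else 443))
    else:
        for name, out in SAMPLE_OUTPUTS.items():
            print(name, "->", classify_renegotiation(out))
```

"insecure" only says the server lacks the extension; whether it still honours a legacy client-initiated renegotiation (the precondition for the attack) needs an active test, for example typing R in an interactive s_client session and seeing whether the server completes the renegotiation or closes the connection. A server that refuses renegotiation outright, as the first round of vendor updates did, shows up here as "insecure" but is not exploitable in this way.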

External References

This page is generated automatically and has not been checked for errors or omissions.

For clarification or corrections please contact the Red Hat Security Response Team.