CVE-2009-3555
The MITRE CVE dictionary describes this issue as:
The TLS protocol, and the SSL protocol 3.0 and possibly earlier, as used in Microsoft Internet Information Services (IIS) 7.0, mod_ssl in the Apache HTTP Server 2.2.14 and earlier, OpenSSL before 0.9.8l, GnuTLS 2.8.5 and earlier, Mozilla Network Security Services (NSS) 3.12.4 and earlier, multiple Cisco products, and other products, does not properly associate renegotiation handshakes with an existing connection, which allows man-in-the-middle attackers to insert data into HTTPS sessions, and possibly other types of sessions protected by TLS or SSL, by sending an unauthenticated request that is processed retroactively by a server in a post-renegotiation context, related to a "plaintext injection" attack, aka the "Project Mogul" issue.
Find out more about CVE-2009-3555 from the MITRE CVE dictionary dictionary and NIST NVD.
Statement
Red Hat is aware of this issue and is tracking it via the following bug:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-3555
Additional information can be found in the Red Hat Knowledgebase article:
http://kbase.redhat.com/faq/docs/DOC-20491
CVSS v2 metrics
| Base Score | 4.3 |
|---|---|
| Base Metrics | AV:N/AC:M/Au:N/C:N/I:P/A:N |
| Access Vector | Network |
| Access Complexity | Medium |
| Authentication | None |
| Confidentiality Impact | None |
| Integrity Impact | Partial |
| Availability Impact | None |
Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).
Red Hat Security Errata
| Platform | Errata | Release Date |
|---|---|---|
| Red Hat Enterprise Linux Supplementary 5 (java-1.4.2-ibm) | RHSA-2010:0786 | 2010-10-20 |
| Red Hat Enterprise Linux 4 | RHSA-2010:0165 | 2010-03-25 |
| Red Hat Enterprise Linux 4 (gnutls) | RHSA-2010:0167 | 2010-03-25 |
| RHEL 4 AS for SAP (java-1.4.2-ibm) | RHSA-2010:0408 | 2010-05-12 |
| Red Hat Enterprise Linux 4 (openssl) | RHSA-2010:0163 | 2010-03-25 |
| Red Hat Enterprise Virtualization Hypervisor 5 (rhev-hypervisor) | RHSA-2010:0440 | 2010-05-25 |
| Red Hat JBoss Web Server 1.0 for RHEL 4 AS (httpd22) | RHSA-2010:0011 | 2010-01-06 |
| Red Hat JBoss Web Server 1.0 for RHEL 4 AS | RHSA-2010:0119 | 2010-02-23 |
| Red Hat Enterprise Linux 5 (httpd) | RHSA-2009:1579 | 2009-11-11 |
| Red Hat Enterprise Linux AS version 4 Extras (java-1.5.0-ibm) | RHSA-2010:0807 | 2010-10-27 |
| Red Hat Enterprise Linux 5 (java-1.6.0-openjdk) | RHSA-2010:0768 | 2010-10-13 |
| Red Hat Enterprise Linux 6 (java-1.6.0-openjdk) | RHSA-2010:0865 | 2010-11-10 |
| Red Hat Enterprise Linux AS version 3 Extras (java-1.4.2-ibm) | RHSA-2010:0155 | 2010-03-17 |
| Red Hat Enterprise Linux 5 (gnutls) | RHSA-2010:0166 | 2010-03-25 |
| Red Hat Enterprise Linux 5 | RHSA-2010:0165 | 2010-03-25 |
| Red Hat Enterprise Linux 5 (openssl097a) | RHSA-2010:0164 | 2010-03-25 |
| Red Hat Enterprise Linux 5 (openssl) | RHSA-2010:0162 | 2010-03-25 |
| Red Hat Enterprise Linux AS version 4 Extras (java-1.5.0-sun) | RHSA-2010:0338 | 2010-04-01 |
| Red Hat Enterprise Linux Supplementary (v. 6) (java-1.6.0-ibm) | RHSA-2010:0987 | 2010-12-15 |
| Red Hat Enterprise Linux Supplementary 5 (java-1.6.0-sun) | RHSA-2010:0337 | 2010-04-01 |
| Red Hat Enterprise Linux Supplementary 5 (java-1.5.0-sun) | RHSA-2010:0338 | 2010-04-01 |
| RHEL 5 Server for SAP (java-1.4.2-ibm-sap) | RHSA-2010:0986 | 2010-12-15 |
| Red Hat Enterprise Linux 4 (httpd) | RHSA-2009:1580 | 2009-11-11 |
| Red Hat Enterprise Linux AS version 4 Extras (java-1.6.0-sun) | RHSA-2010:0337 | 2010-04-01 |
| Red Hat Enterprise Linux AS version 4 Extras (java-1.5.0-ibm) | RHSA-2010:0130 | 2010-03-03 |
| Red Hat Enterprise Linux AS version 4 Extras (java-1.4.2-ibm) | RHSA-2010:0155 | 2010-03-17 |
| Red Hat Enterprise Linux Supplementary 5 (java-1.6.0-ibm) | RHSA-2010:0987 | 2010-12-15 |
| Red Hat Satellite 5.4 (RHEL v.5) (java-1.6.0-ibm) | RHSA-2011:0880 | 2011-06-16 |
| RHEL 4 AS for SAP (java-1.4.2-ibm-sap) | RHSA-2010:0986 | 2010-12-15 |
| Red Hat Enterprise Linux AS version 4 Extras (java-1.6.0-ibm) | RHSA-2010:0987 | 2010-12-15 |
| Red Hat Enterprise Linux Supplementary 5 (java-1.6.0-sun) | RHSA-2010:0770 | 2010-10-14 |
| RHEL 5 Server for SAP (java-1.4.2-ibm) | RHSA-2010:0408 | 2010-05-12 |
| Red Hat Enterprise Linux Supplementary 5 (java-1.6.0-ibm) | RHSA-2009:1694 | 2009-12-23 |
| Red Hat Enterprise Linux for SAP 6 (java-1.4.2-ibm-sap) | RHSA-2010:0986 | 2010-12-15 |
| Red Hat Enterprise Linux AS version 3 Extras (java-1.4.2-ibm) | RHSA-2010:0786 | 2010-10-20 |
| Red Hat JBoss Enterprise Web Server 1 for RHEL 5 Server | RHSA-2010:0119 | 2010-02-23 |
| Red Hat JBoss Enterprise Web Server 1 for RHEL 5 Server | RHSA-2010:0011 | 2010-01-06 |
| Red Hat Enterprise Linux AS version 4 Extras (java-1.6.0-ibm) | RHSA-2009:1694 | 2009-12-23 |
| Red Hat Enterprise Linux 3 (httpd) | RHSA-2009:1579 | 2009-11-11 |
| Red Hat Enterprise Linux Supplementary 5 (java-1.5.0-ibm) | RHSA-2010:0807 | 2010-10-27 |
| Red Hat Enterprise Linux Supplementary 5 (java-1.5.0-ibm) | RHSA-2010:0130 | 2010-03-03 |
| Red Hat Enterprise Linux 3 (openssl) | RHSA-2010:0163 | 2010-03-25 |
| Red Hat Enterprise Linux AS version 4 Extras (java-1.6.0-sun) | RHSA-2010:0770 | 2010-10-14 |
| Red Hat Enterprise Linux Supplementary 5 (java-1.4.2-ibm) | RHSA-2010:0155 | 2010-03-17 |
| Red Hat Enterprise Linux AS version 4 Extras (java-1.4.2-ibm) | RHSA-2010:0786 | 2010-10-20 |
| Red Hat Enterprise Linux 5 (java-1.6.0-openjdk) | RHSA-2010:0339 | 2010-04-01 |
Affected Packages State
| Platform | Package | State |
|---|---|---|
| Red Hat Satellite 6 | pulp | Will not fix |
CVE description copyright © 2017, The MITRE Corporation