CVE-2009-2409

Name: CVE-2009-2409
Creator: NVD / NIST
Published: 2009-07-30T19:30:00.343+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

UnknownEPSS 4.51%

Last modified Jun 16, 2026

CVE-2009-2409 is a vulnerability of currently unknown severity. The Network Security Services (NSS) library before 3.12.3, as used in Firefox; GnuTLS before 2.6.4 and 2.7.4; OpenSSL 0.9.8 through 0.9.8k; and other products support MD2 with X.509 certificates, which might allow remote attackers to spoof certificates by using MD2 design flaws to generate a hash collision in less than brute-force time. NOTE: the scope of this issue is currently limited because the amount of computation required is still large.. EPSS estimates a 4.51% chance of exploitation in the next 30 days.

Description

The Network Security Services (NSS) library before 3.12.3, as used in Firefox; GnuTLS before 2.6.4 and 2.7.4; OpenSSL 0.9.8 through 0.9.8k; and other products support MD2 with X.509 certificates, which might allow remote attackers to spoof certificates by using MD2 design flaws to generate a hash collision in less than brute-force time. NOTE: the scope of this issue is currently limited because the amount of computation required is still large.

Metrics

EPSS Probability

4.51%

90.3th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-295

Affected Software

Vendor	Product	Versions
Gnu	Gnutls	< 2.6.4
Gnu	Gnutls	>= 2.7.0, < 2.7.4
Mozilla	Network Security Services	< 3.12.3
Openssl	Openssl	>= 0.9.8, <= 0.9.8k

References

http://java.sun.com/j2se/1.5.0/ReleaseNotes.htmlPatch
http://java.sun.com/javase/6/webnotes/6u17.htmlRelease Notes
http://lists.apple.com/archives/security-announce/2009/Nov/msg00000.htmlVendor Advisory
http://secunia.com/advisories/36139Vendor Advisory
http://secunia.com/advisories/36157Vendor Advisory
http://secunia.com/advisories/36434Vendor Advisory
http://secunia.com/advisories/36669Not Applicable
http://secunia.com/advisories/36739Not Applicable
http://secunia.com/advisories/37386Not Applicable
http://secunia.com/advisories/42467Not Applicable
http://security.gentoo.org/glsa/glsa-200911-02.xmlThird Party Advisory
http://security.gentoo.org/glsa/glsa-200912-01.xmlThird Party Advisory
http://support.apple.com/kb/HT3937Broken Link
http://www.debian.org/security/2009/dsa-1874Mailing List
http://www.mandriva.com/security/advisories?name=MDVSA-2009:197Not Applicable
http://www.mandriva.com/security/advisories?name=MDVSA-2009:216Not Applicable
http://www.mandriva.com/security/advisories?name=MDVSA-2009:258Not Applicable
http://www.mandriva.com/security/advisories?name=MDVSA-2010:084Not Applicable
http://www.redhat.com/support/errata/RHSA-2009-1207.htmlThird Party Advisory
http://www.redhat.com/support/errata/RHSA-2009-1432.htmlThird Party Advisory
http://www.securityfocus.com/archive/1/515055/100/0/threadedBroken Link
http://www.securitytracker.com/id?1022631Broken Link
http://www.ubuntu.com/usn/usn-810-1Third Party Advisory
http://www.vmware.com/security/advisories/VMSA-2010-0019.htmlThird Party Advisory
http://www.vupen.com/english/advisories/2009/2085Vendor Advisory
http://www.vupen.com/english/advisories/2009/3184Vendor Advisory
http://www.vupen.com/english/advisories/2010/3126Vendor Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-2409Third Party Advisory
https://lists.balabit.com/pipermail/syslog-ng-announce/2011-January/000101.htmlThird Party Advisory
https://lists.balabit.com/pipermail/syslog-ng-announce/2011-January/000102.htmlThird Party Advisory
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10763Broken Link
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6631Broken Link
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7155Broken Link
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A8594Broken Link
https://rhn.redhat.com/errata/RHSA-2010-0095.htmlThird Party Advisory
https://usn.ubuntu.com/810-2/Broken Link
https://www.debian.org/security/2009/dsa-1888Mailing List, Third Party Advisory
http://java.sun.com/j2se/1.5.0/ReleaseNotes.htmlPatch
http://java.sun.com/javase/6/webnotes/6u17.htmlRelease Notes
http://lists.apple.com/archives/security-announce/2009/Nov/msg00000.htmlVendor Advisory
http://secunia.com/advisories/36139Vendor Advisory
http://secunia.com/advisories/36157Vendor Advisory
http://secunia.com/advisories/36434Vendor Advisory
http://secunia.com/advisories/36669Not Applicable
http://secunia.com/advisories/36739Not Applicable
http://secunia.com/advisories/37386Not Applicable
http://secunia.com/advisories/42467Not Applicable
http://security.gentoo.org/glsa/glsa-200911-02.xmlThird Party Advisory
http://security.gentoo.org/glsa/glsa-200912-01.xmlThird Party Advisory
http://support.apple.com/kb/HT3937Broken Link
http://www.debian.org/security/2009/dsa-1874Mailing List
http://www.mandriva.com/security/advisories?name=MDVSA-2009:197Not Applicable
http://www.mandriva.com/security/advisories?name=MDVSA-2009:216Not Applicable
http://www.mandriva.com/security/advisories?name=MDVSA-2009:258Not Applicable
http://www.mandriva.com/security/advisories?name=MDVSA-2010:084Not Applicable
http://www.redhat.com/support/errata/RHSA-2009-1207.htmlThird Party Advisory
http://www.redhat.com/support/errata/RHSA-2009-1432.htmlThird Party Advisory
http://www.securityfocus.com/archive/1/515055/100/0/threadedBroken Link
http://www.securitytracker.com/id?1022631Broken Link
http://www.ubuntu.com/usn/usn-810-1Third Party Advisory
http://www.vmware.com/security/advisories/VMSA-2010-0019.htmlThird Party Advisory
http://www.vupen.com/english/advisories/2009/2085Vendor Advisory
http://www.vupen.com/english/advisories/2009/3184Vendor Advisory
http://www.vupen.com/english/advisories/2010/3126Vendor Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-2409Third Party Advisory
https://lists.balabit.com/pipermail/syslog-ng-announce/2011-January/000101.htmlThird Party Advisory
https://lists.balabit.com/pipermail/syslog-ng-announce/2011-January/000102.htmlThird Party Advisory
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10763Broken Link
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6631Broken Link
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7155Broken Link
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A8594Broken Link
https://rhn.redhat.com/errata/RHSA-2010-0095.htmlThird Party Advisory
https://usn.ubuntu.com/810-2/Broken Link
https://www.debian.org/security/2009/dsa-1888Mailing List, Third Party Advisory

Timeline

Published: Jul 30, 2009
Last Modified: Jun 16, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2009-2409?

How severe is CVE-2009-2409?

Severity scoring for CVE-2009-2409 is pending analysis. The EPSS model estimates a 4.51% probability of exploitation in the next 30 days.

How do I fix CVE-2009-2409?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2009-2409?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST