CVE-2009-3555
CRITICALCVSS 9.8/10EPSS 87.26%
Last modified
CVE-2009-3555 is a critical-severity vulnerability rated 9.8/10 on the CVSS scale. The TLS protocol, and the SSL protocol 3.0 and possibly earlier, as used in Microsoft Internet Information Services (IIS) 7.0, mod_ssl in the Apache HTTP Server 2.2.14 and earlier, OpenSSL before 0.9.8l, GnuTLS 2.8.5 and earlier, Mozilla Network Security Services (NSS) 3.12.4 and earlier, multiple Cisco products, and other products, does not properly associate renegotiation handshakes with an existing connection, which allows man-in-the-middle attackers to insert data into HTTPS sessions, and possibly other types of sessions protected by TLS or SSL, by sending an unauthenticated request that is processed retroactively by a server in a post-renegotiation context, related to a "plaintext injection" attack, aka the "Project Mogul" issue.. EPSS estimates a 87.26% chance of exploitation in the next 30 days.
Description
The TLS protocol, and the SSL protocol 3.0 and possibly earlier, as used in Microsoft Internet Information Services (IIS) 7.0, mod_ssl in the Apache HTTP Server 2.2.14 and earlier, OpenSSL before 0.9.8l, GnuTLS 2.8.5 and earlier, Mozilla Network Security Services (NSS) 3.12.4 and earlier, multiple Cisco products, and other products, does not properly associate renegotiation handshakes with an existing connection, which allows man-in-the-middle attackers to insert data into HTTPS sessions, and possibly other types of sessions protected by TLS or SSL, by sending an unauthenticated request that is processed retroactively by a server in a post-renegotiation context, related to a "plaintext injection" attack, aka the "Project Mogul" issue.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Apache | Http Server | <= 2.2.14 |
| Gnu | Gnutls | <= 2.8.5 |
| Mozilla | Nss | <= 3.12.4 |
| Openssl | Openssl | <= 0.9.8k |
| Openssl | Openssl | 1.0 |
| Canonical | Ubuntu Linux | 8.04 |
| Canonical | Ubuntu Linux | 8.10 |
| Canonical | Ubuntu Linux | 9.04 |
| Canonical | Ubuntu Linux | 9.10 |
| Canonical | Ubuntu Linux | 10.04 |
| Canonical | Ubuntu Linux | 10.10 |
| Debian | Debian Linux | 4.0 |
| Debian | Debian Linux | 5.0 |
| Debian | Debian Linux | 6.0 |
| Debian | Debian Linux | 7.0 |
| Debian | Debian Linux | 8.0 |
| Fedoraproject | Fedora | 11 |
| Fedoraproject | Fedora | 12 |
| Fedoraproject | Fedora | 13 |
| Fedoraproject | Fedora | 14 |
| F5 | Nginx | >= 0.1.0, <= 0.8.22 |
References
- http://blog.g-sec.lu/2009/11/tls-sslv3-renegotiation-vulnerability.htmlThird Party Advisory
- http://blogs.sun.com/security/entry/vulnerability_in_tls_protocol_duringThird Party Advisory
- http://clicky.me/tlsvulnExploit, Third Party Advisory
- http://extendedsubset.com/?p=8Broken Link
- http://kbase.redhat.com/faq/docs/DOC-20491Third Party Advisory
- http://lists.apple.com/archives/security-announce/2010//May/msg00001.htmlMailing List, Third Party Advisory
- http://lists.apple.com/archives/security-announce/2010//May/msg00002.htmlMailing List, Third Party Advisory
- http://lists.apple.com/archives/security-announce/2010/Jan/msg00000.htmlMailing List, Third Party Advisory
- http://lists.fedoraproject.org/pipermail/package-announce/2010-April/039561.htmlThird Party Advisory
- http://lists.fedoraproject.org/pipermail/package-announce/2010-April/039957.htmlThird Party Advisory
- http://lists.fedoraproject.org/pipermail/package-announce/2010-May/040652.htmlThird Party Advisory
- http://lists.gnu.org/archive/html/gnutls-devel/2009-11/msg00029.htmlThird Party Advisory
- http://lists.opensuse.org/opensuse-security-announce/2009-11/msg00009.htmlThird Party Advisory
- http://lists.opensuse.org/opensuse-security-announce/2010-04/msg00001.htmlThird Party Advisory
- http://lists.opensuse.org/opensuse-security-announce/2010-05/msg00001.htmlThird Party Advisory
- http://lists.opensuse.org/opensuse-security-announce/2010-05/msg00002.htmlThird Party Advisory
- http://lists.opensuse.org/opensuse-security-announce/2010-06/msg00001.htmlThird Party Advisory
- http://lists.opensuse.org/opensuse-security-announce/2010-10/msg00006.htmlThird Party Advisory
- http://lists.opensuse.org/opensuse-security-announce/2010-12/msg00005.htmlThird Party Advisory
- http://lists.opensuse.org/opensuse-security-announce/2010-12/msg00006.htmlThird Party Advisory
- http://lists.opensuse.org/opensuse-security-announce/2011-07/msg00013.htmlThird Party Advisory
- http://lists.opensuse.org/opensuse-security-announce/2011-07/msg00014.htmlThird Party Advisory
- http://marc.info/?l=apache-httpd-announce&m=125755783724966&w=2Third Party Advisory
- http://marc.info/?l=bugtraq&m=126150535619567&w=2Third Party Advisory
- http://marc.info/?l=bugtraq&m=127128920008563&w=2Third Party Advisory
- http://marc.info/?l=bugtraq&m=127419602507642&w=2Third Party Advisory
- http://marc.info/?l=bugtraq&m=127557596201693&w=2Third Party Advisory
- http://marc.info/?l=bugtraq&m=130497311408250&w=2Third Party Advisory
- http://marc.info/?l=bugtraq&m=132077688910227&w=2Third Party Advisory
- http://marc.info/?l=bugtraq&m=133469267822771&w=2Third Party Advisory
- http://marc.info/?l=bugtraq&m=134254866602253&w=2Third Party Advisory
- http://marc.info/?l=bugtraq&m=142660345230545&w=2Third Party Advisory
- http://marc.info/?l=cryptography&m=125752275331877&w=2Third Party Advisory
- http://openbsd.org/errata45.html#010_opensslThird Party Advisory
- http://openbsd.org/errata46.html#004_opensslThird Party Advisory
- http://osvdb.org/60521Broken Link
- http://osvdb.org/60972Broken Link
- http://osvdb.org/62210Broken Link
- http://osvdb.org/65202Broken Link
- http://seclists.org/fulldisclosure/2009/Nov/139Mailing List, Third Party Advisory
- http://secunia.com/advisories/37291Third Party Advisory
- http://secunia.com/advisories/37292Third Party Advisory
- http://secunia.com/advisories/37320Third Party Advisory
- http://secunia.com/advisories/37383Third Party Advisory
- http://secunia.com/advisories/37399Third Party Advisory
- http://secunia.com/advisories/37453Third Party Advisory
- http://secunia.com/advisories/37501Third Party Advisory
- http://secunia.com/advisories/37504Third Party Advisory
- http://secunia.com/advisories/37604Third Party Advisory
- http://secunia.com/advisories/37640Third Party Advisory
- http://secunia.com/advisories/37656Third Party Advisory
- http://secunia.com/advisories/37675Third Party Advisory
- http://secunia.com/advisories/37859Third Party Advisory
- http://secunia.com/advisories/38003Third Party Advisory
- http://secunia.com/advisories/38020Third Party Advisory
- http://secunia.com/advisories/38056Third Party Advisory
- http://secunia.com/advisories/38241Third Party Advisory
- http://secunia.com/advisories/38484Third Party Advisory
- http://secunia.com/advisories/38687Third Party Advisory
- http://secunia.com/advisories/38781Third Party Advisory
- http://secunia.com/advisories/39127Third Party Advisory
- http://secunia.com/advisories/39136Third Party Advisory
- http://secunia.com/advisories/39242Third Party Advisory
- http://secunia.com/advisories/39243Third Party Advisory
- http://secunia.com/advisories/39278Third Party Advisory
- http://secunia.com/advisories/39292Third Party Advisory
- http://secunia.com/advisories/39317Third Party Advisory
- http://secunia.com/advisories/39461Third Party Advisory
- http://secunia.com/advisories/39500Third Party Advisory
- http://secunia.com/advisories/39628Third Party Advisory
- http://secunia.com/advisories/39632Third Party Advisory
- http://secunia.com/advisories/39713Third Party Advisory
- http://secunia.com/advisories/39819Third Party Advisory
- http://secunia.com/advisories/40070Third Party Advisory
- http://secunia.com/advisories/40545Third Party Advisory
- http://secunia.com/advisories/40747Third Party Advisory
- http://secunia.com/advisories/40866Third Party Advisory
- http://secunia.com/advisories/41480Third Party Advisory
- http://secunia.com/advisories/41490Third Party Advisory
- http://secunia.com/advisories/41818Third Party Advisory
- http://secunia.com/advisories/41967Third Party Advisory
- http://secunia.com/advisories/41972Third Party Advisory
- http://secunia.com/advisories/42377Third Party Advisory
- http://secunia.com/advisories/42379Third Party Advisory
- http://secunia.com/advisories/42467Third Party Advisory
- http://secunia.com/advisories/42724Third Party Advisory
- http://secunia.com/advisories/42733Third Party Advisory
- http://secunia.com/advisories/42808Third Party Advisory
- http://secunia.com/advisories/42811Third Party Advisory
- http://secunia.com/advisories/42816Third Party Advisory
- http://secunia.com/advisories/43308Third Party Advisory
- http://secunia.com/advisories/44183Third Party Advisory
- http://secunia.com/advisories/44954Third Party Advisory
- http://secunia.com/advisories/48577Third Party Advisory
- http://security.gentoo.org/glsa/glsa-200912-01.xmlThird Party Advisory
- http://security.gentoo.org/glsa/glsa-201203-22.xmlThird Party Advisory
- http://security.gentoo.org/glsa/glsa-201406-32.xmlThird Party Advisory
- http://securitytracker.com/id?1023148Third Party Advisory, VDB Entry
- http://support.apple.com/kb/HT4004Third Party Advisory
- http://support.apple.com/kb/HT4170Third Party Advisory
- http://support.apple.com/kb/HT4171Third Party Advisory
- http://support.avaya.com/css/P8/documents/100070150Third Party Advisory
- http://support.avaya.com/css/P8/documents/100081611Third Party Advisory
- http://support.avaya.com/css/P8/documents/100114315Third Party Advisory
- http://support.avaya.com/css/P8/documents/100114327Third Party Advisory
- http://support.citrix.com/article/CTX123359Third Party Advisory
- http://ubuntu.com/usn/usn-923-1Third Party Advisory
- http://wiki.rpath.com/Advisories:rPSA-2009-0155Third Party Advisory
- http://www-01.ibm.com/support/docview.wss?uid=swg1IC67848Third Party Advisory
- http://www-01.ibm.com/support/docview.wss?uid=swg1IC68054Third Party Advisory
- http://www-01.ibm.com/support/docview.wss?uid=swg1IC68055Third Party Advisory
- http://www-01.ibm.com/support/docview.wss?uid=swg1PM12247Third Party Advisory
- http://www-01.ibm.com/support/docview.wss?uid=swg21426108Third Party Advisory
- http://www-01.ibm.com/support/docview.wss?uid=swg21432298Third Party Advisory
- http://www-01.ibm.com/support/docview.wss?uid=swg24006386Third Party Advisory
- http://www-01.ibm.com/support/docview.wss?uid=swg24025312Third Party Advisory
- http://www-1.ibm.com/support/search.wss?rs=0&q=PM00675&apar=onlyThird Party Advisory
- http://www.betanews.com/article/1257452450Third Party Advisory
- http://www.debian.org/security/2009/dsa-1934Third Party Advisory
- http://www.debian.org/security/2011/dsa-2141Third Party Advisory
- http://www.debian.org/security/2015/dsa-3253Third Party Advisory
- http://www.educatedguesswork.org/2009/11/understanding_the_tls_renegoti.htmlThird Party Advisory
- http://www.hitachi.co.jp/Prod/comp/soft1/security/info/vuls/HS10-030/index.htmlThird Party Advisory
- http://www.ietf.org/mail-archive/web/tls/current/msg03928.htmlThird Party Advisory
- http://www.ietf.org/mail-archive/web/tls/current/msg03948.htmlThird Party Advisory
- http://www.ingate.com/Relnote.php?ver=481Third Party Advisory
- http://www.itrc.hp.com/service/cki/docDisplay.do?docId=emr_na-c02512995Third Party Advisory
- http://www.kb.cert.org/vuls/id/120541Third Party Advisory, US Government Resource
- http://www.links.org/?p=780Third Party Advisory
- http://www.links.org/?p=786Third Party Advisory
- http://www.links.org/?p=789Third Party Advisory
- http://www.mozilla.org/security/announce/2010/mfsa2010-22.htmlThird Party Advisory
- http://www.openoffice.org/security/cves/CVE-2009-3555.htmlThird Party Advisory
- http://www.openssl.org/news/secadv_20091111.txtThird Party Advisory
- http://www.openwall.com/lists/oss-security/2009/11/05/3Mailing List, Third Party Advisory
- http://www.openwall.com/lists/oss-security/2009/11/05/5Mailing List, Third Party Advisory
- http://www.openwall.com/lists/oss-security/2009/11/06/3Mailing List, Third Party Advisory
- http://www.openwall.com/lists/oss-security/2009/11/07/3Mailing List, Third Party Advisory
- http://www.openwall.com/lists/oss-security/2009/11/20/1Mailing List, Third Party Advisory
- http://www.openwall.com/lists/oss-security/2009/11/23/10Mailing List, Third Party Advisory
- http://www.opera.com/docs/changelogs/unix/1060/Third Party Advisory
- http://www.opera.com/support/search/view/944/Third Party Advisory
- http://www.oracle.com/technetwork/topics/security/cpuapr2011-301950.htmlThird Party Advisory
- http://www.oracle.com/technetwork/topics/security/cpuoct2010-175626.htmlThird Party Advisory
- http://www.oracle.com/technetwork/topics/security/javacpuoct2010-176258.htmlThird Party Advisory
- http://www.redhat.com/support/errata/RHSA-2010-0119.htmlThird Party Advisory
- http://www.redhat.com/support/errata/RHSA-2010-0130.htmlThird Party Advisory
- http://www.redhat.com/support/errata/RHSA-2010-0155.htmlThird Party Advisory
- http://www.redhat.com/support/errata/RHSA-2010-0165.htmlThird Party Advisory
- http://www.redhat.com/support/errata/RHSA-2010-0167.htmlThird Party Advisory
- http://www.redhat.com/support/errata/RHSA-2010-0337.htmlThird Party Advisory
- http://www.redhat.com/support/errata/RHSA-2010-0338.htmlThird Party Advisory
- http://www.redhat.com/support/errata/RHSA-2010-0339.htmlThird Party Advisory
- http://www.redhat.com/support/errata/RHSA-2010-0768.htmlThird Party Advisory
- http://www.redhat.com/support/errata/RHSA-2010-0770.htmlThird Party Advisory
- http://www.redhat.com/support/errata/RHSA-2010-0786.htmlThird Party Advisory
- http://www.redhat.com/support/errata/RHSA-2010-0807.htmlThird Party Advisory
- http://www.redhat.com/support/errata/RHSA-2010-0865.htmlThird Party Advisory
- http://www.redhat.com/support/errata/RHSA-2010-0986.htmlThird Party Advisory
- http://www.redhat.com/support/errata/RHSA-2010-0987.htmlThird Party Advisory
- http://www.redhat.com/support/errata/RHSA-2011-0880.htmlThird Party Advisory
- http://www.securegoose.org/2009/11/tls-renegotiation-vulnerability-cve.htmlThird Party Advisory
- http://www.securityfocus.com/archive/1/507952/100/0/threadedThird Party Advisory, VDB Entry
- http://www.securityfocus.com/archive/1/508075/100/0/threadedThird Party Advisory, VDB Entry
- http://www.securityfocus.com/archive/1/508130/100/0/threadedThird Party Advisory, VDB Entry
- http://www.securityfocus.com/archive/1/515055/100/0/threadedThird Party Advisory, VDB Entry
- http://www.securityfocus.com/archive/1/516397/100/0/threadedThird Party Advisory, VDB Entry
- http://www.securityfocus.com/archive/1/522176Third Party Advisory, VDB Entry
- http://www.securityfocus.com/bid/36935Exploit, Patch, Third Party Advisory, VDB Entry
- http://www.securitytracker.com/id?1023163Third Party Advisory, VDB Entry
- http://www.securitytracker.com/id?1023204Third Party Advisory, VDB Entry
- http://www.securitytracker.com/id?1023205Third Party Advisory, VDB Entry
- http://www.securitytracker.com/id?1023206Third Party Advisory, VDB Entry
- http://www.securitytracker.com/id?1023207Third Party Advisory, VDB Entry
- http://www.securitytracker.com/id?1023208Third Party Advisory, VDB Entry
- http://www.securitytracker.com/id?1023209Third Party Advisory, VDB Entry
- http://www.securitytracker.com/id?1023210Third Party Advisory, VDB Entry
- http://www.securitytracker.com/id?1023211Third Party Advisory, VDB Entry
- http://www.securitytracker.com/id?1023212Third Party Advisory, VDB Entry
- http://www.securitytracker.com/id?1023213Third Party Advisory, VDB Entry
- http://www.securitytracker.com/id?1023214Third Party Advisory, VDB Entry
- http://www.securitytracker.com/id?1023215Third Party Advisory, VDB Entry
- http://www.securitytracker.com/id?1023216Third Party Advisory, VDB Entry
- http://www.securitytracker.com/id?1023217Third Party Advisory, VDB Entry
- http://www.securitytracker.com/id?1023218Third Party Advisory, VDB Entry
- http://www.securitytracker.com/id?1023219Third Party Advisory, VDB Entry
- http://www.securitytracker.com/id?1023224Third Party Advisory, VDB Entry
- http://www.securitytracker.com/id?1023243Third Party Advisory, VDB Entry
- http://www.securitytracker.com/id?1023270Third Party Advisory, VDB Entry
- http://www.securitytracker.com/id?1023271Third Party Advisory, VDB Entry
- http://www.securitytracker.com/id?1023272Third Party Advisory, VDB Entry
- http://www.securitytracker.com/id?1023273Third Party Advisory, VDB Entry
- http://www.securitytracker.com/id?1023274Third Party Advisory, VDB Entry
- http://www.securitytracker.com/id?1023275Third Party Advisory, VDB Entry
- http://www.securitytracker.com/id?1023411Third Party Advisory, VDB Entry
- http://www.securitytracker.com/id?1023426Third Party Advisory, VDB Entry
- http://www.securitytracker.com/id?1023427Third Party Advisory, VDB Entry
- http://www.securitytracker.com/id?1023428Third Party Advisory, VDB Entry
- http://www.securitytracker.com/id?1024789Third Party Advisory, VDB Entry
- http://www.tombom.co.uk/blog/?p=85Broken Link
- http://www.ubuntu.com/usn/USN-1010-1Third Party Advisory
- http://www.ubuntu.com/usn/USN-927-1Third Party Advisory
- http://www.ubuntu.com/usn/USN-927-4Third Party Advisory
- http://www.ubuntu.com/usn/USN-927-5Third Party Advisory
- http://www.us-cert.gov/cas/techalerts/TA10-222A.htmlThird Party Advisory, US Government Resource
- http://www.us-cert.gov/cas/techalerts/TA10-287A.htmlThird Party Advisory, US Government Resource
- http://www.vmware.com/security/advisories/VMSA-2010-0019.htmlThird Party Advisory
- http://www.vmware.com/security/advisories/VMSA-2011-0003.htmlThird Party Advisory
- http://www.vmware.com/support/vsphere4/doc/vsp_vc41_u1_rel_notes.htmlThird Party Advisory
- http://www.vupen.com/english/advisories/2009/3164Third Party Advisory
- http://www.vupen.com/english/advisories/2009/3165Third Party Advisory
- http://www.vupen.com/english/advisories/2009/3205Third Party Advisory
- http://www.vupen.com/english/advisories/2009/3220Third Party Advisory
- http://www.vupen.com/english/advisories/2009/3310Third Party Advisory
- http://www.vupen.com/english/advisories/2009/3313Third Party Advisory
- http://www.vupen.com/english/advisories/2009/3353Third Party Advisory
- http://www.vupen.com/english/advisories/2009/3354Third Party Advisory
- http://www.vupen.com/english/advisories/2009/3484Third Party Advisory
- http://www.vupen.com/english/advisories/2009/3521Third Party Advisory
- http://www.vupen.com/english/advisories/2009/3587Third Party Advisory
- http://www.vupen.com/english/advisories/2010/0086Third Party Advisory
- http://www.vupen.com/english/advisories/2010/0173Third Party Advisory
- http://www.vupen.com/english/advisories/2010/0748Third Party Advisory
- http://www.vupen.com/english/advisories/2010/0848Third Party Advisory
- http://www.vupen.com/english/advisories/2010/0916Third Party Advisory
- http://www.vupen.com/english/advisories/2010/0933Third Party Advisory
- http://www.vupen.com/english/advisories/2010/0982Third Party Advisory
- http://www.vupen.com/english/advisories/2010/0994Third Party Advisory
- http://www.vupen.com/english/advisories/2010/1054Third Party Advisory
- http://www.vupen.com/english/advisories/2010/1107Third Party Advisory
- http://www.vupen.com/english/advisories/2010/1191Third Party Advisory
- http://www.vupen.com/english/advisories/2010/1350Third Party Advisory
- http://www.vupen.com/english/advisories/2010/1639Third Party Advisory
- http://www.vupen.com/english/advisories/2010/1673Third Party Advisory
- http://www.vupen.com/english/advisories/2010/1793Third Party Advisory
- http://www.vupen.com/english/advisories/2010/2010Third Party Advisory
- http://www.vupen.com/english/advisories/2010/2745Third Party Advisory
- http://www.vupen.com/english/advisories/2010/3069Third Party Advisory
- http://www.vupen.com/english/advisories/2010/3086Third Party Advisory
- http://www.vupen.com/english/advisories/2010/3126Third Party Advisory
- http://www.vupen.com/english/advisories/2011/0032Third Party Advisory
- http://www.vupen.com/english/advisories/2011/0033Third Party Advisory
- http://www.vupen.com/english/advisories/2011/0086Third Party Advisory
- https://bugzilla.mozilla.org/show_bug.cgi?id=526689Issue Tracking, Third Party Advisory
- https://bugzilla.mozilla.org/show_bug.cgi?id=545755Issue Tracking, Third Party Advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=533125Issue Tracking, Third Party Advisory
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-049Patch, Vendor Advisory
- https://exchange.xforce.ibmcloud.com/vulnerabilities/54158Third Party Advisory, VDB Entry
- https://kb.bluecoat.com/index?page=content&id=SA50Third Party Advisory
- https://support.f5.com/kb/en-us/solutions/public/10000/700/sol10737.htmlThird Party Advisory
- http://blog.g-sec.lu/2009/11/tls-sslv3-renegotiation-vulnerability.htmlThird Party Advisory
- http://blogs.sun.com/security/entry/vulnerability_in_tls_protocol_duringThird Party Advisory
- http://clicky.me/tlsvulnExploit, Third Party Advisory
- http://extendedsubset.com/?p=8Broken Link
- http://kbase.redhat.com/faq/docs/DOC-20491Third Party Advisory
- http://lists.apple.com/archives/security-announce/2010//May/msg00001.htmlMailing List, Third Party Advisory
- http://lists.apple.com/archives/security-announce/2010//May/msg00002.htmlMailing List, Third Party Advisory
- http://lists.apple.com/archives/security-announce/2010/Jan/msg00000.htmlMailing List, Third Party Advisory
- http://lists.fedoraproject.org/pipermail/package-announce/2010-April/039561.htmlThird Party Advisory
- http://lists.fedoraproject.org/pipermail/package-announce/2010-April/039957.htmlThird Party Advisory
- http://lists.fedoraproject.org/pipermail/package-announce/2010-May/040652.htmlThird Party Advisory
- http://lists.gnu.org/archive/html/gnutls-devel/2009-11/msg00029.htmlThird Party Advisory
- http://lists.opensuse.org/opensuse-security-announce/2009-11/msg00009.htmlThird Party Advisory
- http://lists.opensuse.org/opensuse-security-announce/2010-04/msg00001.htmlThird Party Advisory
- http://lists.opensuse.org/opensuse-security-announce/2010-05/msg00001.htmlThird Party Advisory
- http://lists.opensuse.org/opensuse-security-announce/2010-05/msg00002.htmlThird Party Advisory
- http://lists.opensuse.org/opensuse-security-announce/2010-06/msg00001.htmlThird Party Advisory
- http://lists.opensuse.org/opensuse-security-announce/2010-10/msg00006.htmlThird Party Advisory
- http://lists.opensuse.org/opensuse-security-announce/2010-12/msg00005.htmlThird Party Advisory
- http://lists.opensuse.org/opensuse-security-announce/2010-12/msg00006.htmlThird Party Advisory
- http://lists.opensuse.org/opensuse-security-announce/2011-07/msg00013.htmlThird Party Advisory
- http://lists.opensuse.org/opensuse-security-announce/2011-07/msg00014.htmlThird Party Advisory
- http://marc.info/?l=apache-httpd-announce&m=125755783724966&w=2Third Party Advisory
- http://marc.info/?l=bugtraq&m=126150535619567&w=2Third Party Advisory
- http://marc.info/?l=bugtraq&m=127128920008563&w=2Third Party Advisory
- http://marc.info/?l=bugtraq&m=127419602507642&w=2Third Party Advisory
- http://marc.info/?l=bugtraq&m=127557596201693&w=2Third Party Advisory
- http://marc.info/?l=bugtraq&m=130497311408250&w=2Third Party Advisory
- http://marc.info/?l=bugtraq&m=132077688910227&w=2Third Party Advisory
- http://marc.info/?l=bugtraq&m=133469267822771&w=2Third Party Advisory
- http://marc.info/?l=bugtraq&m=134254866602253&w=2Third Party Advisory
- http://marc.info/?l=bugtraq&m=142660345230545&w=2Third Party Advisory
- http://marc.info/?l=cryptography&m=125752275331877&w=2Third Party Advisory
- http://openbsd.org/errata45.html#010_opensslThird Party Advisory
- http://openbsd.org/errata46.html#004_opensslThird Party Advisory
- http://osvdb.org/60521Broken Link
- http://osvdb.org/60972Broken Link
- http://osvdb.org/62210Broken Link
- http://osvdb.org/65202Broken Link
- http://seclists.org/fulldisclosure/2009/Nov/139Mailing List, Third Party Advisory
- http://secunia.com/advisories/37291Third Party Advisory
- http://secunia.com/advisories/37292Third Party Advisory
- http://secunia.com/advisories/37320Third Party Advisory
- http://secunia.com/advisories/37383Third Party Advisory
- http://secunia.com/advisories/37399Third Party Advisory
- http://secunia.com/advisories/37453Third Party Advisory
- http://secunia.com/advisories/37501Third Party Advisory
- http://secunia.com/advisories/37504Third Party Advisory
- http://secunia.com/advisories/37604Third Party Advisory
- http://secunia.com/advisories/37640Third Party Advisory
- http://secunia.com/advisories/37656Third Party Advisory
- http://secunia.com/advisories/37675Third Party Advisory
- http://secunia.com/advisories/37859Third Party Advisory
- http://secunia.com/advisories/38003Third Party Advisory
- http://secunia.com/advisories/38020Third Party Advisory
- http://secunia.com/advisories/38056Third Party Advisory
- http://secunia.com/advisories/38241Third Party Advisory
- http://secunia.com/advisories/38484Third Party Advisory
- http://secunia.com/advisories/38687Third Party Advisory
- http://secunia.com/advisories/38781Third Party Advisory
- http://secunia.com/advisories/39127Third Party Advisory
- http://secunia.com/advisories/39136Third Party Advisory
- http://secunia.com/advisories/39242Third Party Advisory
- http://secunia.com/advisories/39243Third Party Advisory
- http://secunia.com/advisories/39278Third Party Advisory
- http://secunia.com/advisories/39292Third Party Advisory
- http://secunia.com/advisories/39317Third Party Advisory
- http://secunia.com/advisories/39461Third Party Advisory
- http://secunia.com/advisories/39500Third Party Advisory
- http://secunia.com/advisories/39628Third Party Advisory
- http://secunia.com/advisories/39632Third Party Advisory
- http://secunia.com/advisories/39713Third Party Advisory
- http://secunia.com/advisories/39819Third Party Advisory
- http://secunia.com/advisories/40070Third Party Advisory
- http://secunia.com/advisories/40545Third Party Advisory
- http://secunia.com/advisories/40747Third Party Advisory
- http://secunia.com/advisories/40866Third Party Advisory
- http://secunia.com/advisories/41480Third Party Advisory
- http://secunia.com/advisories/41490Third Party Advisory
- http://secunia.com/advisories/41818Third Party Advisory
- http://secunia.com/advisories/41967Third Party Advisory
- http://secunia.com/advisories/41972Third Party Advisory
- http://secunia.com/advisories/42377Third Party Advisory
- http://secunia.com/advisories/42379Third Party Advisory
- http://secunia.com/advisories/42467Third Party Advisory
- http://secunia.com/advisories/42724Third Party Advisory
- http://secunia.com/advisories/42733Third Party Advisory
- http://secunia.com/advisories/42808Third Party Advisory
- http://secunia.com/advisories/42811Third Party Advisory
- http://secunia.com/advisories/42816Third Party Advisory
- http://secunia.com/advisories/43308Third Party Advisory
- http://secunia.com/advisories/44183Third Party Advisory
- http://secunia.com/advisories/44954Third Party Advisory
- http://secunia.com/advisories/48577Third Party Advisory
- http://security.gentoo.org/glsa/glsa-200912-01.xmlThird Party Advisory
- http://security.gentoo.org/glsa/glsa-201203-22.xmlThird Party Advisory
- http://security.gentoo.org/glsa/glsa-201406-32.xmlThird Party Advisory
- http://securitytracker.com/id?1023148Third Party Advisory, VDB Entry
- http://support.apple.com/kb/HT4004Third Party Advisory
- http://support.apple.com/kb/HT4170Third Party Advisory
- http://support.apple.com/kb/HT4171Third Party Advisory
- http://support.avaya.com/css/P8/documents/100070150Third Party Advisory
- http://support.avaya.com/css/P8/documents/100081611Third Party Advisory
- http://support.avaya.com/css/P8/documents/100114315Third Party Advisory
- http://support.avaya.com/css/P8/documents/100114327Third Party Advisory
- http://support.citrix.com/article/CTX123359Third Party Advisory
- http://ubuntu.com/usn/usn-923-1Third Party Advisory
- http://wiki.rpath.com/Advisories:rPSA-2009-0155Third Party Advisory
- http://www-01.ibm.com/support/docview.wss?uid=swg1IC67848Third Party Advisory
- http://www-01.ibm.com/support/docview.wss?uid=swg1IC68054Third Party Advisory
- http://www-01.ibm.com/support/docview.wss?uid=swg1IC68055Third Party Advisory
- http://www-01.ibm.com/support/docview.wss?uid=swg1PM12247Third Party Advisory
- http://www-01.ibm.com/support/docview.wss?uid=swg21426108Third Party Advisory
- http://www-01.ibm.com/support/docview.wss?uid=swg21432298Third Party Advisory
- http://www-01.ibm.com/support/docview.wss?uid=swg24006386Third Party Advisory
- http://www-01.ibm.com/support/docview.wss?uid=swg24025312Third Party Advisory
- http://www-1.ibm.com/support/search.wss?rs=0&q=PM00675&apar=onlyThird Party Advisory
- http://www.betanews.com/article/1257452450Third Party Advisory
- http://www.debian.org/security/2009/dsa-1934Third Party Advisory
- http://www.debian.org/security/2011/dsa-2141Third Party Advisory
- http://www.debian.org/security/2015/dsa-3253Third Party Advisory
- http://www.educatedguesswork.org/2009/11/understanding_the_tls_renegoti.htmlThird Party Advisory
- http://www.hitachi.co.jp/Prod/comp/soft1/security/info/vuls/HS10-030/index.htmlThird Party Advisory
- http://www.ietf.org/mail-archive/web/tls/current/msg03928.htmlThird Party Advisory
- http://www.ietf.org/mail-archive/web/tls/current/msg03948.htmlThird Party Advisory
- http://www.ingate.com/Relnote.php?ver=481Third Party Advisory
- http://www.itrc.hp.com/service/cki/docDisplay.do?docId=emr_na-c02512995Third Party Advisory
- http://www.kb.cert.org/vuls/id/120541Third Party Advisory, US Government Resource
- http://www.links.org/?p=780Third Party Advisory
- http://www.links.org/?p=786Third Party Advisory
- http://www.links.org/?p=789Third Party Advisory
- http://www.mozilla.org/security/announce/2010/mfsa2010-22.htmlThird Party Advisory
- http://www.openoffice.org/security/cves/CVE-2009-3555.htmlThird Party Advisory
- http://www.openssl.org/news/secadv_20091111.txtThird Party Advisory
- http://www.openwall.com/lists/oss-security/2009/11/05/3Mailing List, Third Party Advisory
- http://www.openwall.com/lists/oss-security/2009/11/05/5Mailing List, Third Party Advisory
- http://www.openwall.com/lists/oss-security/2009/11/06/3Mailing List, Third Party Advisory
- http://www.openwall.com/lists/oss-security/2009/11/07/3Mailing List, Third Party Advisory
- http://www.openwall.com/lists/oss-security/2009/11/20/1Mailing List, Third Party Advisory
- http://www.openwall.com/lists/oss-security/2009/11/23/10Mailing List, Third Party Advisory
- http://www.opera.com/docs/changelogs/unix/1060/Third Party Advisory
- http://www.opera.com/support/search/view/944/Third Party Advisory
- http://www.oracle.com/technetwork/topics/security/cpuapr2011-301950.htmlThird Party Advisory
- http://www.oracle.com/technetwork/topics/security/cpuoct2010-175626.htmlThird Party Advisory
- http://www.oracle.com/technetwork/topics/security/javacpuoct2010-176258.htmlThird Party Advisory
- http://www.redhat.com/support/errata/RHSA-2010-0119.htmlThird Party Advisory
- http://www.redhat.com/support/errata/RHSA-2010-0130.htmlThird Party Advisory
- http://www.redhat.com/support/errata/RHSA-2010-0155.htmlThird Party Advisory
- http://www.redhat.com/support/errata/RHSA-2010-0165.htmlThird Party Advisory
- http://www.redhat.com/support/errata/RHSA-2010-0167.htmlThird Party Advisory
- http://www.redhat.com/support/errata/RHSA-2010-0337.htmlThird Party Advisory
- http://www.redhat.com/support/errata/RHSA-2010-0338.htmlThird Party Advisory
- http://www.redhat.com/support/errata/RHSA-2010-0339.htmlThird Party Advisory
- http://www.redhat.com/support/errata/RHSA-2010-0768.htmlThird Party Advisory
- http://www.redhat.com/support/errata/RHSA-2010-0770.htmlThird Party Advisory
- http://www.redhat.com/support/errata/RHSA-2010-0786.htmlThird Party Advisory
- http://www.redhat.com/support/errata/RHSA-2010-0807.htmlThird Party Advisory
- http://www.redhat.com/support/errata/RHSA-2010-0865.htmlThird Party Advisory
- http://www.redhat.com/support/errata/RHSA-2010-0986.htmlThird Party Advisory
- http://www.redhat.com/support/errata/RHSA-2010-0987.htmlThird Party Advisory
- http://www.redhat.com/support/errata/RHSA-2011-0880.htmlThird Party Advisory
- http://www.securegoose.org/2009/11/tls-renegotiation-vulnerability-cve.htmlThird Party Advisory
- http://www.securityfocus.com/archive/1/507952/100/0/threadedThird Party Advisory, VDB Entry
- http://www.securityfocus.com/archive/1/508075/100/0/threadedThird Party Advisory, VDB Entry
- http://www.securityfocus.com/archive/1/508130/100/0/threadedThird Party Advisory, VDB Entry
- http://www.securityfocus.com/archive/1/515055/100/0/threadedThird Party Advisory, VDB Entry
- http://www.securityfocus.com/archive/1/516397/100/0/threadedThird Party Advisory, VDB Entry
- http://www.securityfocus.com/archive/1/522176Third Party Advisory, VDB Entry
- http://www.securityfocus.com/bid/36935Exploit, Patch, Third Party Advisory, VDB Entry
- http://www.securitytracker.com/id?1023163Third Party Advisory, VDB Entry
- http://www.securitytracker.com/id?1023204Third Party Advisory, VDB Entry
- http://www.securitytracker.com/id?1023205Third Party Advisory, VDB Entry
- http://www.securitytracker.com/id?1023206Third Party Advisory, VDB Entry
- http://www.securitytracker.com/id?1023207Third Party Advisory, VDB Entry
- http://www.securitytracker.com/id?1023208Third Party Advisory, VDB Entry
- http://www.securitytracker.com/id?1023209Third Party Advisory, VDB Entry
- http://www.securitytracker.com/id?1023210Third Party Advisory, VDB Entry
- http://www.securitytracker.com/id?1023211Third Party Advisory, VDB Entry
- http://www.securitytracker.com/id?1023212Third Party Advisory, VDB Entry
- http://www.securitytracker.com/id?1023213Third Party Advisory, VDB Entry
- http://www.securitytracker.com/id?1023214Third Party Advisory, VDB Entry
- http://www.securitytracker.com/id?1023215Third Party Advisory, VDB Entry
- http://www.securitytracker.com/id?1023216Third Party Advisory, VDB Entry
- http://www.securitytracker.com/id?1023217Third Party Advisory, VDB Entry
- http://www.securitytracker.com/id?1023218Third Party Advisory, VDB Entry
- http://www.securitytracker.com/id?1023219Third Party Advisory, VDB Entry
- http://www.securitytracker.com/id?1023224Third Party Advisory, VDB Entry
- http://www.securitytracker.com/id?1023243Third Party Advisory, VDB Entry
- http://www.securitytracker.com/id?1023270Third Party Advisory, VDB Entry
- http://www.securitytracker.com/id?1023271Third Party Advisory, VDB Entry
- http://www.securitytracker.com/id?1023272Third Party Advisory, VDB Entry
- http://www.securitytracker.com/id?1023273Third Party Advisory, VDB Entry
- http://www.securitytracker.com/id?1023274Third Party Advisory, VDB Entry
- http://www.securitytracker.com/id?1023275Third Party Advisory, VDB Entry
- http://www.securitytracker.com/id?1023411Third Party Advisory, VDB Entry
- http://www.securitytracker.com/id?1023426Third Party Advisory, VDB Entry
- http://www.securitytracker.com/id?1023427Third Party Advisory, VDB Entry
- http://www.securitytracker.com/id?1023428Third Party Advisory, VDB Entry
- http://www.securitytracker.com/id?1024789Third Party Advisory, VDB Entry
- http://www.tombom.co.uk/blog/?p=85Broken Link
- http://www.ubuntu.com/usn/USN-1010-1Third Party Advisory
- http://www.ubuntu.com/usn/USN-927-1Third Party Advisory
- http://www.ubuntu.com/usn/USN-927-4Third Party Advisory
- http://www.ubuntu.com/usn/USN-927-5Third Party Advisory
- http://www.us-cert.gov/cas/techalerts/TA10-222A.htmlThird Party Advisory, US Government Resource
- http://www.us-cert.gov/cas/techalerts/TA10-287A.htmlThird Party Advisory, US Government Resource
- http://www.vmware.com/security/advisories/VMSA-2010-0019.htmlThird Party Advisory
- http://www.vmware.com/security/advisories/VMSA-2011-0003.htmlThird Party Advisory
- http://www.vmware.com/support/vsphere4/doc/vsp_vc41_u1_rel_notes.htmlThird Party Advisory
- http://www.vupen.com/english/advisories/2009/3164Third Party Advisory
- http://www.vupen.com/english/advisories/2009/3165Third Party Advisory
- http://www.vupen.com/english/advisories/2009/3205Third Party Advisory
- http://www.vupen.com/english/advisories/2009/3220Third Party Advisory
- http://www.vupen.com/english/advisories/2009/3310Third Party Advisory
- http://www.vupen.com/english/advisories/2009/3313Third Party Advisory
- http://www.vupen.com/english/advisories/2009/3353Third Party Advisory
- http://www.vupen.com/english/advisories/2009/3354Third Party Advisory
- http://www.vupen.com/english/advisories/2009/3484Third Party Advisory
- http://www.vupen.com/english/advisories/2009/3521Third Party Advisory
- http://www.vupen.com/english/advisories/2009/3587Third Party Advisory
- http://www.vupen.com/english/advisories/2010/0086Third Party Advisory
- http://www.vupen.com/english/advisories/2010/0173Third Party Advisory
- http://www.vupen.com/english/advisories/2010/0748Third Party Advisory
- http://www.vupen.com/english/advisories/2010/0848Third Party Advisory
- http://www.vupen.com/english/advisories/2010/0916Third Party Advisory
- http://www.vupen.com/english/advisories/2010/0933Third Party Advisory
- http://www.vupen.com/english/advisories/2010/0982Third Party Advisory
- http://www.vupen.com/english/advisories/2010/0994Third Party Advisory
- http://www.vupen.com/english/advisories/2010/1054Third Party Advisory
- http://www.vupen.com/english/advisories/2010/1107Third Party Advisory
- http://www.vupen.com/english/advisories/2010/1191Third Party Advisory
- http://www.vupen.com/english/advisories/2010/1350Third Party Advisory
- http://www.vupen.com/english/advisories/2010/1639Third Party Advisory
- http://www.vupen.com/english/advisories/2010/1673Third Party Advisory
- http://www.vupen.com/english/advisories/2010/1793Third Party Advisory
- http://www.vupen.com/english/advisories/2010/2010Third Party Advisory
- http://www.vupen.com/english/advisories/2010/2745Third Party Advisory
- http://www.vupen.com/english/advisories/2010/3069Third Party Advisory
- http://www.vupen.com/english/advisories/2010/3086Third Party Advisory
- http://www.vupen.com/english/advisories/2010/3126Third Party Advisory
- http://www.vupen.com/english/advisories/2011/0032Third Party Advisory
- http://www.vupen.com/english/advisories/2011/0033Third Party Advisory
- http://www.vupen.com/english/advisories/2011/0086Third Party Advisory
- https://bugzilla.mozilla.org/show_bug.cgi?id=526689Issue Tracking, Third Party Advisory
- https://bugzilla.mozilla.org/show_bug.cgi?id=545755Issue Tracking, Third Party Advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=533125Issue Tracking, Third Party Advisory
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-049Patch, Vendor Advisory
- https://exchange.xforce.ibmcloud.com/vulnerabilities/54158Third Party Advisory, VDB Entry
- https://kb.bluecoat.com/index?page=content&id=SA50Third Party Advisory
- https://support.f5.com/kb/en-us/solutions/public/10000/700/sol10737.htmlThird Party Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2009-3555?
The TLS protocol, and the SSL protocol 3.0 and possibly earlier, as used in Microsoft Internet Information Services (IIS) 7.0, mod_ssl in the Apache HTTP Server 2.2.14 and earlier, OpenSSL before 0.9.8l, GnuTLS 2.8.5 and earlier, Mozilla Network Security Services (NSS) 3.12.4 and earlier, multiple Cisco products, and other products, does not properly associate renegotiation handshakes with an existing connection, which allows man-in-the-middle attackers to insert data into HTTPS sessions, and possibly other types of sessions protected by TLS or SSL, by sending an unauthenticated request that is processed retroactively by a server in a post-renegotiation context, related to a "plaintext injection" attack, aka the "Project Mogul" issue.
How severe is CVE-2009-3555?
CVE-2009-3555 has a CVSS score of 9.8/10 (CRITICAL severity). The EPSS model estimates a 87.26% probability of exploitation in the next 30 days.
How do I fix CVE-2009-3555?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.
Are you affected by CVE-2009-3555?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST