Description
Reference

CVE-2009-3555 Information

Share on:

Feb 14, 2021 cve

Description

The TLS protocol and the SSL protocol 3.0 and possibly earlier as used in Microsoft Internet Information Services (IIS) 7.0 mod_ssl in the Apache HTTP Server 2.2.14 and earlier OpenSSL before 0.9.8l GnuTLS 2.8.5 and earlier Mozilla Network Security Services (NSS) 3.12.4 and earlier multiple Cisco products and other products does not properly associate renegotiation handshakes with an existing connection which allows man-in-the-middle attackers to insert data into HTTPS sessions and possibly other types of sessions protected by TLS or SSL by sending an unauthenticated request that is processed retroactively by a server in a post-renegotiation context related to a \plaintext injection\ attack aka the \Project Mogul\ issue.

Reference

http://archives.neohapsis.com/archives/bugtraq/2013-11/0120.html http://blog.g-sec.lu/2009/11/tls-sslv3-renegotiation-vulnerability.html http://blogs.iss.net/archive/sslmitmiscsrf.html http://blogs.sun.com/security/entry/vulnerability_in_tls_protocol_during http://clicky.me/tlsvuln http://extendedsubset.com/?p=8 http://extendedsubset.com/Renegotiating_TLS.pdf http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01945686 http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02436041 http://itrc.hp.com/service/cki/docDisplay.do?docId=emr_na-c02273751 http://kbase.redhat.com/faq/docs/DOC-20491 http://lists.apple.com/archives/security-announce/2010//May/msg00001.html http://lists.apple.com/archives/security-announce/2010//May/msg00002.html http://lists.apple.com/archives/security-announce/2010/Jan/msg00000.html http://lists.fedoraproject.org/pipermail/package-announce/2010-April/039561.html http://lists.fedoraproject.org/pipermail/package-announce/2010-April/039957.html http://lists.fedoraproject.org/pipermail/package-announce/2010-May/040652.html http://lists.fedoraproject.org/pipermail/package-announce/2010-October/049455.html http://lists.fedoraproject.org/pipermail/package-announce/2010-October/049528.html http://lists.fedoraproject.org/pipermail/package-announce/2010-October/049702.html http://lists.gnu.org/archive/html/gnutls-devel/2009-11/msg00029.html http://lists.opensuse.org/opensuse-security-announce/2009-11/msg00009.html http://lists.opensuse.org/opensuse-security-announce/2010-04/msg00001.html http://lists.opensuse.org/opensuse-security-announce/2010-05/msg00001.html http://lists.opensuse.org/opensuse-security-announce/2010-05/msg00002.html http://lists.opensuse.org/opensuse-security-announce/2010-06/msg00001.html http://lists.opensuse.org/opensuse-security-announce/2010-10/msg00006.html http://lists.opensuse.org/opensuse-security-announce/2010-12/msg00005.html http://lists.opensuse.org/opensuse-security-announce/2010-12/msg00006.html http://lists.opensuse.org/opensuse-security-announce/2011-07/msg00013.html http://lists.opensuse.org/opensuse-security-announce/2011-07/msg00014.html http://marc.info/?l=apache-httpd-announce&m=125755783724966&w=2 http://marc.info/?l=bugtraq&m=126150535619567&w=2 http://marc.info/?l=bugtraq&m=127128920008563&w=2 http://marc.info/?l=bugtraq&m=127419602507642&w=2 http://marc.info/?l=bugtraq&m=127557596201693&w=2 http://marc.info/?l=bugtraq&m=130497311408250&w=2 http://marc.info/?l=bugtraq&m=132077688910227&w=2 http://marc.info/?l=bugtraq&m=133469267822771&w=2 http://marc.info/?l=bugtraq&m=134254866602253&w=2 http://marc.info/?l=bugtraq&m=142660345230545&w=2 http://marc.info/?l=cryptography&m=125752275331877&w=2 http://openbsd.org/errata45.html010_openssl http://openbsd.org/errata46.html004_openssl http://osvdb.org/60521 http://osvdb.org/60972 http://osvdb.org/62210 http://osvdb.org/65202 http://seclists.org/fulldisclosure/2009/Nov/139 http://secunia.com/advisories/37291 http://secunia.com/advisories/37292 http://secunia.com/advisories/37320 http://secunia.com/advisories/37383 http://secunia.com/advisories/37399 http://secunia.com/advisories/37453 http://secunia.com/advisories/37501 http://secunia.com/advisories/37504 http://secunia.com/advisories/37604 http://secunia.com/advisories/37640 http://secunia.com/advisories/37656 http://secunia.com/advisories/37675 http://secunia.com/advisories/37859 http://secunia.com/advisories/38003 http://secunia.com/advisories/38020 http://secunia.com/advisories/38056 http://secunia.com/advisories/38241 http://secunia.com/advisories/38484 http://secunia.com/advisories/38687 http://secunia.com/advisories/38781 http://secunia.com/advisories/39127 http://secunia.com/advisories/39136 http://secunia.com/advisories/39242 http://secunia.com/advisories/39243 http://secunia.com/advisories/39278 http://secunia.com/advisories/39292 http://secunia.com/advisories/39317 http://secunia.com/advisories/39461 http://secunia.com/advisories/39500 http://secunia.com/advisories/39628 http://secunia.com/advisories/39632 http://secunia.com/advisories/39713 http://secunia.com/advisories/39819 http://secunia.com/advisories/40070 http://secunia.com/advisories/40545 http://secunia.com/advisories/40747 http://secunia.com/advisories/40866 http://secunia.com/advisories/41480 http://secunia.com/advisories/41490 http://secunia.com/advisories/41818 http://secunia.com/advisories/41967 http://secunia.com/advisories/41972 http://secunia.com/advisories/42377 http://secunia.com/advisories/42379 http://secunia.com/advisories/42467 http://secunia.com/advisories/42724 http://secunia.com/advisories/42733 http://secunia.com/advisories/42808 http://secunia.com/advisories/42811 http://secunia.com/advisories/42816 http://secunia.com/advisories/43308 http://secunia.com/advisories/44183 http://secunia.com/advisories/44954 http://secunia.com/advisories/48577 http://security.gentoo.org/glsa/glsa-200912-01.xml http://security.gentoo.org/glsa/glsa-201203-22.xml http://security.gentoo.org/glsa/glsa-201406-32.xml http://securitytracker.com/id?1023148 http://slackware.com/security/viewer.php?l=slackware-security&y=2009&m=slackware-security.597446 http://sunsolve.sun.com/search/document.do?assetkey=1-26-273350-1 http://sunsolve.sun.com/search/document.do?assetkey=1-66-273029-1 http://sunsolve.sun.com/search/document.do?assetkey=1-66-274990-1 http://sunsolve.sun.com/search/document.do?assetkey=1-77-1021653.1-1 http://sunsolve.sun.com/search/document.do?assetkey=1-77-1021752.1-1 http://support.apple.com/kb/HT4004 http://support.apple.com/kb/HT4170 http://support.apple.com/kb/HT4171 http://support.avaya.com/css/P8/documents/100070150 http://support.avaya.com/css/P8/documents/100081611 http://support.avaya.com/css/P8/documents/100114315 http://support.avaya.com/css/P8/documents/100114327 http://support.citrix.com/article/CTX123359 http://support.zeus.com/zws/media/docs/4.3/RELEASE_NOTES http://support.zeus.com/zws/news/2010/01/13/zws_4_3r5_released http://sysoev.ru/nginx/patch.cve-2009-3555.txt http://tomcat.apache.org/native-doc/miscellaneous/changelog-1.1.x.html http://ubuntu.com/usn/usn-923-1 http://wiki.rpath.com/Advisories:rPSA-2009-0155 http://www.arubanetworks.com/support/alerts/aid-020810.txt http://www.betanews.com/article/1257452450 http://www.cisco.com/en/US/products/products_security_advisory09186a0080b01d1d.shtml http://www.debian.org/security/2009/dsa-1934 http://www.debian.org/security/2011/dsa-2141 http://www.debian.org/security/2015/dsa-3253 http://www.educatedguesswork.org/2009/11/understanding_the_tls_renegoti.html http://www.hitachi.co.jp/Prod/comp/soft1/security/info/vuls/HS10-030/index.html http://www.ietf.org/mail-archive/web/tls/current/msg03928.html http://www.ietf.org/mail-archive/web/tls/current/msg03948.html http://www.ingate.com/Relnote.php?ver=481 http://www.itrc.hp.com/service/cki/docDisplay.do?docId=emr_na-c02512995 http://www.kb.cert.org/vuls/id/120541 http://www.links.org/?p=780 http://www.links.org/?p=786 http://www.links.org/?p=789 http://www.mandriva.com/security/advisories?name=MDVSA-2010:076 http://www.mandriva.com/security/advisories?name=MDVSA-2010:084 http://www.mandriva.com/security/advisories?name=MDVSA-2010:089 http://www.mozilla.org/security/announce/2010/mfsa2010-22.html http://www.openoffice.org/security/cves/CVE-2009-3555.html http://www.openssl.org/news/secadv_20091111.txt http://www.openwall.com/lists/oss-security/2009/11/05/3 http://www.openwall.com/lists/oss-security/2009/11/05/5 http://www.openwall.com/lists/oss-security/2009/11/06/3 http://www.openwall.com/lists/oss-security/2009/11/07/3 http://www.openwall.com/lists/oss-security/2009/11/20/1 http://www.openwall.com/lists/oss-security/2009/11/23/10 http://www.opera.com/docs/changelogs/unix/1060/ http://www.opera.com/support/search/view/944/ http://www.oracle.com/technetwork/topics/security/cpuapr2011-301950.html http://www.oracle.com/technetwork/topics/security/cpuoct2010-175626.html http://www.oracle.com/technetwork/topics/security/javacpuoct2010-176258.html http://www.proftpd.org/docs/RELEASE_NOTES-1.3.2c http://www.redhat.com/support/errata/RHSA-2010-0119.html http://www.redhat.com/support/errata/RHSA-2010-0130.html http://www.redhat.com/support/errata/RHSA-2010-0155.html http://www.redhat.com/support/errata/RHSA-2010-0165.html http://www.redhat.com/support/errata/RHSA-2010-0167.html http://www.redhat.com/support/errata/RHSA-2010-0337.html http://www.redhat.com/support/errata/RHSA-2010-0338.html http://www.redhat.com/support/errata/RHSA-2010-0339.html http://www.redhat.com/support/errata/RHSA-2010-0768.html http://www.redhat.com/support/errata/RHSA-2010-0770.html http://www.redhat.com/support/errata/RHSA-2010-0786.html http://www.redhat.com/support/errata/RHSA-2010-0807.html http://www.redhat.com/support/errata/RHSA-2010-0865.html http://www.redhat.com/support/errata/RHSA-2010-0986.html http://www.redhat.com/support/errata/RHSA-2010-0987.html http://www.redhat.com/support/errata/RHSA-2011-0880.html http://www.securegoose.org/2009/11/tls-renegotiation-vulnerability-cve.html http://www.securityfocus.com/archive/1/507952/100/0/threaded http://www.securityfocus.com/archive/1/508075/100/0/threaded http://www.securityfocus.com/archive/1/508130/100/0/threaded http://www.securityfocus.com/archive/1/515055/100/0/threaded http://www.securityfocus.com/archive/1/516397/100/0/threaded http://www.securityfocus.com/archive/1/522176 http://www.securityfocus.com/bid/36935 http://www.securitytracker.com/id?1023163 http://www.securitytracker.com/id?1023204 http://www.securitytracker.com/id?1023205 http://www.securitytracker.com/id?1023206 http://www.securitytracker.com/id?1023207 http://www.securitytracker.com/id?1023208 http://www.securitytracker.com/id?1023209 http://www.securitytracker.com/id?1023210 http://www.securitytracker.com/id?1023211 http://www.securitytracker.com/id?1023212 http://www.securitytracker.com/id?1023213 http://www.securitytracker.com/id?1023214 http://www.securitytracker.com/id?1023215 http://www.securitytracker.com/id?1023216 http://www.securitytracker.com/id?1023217 http://www.securitytracker.com/id?1023218 http://www.securitytracker.com/id?1023219 http://www.securitytracker.com/id?1023224 http://www.securitytracker.com/id?1023243 http://www.securitytracker.com/id?1023270 http://www.securitytracker.com/id?1023271 http://www.securitytracker.com/id?1023272 http://www.securitytracker.com/id?1023273 http://www.securitytracker.com/id?1023274 http://www.securitytracker.com/id?1023275 http://www.securitytracker.com/id?1023411 http://www.securitytracker.com/id?1023426 http://www.securitytracker.com/id?1023427 http://www.securitytracker.com/id?1023428 http://www.securitytracker.com/id?1024789 http://www.tombom.co.uk/blog/?p=85 http://www.ubuntu.com/usn/USN-1010-1 http://www.ubuntu.com/usn/USN-927-1 http://www.ubuntu.com/usn/USN-927-4 http://www.ubuntu.com/usn/USN-927-5 http://www.us-cert.gov/cas/techalerts/TA10-222A.html http://www.us-cert.gov/cas/techalerts/TA10-287A.html http://www.vmware.com/security/advisories/VMSA-2010-0019.html http://www.vmware.com/security/advisories/VMSA-2011-0003.html http://www.vmware.com/support/vsphere4/doc/vsp_vc41_u1_rel_notes.html http://www.vupen.com/english/advisories/2009/3164 http://www.vupen.com/english/advisories/2009/3165 http://www.vupen.com/english/advisories/2009/3205 http://www.vupen.com/english/advisories/2009/3220 http://www.vupen.com/english/advisories/2009/3310 http://www.vupen.com/english/advisories/2009/3313 http://www.vupen.com/english/advisories/2009/3353 http://www.vupen.com/english/advisories/2009/3354 http://www.vupen.com/english/advisories/2009/3484 http://www.vupen.com/english/advisories/2009/3521 http://www.vupen.com/english/advisories/2009/3587 http://www.vupen.com/english/advisories/2010/0086 http://www.vupen.com/english/advisories/2010/0173 http://www.vupen.com/english/advisories/2010/0748 http://www.vupen.com/english/advisories/2010/0848 http://www.vupen.com/english/advisories/2010/0916 http://www.vupen.com/english/advisories/2010/0933 http://www.vupen.com/english/advisories/2010/0982 http://www.vupen.com/english/advisories/2010/0994 http://www.vupen.com/english/advisories/2010/1054 http://www.vupen.com/english/advisories/2010/1107 http://www.vupen.com/english/advisories/2010/1191 http://www.vupen.com/english/advisories/2010/1350 http://www.vupen.com/english/advisories/2010/1639 http://www.vupen.com/english/advisories/2010/1673 http://www.vupen.com/english/advisories/2010/1793 http://www.vupen.com/english/advisories/2010/2010 http://www.vupen.com/english/advisories/2010/2745 http://www.vupen.com/english/advisories/2010/3069 http://www.vupen.com/english/advisories/2010/3086 http://www.vupen.com/english/advisories/2010/3126 http://www.vupen.com/english/advisories/2011/0032 http://www.vupen.com/english/advisories/2011/0033 http://www.vupen.com/english/advisories/2011/0086 http://www-01.ibm.com/support/docview.wss?uid=swg1IC67848 http://www-01.ibm.com/support/docview.wss?uid=swg1IC68054 http://www-01.ibm.com/support/docview.wss?uid=swg1IC68055 http://www-01.ibm.com/support/docview.wss?uid=swg1PM12247 http://www-01.ibm.com/support/docview.wss?uid=swg21426108 http://www-01.ibm.com/support/docview.wss?uid=swg21432298 http://www-01.ibm.com/support/docview.wss?uid=swg24006386 http://www-01.ibm.com/support/docview.wss?uid=swg24025312 http://www-1.ibm.com/support/search.wss?rs=0&q=PM00675&apar=only http://xss.cx/examples/plesk-reports/plesk-parallels-controlpanel-psa.v.10.3.1_build1013110726.0920os_redhat.el6-billing-system-plugin-javascript-injection-example-poc-report.html https://bugzilla.mozilla.org/show_bug.cgi?id=526689 https://bugzilla.mozilla.org/show_bug.cgi?id=545755 https://bugzilla.redhat.com/show_bug.cgi?id=533125 https://docs.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-049 https://exchange.xforce.ibmcloud.com/vulnerabilities/54158 https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05150888 https://kb.bluecoat.com/index?page=content&id=SA50 https://lists.apache.org/thread.html/ba661b0edd913b39ff129a32d855620dd861883ade05fd88a8ce517d@3Cdev.tomcat.apache.org3E https://lists.apache.org/thread.html/f8e0814e11c7f21f42224b6de111cb3f5e5ab5c15b78924c516d4ec2@3Cdev.tomcat.apache.org3E https://lists.apache.org/thread.html/re3b72cbb13e1dfe85c4a06959a3b6ca6d939b407ecca80db12b54220@3Cdev.tomcat.apache.org3E https://lists.apache.org/thread.html/rf8e8c091182b45daa50d3557cad9b10bb4198e3f08cf8f1c66a1b08d@3Cdev.tomcat.apache.org3E https://oval.cisecurity.org/repository/search/definition/oval3Aorg.mitre.oval3Adef3A10088 https://oval.cisecurity.org/repository/search/definition/oval3Aorg.mitre.oval3Adef3A11578 https://oval.cisecurity.org/repository/search/definition/oval3Aorg.mitre.oval3Adef3A11617 https://oval.cisecurity.org/repository/search/definition/oval3Aorg.mitre.oval3Adef3A7315 https://oval.cisecurity.org/repository/search/definition/oval3Aorg.mitre.oval3Adef3A7478 https://oval.cisecurity.org/repository/search/definition/oval3Aorg.mitre.oval3Adef3A7973 https://oval.cisecurity.org/repository/search/definition/oval3Aorg.mitre.oval3Adef3A8366 https://oval.cisecurity.org/repository/search/definition/oval3Aorg.mitre.oval3Adef3A8535 https://support.f5.com/kb/en-us/solutions/public/10000/700/sol10737.html https://svn.resiprocate.org/rep/ietf-drafts/ekr/draft-rescorla-tls-renegotiate.txt https://www.redhat.com/archives/fedora-package-announce/2009-December/msg00428.html https://www.redhat.com/archives/fedora-package-announce/2009-December/msg00442.html https://www.redhat.com/archives/fedora-package-announce/2009-December/msg00449.html https://www.redhat.com/archives/fedora-package-announce/2009-December/msg00634.html https://www.redhat.com/archives/fedora-package-announce/2009-December/msg00645.html https://www.redhat.com/archives/fedora-package-announce/2009-December/msg00944.html https://www.redhat.com/archives/fedora-package-announce/2009-December/msg01020.html https://www.redhat.com/archives/fedora-package-announce/2009-December/msg01029.html