what you don't know can hurt you
Showing 1 - 25 of 58 RSS Feed

CVE-2009-3555

Status Candidate

Overview

The TLS protocol, and the SSL protocol 3.0 and possibly earlier, as used in Microsoft Internet Information Services (IIS) 7.0, mod_ssl in the Apache HTTP Server 2.2.14 and earlier, OpenSSL before 0.9.8l, GnuTLS 2.8.5 and earlier, Mozilla Network Security Services (NSS) 3.12.4 and earlier, multiple Cisco products, and other products, does not properly associate renegotiation handshakes with an existing connection, which allows man-in-the-middle attackers to insert data into HTTPS sessions, and possibly other types of sessions protected by TLS or SSL, by sending an unauthenticated request that is processed retroactively by a server in a post-renegotiation context, related to a "plaintext injection" attack, aka the "Project Mogul" issue.

Related Files

HP Security Bulletin HPSBMU03611 1
Posted May 26, 2016
Authored by HP | Site hp.com

HP Security Bulletin HPSBMU03611 1 - Multiple potential security vulnerabilities have been identified with the Matrix Operating Environment on Windows and Linux that could be exploited remotely resulting in Denial of Service (DoS), Unauthorized Access, Execution of arbitrary code, Cross-site scripting (XSS), Disclosure of Sensitive Information, Code Execution, and locally resulting in Cross-site Request Forgery (CSRF). Revision 1 of this advisory.

tags | advisory, denial of service, arbitrary, vulnerability, code execution, xss, csrf
systems | linux, windows
advisories | CVE-2009-3555, CVE-2014-3508, CVE-2014-3509, CVE-2014-3511, CVE-2014-3513, CVE-2014-3567, CVE-2014-3568, CVE-2014-3569, CVE-2015-0205, CVE-2015-1788, CVE-2015-1789, CVE-2015-1790, CVE-2015-1791, CVE-2015-1792, CVE-2015-3194, CVE-2015-3195, CVE-2015-6565, CVE-2015-7501, CVE-2016-0705, CVE-2016-0799, CVE-2016-2017, CVE-2016-2018, CVE-2016-2019, CVE-2016-2020, CVE-2016-2021, CVE-2016-2022, CVE-2016-2026, CVE-2016-2027
SHA-256 | 07f921689053d6bedbb8e1f9fc233c8b5f70902577e1ef3c8ec264ef9e30544e
Debian Security Advisory 3253-1
Posted May 8, 2015
Authored by Debian | Site debian.org

Debian Linux Security Advisory 3253-1 - Pound, a HTTP reverse proxy and load balancer, had several issues related to vulnerabilities in the Secure Sockets Layer (SSL) protocol.

tags | advisory, web, vulnerability, protocol
systems | linux, debian
advisories | CVE-2009-3555, CVE-2012-4929, CVE-2014-3566
SHA-256 | 09deb636c70138068c014c0f9575be8db21fe581187a43aab3741e4a8320f77f
HP Security Bulletin HPSBHF03293
Posted Mar 18, 2015
Authored by HP | Site hp.com

HP Security Bulletin HPSBHF03293 1 - Potential security vulnerabilities have been identified with HP Virtual Connect 8Gb 24-Port FC Module running OpenSSL and Bash including heartbleed, padding oracle, and shellshock issues. Revision 1 of this advisory.

tags | advisory, vulnerability, bash
advisories | CVE-2009-3555, CVE-2014-0160, CVE-2014-0195, CVE-2014-3505, CVE-2014-3506, CVE-2014-3507, CVE-2014-3508, CVE-2014-3509, CVE-2014-3510, CVE-2014-3511, CVE-2014-3512, CVE-2014-3566, CVE-2014-5139
SHA-256 | 30d1ba0b92a93958f1b541914c45bffd10181d46e5a162699dcd2c22a93f67c4
Gentoo Linux Security Advisory 201406-32
Posted Jun 30, 2014
Authored by Gentoo | Site security.gentoo.org

Gentoo Linux Security Advisory 201406-32 - Multiple vulnerabilities have been found in the IcedTea JDK, the worst of which could lead to arbitrary code execution. Versions less than 6.1.13.3 are affected.

tags | advisory, arbitrary, vulnerability, code execution
systems | linux, gentoo
advisories | CVE-2009-3555, CVE-2010-2548, CVE-2010-2783, CVE-2010-3541, CVE-2010-3548, CVE-2010-3549, CVE-2010-3551, CVE-2010-3553, CVE-2010-3554, CVE-2010-3557, CVE-2010-3561, CVE-2010-3562, CVE-2010-3564, CVE-2010-3565, CVE-2010-3566, CVE-2010-3567, CVE-2010-3568, CVE-2010-3569, CVE-2010-3573, CVE-2010-3574, CVE-2010-3860, CVE-2010-4351, CVE-2010-4448, CVE-2010-4450, CVE-2010-4465, CVE-2010-4467, CVE-2010-4469, CVE-2010-4470
SHA-256 | 090fb98b78d165daf38005d744a51c041e7041bc82e7280894ff7c9447061a32
Gentoo Linux Security Advisory 201311-13
Posted Nov 20, 2013
Authored by Gentoo | Site security.gentoo.org

Gentoo Linux Security Advisory 201311-13 - Multiple vulnerabilities have been found in OpenVPN, allowing remote attackers to read encrypted traffic. Versions less than 2.3.1 are affected.

tags | advisory, remote, vulnerability
systems | linux, gentoo
advisories | CVE-2009-3555, CVE-2013-2061
SHA-256 | d2f81af3f93b9da61e7132428ea1952938c2cc2f98696e6c78aa0f34389ff15f
Gentoo Linux Security Advisory 201309-15
Posted Sep 24, 2013
Authored by Gentoo | Site security.gentoo.org

Gentoo Linux Security Advisory 201309-15 - Multiple vulnerabilities have been found in ProFTPD, the worst of which leading to remote execution of arbitrary code. Versions less than 1.3.4d are affected.

tags | advisory, remote, arbitrary, vulnerability
systems | linux, gentoo
advisories | CVE-2009-3555, CVE-2010-3867, CVE-2010-4221, CVE-2010-4652, CVE-2011-1137, CVE-2011-4130, CVE-2012-6095, CVE-2013-4359
SHA-256 | 791bb06b4102a706095adc46d590ae0b5ea0a225e56966180f59fa840c1de6d2
Mandriva Linux Security Advisory 2013-019
Posted Mar 8, 2013
Authored by Mandriva | Site mandriva.com

Mandriva Linux Security Advisory 2013-019 - A flaw was found in the way the TLS/SSL (Transport Layer Security/Secure Sockets Layer) protocols handled session renegotiation. A man-in-the-middle attacker could use this flaw to prefix arbitrary plain text to a client's session (for example, an HTTPS connection to a website. This could force the server to process an attacker's request as if authenticated using the victim's credentials. This update addresses this flaw by implementing the TLS Renegotiation Indication Extension, as defined in RFC 5746. The TLS implementation in GnuTLS before 2.12.23, 3.0.x before 3.0.28, and 3.1.x before 3.1.7 does not properly consider timing side-channel attacks on a noncompliant MAC check operation during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, a related issue to CVE-2013-0169. The updated packages have been patched to correct these issues.

tags | advisory, remote, web, arbitrary, protocol
systems | linux, mandriva
advisories | CVE-2009-3555, CVE-2013-1619
SHA-256 | 0aa58a05023ecaae15a6d536a958775447e0d5df7c99b2a7e6c3cf316869b997
Debian Security Advisory 2626-1
Posted Feb 18, 2013
Authored by Debian | Site debian.org

Debian Linux Security Advisory 2626-1 - Several vulnerabilities were discovered in the TLS/SSL protocol. This update addresses these protocol vulnerabilities in lighttpd.

tags | advisory, vulnerability, protocol
systems | linux, debian
advisories | CVE-2009-3555, CVE-2012-4929
SHA-256 | 5e292e8e54175e8e00b461c7e8f7fe9612ce8efb84127e0f77aa67d27dba9078
HP Security Bulletin HPSBMU02799 SSRT100867
Posted Jul 17, 2012
Authored by HP | Site hp.com

HP Security Bulletin HPSBMU02799 SSRT100867 - Potential security vulnerabilities have been identified with HP Network Node Manager I (NNMi) running JDK for HP-UX, Linux, Solaris, and Windows. The vulnerabilities could be remotely exploited resulting in unauthorized information disclosure, modification, Denial of Service (DoS). Revision 1 of this advisory.

tags | advisory, denial of service, vulnerability, info disclosure
systems | linux, windows, solaris, hpux
advisories | CVE-2009-3555, CVE-2009-3865, CVE-2009-3866, CVE-2009-3867, CVE-2009-3868, CVE-2009-3869, CVE-2009-3871, CVE-2009-3872, CVE-2009-3873, CVE-2009-3874, CVE-2009-3875, CVE-2009-3876, CVE-2010-0082, CVE-2010-0084, CVE-2010-0085, CVE-2010-0087, CVE-2010-0088, CVE-2010-0089, CVE-2010-0090, CVE-2010-0091, CVE-2010-0092, CVE-2010-0093, CVE-2010-0094, CVE-2010-0095, CVE-2010-0837, CVE-2010-0838, CVE-2010-0839, CVE-2010-0840
SHA-256 | af5aa7411f209bd1b8e376b060609e532e0a6cc8c62657e0f3d48fc012d4cba4
Gentoo Linux Security Advisory 201206-18
Posted Jun 23, 2012
Authored by Gentoo | Site security.gentoo.org

Gentoo Linux Security Advisory 201206-18 - Multiple vulnerabilities have been found in GnuTLS, allowing a remote attacker to perform man-in-the-middle or Denial of Service attacks. Versions less than 2.12.18 are affected.

tags | advisory, remote, denial of service, vulnerability
systems | linux, gentoo
advisories | CVE-2009-2730, CVE-2009-3555, CVE-2011-4128, CVE-2012-1573
SHA-256 | c75c8a7a91c5efaf8a508739dcbabd15dd3969086e8b5d633124183f164ef053
HP Security Bulletin HPSBOV02762 SSRT100825
Posted Apr 17, 2012
Authored by HP | Site hp.com

HP Security Bulletin HPSBOV02762 SSRT100825 - Potential vulnerabilities have been identified with HP Secure Web Server (SWS) for OpenVMS running CSWS_JAVA. The vulnerabilities could be remotely exploited to create a Denial of Service (DoS), unauthorized access, privilege escalation, unauthorized disclosure of information, or unauthorized modifications. Revision 1 of this advisory.

tags | advisory, web, denial of service, vulnerability
advisories | CVE-2009-0033, CVE-2009-0580, CVE-2009-0781, CVE-2009-2693, CVE-2009-2901, CVE-2009-2902, CVE-2009-3548, CVE-2009-3555, CVE-2010-1157, CVE-2010-4476, CVE-2011-1184, CVE-2011-2204, CVE-2011-2526, CVE-2011-2729, CVE-2011-3190
SHA-256 | 7aea36aed5246255765866fa3709a5b96e6e0350e5b8bf65bfd2aaf3d2eddf7e
HP Security Bulletin HPSBMU02759 SSRT100817
Posted Apr 5, 2012
Authored by HP | Site hp.com

HP Security Bulletin HPSBMU02759 SSRT100817 - Potential security vulnerabilities have been identified with HP Onboard Administrator (OA). The vulnerabilities could be exploited remotely resulting in unauthorized access, unauthorized information disclosure, Denial of Service (DoS), and URL redirection. Revision 1 of this advisory.

tags | advisory, denial of service, vulnerability, info disclosure
advisories | CVE-2008-7270, CVE-2009-3555, CVE-2012-0128, CVE-2012-0129, CVE-2012-0130
SHA-256 | 6ad7ba2c48944ee744e96cf3ef0e46c12152365e66984731869ed2c5c3e97ec0
Gentoo Linux Security Advisory 201203-22
Posted Mar 29, 2012
Authored by Gentoo | Site security.gentoo.org

Gentoo Linux Security Advisory 201203-22 - Multiple vulnerabilities have been found in nginx, the worst of which may allow execution of arbitrary code. Versions less than 1.0.14 are affected.

tags | advisory, arbitrary, vulnerability
systems | linux, gentoo
advisories | CVE-2009-3555, CVE-2009-3896, CVE-2009-3898, CVE-2011-4315, CVE-2012-1180
SHA-256 | f87c96395672de20fa8e80bda814a5583d65f85d89b5d206217a8fec55270448
HP Security Bulletin HPSBHF02706 SSRT100613
Posted Nov 9, 2011
Authored by HP | Site hp.com

HP Security Bulletin HPSBHF02706 SSRT100613 - Potential security vulnerabilities have been identified with HP Integrated Lights-Out iLO2 and iLO3 running SSL/TLS. The vulnerabilities could be remotely exploited to create a Denial of Service (DoS) or unauthorized modification. Revision 1 of this advisory.

tags | advisory, denial of service, vulnerability
advisories | CVE-2008-7270, CVE-2009-3555, CVE-2010-4180
SHA-256 | d4eea79f2c68bc01af2e1e5a79c2d8ef8db67b1660446a519fdd89b2a16d9828
THC SSL Denial Of Service Tool 1.4 Windows Version
Posted Oct 24, 2011
Authored by thc | Site thc.org

THC-SSL-DOS is tool to stress test the SSL handshake by triggering processor intensive RSA_encrypt() calls on the server side. Establishing a secure SSL connection requires 15x more processing power on the server than on the client. THC-SSL-DOS exploits this asymmetric property by overloading the server and knocking it off the Internet. This problem affects all SSL implementations today. The vendors are aware of this problem since 2003 and the topic has been widely discussed. This attack further exploits the SSL secure Renegotiation feature to trigger thousands of renegotiations via a single TCP connection. Windows binary version.

tags | exploit, tool, denial of service, tcp
systems | windows
advisories | CVE-2009-3555
SHA-256 | ec82cd6af4177e4a8b85e8a626ee51b84eae5e08cf6958418b50d517c68148c9
THC SSL Denial Of Service Tool 1.4
Posted Oct 24, 2011
Authored by thc | Site thc.org

THC-SSL-DOS is tool to stress test the SSL handshake by triggering processor intensive RSA_encrypt() calls on the server side. Establishing a secure SSL connection requires 15x more processing power on the server than on the client. THC-SSL-DOS exploits this asymmetric property by overloading the server and knocking it off the Internet. This problem affects all SSL implementations today. The vendors are aware of this problem since 2003 and the topic has been widely discussed. This attack further exploits the SSL secure Renegotiation feature to trigger thousands of renegotiations via a single TCP connection.

tags | exploit, tool, denial of service, tcp
systems | unix
advisories | CVE-2009-3555
SHA-256 | ed7020c0275df347123a0b49a345aa44b2ec9b2ac9b1471870303b8b95c7ef87
Gentoo Linux Security Advisory 201110-05
Posted Oct 10, 2011
Authored by Gentoo | Site security.gentoo.org

Gentoo Linux Security Advisory 201110-5 - Multiple vulnerabilities were found in GnuTLS, allowing for easier man-in-the-middle attacks. Versions less than 2.10.0 are affected.

tags | advisory, vulnerability
systems | linux, gentoo
advisories | CVE-2009-2730, CVE-2009-3555
SHA-256 | 3545aa8d55f2bf105713aa28ad3ddad8c8ca7f796307b025bb1255abe43b0827
Red Hat Security Advisory 2011-0880-01
Posted Jun 17, 2011
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2011-0880-01 - This update corrects several security vulnerabilities in the IBM Java Runtime Environment shipped as part of Red Hat Network Satellite 5.4.1. In a typical operating environment, these are of low security risk as the runtime is not used on untrusted applets. This update fixes several vulnerabilities in the IBM Java 2 Runtime Environment. Detailed vulnerability descriptions are linked from the IBM "Security alerts" page, listed in the References section. Various other issues were also addressed.

tags | advisory, java, vulnerability
systems | linux, redhat
advisories | CVE-2009-3555, CVE-2010-1321, CVE-2010-3541, CVE-2010-3548, CVE-2010-3549, CVE-2010-3550, CVE-2010-3551, CVE-2010-3553, CVE-2010-3555, CVE-2010-3556, CVE-2010-3557, CVE-2010-3558, CVE-2010-3560, CVE-2010-3562, CVE-2010-3563, CVE-2010-3565, CVE-2010-3566, CVE-2010-3568, CVE-2010-3569, CVE-2010-3571, CVE-2010-3572, CVE-2010-3573, CVE-2010-3574, CVE-2010-4422, CVE-2010-4447, CVE-2010-4448, CVE-2010-4452, CVE-2010-4454
SHA-256 | 23e57d99b78195d5d080dfd7d6831e809d977086b9839464c667dc791c8b7697
HP Security Bulletin HPSBOV02683 SSRT090208
Posted May 10, 2011
Authored by HP | Site hp.com

HP Security Bulletin HPSBOV02683 SSRT090208 - Potential vulnerabilities have been identified with HP Secure Web Server (SWS) for OpenVMS running Apache and PHP. The vulnerabilities could be remotely exploited to create a Denial of Service (DoS), unauthorized access, unauthorized disclosure of information, or unauthorized modifications. Revision 1 of this advisory.

tags | advisory, web, denial of service, php, vulnerability
advisories | CVE-2002-0839, CVE-2002-0840, CVE-2003-0542, CVE-2004-0492, CVE-2005-2491, CVE-2005-3352, CVE-2005-3357, CVE-2006-2937, CVE-2006-2940, CVE-2006-3738, CVE-2006-3747, CVE-2006-3918, CVE-2006-4339, CVE-2006-4343, CVE-2007-5000, CVE-2007-6388, CVE-2008-0005, CVE-2009-1891, CVE-2009-3095, CVE-2009-3291, CVE-2009-3292, CVE-2009-3293, CVE-2009-3555, CVE-2010-0010
SHA-256 | a7638da01e18d2a3d9c6e84728556bb08fdb00082b9c904826eb85aa31a5870d
Debian Security Advisory 2161-2
Posted Feb 14, 2011
Authored by Debian | Site debian.org

Debian Linux Security Advisory 2161-2 - It was discovered that the floating point parser in OpenJDK, an implementation of the Java platform, can enter an infinite loop when processing certain input strings. Such input strings represent valid numbers and can be contained in data supplied by an attacker over the network, leading to a denial-of-service attack.

tags | advisory, java
systems | linux, debian
advisories | CVE-2010-4476, CVE-2009-3555
SHA-256 | a0ded925baff43a07590b4642526803be3c5f43236df53cf34ee4a2b37a08de7
VMware Security Advisory 2011-0003
Posted Feb 11, 2011
Authored by VMware | Site vmware.com

VMware Security Advisory 2011-0003 - Update 1 for vCenter Server 4.1, vCenter Update Manager 4.1, vSphere Hypervisor (ESXi) 4.1, ESXi 4.1, addresses several security issues.

tags | advisory
advisories | CVE-2008-0085, CVE-2008-0086, CVE-2008-0106, CVE-2008-0107, CVE-2008-3825, CVE-2008-5416, CVE-2009-1384, CVE-2009-2693, CVE-2009-2901, CVE-2009-2902, CVE-2009-3548, CVE-2009-3555, CVE-2009-4308, CVE-2010-0003, CVE-2010-0007, CVE-2010-0008, CVE-2010-0082, CVE-2010-0084, CVE-2010-0085, CVE-2010-0087, CVE-2010-0088, CVE-2010-0089, CVE-2010-0090, CVE-2010-0091, CVE-2010-0092, CVE-2010-0093, CVE-2010-0094, CVE-2010-0095
SHA-256 | a95e2afdac2f371dde546f60106ef87c8a8060a48b0bed878681c1eba5041ffe
Debian Security Advisory 2141-4
Posted Jan 13, 2011
Authored by Debian | Site debian.org

Debian Linux Security Advisory 2141-4 - The openssl update in DSA-2141-1 caused a regression in lighttpd. Due to a bug in lighttpd, the server fails to start in some configurations if using the updated openssl libraries. This update fixes this problem.

tags | advisory
systems | linux, debian
advisories | CVE-2009-3555
SHA-256 | 6d8bf518952bb36182005427e9e1ac90e6b3e956a42a79dda732a59c8ea917f8
VMware Security Advisory 2010-0019
Posted Dec 8, 2010
Authored by VMware | Site vmware.com

VMware Security Advisory 2010-0019 - ESX 3.x Console OS (COS) updates for samba, bzip2, and openssl packages.

tags | advisory
advisories | CVE-2009-0590, CVE-2009-2409, CVE-2009-3555, CVE-2010-0405, CVE-2010-3069
SHA-256 | 53508d995bd3ee7696e115312bf6f130857171310cf94855d6fe67fca9362f8a
Ubuntu Security Notice 1010-1
Posted Oct 29, 2010
Authored by Ubuntu | Site security.ubuntu.com

Ubuntu Security Notice 1010-1 - Various openjdk issues have been addressed. Marsh Ray and Steve Dispensa discovered a flaw in the TLS and SSLv3 protocols. It was discovered that the HttpURLConnection class did not validate request headers set by java applets, which could allow an attacker to trigger actions otherwise not allowed to HTTP clients. It was discovered that JNDI could leak information that would allow an attacker to to access information about otherwise-protected internal network names. It was discovered that HttpURLConnection improperly handled the "chunked" transfer encoding method, which could allow attackers to conduct HTTP response splitting attacks. It was discovered that the NetworkInterface class improperly checked the network "connect" permissions for local network addresses. Various other issues were discovered and addressed.

tags | advisory, java, web, local, protocol
systems | linux, ubuntu
advisories | CVE-2009-3555, CVE-2010-3541, CVE-2010-3548, CVE-2010-3549, CVE-2010-3551, CVE-2010-3553, CVE-2010-3554, CVE-2010-3557, CVE-2010-3561, CVE-2010-3562, CVE-2010-3564, CVE-2010-3565, CVE-2010-3566, CVE-2010-3567, CVE-2010-3568, CVE-2010-3569, CVE-2010-3573, CVE-2010-3574
SHA-256 | dbf842de06300f7667099150cb0e617a4a3656e900e4a73d6bc01c5ed06a9df2
VMware Security Advisory 2010-0015
Posted Sep 30, 2010
Authored by VMware | Site vmware.com

VMware Security Advisory 2010-0015 - ESX 4.0 Console OS (COS) updates for NSS_db, OpenLDAP, cURL, sudo OpenSSL, GnuTLS, NSS and NSPR packages.

tags | advisory
advisories | CVE-2009-2409, CVE-2009-3245, CVE-2009-3555, CVE-2009-3767, CVE-2010-0433, CVE-2010-0734, CVE-2010-0826, CVE-2010-1646
SHA-256 | fdad8c6c91e0eabfe81a21d19d5f5d5ed52fdc1c4de978eea683eae1e3131b79
Page 1 of 3
Back123Next

File Archive:

May 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    0 Files
  • 2
    May 2nd
    15 Files
  • 3
    May 3rd
    19 Files
  • 4
    May 4th
    24 Files
  • 5
    May 5th
    15 Files
  • 6
    May 6th
    14 Files
  • 7
    May 7th
    0 Files
  • 8
    May 8th
    0 Files
  • 9
    May 9th
    13 Files
  • 10
    May 10th
    7 Files
  • 11
    May 11th
    99 Files
  • 12
    May 12th
    45 Files
  • 13
    May 13th
    7 Files
  • 14
    May 14th
    0 Files
  • 15
    May 15th
    0 Files
  • 16
    May 16th
    16 Files
  • 17
    May 17th
    26 Files
  • 18
    May 18th
    0 Files
  • 19
    May 19th
    0 Files
  • 20
    May 20th
    0 Files
  • 21
    May 21st
    0 Files
  • 22
    May 22nd
    0 Files
  • 23
    May 23rd
    0 Files
  • 24
    May 24th
    0 Files
  • 25
    May 25th
    0 Files
  • 26
    May 26th
    0 Files
  • 27
    May 27th
    0 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close