Vulnerability Details : CVE-2009-1377
The dtls1_buffer_record function in ssl/d1_pkt.c in OpenSSL 0.9.8k and earlier 0.9.8 versions allows remote attackers to cause a denial of service (memory consumption) via a large series of "future epoch" DTLS records that are buffered in a queue, aka "DTLS record buffer limitation bug."
Vulnerability category: Denial of service
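The description above is the whole bug: the DTLS record layer keeps a queue of records whose epoch is one ahead of the current epoch (they arrive before the local ChangeCipherSpec has been processed), and nothing bounds that queue, so an unauthenticated peer can make the receiver hold an arbitrary number of records. The C model below is added here as an illustration and is not OpenSSL's code from ssl/d1_pkt.c; the queue layout, function names, and the cap of 100 records are this example's own assumptions. It buffers records the way the description says, with a `queue_limit` of 0 reproducing the vulnerable behaviour and any other value showing the kind of size check the referenced patch introduced.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Fields of a DTLS record that matter for this bug; type, version and
 * length from the real 13-byte header are omitted from the model. */
struct dtls_record {
    uint16_t epoch;             /* epoch from the record header */
    uint64_t seq;               /* 48-bit sequence number, widened */
    size_t len;                 /* payload length */
    unsigned char *payload;     /* heap copy the receiver has to keep alive */
    struct dtls_record *next;
};

/* FIFO of records that arrived from the next epoch before the local side
 * processed the ChangeCipherSpec that would let it decrypt them. */
struct record_queue {
    struct dtls_record *head, *tail;
    size_t count;               /* records held */
    size_t bytes;               /* payload bytes held, to make the cost visible */
};

#define QUEUE_UNBOUNDED 0       /* limit 0 models the pre-fix code: no cap */

static void queue_free(struct record_queue *q)
{
    struct dtls_record *r = q->head;
    while (r) {
        struct dtls_record *next = r->next;
        free(r->payload);
        free(r);
        r = next;
    }
    memset(q, 0, sizeof *q);
}

/* Buffer a copy of an incoming record if it belongs to the next epoch.
 * Returns 1 if buffered, 0 if dropped.  queue_limit is the hypothetical
 * cap (an assumption of this example, not OpenSSL's exact constant). */
int buffer_future_record(struct record_queue *q, uint16_t cur_epoch,
                         uint16_t epoch, uint64_t seq,
                         const unsigned char *data, size_t len,
                         size_t queue_limit)
{
    /* Only records from exactly the next epoch are buffered at all. */
    if (epoch != (uint16_t)(cur_epoch + 1))
        return 0;
    /* The check the vulnerable code lacked: stop holding records for a
     * peer that has not finished the handshake once the queue is full. */
    if (queue_limit != QUEUE_UNBOUNDED && q->count >= queue_limit)
        return 0;

    struct dtls_record *r = calloc(1, sizeof *r);
    if (r == NULL)
        return 0;
    r->payload = malloc(len ? len : 1);
    if (r->payload == NULL) {
        free(r);
        return 0;
    }
    memcpy(r->payload, data, len);
    r->epoch = epoch;
    r->seq = seq;
    r->len = len;
    if (q->tail)
        q->tail->next = r;
    else
        q->head = r;
    q->tail = r;
    q->count++;
    q->bytes += len;
    return 1;
}

/* Constructed attack: one peer sends n records, every one tagged epoch+1,
 * without ever completing the handshake.  Returns how many records the
 * receiver ends up holding and, via bytes_held, the payload memory cost. */
size_t simulate_future_epoch_flood(size_t n, size_t payload_len,
                                   size_t queue_limit, size_t *bytes_held)
{
    struct record_queue q;
    unsigned char *payload = malloc(payload_len ? payload_len : 1);
    if (payload == NULL)
        return 0;
    memset(payload, 'A', payload_len);          /* constructed filler payload */
    memset(&q, 0, sizeof q);

    const uint16_t cur_epoch = 0;               /* handshake not finished */
    for (size_t i = 0; i < n; i++)
        buffer_future_record(&q, cur_epoch, (uint16_t)(cur_epoch + 1), i,
                             payload, payload_len, queue_limit);

    size_t held = q.count;
    if (bytes_held)
        *bytes_held = q.bytes;
    queue_free(&q);
    free(payload);
    return held;
}

int main(void)
{
    size_t bytes, held;
    held = simulate_future_epoch_flood(10000, 1024, QUEUE_UNBOUNDED, &bytes);
    printf("unbounded: %zu records, %zu bytes held\n", held, bytes);
    held = simulate_future_epoch_flood(10000, 1024, 100, &bytes);
    printf("limit 100: %zu records, %zu bytes held\n", held, bytes);
    return 0;
}
```

With no limit the receiver's memory grows linearly with the number of records the peer sends, which is the denial of service; with a cap, the peer can at most pin `queue_limit` records' worth of memory per association. In a real server the per-record cost is the full datagram (up to the path MTU), so the gap between the two runs is far larger than the toy payload suggests.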
Products affected by CVE-2009-1377
- cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:* (per the description above: 0.9.8k and earlier 0.9.8 releases)
Exploit prediction scoring system (EPSS) score for CVE-2009-1377
EPSS score: 4.44% (probability of exploitation activity in the next 30 days)
EPSS percentile: ~88% (proportion of vulnerabilities scored at or below this)
CVSS scores for CVE-2009-1377
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P | 10.0 | 2.9 | NIST | 
CWE ids for CVE-2009-1377
- The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data. Assigned by: nvd@nist.gov (Primary). Note that this weakness text describes out-of-bounds memory access, whereas the behaviour described above is unbounded memory consumption from queued records, not a buffer overrun.
Vendor statements for CVE-2009-1377
- Red Hat (2009-09-02): This issue did not affect versions of openssl as shipped in Red Hat Enterprise Linux 3 and 4. This issue was addressed for Red Hat Enterprise Linux 5 by http://rhn.redhat.com/errata/RHSA-2009-1335.html. Note that both the DTLS specification and OpenSSL's implementation are still in development and unlikely to be used in production environments. There is no component shipped in Red Hat Enterprise Linux 5 using OpenSSL's DTLS implementation, except for OpenSSL's testing command line client, openssl.
References for CVE-2009-1377
- http://secunia.com/advisories/35571 [Third Party Advisory]
- http://secunia.com/advisories/35729 [Third Party Advisory]
- http://marc.info/?l=openssl-dev&m=124247675613888&w=2 ("[openssl.org #1930] [PATCH] DTLS record buffer limitation bug", MARC) [Mailing List; Patch; Third Party Advisory]
- http://www.mandriva.com/security/advisories?name=MDVSA-2009:120 (Mandriva) [Broken Link]
- http://www.redhat.com/support/errata/RHSA-2009-1335.html (Red Hat Support) [Third Party Advisory]
- http://cvs.openssl.org/chngview?cn=18187 [Broken Link; Patch; Third Party Advisory]
- http://rt.openssl.org/Ticket/Display.html?id=1930&user=guest&pass=guest [Broken Link; Mailing List; Patch; Third Party Advisory]
- http://secunia.com/advisories/35461 [Third Party Advisory]
- http://www.vupen.com/english/advisories/2010/0528 [Permissions Required; Third Party Advisory]
- http://secunia.com/advisories/37003 [Third Party Advisory]
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9663 [Tool Signature; link currently returns 404]
- http://lists.opensuse.org/opensuse-security-announce/2009-06/msg00003.html (SUSE Security Summary Report SUSE-SR:2009:011, openSUSE Security Announce) [Third Party Advisory]
- http://lists.vmware.com/pipermail/security-announce/2010/000082.html [Third Party Advisory; link currently returns 502]
- http://www.securitytracker.com/id?1022241 [Third Party Advisory; VDB Entry]
- http://www.ubuntu.com/usn/USN-792-1 (USN-792-1: OpenSSL vulnerabilities, Ubuntu security notices) [Third Party Advisory]
- http://www.openwall.com/lists/oss-security/2009/05/18/1 (oss-security: Two OpenSSL DTLS remote DoS) [Mailing List]
- ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2009-009.txt.asc [Broken Link; Third Party Advisory]
- http://secunia.com/advisories/38794 [Third Party Advisory]
- http://secunia.com/advisories/36533 [Third Party Advisory]
- http://slackware.com/security/viewer.php?l=slackware-security&y=2010&m=slackware-security.663049 (Slackware Security Advisories) [Mailing List; Third Party Advisory]
- https://kb.bluecoat.com/index?page=content&id=SA50 [Broken Link]
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6683 [Tool Signature; link currently returns 404]
- http://secunia.com/advisories/38761 [Third Party Advisory]
- http://secunia.com/advisories/38834 [Third Party Advisory]
- http://secunia.com/advisories/35416 [Third Party Advisory]
- http://security.gentoo.org/glsa/glsa-200912-01.xml (GLSA 200912-01: OpenSSL: Multiple vulnerabilities) [Third Party Advisory]
- http://secunia.com/advisories/42724 [Third Party Advisory]
- http://voodoo-circle.sourceforge.net/sa/sa-20091012-01.html (VooDoo cIRCle security advisory 20091012-01) [Third Party Advisory]
- http://sourceforge.net/mailarchive/message.php?msg_name=4AD43807.7080105%40users.sourceforge.net [Broken Link]
- http://www.securityfocus.com/bid/35001 [Third Party Advisory; VDB Entry]
- http://secunia.com/advisories/42733 [Third Party Advisory]
- https://launchpad.net/bugs/cve/2009-1377 (Launchpad: CVE-2009-1377) [Third Party Advisory]
- http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02029444 [Broken Link; Third Party Advisory]
- http://secunia.com/advisories/35128 [Third Party Advisory; Vendor Advisory]
- http://www.vupen.com/english/advisories/2009/1377 [Permissions Required; Third Party Advisory]