Vulnerability Details : CVE-2009-1379
Use-after-free vulnerability in the dtls1_retrieve_buffered_fragment function in ssl/d1_both.c in OpenSSL 1.0.0 Beta 2 allows remote attackers to cause a denial of service (openssl s_client crash) and possibly have unspecified other impact via a DTLS packet, as demonstrated by a packet from a server that uses a crafted server certificate.
Vulnerability category: Memory Corruption, Denial of service
Products affected by CVE-2009-1379
- cpe:2.3:a:openssl:openssl:1.0.0:beta2:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2009-1379
- EPSS score: 11.74% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~95% (the proportion of vulnerabilities that are scored at or below this one)
CVSS scores for CVE-2009-1379
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P | 10.0 | 2.9 | NIST |
CWE ids for CVE-2009-1379
- Assigned by: nvd@nist.gov (Primary)
Vendor statements for CVE-2009-1379
- Red Hat (2009-09-02): This issue did not affect versions of openssl as shipped in Red Hat Enterprise Linux 3 and 4. This issue was addressed for Red Hat Enterprise Linux 5 by http://rhn.redhat.com/errata/RHSA-2009-1335.html. Note that both the DTLS specification and OpenSSL's implementation are still in development and unlikely to be used in production environments. There is no component shipped in Red Hat Enterprise Linux 5 using OpenSSL's DTLS implementation, except for OpenSSL's testing command line client - openssl.
References for CVE-2009-1379
- http://www.redhat.com/support/errata/RHSA-2009-1335.html
- http://rt.openssl.org/Ticket/Display.html?id=1923&user=guest&pass=guest (Exploit)
- http://www.vupen.com/english/advisories/2010/0528
- http://lists.opensuse.org/opensuse-security-announce/2009-06/msg00003.html ([security-announce] SUSE Security Summary Report: SUSE-SR:2009:011)
- http://lists.vmware.com/pipermail/security-announce/2010/000082.html
- http://www.securitytracker.com/id?1022241
- http://www.ubuntu.com/usn/USN-792-1 (USN-792-1: OpenSSL vulnerabilities)
- http://www.openwall.com/lists/oss-security/2009/05/18/4 (oss-security - Re: Two OpenSSL DTLS remote DoS)
- ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2009-009.txt.asc
- https://launchpad.net/bugs/cve/2009-1379 (CVE-2009-1379)
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6848
- http://slackware.com/security/viewer.php?l=slackware-security&y=2010&m=slackware-security.663049 (The Slackware Linux Project: Slackware Security Advisories)
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9744
- https://exchange.xforce.ibmcloud.com/vulnerabilities/50661 (OpenSSL dtls1_retrieve_buffered_fragment denial of service CVE-2009-1379 Vulnerability Report)
- https://kb.bluecoat.com/index?page=content&id=SA50
- http://www.securityfocus.com/bid/35138
- http://security.gentoo.org/glsa/glsa-200912-01.xml (OpenSSL: Multiple vulnerabilities (GLSA 200912-01))
- http://voodoo-circle.sourceforge.net/sa/sa-20091012-01.html (VooDoo cIRCle security advisory 20091012-01)
- http://sourceforge.net/mailarchive/message.php?msg_name=4AD43807.7080105%40users.sourceforge.net
- http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02029444
- http://www.vupen.com/english/advisories/2009/1377