Vulnerability Details : CVE-2009-3245
OpenSSL before 0.9.8m does not check for a NULL return value from bn_wexpand function calls in (1) crypto/bn/bn_div.c, (2) crypto/bn/bn_gf2m.c, (3) crypto/ec/ec2_smpl.c, and (4) engines/e_ubsec.c, which has unspecified impact and context-dependent attack vectors.
Products affected by CVE-2009-3245
- cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.8:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.8b:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.8c:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.8a:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.8k:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.8i:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.8j:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.8e:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.8f:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.8d:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.8g:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.8h:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2009-3245
19.55%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 95 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2009-3245
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
|
10.0
|
HIGH | AV:N/AC:L/Au:N/C:C/I:C/A:C |
10.0
|
10.0
|
NIST |
CWE ids for CVE-2009-3245
-
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.Assigned by: nvd@nist.gov (Primary)
Vendor statements for CVE-2009-3245
-
Red Hat 2010-03-25Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2009-3245 This issue was fixed in openssl packages in Red Hat Enterprise Linux 5 via: https://rhn.redhat.com/errata/RHSA-2010-0162.html This issue was fixed in openssl096b packages in Red Hat Enterprise Linux 3 and 4 via: https://rhn.redhat.com/errata/RHSA-2010-0173.html The Red Hat Security Response Team has rated this issue as having low security impact on openssl packages in Red Hat Enterprise Linux 3 and 4, a future update may address this flaw.
References for CVE-2009-3245
-
http://www.vupen.com/english/advisories/2010/0916
Webmail | OVH- OVH
-
http://marc.info/?l=openssl-cvs&m=126692170906712&w=2
'[CVS] OpenSSL: openssl/crypto/bn/ bn_div.c bn_gf2m.c openssl/crypto/ec...' - MARCPatch
-
http://lists.opensuse.org/opensuse-security-announce/2010-06/msg00001.html
[security-announce] SUSE Security Summary Report: SUSE-SR:2010:013
-
http://secunia.com/advisories/39461
Sign in
-
http://marc.info/?l=openssl-cvs&m=126692159706582&w=2
'[CVS] OpenSSL: OpenSSL_1_0_0-stable: openssl/crypto/bn/ bn_div.c bn_gf...' - MARCPatch
-
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11738
404 Not Found
-
http://aix.software.ibm.com/aix/efixes/security/openssl_advisory.asc
-
http://lists.fedoraproject.org/pipermail/package-announce/2010-April/038587.html
[SECURITY] Fedora 13 Update: openssl-1.0.0-1.fc13
-
https://lists.balabit.com/pipermail/syslog-ng-announce/2011-January/000102.html
-
http://slackware.com/security/viewer.php?l=slackware-security&y=2010&m=slackware-security.663049
The Slackware Linux Project: Slackware Security Advisories
-
http://www.vupen.com/english/advisories/2010/0839
Webmail | OVH- OVH
-
http://www.securityfocus.com/bid/38562
-
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9790
404 Not Found
-
http://support.apple.com/kb/HT4723
About the security content of Mac OS X v10.6.8 and Security Update 2011-004 - Apple Support
-
http://marc.info/?l=bugtraq&m=127678688104458&w=2
'[security bulletin] HPSBOV02540 SSRT090249 rev.1 - HP SSL for OpenVMS, Remote Unauthorized Data Inje' - MARC
-
https://kb.bluecoat.com/index?page=content&id=SA50
-
http://www.mandriva.com/security/advisories?name=MDVSA-2010:076
mandriva.com
-
http://secunia.com/advisories/38761
About Secunia Research | FlexeraVendor Advisory
-
http://secunia.com/advisories/39932
Sign in
-
https://lists.balabit.com/pipermail/syslog-ng-announce/2011-January/000101.html
-
http://marc.info/?l=openssl-cvs&m=126692180606861&w=2
'[CVS] OpenSSL: OpenSSL_0_9_8-stable: openssl/ CHANGES openssl/crypto/b...' - MARCPatch
-
http://secunia.com/advisories/37291
About Secunia Research | Flexera
-
http://www.redhat.com/support/errata/RHSA-2010-0977.html
Support
-
http://www.vupen.com/english/advisories/2010/1216
Webmail | OVH- OVH
-
http://marc.info/?l=bugtraq&m=127128920008563&w=2
'[security bulletin] HPSBUX02517 SSRT100058 rev.1 - HP-UX Running OpenSSL, Remote Unauthorized Inform' - MARC
-
http://secunia.com/advisories/42724
Runtime Error
-
http://www.ubuntu.com/usn/USN-1003-1
USN-1003-1: OpenSSL vulnerabilities | Ubuntu security notices
-
http://lists.fedoraproject.org/pipermail/package-announce/2010-April/039561.html
[SECURITY] Fedora 11 Update: openssl-0.9.8n-1.fc11
-
http://secunia.com/advisories/42733
Runtime Error
-
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6640
404 Not Found
-
http://www.vupen.com/english/advisories/2010/0933
Webmail | OVH- OVH
-
http://lists.apple.com/archives/security-announce/2011//Jun/msg00000.html
Apple - Lists.apple.com
-
http://www.redhat.com/support/errata/RHSA-2011-0896.html
Support
-
http://packetstormsecurity.com/files/153392/ABB-HMI-Outdated-Software-Components.html
ABB HMI Outdated Software Components ≈ Packet Storm
Jump to