CVE-2009-2409

Severity

51%

Complexity

49%

Confidentiality

106%

The Network Security Services (NSS) library before 3.12.3, as used in Firefox; GnuTLS before 2.6.4 and 2.7.4; OpenSSL 0.9.8 through 0.9.8k; and other products support MD2 with X.509 certificates, which might allow remote attackers to spoof certificates by using MD2 design flaws to generate a hash collision in less than brute-force time. NOTE: the scope of this issue is currently limited because the amount of computation required is still large.

The Network Security Services (NSS) library before 3.12.3, as used in Firefox; GnuTLS before 2.6.4 and 2.7.4; OpenSSL 0.9.8 through 0.9.8k; and other products support MD2 with X.509 certificates, which might allow remote attackers to spoof certificates by using MD2 design flaws to generate a hash collision in less than brute-force time. NOTE: the scope of this issue is currently limited because the amount of computation required is still large.

CVSS 2.0 Base Score 5.1. CVSS Attack Vector: network. CVSS Attack Complexity: high. CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:P).

Overview

First reported 15 years ago

2009-07-30 19:30:00

Last updated 6 years ago

2018-10-10 19:40:00

Affected Software

OpenSSL Project OpenSSL 0.9.8

0.9.8

OpenSSL Project OpenSSL 0.9.8a

0.9.8a

OpenSSL Project OpenSSL 0.9.8b

0.9.8b

OpenSSL Project OpenSSL 0.9.8c

0.9.8c

OpenSSL Project OpenSSL 0.9.8d

0.9.8d

OpenSSL Project OpenSSL 0.9.8e

0.9.8e

OpenSSL Project OpenSSL 0.9.8f

0.9.8f

OpenSSL Project OpenSSL 0.9.8g

0.9.8g

OpenSSL Project OpenSSL 0.9.8h

0.9.8h

OpenSSL Project OpenSSL 0.9.8i

0.9.8i

OpenSSL Project OpenSSL 0.9.8j

0.9.8j

OpenSSL Project OpenSSL 0.9.8k

0.9.8k

GNU GnuTLS 1.0.16

1.0.16

GNU GnuTLS 1.0.17

1.0.17

GNU GnuTLS 1.0.18

1.0.18

GNU GnuTLS 1.0.19

1.0.19

GNU GnuTLS 1.0.20

1.0.20

GNU GnuTLS 1.0.21

1.0.21

GNU GnuTLS 1.0.22

1.0.22

GNU GnuTLS 1.0.23

1.0.23

GNU GnuTLS 1.0.24

1.0.24

GNU GnuTLS 1.0.25

1.0.25

GNU GnuTLS 1.1.13

1.1.13

GNU GnuTLS 1.1.14

1.1.14

GNU GnuTLS 1.1.15

1.1.15

GNU GnuTLS 1.1.16

1.1.16

GNU GnuTLS 1.1.17

1.1.17

GNU GnuTLS 1.1.18

1.1.18

GNU GnuTLS 1.1.19

1.1.19

GNU GnuTLS 1.1.20

1.1.20

GNU GnuTLS 1.1.21

1.1.21

GNU GnuTLS 1.1.22

1.1.22

GNU GnuTLS 1.1.23

1.1.23

GNU GnuTLS 1.2.0

1.2.0

GNU GnuTLS 1.2.1

1.2.1

GNU GnuTLS 1.2.2

1.2.2

GNU GnuTLS 1.2.3

1.2.3

GNU GnuTLS 1.2.4

1.2.4

GNU GnuTLS 1.2.5

1.2.5

GNU GnuTLS 1.2.6

1.2.6

GNU GnuTLS 1.2.7

1.2.7

GNU GnuTLS 1.2.8

1.2.8

GNU GnuTLS 1.2.8.1a1

1.2.8.1a1

GNU GnuTLS 1.2.9

1.2.9

GNU GnuTLS 1.2.10

1.2.10

GNU GnuTLS 1.2.11

1.2.11

GNU GnuTLS 1.3.0

1.3.0

GNU GnuTLS 1.3.1

1.3.1

GNU GnuTLS 1.3.2

1.3.2

GNU GnuTLS 1.3.3

1.3.3

GNU GnuTLS 1.3.4

1.3.4

GNU GnuTLS 1.3.5

1.3.5

GNU GnuTLS 1.4.0

1.4.0

GNU GnuTLS 1.4.1

1.4.1

GNU GnuTLS 1.4.2

1.4.2

GNU GnuTLS 1.4.3

1.4.3

GNU GnuTLS 1.4.4

1.4.4

GNU GnuTLS 1.4.5

1.4.5

GNU GnuTLS 1.5.0

1.5.0

GNU GnuTLS 1.5.1

1.5.1

GNU GnuTLS 1.5.2

1.5.2

GNU GnuTLS 1.5.3

1.5.3

GNU GnuTLS 1.5.4

1.5.4

GNU GnuTLS 1.5.5

1.5.5

GNU GnuTLS 1.6.0

1.6.0

GNU GnuTLS 1.6.1

1.6.1

GNU GnuTLS 1.6.2

1.6.2

GNU GnuTLS 1.6.3

1.6.3

GNU GnuTLS 1.7.0

1.7.0

GNU GnuTLS 1.7.1

1.7.1

GNU GnuTLS 1.7.2

1.7.2

GNU GnuTLS 1.7.3

1.7.3

GNU GnuTLS 1.7.4

1.7.4

GNU GnuTLS 1.7.5

1.7.5

GNU GnuTLS 1.7.6

1.7.6

GNU GnuTLS 1.7.7

1.7.7

GNU GnuTLS 1.7.8

1.7.8

GNU GnuTLS 1.7.9

1.7.9

GNU GnuTLS 1.7.10

1.7.10

GNU GnuTLS 1.7.11

1.7.11

GNU GnuTLS 1.7.12

1.7.12

GNU GnuTLS 1.7.13

1.7.13

GNU GnuTLS 1.7.14

1.7.14

GNU GnuTLS 1.7.15

1.7.15

GNU GnuTLS 1.7.16

1.7.16

GNU GnuTLS 1.7.17

1.7.17

GNU GnuTLS 1.7.18

1.7.18

GNU GnuTLS 1.7.19

1.7.19

GNU GnuTLS 2.0.0

2.0.0

GNU GnuTLS 2.0.1

2.0.1

GNU GnuTLS 2.0.2

2.0.2

GNU GnuTLS 2.0.3

2.0.3

GNU GnuTLS 2.0.4

2.0.4

GNU GnuTLS 2.1.0

2.1.0

GNU GnuTLS 2.1.1

2.1.1

GNU GnuTLS 2.1.2

2.1.2

GNU GnuTLS 2.1.3

2.1.3

GNU GnuTLS 2.1.4

2.1.4

GNU GnuTLS 2.1.5

2.1.5

GNU GnuTLS 2.1.6

2.1.6

GNU GnuTLS 2.1.7

2.1.7

GNU GnuTLS 2.1.8

2.1.8

GNU GnuTLS 2.2.0

2.2.0

GNU GnuTLS 2.2.1

2.2.1

GNU GnuTLS 2.2.2

2.2.2

GNU GnuTLS 2.2.3

2.2.3

GNU GnuTLS 2.2.4

2.2.4

GNU GnuTLS 2.2.5

2.2.5

GNU GnuTLS 2.3.0

2.3.0

GNU GnuTLS 2.3.1

2.3.1

GNU GnuTLS 2.3.2

2.3.2

GNU GnuTLS 2.3.3

2.3.3

GNU GnuTLS 2.3.4

2.3.4

GNU GnuTLS 2.3.5

2.3.5

GNU GnuTLS 2.3.6

2.3.6

GNU GnuTLS 2.3.7

2.3.7

GNU GnuTLS 2.3.8

2.3.8

GNU GnuTLS 2.3.9

2.3.9

GNU GnuTLS 2.3.10

2.3.10

GNU GnuTLS 2.3.11

2.3.11

GNU GnuTLS 2.4.0

2.4.0

GNU GnuTLS 2.4.1

2.4.1

GNU GnuTLS 2.4.2

2.4.2

GNU GnuTLS 2.5.0

2.5.0

GNU GnuTLS 2.6.0

2.6.0

GNU GnuTLS 2.6.1

2.6.1

GNU GnuTLS 2.6.2

2.6.2

GNU GnuTLS

GNU GnuTLS 2.7.4

2.7.4

References

http://java.sun.com/j2se/1.5.0/ReleaseNotes.html

Patch

http://java.sun.com/javase/6/webnotes/6u17.html

APPLE-SA-2009-11-09-1

Vendor Advisory

36139

Vendor Advisory

36157

Vendor Advisory

36434

Vendor Advisory

36669

36739

Vendor Advisory

37386

Vendor Advisory

42467

Vendor Advisory

GLSA-200911-02

GLSA-200912-01

http://support.apple.com/kb/HT3937

DSA-1874

MDVSA-2009:197

MDVSA-2009:216

MDVSA-2009:258

MDVSA-2010:084

RHSA-2009:1207

RHSA-2009:1432

20101207 VMSA-2010-0019 VMware ESX third party updates for Service Console

1022631

USN-810-1

http://www.vmware.com/security/advisories/VMSA-2010-0019.html

ADV-2009-2085

Vendor Advisory

ADV-2009-3184

Vendor Advisory

ADV-2010-3126

Vendor Advisory

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-2409

[syslog-ng-announce] 20110110 syslog-ng Premium Edition 3.0.6a has been released

[syslog-ng-announce] 20110110 syslog-ng Premium Edition 3.2.1a has been released

oval:org.mitre.oval:def:10763

oval:org.mitre.oval:def:6631

oval:org.mitre.oval:def:7155

oval:org.mitre.oval:def:8594

RHSA-2010:0095

USN-810-2

DSA-1888

Stay updated

ExploitPedia is constantly evolving. Sign up to receive a notification when we release additional functionality.

Get in touch

If you'd like to report a bug or have any suggestions for improvements then please do get in touch with us using this form. We will get back to you as soon as we can.