CVE-2009-1377
Summary
| CVE | CVE-2009-1377 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2009-05-19 19:30:00 UTC |
| Updated | 2022-02-02 15:07:00 UTC |
| Description | The dtls1_buffer_record function in ssl/d1_pkt.c in OpenSSL 0.9.8k and earlier 0.9.8 versions allows remote attackers to cause a denial of service (memory consumption) via a large series of "future epoch" DTLS records that are buffered in a queue, aka "DTLS record buffer limitation bug." |
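The description above names the mechanism: a DTLS receiver parks records whose epoch is ahead of its own (records encrypted under keys from a ChangeCipherSpec it has not yet processed) in an "unprocessed records" queue, and in the affected versions that queue had no bound, so a remote sender could make the receiver allocate without limit. The following is an added example, not OpenSSL's code and not the upstream patch: it models that queue with a real heap copy per buffered record and contrasts the vulnerable shape (any future-epoch record buffered, unbounded) with a hardened shape (buffer only records for the very next epoch, cap the queue, drop everything else). QUEUE_CAP, the function names and the constructed records are assumptions made for this example.

```c
/* Added illustration for CVE-2009-1377, not OpenSSL's code: a model of the DTLS
 * "unprocessed records" queue. QUEUE_CAP, names and records are assumptions. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

#define DTLS_HDR_LEN 13
#define QUEUE_CAP    100   /* assumed cap; not claimed to be the upstream constant */

struct dtls_rec_hdr { uint8_t type; uint16_t version, epoch, length; uint64_t seq; };

/* Parse a DTLS record header (type, version, 16-bit epoch, 48-bit seq, length).
 * Returns 0 on success, -1 if the buffer is shorter than header plus body. */
static int parse_dtls_header(const uint8_t *buf, size_t len, struct dtls_rec_hdr *h)
{
    if (len < DTLS_HDR_LEN) return -1;
    h->type = buf[0]; h->version = (uint16_t)((buf[1] << 8) | buf[2]);
    h->epoch = (uint16_t)((buf[3] << 8) | buf[4]); h->seq = 0;
    for (int i = 5; i < 11; i++) h->seq = (h->seq << 8) | buf[i];
    h->length = (uint16_t)((buf[11] << 8) | buf[12]);
    return (len < DTLS_HDR_LEN + (size_t)h->length) ? -1 : 0;
}

struct rec_node  { struct dtls_rec_hdr hdr; uint8_t *payload; struct rec_node *next; };
struct rec_queue { struct rec_node *head; size_t count; };

/* Copy the record onto the heap: this copy is what a flood makes the receiver keep. */
static int queue_push(struct rec_queue *q, const struct dtls_rec_hdr *h, const uint8_t *p)
{
    struct rec_node *n = calloc(1, sizeof *n);
    if (!n) return -1;
    n->payload = malloc(h->length ? h->length : 1);
    if (!n->payload) { free(n); return -1; }
    memcpy(n->payload, p, h->length);
    n->hdr = *h; n->next = q->head; q->head = n; q->count++;
    return 0;
}

static void queue_free(struct rec_queue *q)
{ while (q->head) { struct rec_node *n = q->head; q->head = n->next; free(n->payload); free(n); } q->count = 0; }

enum rec_verdict { REC_ERROR = -1, REC_PROCESS, REC_BUFFERED, REC_DROPPED };

/* Vulnerable shape: every record from a later epoch is buffered, with no bound. */
static enum rec_verdict buffer_record_vulnerable(struct rec_queue *q, uint16_t cur_epoch,
                                                 const struct dtls_rec_hdr *h, const uint8_t *p)
{
    if (h->epoch <= cur_epoch) return REC_PROCESS;
    return queue_push(q, h, p) == 0 ? REC_BUFFERED : REC_ERROR;
}

/* Hardened shape: buffer only records for the very next epoch, and cap the queue.
 * DTLS is lossy by design, so dropping is safe: a real peer retransmits. */
static enum rec_verdict buffer_record_hardened(struct rec_queue *q, uint16_t cur_epoch,
                                               const struct dtls_rec_hdr *h, const uint8_t *p)
{
    if (h->epoch == cur_epoch) return REC_PROCESS;
    if (h->epoch != (uint16_t)(cur_epoch + 1)) return REC_DROPPED;
    if (q->count >= QUEUE_CAP) return REC_DROPPED;
    return queue_push(q, h, p) == 0 ? REC_BUFFERED : REC_ERROR;
}

/* Build a constructed Application Data record (DTLS 1.0 wire version 0xFEFF). */
static size_t build_record(uint8_t *out, uint16_t epoch, uint64_t seq, uint16_t len)
{
    out[0] = 23; out[1] = 0xFE; out[2] = 0xFF;
    out[3] = (uint8_t)(epoch >> 8); out[4] = (uint8_t)epoch;
    for (int i = 0; i < 6; i++) out[10 - i] = (uint8_t)(seq >> (8 * i));
    out[11] = (uint8_t)(len >> 8); out[12] = (uint8_t)len;
    memset(out + DTLS_HDR_LEN, 0x41, len);
    return DTLS_HDR_LEN + len;
}

/* Feed n records carrying rec_epoch to one variant; return the queue size afterwards. */
static size_t flood(int hardened, uint16_t cur_epoch, uint16_t rec_epoch, size_t n)
{
    struct rec_queue q = {0}; struct dtls_rec_hdr h;
    uint8_t pkt[DTLS_HDR_LEN + 256];
    for (size_t i = 0; i < n; i++) {
        size_t len = build_record(pkt, rec_epoch, i, 256);
        if (parse_dtls_header(pkt, len, &h) != 0) break;
        if (hardened) buffer_record_hardened(&q, cur_epoch, &h, pkt + DTLS_HDR_LEN);
        else          buffer_record_vulnerable(&q, cur_epoch, &h, pkt + DTLS_HDR_LEN);
    }
    size_t count = q.count;
    queue_free(&q);
    return count;
}

size_t flood_vulnerable(uint16_t cur, uint16_t rec, size_t n) { return flood(0, cur, rec, n); }
size_t flood_hardened(uint16_t cur, uint16_t rec, size_t n)   { return flood(1, cur, rec, n); }

int main(void)
{
    printf("10000 records at epoch 7, receiver at epoch 0: vulnerable keeps %zu, hardened keeps %zu; at epoch 1 hardened keeps %zu\n",
           flood_vulnerable(0, 7, 10000), flood_hardened(0, 7, 10000), flood_hardened(0, 1, 10000));
    return 0;
}
```

The vulnerable variant's queue grows one node per datagram for as long as the sender cares to keep transmitting, and because the records are for an epoch the receiver will never reach, nothing ever drains it. The hardened variant never buffers more than QUEUE_CAP records and only for the epoch that the in-progress handshake can actually produce next; anything further ahead is discarded at parse time, which is the check a reviewer should look for in any DTLS record layer, not just OpenSSL's.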
Risk And Classification
Problem Types: CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer). Note that the impact described is unbounded memory consumption from buffered records, i.e. resource exhaustion rather than an out-of-bounds read or write; treat the CWE as NVD's classification, not as evidence of memory corruption.
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Openssl | Openssl | All | All | All | All |
| Application | Openssl | Openssl | 0.9.8 | - | All | All |
| Application | Openssl | Openssl | 0.9.8 | beta1 | All | All |
| Application | Openssl | Openssl | 0.9.8 | beta2 | All | All |
| Application | Openssl | Openssl | 0.9.8 | beta3 | All | All |
| Application | Openssl | Openssl | 0.9.8 | beta4 | All | All |
| Application | Openssl | Openssl | 0.9.8 | beta5 | All | All |
| Application | Openssl | Openssl | 0.9.8 | beta6 | All | All |
| Application | Openssl | Openssl | 0.9.8a | All | All | All |
| Application | Openssl | Openssl | 0.9.8b | All | All | All |
| Application | Openssl | Openssl | 0.9.8c | All | All | All |
| Application | Openssl | Openssl | 0.9.8c-1 | All | All | All |
| Application | Openssl | Openssl | 0.9.8d | All | All | All |
| Application | Openssl | Openssl | 0.9.8e | All | All | All |
| Application | Openssl | Openssl | 0.9.8f | All | All | All |
| Application | Openssl | Openssl | 0.9.8g | All | All | All |
| Application | Openssl | Openssl | 0.9.8g-9 | All | All | All |
| Application | Openssl | Openssl | 0.9.8h | All | All | All |
| Application | Openssl | Openssl | 0.9.8i | All | All | All |
| Application | Openssl | Openssl | 0.9.8j | All | All | All |
| Application | Openssl | Openssl | 0.9.8k | All | All | All |
| Application | Openssl Project | Openssl | 0.9.8c-1 | All | All | All |
| Application | Openssl Project | Openssl | 0.9.8c-2 | All | All | All |
| Application | Openssl Project | Openssl | 0.9.8c-3 | All | All | All |
| Application | Openssl Project | Openssl | 0.9.8c-4 | All | All | All |
| Application | Openssl Project | Openssl | 0.9.8c-5 | All | All | All |
| Application | Openssl Project | Openssl | 0.9.8c-6 | All | All | All |
| Application | Openssl Project | Openssl | 0.9.8c-7 | All | All | All |
| Application | Openssl Project | Openssl | 0.9.8c-8 | All | All | All |
| Application | Openssl Project | Openssl | 0.9.8c-9 | All | All | All |
| Application | Openssl Project | Openssl | 0.9.8d-1 | All | All | All |
| Application | Openssl Project | Openssl | 0.9.8d-2 | All | All | All |
| Application | Openssl Project | Openssl | 0.9.8d-3 | All | All | All |
| Application | Openssl Project | Openssl | 0.9.8d-4 | All | All | All |
| Application | Openssl Project | Openssl | 0.9.8d-5 | All | All | All |
| Application | Openssl Project | Openssl | 0.9.8d-6 | All | All | All |
| Application | Openssl Project | Openssl | 0.9.8d-7 | All | All | All |
| Application | Openssl Project | Openssl | 0.9.8d-8 | All | All | All |
| Application | Openssl Project | Openssl | 0.9.8d-9 | All | All | All |
| Application | Openssl Project | Openssl | 0.9.8e-1 | All | All | All |
| Application | Openssl Project | Openssl | 0.9.8e-2 | All | All | All |
| Application | Openssl Project | Openssl | 0.9.8e-3 | All | All | All |
| Application | Openssl Project | Openssl | 0.9.8e-4 | All | All | All |
| Application | Openssl Project | Openssl | 0.9.8e-5 | All | All | All |
| Application | Openssl Project | Openssl | 0.9.8e-6 | All | All | All |
| Application | Openssl Project | Openssl | 0.9.8e-7 | All | All | All |
| Application | Openssl Project | Openssl | 0.9.8e-8 | All | All | All |
| Application | Openssl Project | Openssl | 0.9.8e-9 | All | All | All |
| Application | Openssl Project | Openssl | 0.9.8f | All | All | All |
| Application | Openssl Project | Openssl | 0.9.8f-1 | All | All | All |
| Application | Openssl Project | Openssl | 0.9.8f-2 | All | All | All |
| Application | Openssl Project | Openssl | 0.9.8f-3 | All | All | All |
| Application | Openssl Project | Openssl | 0.9.8f-4 | All | All | All |
| Application | Openssl Project | Openssl | 0.9.8f-5 | All | All | All |
| Application | Openssl Project | Openssl | 0.9.8f-6 | All | All | All |
| Application | Openssl Project | Openssl | 0.9.8f-7 | All | All | All |
| Application | Openssl Project | Openssl | 0.9.8f-8 | All | All | All |
| Application | Openssl Project | Openssl | 0.9.8f-9 | All | All | All |
| Application | Openssl Project | Openssl | 0.9.8g | All | All | All |
| Application | Openssl Project | Openssl | 0.9.8g-1 | All | All | All |
| Application | Openssl Project | Openssl | 0.9.8g-2 | All | All | All |
| Application | Openssl Project | Openssl | 0.9.8g-3 | All | All | All |
| Application | Openssl Project | Openssl | 0.9.8g-4 | All | All | All |
| Application | Openssl Project | Openssl | 0.9.8g-5 | All | All | All |
| Application | Openssl Project | Openssl | 0.9.8g-6 | All | All | All |
| Application | Openssl Project | Openssl | 0.9.8g-7 | All | All | All |
| Application | Openssl Project | Openssl | 0.9.8g-8 | All | All | All |
| Application | Openssl Project | Openssl | 0.9.8g-9 | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| VUPEN advisory (original page no longer available; the scraped title is an unrelated redirect) | VUPEN | www.vupen.com | |
| kb.bluecoat.com/index | CONFIRM | kb.bluecoat.com | |
| Support / Security / Advisories / / MDVSA-2009:120 | Mandriva | MANDRIVA | www.mandriva.com | |
| HPSBMA02492 SSRT100079 rev.1 - HP System Management Homepage (SMH) for Linux and Windows, Remote Cross Site Scripting (XSS), Denial of Service (DoS), Execution of Arbitrary Code, Unauthorized Access - c02029444 - HP Business Support Center | HP | h20000.www2.hp.com | |
| VooDoo cIRCle security advisory 20091012-01 | CONFIRM | voodoo-circle.sourceforge.net | |
| Ubuntu update for openssl - Secunia.com | SECUNIA | secunia.com | |
| #1930: [PATCH] DTLS record buffer limitation bug | CONFIRM | rt.openssl.org | Patch |
| Repository / Oval Repository | OVAL | oval.cisecurity.org | |
| About Secunia Research | Flexera | SECUNIA | secunia.com | |
| Fedora update for openssl - Secunia Advisories - Vulnerability Information - Secunia.com | SECUNIA | secunia.com | |
| oss-security - Two OpenSSL DTLS remote DoS | MLIST | www.openwall.com | |
| OpenSSL DTLS Denial of Service Vulnerabilities - Secunia Advisories - Vulnerability Information - Secunia.com | SECUNIA | secunia.com | Vendor Advisory |
| sourceforge.net (CONFIRM link; page no longer available) | CONFIRM | sourceforge.net | |
| Gentoo Linux Documentation -- OpenSSL: Multiple vulnerabilities | GENTOO | security.gentoo.org | |
| OpenSSL DTLS Packets Multiple Denial of Service Vulnerabilities | BID | www.securityfocus.com | |
| CVE-2009-1377 | MISC | launchpad.net | |
| Slackware update for openssl - Advisories - Community | SECUNIA | secunia.com | |
| SUSE Update for Multiple Packages - Advisories - Community | SECUNIA | secunia.com | |
| NetBSD update for openssl - Secunia Advisories - Vulnerability Information - Secunia.com | SECUNIA | secunia.com | |
| NetBSD-SA2009-009 | NETBSD | ftp.netbsd.org | |
| '[openssl.org #1930] [PATCH] DTLS record buffer limitation bug' - MARC | MLIST | marc.info | Patch |
| SecurityTracker.com Archives - OpenSSL DTLS Processing Bugs Let Users Deny Service | SECTRACK | www.securitytracker.com | |
| VMware vMA Update for Multiple Packages - Advisories - Community | SECUNIA | secunia.com | |
| VooDoo cIRCle OpenSSL DTLS Denial of Service Vulnerabilities - Secunia.com | SECUNIA | secunia.com | |
| The Slackware Linux Project: Slackware Security Advisories | SLACKWARE | slackware.com | |
| cvs.openssl.org/chngview | CONFIRM | cvs.openssl.org | Patch |
| Support | REDHAT | www.redhat.com | |
| [Security-announce] VMSA-2010-0004 ESX Service Console and vMA third party updates | MLIST | lists.vmware.com | |
| USN-792-1: OpenSSL vulnerabilities | Ubuntu | UBUNTU | www.ubuntu.com | |
| VMware ESX Server 4 Multiple Vulnerabilities - Advisories - Community | SECUNIA | secunia.com | |
| [security-announce] SUSE Security Summary Report: SUSE-SR:2009:011 | SUSE | lists.opensuse.org | |
| Secunia Advisories - Vulnerability Information - Secunia.com | SECUNIA | secunia.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
| Organization | Published | Contributor | Statement |
|---|---|---|---|
| Red Hat | 2009-09-02 | Tomas Hoger | This issue did not affect versions of openssl as shipped in Red Hat Enterprise Linux 3 and 4. This issue was addressed for Red Hat Enterprise Linux 5 by http://rhn.redhat.com/errata/RHSA-2009-1335.html Note that both the DTLS specification and OpenSSL's implementation are still in development and unlikely to be used in production environments. There is no component shipped in Red Hat Enterprise Linux 5 using OpenSSL's DTLS implementation, except for OpenSSL's testing command-line client - openssl. |
Legacy QID Mappings
- 390284 Oracle Managed Virtualization (VM) Server for x86 Security Update for Open Secure Sockets Layer (OpenSSL) (OVMSA-2023-0013)