CVE-2009-1378
Summary
| CVE | CVE-2009-1378 |
|---|---|
| State | PUBLISHED |
| Assigner | redhat |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2009-05-19 19:30:00 UTC |
| Updated | 2026-04-23 00:35:47 UTC |
| Description | Multiple memory leaks in the dtls1_process_out_of_seq_message function in ssl/d1_both.c in OpenSSL 0.9.8k and earlier 0.9.8 versions allow remote attackers to cause a denial of service (memory consumption) via DTLS records that (1) are duplicates or (2) have sequence numbers much greater than current sequence numbers, aka "DTLS fragment handling memory leak." |
Risk And Classification
CVSS v2.0 Breakdown
| Metric | Value |
|---|---|
| Access Vector | Network |
| Access Complexity | Low |
| Authentication | None |
| Confidentiality | None |
| Integrity | None |
| Availability | Partial |
| Vector String | AV:N/AC:L/Au:N/C:N/I:N/A:P |
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Operating System | Canonical | Ubuntu Linux | 6.06 | All | All | All |
| Operating System | Canonical | Ubuntu Linux | 8.04 | All | All | All |
| Operating System | Canonical | Ubuntu Linux | 8.10 | All | All | All |
| Operating System | Canonical | Ubuntu Linux | 9.04 | All | All | All |
| Application | Openssl | Openssl | All | All | All | All |
Vendor Declared Affected Products
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Slackware update for openssl - Advisories - Community | af854a3a-2127-422b-91ae-364da2661108 | secunia.com | Not Applicable, Third Party Advisory |
| Webmail : Solution de messagerie professionnelle - OVHcloud- OVH | af854a3a-2127-422b-91ae-364da2661108 | www.vupen.com | Permissions Required, Third Party Advisory |
| ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2009-009.txt.asc | af854a3a-2127-422b-91ae-364da2661108 | ftp.netbsd.org | Broken Link, Third Party Advisory |
| cvs.openssl.org/chngview | af854a3a-2127-422b-91ae-364da2661108 | cvs.openssl.org | Broken Link, Patch, Vendor Advisory |
| VooDoo cIRCle OpenSSL DTLS Denial of Service Vulnerabilities - Secunia.com | af854a3a-2127-422b-91ae-364da2661108 | secunia.com | Not Applicable, Third Party Advisory |
| Ubuntu update for openssl - Secunia.com | af854a3a-2127-422b-91ae-364da2661108 | secunia.com | Not Applicable, Third Party Advisory |
| Gentoo Linux Documentation -- OpenSSL: Multiple vulnerabilities | af854a3a-2127-422b-91ae-364da2661108 | security.gentoo.org | Third Party Advisory |
| oss-security - Two OpenSSL DTLS remote DoS | af854a3a-2127-422b-91ae-364da2661108 | www.openwall.com | Mailing List, Third Party Advisory |
| '[openssl.org #1931] [PATCH] DTLS fragment handling memory leak' - MARC | af854a3a-2127-422b-91ae-364da2661108 | marc.info | Mailing List, Patch, Third Party Advisory |
| VMware vMA Update for Multiple Packages - Advisories - Community | af854a3a-2127-422b-91ae-364da2661108 | secunia.com | Not Applicable, Third Party Advisory |
| The Slackware Linux Project: Slackware Security Advisories | af854a3a-2127-422b-91ae-364da2661108 | slackware.com | Mailing List, Third Party Advisory |
| Repository / Oval Repository | af854a3a-2127-422b-91ae-364da2661108 | oval.cisecurity.org | Broken Link, Tool Signature |
| kb.bluecoat.com/index | af854a3a-2127-422b-91ae-364da2661108 | kb.bluecoat.com | Broken Link |
| OpenSSL DTLS Packets Multiple Denial of Service Vulnerabilities | af854a3a-2127-422b-91ae-364da2661108 | www.securityfocus.com | Broken Link, Third Party Advisory, VDB Entry |
| About Secunia Research \| Flexera | af854a3a-2127-422b-91ae-364da2661108 | secunia.com | Not Applicable, Third Party Advisory |
| NetBSD update for openssl - Secunia Advisories - Vulnerability Information - Secunia.com | af854a3a-2127-422b-91ae-364da2661108 | secunia.com | Not Applicable, Third Party Advisory |
| Support | af854a3a-2127-422b-91ae-364da2661108 | www.redhat.com | Third Party Advisory |
| OpenSSL DTLS Denial of Service Vulnerabilities - Secunia Advisories - Vulnerability Information - Secunia.com | af854a3a-2127-422b-91ae-364da2661108 | secunia.com | Not Applicable, Third Party Advisory |
| Secunia Advisories - Vulnerability Information - Secunia.com | af854a3a-2127-422b-91ae-364da2661108 | secunia.com | Not Applicable, Third Party Advisory |
| [security-announce] SUSE Security Summary Report: SUSE-SR:2009:011 | af854a3a-2127-422b-91ae-364da2661108 | lists.opensuse.org | Mailing List, Third Party Advisory |
| Page not found - SourceForge.net | af854a3a-2127-422b-91ae-364da2661108 | sourceforge.net | Broken Link |
| Webmail : Solution de messagerie professionnelle - OVHcloud- OVH | af854a3a-2127-422b-91ae-364da2661108 | www.vupen.com | Permissions Required, Third Party Advisory |
| Fedora update for openssl - Secunia Advisories - Vulnerability Information - Secunia.com | af854a3a-2127-422b-91ae-364da2661108 | secunia.com | Not Applicable, Third Party Advisory |
| VooDoo cIRCle security advisory 20091012-01 | af854a3a-2127-422b-91ae-364da2661108 | voodoo-circle.sourceforge.net | Third Party Advisory |
| CVE-2009-1378 | af854a3a-2127-422b-91ae-364da2661108 | launchpad.net | Third Party Advisory |
| 'Re: [openssl.org #1931] [PATCH] DTLS fragment handling memory leak' - MARC | af854a3a-2127-422b-91ae-364da2661108 | marc.info | Exploit, Mailing List, Third Party Advisory |
| HPSBMA02492 SSRT100079 rev.1 - HP System Management Homepage (SMH) for Linux and Windows, Remote Cross Site Scripting (XSS), Denial of Service (DoS), Execution of Arbitrary Code, Unauthorized Access - c02029444 - HP Business Support Center | af854a3a-2127-422b-91ae-364da2661108 | h20000.www2.hp.com | Broken Link, Third Party Advisory |
| About Secunia Research \| Flexera | af854a3a-2127-422b-91ae-364da2661108 | secunia.com | Not Applicable, Third Party Advisory |
| USN-792-1: OpenSSL vulnerabilities \| Ubuntu | af854a3a-2127-422b-91ae-364da2661108 | www.ubuntu.com | Third Party Advisory |
| [Security-announce] VMSA-2010-0004 ESX Service Console and vMA third party updates | af854a3a-2127-422b-91ae-364da2661108 | lists.vmware.com | Third Party Advisory |
| Support / Security / Advisories / / MDVSA-2009:120 \| Mandriva | af854a3a-2127-422b-91ae-364da2661108 | www.mandriva.com | Not Applicable |
| VMware ESX Server 4 Multiple Vulnerabilities - Advisories - Community | af854a3a-2127-422b-91ae-364da2661108 | secunia.com | Not Applicable, Third Party Advisory |
| #1931: [PATCH] DTLS fragment handling memory leak | af854a3a-2127-422b-91ae-364da2661108 | rt.openssl.org | Broken Link, Third Party Advisory |
| SUSE Update for Multiple Packages - Advisories - Community | af854a3a-2127-422b-91ae-364da2661108 | secunia.com | Not Applicable, Third Party Advisory |
| OpenSSL <= 0.9.8k, 1.0.0-beta2 DTLS Remote Memory Exhaustion DoS | af854a3a-2127-422b-91ae-364da2661108 | www.exploit-db.com | Exploit, Third Party Advisory, VDB Entry |
| Repository / Oval Repository | af854a3a-2127-422b-91ae-364da2661108 | oval.cisecurity.org | Broken Link, Tool Signature |
| SecurityTracker.com Archives - OpenSSL DTLS Processing Bugs Let Users Deny Service | af854a3a-2127-422b-91ae-364da2661108 | www.securitytracker.com | Broken Link, Third Party Advisory, VDB Entry |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
| Organization | Published | Contributor | Statement |
|---|---|---|---|
| Red Hat | 2009-09-02 | Tomas Hoger | This issue did not affect versions of openssl as shipped in Red Hat Enterprise Linux 3 and 4. This issue was addressed for Red Hat Enterprise Linux 5 by http://rhn.redhat.com/errata/RHSA-2009-1335.html Note that both the DTLS specification and OpenSSL's implementation are still in development and unlikely to be used in production environments. There is no component shipped in Red Hat Enterprise Linux 5 using OpenSSL's DTLS implementation, except for OpenSSL's testing command line client - openssl. |
Legacy QID Mappings
- 390284 Oracle Managed Virtualization (VM) Server for x86 Security Update for Open Secure Sockets Layer (OpenSSL) (OVMSA-2023-0013)