CVE-2009-1378
Summary
| CVE | CVE-2009-1378 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2009-05-19 19:30:00 UTC |
| Updated | 2022-02-02 15:10:00 UTC |
| Description | Multiple memory leaks in the dtls1_process_out_of_seq_message function in ssl/d1_both.c in OpenSSL 0.9.8k and earlier 0.9.8 versions allow remote attackers to cause a denial of service (memory consumption) via DTLS records that (1) are duplicates or (2) have sequence numbers much greater than current sequence numbers, aka "DTLS fragment handling memory leak." |
Risk And Classification
Problem Types: CWE-401 (Missing Release of Memory after Effective Lifetime)
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Operating System | Canonical | Ubuntu Linux | 6.06 | All | All | All |
| Operating System | Canonical | Ubuntu Linux | 8.04 | All | All | All |
| Operating System | Canonical | Ubuntu Linux | 8.10 | All | All | All |
| Operating System | Canonical | Ubuntu Linux | 9.04 | All | All | All |
| Application | Openssl | Openssl | All | All | All | All |
| Application | Openssl | Openssl | 0.9.8 | - | All | All |
| Application | Openssl | Openssl | 0.9.8 | beta1 | All | All |
| Application | Openssl | Openssl | 0.9.8 | beta2 | All | All |
| Application | Openssl | Openssl | 0.9.8 | beta3 | All | All |
| Application | Openssl | Openssl | 0.9.8 | beta4 | All | All |
| Application | Openssl | Openssl | 0.9.8 | beta5 | All | All |
| Application | Openssl | Openssl | 0.9.8 | beta6 | All | All |
| Application | Openssl | Openssl | 0.9.8a | All | All | All |
| Application | Openssl | Openssl | 0.9.8b | All | All | All |
| Application | Openssl | Openssl | 0.9.8c | All | All | All |
| Application | Openssl | Openssl | 0.9.8d | All | All | All |
| Application | Openssl | Openssl | 0.9.8e | All | All | All |
| Application | Openssl | Openssl | 0.9.8f | All | All | All |
| Application | Openssl | Openssl | 0.9.8g | All | All | All |
| Application | Openssl | Openssl | 0.9.8h | All | All | All |
| Application | Openssl | Openssl | 0.9.8i | All | All | All |
| Application | Openssl | Openssl | 0.9.8j | All | All | All |
| Application | Openssl | Openssl | 0.9.8k | All | All | All |
| Application | Openssl Project | Openssl | 0.9.8c-1 | All | All | All |
| Application | Openssl Project | Openssl | 0.9.8c-2 | All | All | All |
| Application | Openssl Project | Openssl | 0.9.8c-3 | All | All | All |
| Application | Openssl Project | Openssl | 0.9.8c-4 | All | All | All |
| Application | Openssl Project | Openssl | 0.9.8c-5 | All | All | All |
| Application | Openssl Project | Openssl | 0.9.8c-6 | All | All | All |
| Application | Openssl Project | Openssl | 0.9.8c-7 | All | All | All |
| Application | Openssl Project | Openssl | 0.9.8c-8 | All | All | All |
| Application | Openssl Project | Openssl | 0.9.8c-9 | All | All | All |
| Application | Openssl Project | Openssl | 0.9.8d-1 | All | All | All |
| Application | Openssl Project | Openssl | 0.9.8d-2 | All | All | All |
| Application | Openssl Project | Openssl | 0.9.8d-3 | All | All | All |
| Application | Openssl Project | Openssl | 0.9.8d-4 | All | All | All |
| Application | Openssl Project | Openssl | 0.9.8d-5 | All | All | All |
| Application | Openssl Project | Openssl | 0.9.8d-6 | All | All | All |
| Application | Openssl Project | Openssl | 0.9.8d-7 | All | All | All |
| Application | Openssl Project | Openssl | 0.9.8d-8 | All | All | All |
| Application | Openssl Project | Openssl | 0.9.8d-9 | All | All | All |
| Application | Openssl Project | Openssl | 0.9.8e-1 | All | All | All |
| Application | Openssl Project | Openssl | 0.9.8e-2 | All | All | All |
| Application | Openssl Project | Openssl | 0.9.8e-3 | All | All | All |
| Application | Openssl Project | Openssl | 0.9.8e-4 | All | All | All |
| Application | Openssl Project | Openssl | 0.9.8e-5 | All | All | All |
| Application | Openssl Project | Openssl | 0.9.8e-6 | All | All | All |
| Application | Openssl Project | Openssl | 0.9.8e-7 | All | All | All |
| Application | Openssl Project | Openssl | 0.9.8e-8 | All | All | All |
| Application | Openssl Project | Openssl | 0.9.8e-9 | All | All | All |
| Application | Openssl Project | Openssl | 0.9.8f | All | All | All |
| Application | Openssl Project | Openssl | 0.9.8f-1 | All | All | All |
| Application | Openssl Project | Openssl | 0.9.8f-2 | All | All | All |
| Application | Openssl Project | Openssl | 0.9.8f-3 | All | All | All |
| Application | Openssl Project | Openssl | 0.9.8f-4 | All | All | All |
| Application | Openssl Project | Openssl | 0.9.8f-5 | All | All | All |
| Application | Openssl Project | Openssl | 0.9.8f-6 | All | All | All |
| Application | Openssl Project | Openssl | 0.9.8f-7 | All | All | All |
| Application | Openssl Project | Openssl | 0.9.8f-8 | All | All | All |
| Application | Openssl Project | Openssl | 0.9.8f-9 | All | All | All |
| Application | Openssl Project | Openssl | 0.9.8g | All | All | All |
| Application | Openssl Project | Openssl | 0.9.8g-1 | All | All | All |
| Application | Openssl Project | Openssl | 0.9.8g-2 | All | All | All |
| Application | Openssl Project | Openssl | 0.9.8g-3 | All | All | All |
| Application | Openssl Project | Openssl | 0.9.8g-4 | All | All | All |
| Application | Openssl Project | Openssl | 0.9.8g-5 | All | All | All |
| Application | Openssl Project | Openssl | 0.9.8g-6 | All | All | All |
| Application | Openssl Project | Openssl | 0.9.8g-7 | All | All | All |
| Application | Openssl Project | Openssl | 0.9.8g-8 | All | All | All |
| Application | Openssl Project | Openssl | 0.9.8g-9 | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Webmail: Professional email solution - OVHcloud - OVH | VUPEN | www.vupen.com | |
| '[openssl.org #1931] [PATCH] DTLS fragment handling memory leak' - MARC | MLIST | marc.info | Patch |
| kb.bluecoat.com/index | CONFIRM | kb.bluecoat.com | |
| Support / Security / Advisories / MDVSA-2009:120 \| Mandriva | MANDRIVA | www.mandriva.com | |
| VooDoo cIRCle security advisory 20091012-01 | CONFIRM | voodoo-circle.sourceforge.net | |
| Ubuntu update for openssl - Secunia.com | SECUNIA | secunia.com | |
| About Secunia Research \| Flexera | SECUNIA | secunia.com | |
| Fedora update for openssl - Secunia Advisories - Vulnerability Information - Secunia.com | SECUNIA | secunia.com | |
| oss-security - Two OpenSSL DTLS remote DoS | MLIST | www.openwall.com | |
| 'Re: [openssl.org #1931] [PATCH] DTLS fragment handling memory leak' - MARC | MLIST | marc.info | Exploit |
| Repository / Oval Repository | OVAL | oval.cisecurity.org | |
| OpenSSL DTLS Denial of Service Vulnerabilities - Secunia Advisories - Vulnerability Information - Secunia.com | SECUNIA | secunia.com | Vendor Advisory |
| Page not found - SourceForge.net | CONFIRM | sourceforge.net | |
| Gentoo Linux Documentation -- OpenSSL: Multiple vulnerabilities | GENTOO | security.gentoo.org | |
| OpenSSL <= 0.9.8k, 1.0.0-beta2 DTLS Remote Memory Exhaustion DoS | EXPLOIT-DB | www.exploit-db.com | |
| OpenSSL DTLS Packets Multiple Denial of Service Vulnerabilities | BID | www.securityfocus.com | |
| HPSBMA02492 SSRT100079 rev.1 - HP System Management Homepage (SMH) for Linux and Windows, Remote Cross Site Scripting (XSS), Denial of Service (DoS), Execution of Arbitrary Code, Unauthorized Access - c02029444 - HP Business Support Center | HP | h20000.www2.hp.com | |
| Slackware update for openssl - Advisories - Community | SECUNIA | secunia.com | |
| SUSE Update for Multiple Packages - Advisories - Community | SECUNIA | secunia.com | |
| NetBSD update for openssl - Secunia Advisories - Vulnerability Information - Secunia.com | SECUNIA | secunia.com | |
| NetBSD-SA2009-009 | NETBSD | ftp.netbsd.org | |
| #1931: [PATCH] DTLS fragment handling memory leak | CONFIRM | rt.openssl.org | Patch |
| SecurityTracker.com Archives - OpenSSL DTLS Processing Bugs Let Users Deny Service | SECTRACK | www.securitytracker.com | |
| VMware vMA Update for Multiple Packages - Advisories - Community | SECUNIA | secunia.com | |
| VooDoo cIRCle OpenSSL DTLS Denial of Service Vulnerabilities - Secunia.com | SECUNIA | secunia.com | |
| The Slackware Linux Project: Slackware Security Advisories | SLACKWARE | slackware.com | |
| cvs.openssl.org/chngview | CONFIRM | cvs.openssl.org | Patch |
| CVE-2009-1378 | MISC | launchpad.net | |
| Support | REDHAT | www.redhat.com | |
| [Security-announce] VMSA-2010-0004 ESX Service Console and vMA third party updates | MLIST | lists.vmware.com | |
| USN-792-1: OpenSSL vulnerabilities \| Ubuntu | UBUNTU | www.ubuntu.com | |
| VMware ESX Server 4 Multiple Vulnerabilities - Advisories - Community | SECUNIA | secunia.com | |
| [security-announce] SUSE Security Summary Report: SUSE-SR:2009:011 | SUSE | lists.opensuse.org | |
| Secunia Advisories - Vulnerability Information - Secunia.com | SECUNIA | secunia.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
| Organization | Published | Contributor | Statement |
|---|---|---|---|
| Red Hat | 2009-09-02 | Tomas Hoger | This issue did not affect versions of openssl as shipped in Red Hat Enterprise Linux 3 and 4. This issue was addressed for Red Hat Enterprise Linux 5 by http://rhn.redhat.com/errata/RHSA-2009-1335.html. Note that both the DTLS specification and OpenSSL's implementation are still in development and unlikely to be used in production environments. There is no component shipped in Red Hat Enterprise Linux 5 using OpenSSL's DTLS implementation, except for OpenSSL's testing command line client, openssl. |
Legacy QID Mappings
- 390284 Oracle Managed Virtualization (VM) Server for x86 Security Update for Open Secure Sockets Layer (OpenSSL) (OVMSA-2023-0013)