CVE-2009-3555

Summary

CVE: CVE-2009-3555
State: PUBLIC
Assigner: [email protected]
Source Priority: CVE Program / NVD first with legacy fallback
Published: 2009-11-09 17:30:00 UTC
Updated: 2023-02-13 02:20:00 UTC
Description: The TLS protocol, and the SSL protocol 3.0 and possibly earlier, as used in Microsoft Internet Information Services (IIS) 7.0, mod_ssl in the Apache HTTP Server 2.2.14 and earlier, OpenSSL before 0.9.8l, GnuTLS 2.8.5 and earlier, Mozilla Network Security Services (NSS) 3.12.4 and earlier, multiple Cisco products, and other products, does not properly associate renegotiation handshakes with an existing connection, which allows man-in-the-middle attackers to insert data into HTTPS sessions, and possibly other types of sessions protected by TLS or SSL, by sending an unauthenticated request that is processed retroactively by a server in a post-renegotiation context, related to a "plaintext injection" attack, aka the "Project Mogul" issue.

Risk And Classification

Problem Types: CWE-295

NVD Known Affected Configurations (CPE 2.3)

Type Vendor Product Version Update Edition Language
Application Apache Http Server All All All All
Operating System Canonical Ubuntu Linux 10.04 All All All
Operating System Canonical Ubuntu Linux 10.10 All All All
Operating System Canonical Ubuntu Linux 8.04 All All All
Operating System Canonical Ubuntu Linux 8.10 All All All
Operating System Canonical Ubuntu Linux 9.04 All All All
Operating System Canonical Ubuntu Linux 9.10 All All All
Operating System Debian Debian Linux 4.0 All All All
Operating System Debian Debian Linux 5.0 All All All
Operating System Debian Debian Linux 6.0 All All All
Operating System Debian Debian Linux 7.0 All All All
Operating System Debian Debian Linux 8.0 All All All
Application F5 Nginx All All All All
Operating System Fedoraproject Fedora 11 All All All
Operating System Fedoraproject Fedora 12 All All All
Operating System Fedoraproject Fedora 13 All All All
Operating System Fedoraproject Fedora 14 All All All
Application Gnu Gnutls All All All All
Application Mozilla Nss All All All All
Application Openssl Openssl 1.0 All openvms All
Application Openssl Openssl All All All All

References

Reference Source Link Tags
OpenOffice.org Data Manipulation and Code Execution Vulnerabilities - Advisories - Community SECUNIA secunia.com Third Party Advisory
Support | Red Hat REDHAT www.redhat.com Third Party Advisory
ASA-2010-119 (RHSA-2010-0165) CONFIRM support.avaya.com Third Party Advisory
CTX123359 - Transport Layer Security Renegotiation Vulnerability - Citrix Knowledge Center CONFIRM support.citrix.com Third Party Advisory
ProFTPD TLS Session Renegotiation Plaintext Injection Vulnerability - Secunia Advisories - Vulnerability Information - Secunia.com SECUNIA secunia.com Third Party Advisory
oss-security - Re: CVE-2009-3555 for TLS renegotiation MITM attacks MLIST www.openwall.com Mailing List, Third Party Advisory
'[security bulletin] HPSBHF03293 rev.1 - HP Virtual Connect 8Gb 24-Port FC Module running OpenSSL and' - MARC HP marc.info Third Party Advisory
[SECURITY] Fedora 11 Update: tomcat-native-1.1.18-1.fc11 FEDORA www.redhat.com Third Party Advisory
Webmail : Solution de messagerie professionnelle - OVHcloud- OVH VUPEN www.vupen.com Third Party Advisory
Microsoft Security Bulletin MS10-049 - Critical | Microsoft Docs MS docs.microsoft.com
Mozilla Firefox Multiple Vulnerabilities - Advisories - Community SECUNIA secunia.com Third Party Advisory
Red Hat Customer Portal MISC access.redhat.com
Red Hat Customer Portal MISC access.redhat.com
HP-UX update for OpenSSL - Secunia Advisories - Vulnerability Information - Secunia.com SECUNIA secunia.com Third Party Advisory
support.zeus.com/zws/media/docs/4.3/RELEASE_NOTES CONFIRM support.zeus.com Broken Link
kb.bluecoat.com/index CONFIRM kb.bluecoat.com Third Party Advisory
Webmail : Solution de messagerie professionnelle - OVHcloud- OVH VUPEN www.vupen.com Third Party Advisory
SecurityTracker.com Archives - Cisco Unified SIP Phones Protocol Flaw in SSL Renegotiation May Let Remote Users Conduct Man-in-the-Middle Attacks SECTRACK www.securitytracker.com Third Party Advisory, VDB Entry
[TLS] MITM attack on delayed TLS-client auth through renegotiation MLIST www.ietf.org Third Party Advisory
IBM WebSphere MQ Internet Pass-Thru TLS Renegotiation Vulnerability - Advisories - Community SECUNIA secunia.com Third Party Advisory
Webmail : Solution de messagerie professionnelle - OVHcloud- OVH VUPEN www.vupen.com Third Party Advisory
Debian -- Security Information -- DSA-1934-1 apache2 DEBIAN www.debian.org Third Party Advisory
SecurityTracker.com Archives - Cisco Video Surveillance Protocol Flaw in SSL Renegotiation May Let Remote Users Conduct Man-in-the-Middle Attacks SECTRACK www.securitytracker.com Third Party Advisory, VDB Entry
Webmail : Solution de messagerie professionnelle - OVHcloud- OVH VUPEN www.vupen.com Third Party Advisory
US-CERT Technical Cyber Security Alert TA10-287A -- Oracle Updates for Multiple Vulnerabilities CERT www.us-cert.gov Third Party Advisory, US Government Resource
About Secunia Research | Flexera SECUNIA secunia.com Third Party Advisory
Webmail : Solution de messagerie professionnelle - OVHcloud- OVH VUPEN www.vupen.com Third Party Advisory
Slackware update for openssl - Secunia Advisories - Vulnerability Information - Secunia.com SECUNIA secunia.com Third Party Advisory
Support | Red Hat REDHAT www.redhat.com Third Party Advisory
Red Hat update for java-1.5.0-ibm - Advisories - Community SECUNIA secunia.com Third Party Advisory
1021752 SUNALERT sunsolve.sun.com Broken Link
SecurityFocus BUGTRAQ www.securityfocus.com Third Party Advisory, VDB Entry
Links » Another Protocol Bites The Dust MISC www.links.org Third Party Advisory
[SECURITY] Fedora 11 Update: openssl-0.9.8n-1.fc11 FEDORA lists.fedoraproject.org Third Party Advisory
SecurityTracker.com Archives - OpenBSD Protocol Flaw in SSL Renegotiation Lets Remote Users Conduct Man-in-the-Middle Attacks SECTRACK www.securitytracker.com Third Party Advisory, VDB Entry
sysoev.ru/nginx/patch.cve-2009-3555.txt CONFIRM sysoev.ru Broken Link
Webmail : Solution de messagerie professionnelle - OVHcloud- OVH VUPEN www.vupen.com Third Party Advisory
Red Hat Customer Portal MISC access.redhat.com
Debian -- Security Information -- DSA-3253-1 pound DEBIAN www.debian.org Third Party Advisory
www.openssl.org/news/secadv_20091111.txt CONFIRM www.openssl.org Third Party Advisory
[SECURITY] Fedora 12 Update: httpd-2.2.14-1.fc12 FEDORA www.redhat.com Third Party Advisory
SecurityTracker.com Archives - Cisco Content Switching Module Protocol Flaw in SSL Renegotiation May Let Remote Users Conduct Man-in-the-Middle Attacks SECTRACK www.securitytracker.com Third Party Advisory, VDB Entry
Red Hat update for JBoss Enterprise Web Server - Advisories - Community SECUNIA secunia.com Third Party Advisory
oss-security - Re: CVEs for nginx MLIST www.openwall.com Mailing List, Third Party Advisory
HP System Management Homepage Multiple Vulnerabilities - Advisories - Community SECUNIA secunia.com Third Party Advisory
Advisories:rPSA-2009-0155 - rPath Wiki CONFIRM wiki.rpath.com Third Party Advisory
About the security content of Java for Mac OS X 10.6 Update 2 CONFIRM support.apple.com Third Party Advisory
Webmail : Solution de messagerie professionnelle - OVHcloud- OVH VUPEN www.vupen.com Third Party Advisory
SecurityFocus BUGTRAQ www.securityfocus.com Third Party Advisory, VDB Entry
About Secunia Research | Flexera SECUNIA secunia.com Third Party Advisory
#273350: Security Vulnerability in the Transport Layer Security (TLS) and Secure Sockets Layer 3.0 (SSLv3) Protocols Involving Handshake Renegotiation Affects Applications Utilizing Network Security Services (NSS) SUNALERT sunsolve.sun.com Broken Link
HPSBGN02562 SSRT090249 rev.1 - HP ProCurve Threat Management Services (TMS) zl Module J9155A and J9156A running TLS/SSL, Remote Unauthorized Data Injection, Denial of Service (DoS) - c02436041 - HP Business Support Center HP h20000.www2.hp.com Broken Link
Opera: Opera 10.60 (with Opera Widgets for Desktop) for UNIX changelog CONFIRM www.opera.com Third Party Advisory
[SECURITY] Fedora 10 Update: nginx-0.7.64-1.fc10 FEDORA www.redhat.com Third Party Advisory
Cosminexusにおける複数の脆弱性:ソフトウェア製品セキュリティ情報:ソフトウェア:日立 CONFIRM www.hitachi.co.jp Third Party Advisory
Ubuntu update for nss - Advisories - Community SECUNIA secunia.com Third Party Advisory
SecurityTracker.com Archives - Citrix Products Protocol Flaw in SSL Renegotiation May Let Remote Users Conduct Man-in-the-Middle Attacks SECTRACK www.securitytracker.com Third Party Advisory, VDB Entry
F5 Products TLS Session Renegotiation Plaintext Injection Vulnerability - Secunia Advisories - Vulnerability Information - Secunia.com SECUNIA secunia.com Third Party Advisory
Repository / Oval Repository OVAL oval.cisecurity.org Third Party Advisory
Webmail : Solution de messagerie professionnelle - OVHcloud- OVH VUPEN www.vupen.com Third Party Advisory
SecurityTracker.com Archives - Sun Java System Web Proxy Server Protocol Flaw in SSL Renegotiation Lets Remote Users Conduct Man-in-the-Middle Attacks SECTRACK www.securitytracker.com Third Party Advisory, VDB Entry
'[security bulletin] HPSBUX02498 SSRT090264 rev.1 - HP-UX Running Apache, Remote Unauthorized Data In' - MARC HP marc.info Third Party Advisory
US-CERT Technical Cyber Security Alert TA10-222A -- Microsoft Updates for Multiple Vulnerabilities CERT www.us-cert.gov Third Party Advisory, US Government Resource
[SECURITY] Fedora 13 Update: java-1.6.0-openjdk-1.6.0.0-43.1.8.2.fc13 FEDORA lists.fedoraproject.org Third Party Advisory
SecurityTracker.com Archives - Cisco Wireless Location Appliance Protocol Flaw in SSL Renegotiation May Let Remote Users Conduct Man-in-the-Middle Attacks SECTRACK www.securitytracker.com Third Party Advisory, VDB Entry
SSRT100179 HP itrc.hp.com Broken Link
SecurityTracker.com Archives - Cisco Application Networking Manager Protocol Flaw in SSL Renegotiation May Let Remote Users Conduct Man-in-the-Middle Attacks SECTRACK www.securitytracker.com Third Party Advisory, VDB Entry
Links » SSL MitM Attack, Part 2 MISC www.links.org Third Party Advisory
Cisco Multiple Products TLS Session Renegotiation Plaintext Injection - Advisories - Community SECUNIA secunia.com Third Party Advisory
rhn.redhat.com | Red Hat Support REDHAT www.redhat.com Third Party Advisory
[security-announce] SUSE-SU-2011:0847-1: important: Security update for SUSE lists.opensuse.org Third Party Advisory
Repository / Oval Repository OVAL oval.cisecurity.org Third Party Advisory
Webmail : Solution de messagerie professionnelle - OVHcloud- OVH VUPEN www.vupen.com Third Party Advisory
Frequency X Blog MISC blogs.iss.net Broken Link
Webmail : Solution de messagerie professionnelle - OVHcloud- OVH VUPEN www.vupen.com Third Party Advisory
Advisories | Mandriva MANDRIVA www.mandriva.com Broken Link
NEOHAPSIS - Peace of Mind Through Integrity and Insight BUGTRAQ archives.neohapsis.com Broken Link
Webmail : Solution de messagerie professionnelle - OVHcloud- OVH VUPEN www.vupen.com Third Party Advisory
SecurityFocus BUGTRAQ www.securityfocus.com Third Party Advisory, VDB Entry
HPSBMA02568 HP www.itrc.hp.com Third Party Advisory
526689 – (CVE-2009-3555) SSL3 & TLS Renegotiation Vulnerability MISC bugzilla.mozilla.org Issue Tracking, Third Party Advisory
Red Hat Customer Portal MISC access.redhat.com
Indiscreet tweet trips awareness of Web SSL vulnerability | Security News - Betanews MISC www.betanews.com Third Party Advisory
SecurityTracker.com Archives - IBM WebSphere MQ Internet pass-thru Protocol Flaw in SSL Renegotiation Lets Remote Users Conduct Man-in-the-Middle Attacks SECTRACK www.securitytracker.com Third Party Advisory, VDB Entry
Apache Mail Archives MISC lists.apache.org
SecurityFocus HP www.securityfocus.com Third Party Advisory, VDB Entry
Red Hat Customer Portal MISC access.redhat.com
[SECURITY] Fedora 12 Update: nginx-0.7.64-1.fc12 FEDORA www.redhat.com Third Party Advisory
Webmail : Solution de messagerie professionnelle - OVHcloud- OVH VUPEN www.vupen.com Third Party Advisory
Support REDHAT www.redhat.com Third Party Advisory
The Secure Goose: TLS renegotiation vulnerability (CVE-2009-3555) MISC www.securegoose.org Third Party Advisory
Webmail : Solution de messagerie professionnelle - OVHcloud- OVH VUPEN www.vupen.com Third Party Advisory
ASA-2009-548 CONFIRM support.avaya.com Third Party Advisory
SecurityTracker.com Archives - CiscoWorks Wireless LAN Solution Engine (WLSE) Protocol Flaw in SSL Renegotiation May Let Remote Users Conduct Man-in-the-Middle Attacks SECTRACK www.securitytracker.com Third Party Advisory, VDB Entry
SecurityTracker.com Archives - Cisco Telepresence Recording Server Protocol Flaw in SSL Renegotiation May Let Remote Users Conduct Man-in-the-Middle Attacks SECTRACK www.securitytracker.com Third Party Advisory, VDB Entry
Sun Solaris OpenSSL TLS Session Renegotiation Plaintext Injection Vulnerability - Secunia Advisories - Vulnerability Information - Secunia.com SECUNIA secunia.com Third Party Advisory
VMSA-2011-0003 CONFIRM www.vmware.com Third Party Advisory
USN-927-5: nspr update | Ubuntu UBUNTU www.ubuntu.com Third Party Advisory
Hitachi Products Multiple Vulnerabilities - Advisories - Community SECUNIA secunia.com Third Party Advisory
ZWS 4.3r5 released (News) CONFIRM support.zeus.com Broken Link
Red Hat update for java-1.5.0-ibm - Advisories - Community SECUNIA secunia.com Third Party Advisory
oss-security - Re: [TLS] CVE-2009-3555 for TLS renegotiation MITM attacks MLIST www.openwall.com Mailing List, Third Party Advisory
Fedora update for httpd - Advisories - Community SECUNIA secunia.com Third Party Advisory
[SECURITY] Fedora 12 Update: nss-util-3.12.5-1.fc12.1 FEDORA www.redhat.com Third Party Advisory
62210 OSVDB osvdb.org Broken Link
Red Hat Customer Portal MISC access.redhat.com
SUSE Update for Multiple Packages - Advisories - Community SECUNIA secunia.com Third Party Advisory
Red Hat Customer Portal MISC access.redhat.com
Debian update for apache2 - Advisories - Community SECUNIA secunia.com Third Party Advisory
Webmail : Solution de messagerie professionnelle - OVHcloud- OVH VUPEN www.vupen.com Third Party Advisory
[security-announce] SUSE Security Announcement: IBM Java 1.4.2 (SUSE-SA: SUSE lists.opensuse.org Third Party Advisory
[security-announce] SUSE Security Announcement: openssl (SUSE-SA:2009:05 SUSE lists.opensuse.org Third Party Advisory
Apache Mail Archives MISC lists.apache.org
rhn.redhat.com | Red Hat Support REDHAT www.redhat.com Third Party Advisory
About Secunia Research | Flexera SECUNIA secunia.com Third Party Advisory
Security Advisories | Mandriva Linux MANDRIVA www.mandriva.com Broken Link
SecurityTracker.com Archives - Cisco Wireless LAN Controller Protocol Flaw in SSL Renegotiation May Let Remote Users Conduct Man-in-the-Middle Attacks SECTRACK www.securitytracker.com Third Party Advisory, VDB Entry
Pony Mail! MISC lists.apache.org
545755 – Update Mozilla stable branches to NSS 3.12.6 and minimal support for RFC 5746 CONFIRM bugzilla.mozilla.org Issue Tracking, Third Party Advisory
[security-announce] openSUSE-SU-2011:0845-1: important: compat-openssl09 SUSE lists.opensuse.org Third Party Advisory
About Security Update 2010-001 CONFIRM support.apple.com Third Party Advisory
Red Hat Customer Portal MISC access.redhat.com
Document Display | HPE Support Center CONFIRM h20566.www2.hpe.com Third Party Advisory
[SECURITY] Fedora 12 Update: tomcat-native-1.1.18-1.fc12 FEDORA www.redhat.com Third Party Advisory
APPLE-SA-2010-01-19-1 Security Update 2010-001 APPLE lists.apple.com Mailing List, Third Party Advisory
Red Hat Customer Portal MISC access.redhat.com
Webmail : Solution de messagerie professionnelle - OVHcloud- OVH VUPEN www.vupen.com Third Party Advisory
Extended Subset » Blog Archive » Authentication Gap in TLS Renegotiation MISC extendedsubset.com Broken Link
Repository / Oval Repository OVAL oval.cisecurity.org Third Party Advisory
IBM IC68054: SECURITY: TRANSPORT LAYER SECURITY (TLS) HANDSHAKE RENEGOTIATION WEAK SECURITY CVE-2009-3555 - United States AIXAPAR www-01.ibm.com Third Party Advisory
IBM IC67848: SECURITY: TRANSPORT LAYER SECURITY (TLS) HANDSHAKE RENEGOTIATIONWEAK SECURITY CVE-2009-3555 - United States AIXAPAR www-01.ibm.com Third Party Advisory
[SECURITY] Fedora 14 Update: java-1.6.0-openjdk-1.6.0.0-44.1.9.1.fc14 FEDORA lists.fedoraproject.org Third Party Advisory
60521 OSVDB osvdb.org Broken Link
BlackBerry Enterprise Server Multiple Vulnerabilities - Secunia.com SECUNIA secunia.com Third Party Advisory
Red Hat Customer Portal MISC access.redhat.com
Nothing found for Support Alerts Aid 020810 Txt CONFIRM www.arubanetworks.com Broken Link
SecurityTracker.com Archives - Cisco Unified Contact Center Protocol Flaw in SSL Renegotiation May Let Remote Users Conduct Man-in-the-Middle Attacks SECTRACK www.securitytracker.com Third Party Advisory, VDB Entry
SecurityTracker.com Archives - Cisco Application Control Engine Protocol Flaw in SSL Renegotiation May Let Remote Users Conduct Man-in-the-Middle Attacks SECTRACK www.securitytracker.com Third Party Advisory, VDB Entry
Sun Java System Products TLS Session Renegotiation Plaintext Injection - Advisories - Community SECUNIA secunia.com Third Party Advisory
SecurityTracker.com Archives - Cisco Application Velocity System Protocol Flaw in SSL Renegotiation May Let Remote Users Conduct Man-in-the-Middle Attacks SECTRACK www.securitytracker.com Third Party Advisory, VDB Entry
About Secunia Research | Flexera SECUNIA secunia.com Third Party Advisory
'[security bulletin] HPSBOV02683 SSRT090208 rev.1 - HP Secure Web Server (SWS) for OpenVMS running Ap' - MARC HP marc.info Third Party Advisory
HP ProCurve Threat Management Services zl Module TLS/SSL Vulnerability - Advisories - Community SECUNIA secunia.com Third Party Advisory
[security-announce] SUSE Security Summary Report: SUSE-SR:2010:024 SUSE lists.opensuse.org Third Party Advisory
Webmail : Solution de messagerie professionnelle - OVHcloud- OVH VUPEN www.vupen.com Third Party Advisory
Webmail : Solution de messagerie professionnelle - OVHcloud- OVH VUPEN www.vupen.com Third Party Advisory
Gentoo Linux Documentation -- OpenSSL: Multiple vulnerabilities GENTOO security.gentoo.org Third Party Advisory
SecurityTracker.com Archives - Cisco IOS Protocol Flaw in SSL Renegotiation May Let Remote Users Conduct Man-in-the-Middle Attacks SECTRACK securitytracker.com Third Party Advisory, VDB Entry
IBM Search results - United States AIXAPAR www-1.ibm.com Third Party Advisory
OpenBSD 4.5 errata OPENBSD openbsd.org Third Party Advisory
Support | Red Hat REDHAT www.redhat.com Third Party Advisory
GnuTLS TLS Session Renegotiation Plaintext Injection Vulnerability - Secunia Advisories - Vulnerability Information - Secunia.com SECUNIA secunia.com Third Party Advisory
Gentoo Linux Documentation -- nginx: Multiple vulnerabilities GENTOO security.gentoo.org Third Party Advisory
[security-announce] SUSE Security Summary Report: SUSE-SR:2010:012 SUSE lists.opensuse.org Third Party Advisory
rhn.redhat.com | Red Hat Support REDHAT www.redhat.com Third Party Advisory
[SECURITY] Fedora 12 Update: java-1.6.0-openjdk-1.6.0.0-41.1.8.2.fc12 FEDORA lists.fedoraproject.org Third Party Advisory
Oracle Java SE and Java for Business Critical Patch Update Advisory - October 2010 CONFIRM www.oracle.com Third Party Advisory
SUSE update for openssl - Advisories - Community SECUNIA secunia.com Third Party Advisory
Webmail : Solution de messagerie professionnelle - OVHcloud- OVH VUPEN www.vupen.com Third Party Advisory
Red Hat Customer Portal MISC access.redhat.com
[SECURITY] Fedora 11 Update: httpd-2.2.15-1.fc11.1 FEDORA lists.fedoraproject.org Third Party Advisory
'[security bulletin] HPSBHF02706 SSRT100613 rev.1 - HP Integrated Lights-Out iLO2 and iLO3 running SS' - MARC HP marc.info Third Party Advisory
rhn.redhat.com | Red Hat Support REDHAT www.redhat.com Third Party Advisory
rhn.redhat.com | Red Hat Support REDHAT www.redhat.com Third Party Advisory
MFSA 2010-22: Update NSS to support TLS renegotiation indication CONFIRM www.mozilla.org Third Party Advisory
Security CONFIRM blogs.sun.com Third Party Advisory
cpuapr2011 CONFIRM www.oracle.com Third Party Advisory
SecurityTracker.com Archives - Cisco Secure Access Control Server Protocol Flaw in SSL Renegotiation May Let Remote Users Conduct Man-in-the-Middle Attacks SECTRACK www.securitytracker.com Third Party Advisory, VDB Entry
HP System Management Homepage Multiple Vulnerabilities - Advisories - Community SECUNIA secunia.com Third Party Advisory
IBM DB2 Data Manipulation and Buffer Overflow Vulnerabilities - Advisories - Community SECUNIA secunia.com Third Party Advisory
Ubuntu update for openjdk-6 - Advisories - Community SECUNIA secunia.com Third Party Advisory
Webmail : Solution de messagerie professionnelle - OVHcloud- OVH VUPEN www.vupen.com Third Party Advisory
IBM - Security Vulnerabilities and HIPER APARs fixed in DB2 for Linux, UNIX, and Windows Version 9.7 Fix Pack 2 CONFIRM www-01.ibm.com Third Party Advisory
Pony Mail! MISC lists.apache.org
Oracle Open Office Multiple Vulnerabilities - Advisories - Community SECUNIA secunia.com Third Party Advisory
Webmail : Solution de messagerie professionnelle - OVHcloud- OVH VUPEN www.vupen.com Third Party Advisory
Support REDHAT www.redhat.com Third Party Advisory
Red Hat Customer Portal MISC access.redhat.com
Red Hat Customer Portal MISC access.redhat.com
Thoughts on the TLS bug « Chris Paget's Blog MISC www.tombom.co.uk Broken Link
USN-1010-1: OpenJDK vulnerabilities | Ubuntu UBUNTU www.ubuntu.com Third Party Advisory
Links » SSL MitM, Day 4 MISC www.links.org Third Party Advisory
SecurityTracker.com Archives - Cisco ASA Protocol Flaw in SSL Renegotiation May Let Remote Users Conduct Man-in-the-Middle Attacks SECTRACK www.securitytracker.com Third Party Advisory, VDB Entry
SecurityTracker.com Archives - CiscoWorks Common Services Protocol Flaw in SSL Renegotiation May Let Remote Users Conduct Man-in-the-Middle Attacks SECTRACK www.securitytracker.com Third Party Advisory, VDB Entry
[TLS] TLS renegotiation issue MLIST www.ietf.org Third Party Advisory
About the security content of Java for Mac OS X 10.5 Update 7 CONFIRM support.apple.com Third Party Advisory
Webmail : Solution de messagerie professionnelle - OVHcloud- OVH VUPEN www.vupen.com Third Party Advisory
[security-announce] SUSE Security Summary Report: SUSE-SR:2010:011 SUSE lists.opensuse.org Third Party Advisory
Apache Mail Archives MLIST lists.apache.org
SecurityTracker.com Archives - Cisco Security Agent Protocol Flaw in SSL Renegotiation May Let Remote Users Conduct Man-in-the-Middle Attacks SECTRACK www.securitytracker.com Third Party Advisory, VDB Entry
Apple Mac OS X Security Update Fixes Multiple Vulnerabilities - Advisories - Community SECUNIA secunia.com Third Party Advisory
Bug 533125 – CVE-2009-3555 TLS: MITM attacks via session renegotiation CONFIRM bugzilla.redhat.com Issue Tracking, Third Party Advisory
[SECURITY] Fedora 13 Update: httpd-2.2.15-1.fc13 FEDORA lists.fedoraproject.org Third Party Advisory
Red Hat Customer Portal MISC access.redhat.com
Apple Mac OS X update for Java - Advisories - Community SECUNIA secunia.com Third Party Advisory
CVE-2009-3555 CONFIRM www.openoffice.org Third Party Advisory
Mozilla SeaMonkey Multiple Vulnerabilities - Advisories - Community SECUNIA secunia.com Third Party Advisory
[SECURITY] Fedora 11 Update: nginx-0.7.64-1.fc11 FEDORA www.redhat.com Third Party Advisory
Webmail : Solution de messagerie professionnelle - OVHcloud- OVH VUPEN www.vupen.com Third Party Advisory
Understanding the TLS Renegotiation Attack - Educated Guesswork MISC www.educatedguesswork.org Third Party Advisory
IBM - Security Vulnerabilities and HIPER APARs fixed in DB2 for Linux, UNIX, and Windows Version 9.1 Fix Pack 9 CONFIRM www-01.ibm.com Third Party Advisory
Red Hat update for java-1.6.0-ibm - Advisories - Community SECUNIA secunia.com Third Party Advisory
'[security bulletin] HPSBUX02517 SSRT100058 rev.1 - HP-UX Running OpenSSL, Remote Unauthorized Inform' - MARC HP marc.info Third Party Advisory
Red Hat Customer Portal MISC access.redhat.com
HP Systems Insight Manager Multiple Vulnerabilities - Advisories - Community SECUNIA secunia.com Third Party Advisory
The Slackware Linux Project: Slackware Security Advisories SLACKWARE slackware.com Third Party Advisory
Multiple Vendor TLS Protocol Session Renegotiation Security Vulnerability BID www.securityfocus.com Exploit, Patch, Third Party Advisory, VDB Entry
Repository / Oval Repository OVAL oval.cisecurity.org Third Party Advisory
Fedora update for openssl - Advisories - Community SECUNIA secunia.com Third Party Advisory
Repository / Oval Repository OVAL oval.cisecurity.org Third Party Advisory
USN-927-4: nss vulnerability | Ubuntu UBUNTU www.ubuntu.com Third Party Advisory
Red Hat Customer Portal MISC access.redhat.com
Red Hat Customer Portal MISC access.redhat.com
SecurityTracker.com Archives - Cisco Wireless Control System Protocol Flaw in SSL Renegotiation May Let Remote Users Conduct Man-in-the-Middle Attacks SECTRACK www.securitytracker.com Third Party Advisory, VDB Entry
Red Hat Customer Portal - Access to 24x7 support and knowledge MISC access.redhat.com
SecurityTracker.com Archives - Cisco Digital Media Media Player and Digital Media Manager Protocol Flaw in SSL Renegotiation May Let Remote Users Conduct Man-in-the-Middle Attacks SECTRACK www.securitytracker.com Third Party Advisory, VDB Entry
Debian update for nss - Advisories - Community SECUNIA secunia.com Third Party Advisory
Red Hat Customer Portal MISC access.redhat.com
404 Not Found MISC svn.resiprocate.org Third Party Advisory
Pony Mail! MLIST lists.apache.org
rhn.redhat.com | Red Hat Support REDHAT www.redhat.com Third Party Advisory
'[security bulletin] HPSBMA02534 SSRT090180 rev.1 - HP System Management Homepage (SMH) for Linux and' - MARC HP marc.info Third Party Advisory
APPLE-SA-2010-05-18-2 Java for Mac OS X 10.5 Update 7 APPLE lists.apple.com Mailing List, Third Party Advisory
Citrix Secure Gateway TLS Session Renegotiation Plaintext Injection - Secunia Advisories - Vulnerability Information - Secunia.com SECUNIA secunia.com Third Party Advisory
404 Not Found CONFIRM www.proftpd.org Broken Link
Debian update for openssl - Advisories - Community SECUNIA secunia.com Third Party Advisory
SOL10737 - SSL Renegotiation vulnerability - CVE-2009-3555 / VU#120541 MISC support.f5.com Third Party Advisory
[security-announce] SUSE Security Summary Report: SUSE-SR:2010:008 SUSE lists.opensuse.org Third Party Advisory
Repository / Oval Repository OVAL oval.cisecurity.org Third Party Advisory
CVE-2011-4745, CVE-2011-4746, CVE-2011-4747, CVE-2009-3555, CVE-2011-4748, CVE-2011-4749, XSS, Cross Site Scripting in psa v10.3.1_build1013110726.09 os_RedHat el6, Billing Manager, CWE-79, CAPEC-86, DORK, GHDB MISC xss.cx Exploit, Third Party Advisory
URL shortener analytics and visitor tracking | clicky.me MISC clicky.me Exploit, Third Party Advisory
Webmail : Solution de messagerie professionnelle - OVHcloud- OVH VUPEN www.vupen.com Third Party Advisory
IBM PM12247: SHIP APAR FIXES FOR H28W610 FIX PACK 6.1.0.31. - United States AIXAPAR www-01.ibm.com Third Party Advisory
Avaya Products TLS Session Renegotiation Plaintext Injection Vulnerability - Secunia Advisories - Vulnerability Information - Secunia.com SECUNIA secunia.com Third Party Advisory
Webmail : Solution de messagerie professionnelle - OVHcloud- OVH VUPEN www.vupen.com Third Party Advisory
Gentoo Linux Documentation -- IcedTea JDK: Multiple vulnerabilities GENTOO security.gentoo.org Third Party Advisory
oss-security - CVEs for nginx MLIST www.openwall.com Mailing List, Third Party Advisory
1021653 SUNALERT sunsolve.sun.com Broken Link
Red Hat Customer Portal MISC access.redhat.com
Red Hat JBoss Enterprise Web Server Protocol Flaw in SSL Renegotiation Lets Remote Users Conduct Man-in-the-Middle Attacks - SecurityTracker SECTRACK www.securitytracker.com Third Party Advisory, VDB Entry
Repository / Oval Repository OVAL oval.cisecurity.org Third Party Advisory
[security-announce] SUSE Security Summary Report: SUSE-SR:2010:019 SUSE lists.opensuse.org Third Party Advisory
rhn.redhat.com | Red Hat Support REDHAT www.redhat.com Third Party Advisory
rhn.redhat.com | Red Hat Support REDHAT www.redhat.com Third Party Advisory
65202 OSVDB osvdb.org Broken Link
Zeus Web Server Multiple Vulnerabilities - Advisories - Community SECUNIA secunia.com Third Party Advisory
Red Hat Customer Portal MISC access.redhat.com
VMSA-2010-0019.3 CONFIRM www.vmware.com Third Party Advisory
Red Hat Knowledgebase: Is Red Hat affected by TLS renegotiation MITM attacks (CVE-2009-3555)? CONFIRM kbase.redhat.com Third Party Advisory
'OpenSSL 0.9.8l released' - MARC MLIST marc.info Third Party Advisory
Webmail : Solution de messagerie professionnelle - OVHcloud- OVH VUPEN www.vupen.com Third Party Advisory
Cisco Security Advisory: Transport Layer Security Renegotiation Vulnerability - Cisco Systems CISCO www.cisco.com Third Party Advisory
'[security bulletin] HPSBMU02799 SSRT100867 rev.1 - HP Network Node Manager i (NNMi) v9.0x Running JD' - MARC HP marc.info Third Party Advisory
'[security bulletin] HPSBUX02524 SSRT100089 rev.1 - HP-UX Running Java, Remote Execution of Arbitrary' - MARC HP marc.info Third Party Advisory
oss-security - CVE-2009-3555 for TLS renegotiation MITM attacks MLIST www.openwall.com Mailing List, Third Party Advisory
Re: TLS renegotiation MITM MLIST lists.gnu.org Third Party Advisory
Avaya Products NSS TLS Session Renegotiation Vulnerability - Advisories - Community SECUNIA secunia.com Third Party Advisory
Aruba Mobility Controller TLS Session Renegotiation Plaintext Injection - Advisories - Community SECUNIA secunia.com Third Party Advisory
Debian -- Security Information -- DSA-2141-1 openssl DEBIAN www.debian.org Third Party Advisory
Full Disclosure: Re: SSL/TLS MiTM PoC FULLDISC seclists.org Mailing List, Third Party Advisory
IBM X-Force Exchange XF exchange.xforce.ibmcloud.com Third Party Advisory, VDB Entry
IBM WebSphere Application Server for z/OS Multiple Vulnerabilities - Advisories - Community SECUNIA secunia.com Third Party Advisory
SecurityTracker.com Archives - Content Services Switch Protocol Flaw in SSL Renegotiation May Let Remote Users Conduct Man-in-the-Middle Attacks SECTRACK www.securitytracker.com Third Party Advisory, VDB Entry
SecurityTracker.com Archives - Solaris Protocol Flaw in SSL Renegotiation Lets Remote Users Conduct Man-in-the-Middle Attacks SECTRACK www.securitytracker.com Third Party Advisory, VDB Entry
Support REDHAT www.redhat.com Third Party Advisory
About Secunia Research | Flexera SECUNIA secunia.com Third Party Advisory
access.redhat.com | CVE-2009-3555 MISC access.redhat.com
G-SEC - Blog: TLS / SSLv3 renegotiation vulnerability explained (Update #2)( MISC blog.g-sec.lu Third Party Advisory
'CVE-2009-3555 - apache/mod_ssl vulnerability and mitigation' - MARC MLIST marc.info Third Party Advisory
USN-923-1: OpenJDK vulnerabilities | Ubuntu UBUNTU ubuntu.com Third Party Advisory
#273029: Security Vulnerability in the Transport Layer Security (TLS) and Secure Sockets Layer 3.0 (SSLv3) Protocols Involving Handshake Renegotiation Affects OpenSSL SUNALERT sunsolve.sun.com Broken Link
Red Hat update for gnutls - Advisories - Community SECUNIA secunia.com Third Party Advisory
Red Hat Customer Portal MISC access.redhat.com
ASA-2010-308 (RHSA-2010-0768) CONFIRM support.avaya.com Third Party Advisory
Pony Mail! MLIST lists.apache.org
Fedora update for tomcat-native - Advisories - Community SECUNIA secunia.com Third Party Advisory
IBM MS81: WebSphere MQ Internet Pass-Thru - United States CONFIRM www-01.ibm.com Third Party Advisory
Webmail: Professional email solution - OVHcloud - OVH VUPEN www.vupen.com Third Party Advisory
SecurityTracker.com Archives - Cisco Wide Area Application Services Protocol Flaw in SSL Renegotiation May Let Remote Users Conduct Man-in-the-Middle Attacks SECTRACK www.securitytracker.com Third Party Advisory, VDB Entry
SecurityTracker.com Archives - Sun Java System Web Server Protocol Flaw in SSL Renegotiation Lets Remote Users Conduct Man-in-the-Middle Attacks SECTRACK www.securitytracker.com Third Party Advisory, VDB Entry
VMware vCenter / ESX Server Update for Oracle (Sun) JRE - Advisories - Community SECUNIA secunia.com Third Party Advisory
SecurityTracker.com Archives - Cisco NX-OS Protocol Flaw in SSL Renegotiation May Let Remote Users Conduct Man-in-the-Middle Attacks SECTRACK www.securitytracker.com Third Party Advisory, VDB Entry
Oracle Critical Patch Update Pre-Release Announcement - October 2010 CONFIRM www.oracle.com Third Party Advisory
[SECURITY] Fedora 10 Update: httpd-2.2.14-1.fc10 FEDORA www.redhat.com Third Party Advisory
Advisories | Mandriva MANDRIVA www.mandriva.com Broken Link
ASA-2010-307 (RHSA-2010-0770) CONFIRM support.avaya.com Third Party Advisory
[security-announce] SUSE Security Summary Report: SUSE-SR:2010:013 SUSE lists.opensuse.org Third Party Advisory
IBM - IBM HTTP Server interim fix for PM00675 CONFIRM www-01.ibm.com Third Party Advisory
APPLE-SA-2010-05-18-1 Java for Mac OS X 10.6 Update 2 APPLE lists.apple.com Mailing List, Third Party Advisory
IBM IC68055: SECURITY: TRANSPORT LAYER SECURITY (TLS) HANDSHAKE RENEGOTIATION WEAK SECURITY CVE-2009-3555 - United States AIXAPAR www-01.ibm.com Third Party Advisory
Advisory: TLS protocol vulnerable to Man In The Middle attack - Opera Knowledge Base CONFIRM www.opera.com Third Party Advisory
Ubuntu update for openjdk - Advisories - Community SECUNIA secunia.com Third Party Advisory
SecurityTracker.com Archives - Cisco Firewall Services Module Protocol Flaw in SSL Renegotiation May Let Remote Users Conduct Man-in-the-Middle Attacks SECTRACK www.securitytracker.com Third Party Advisory, VDB Entry
SecurityTracker.com Archives - Cisco ONS Protocol Flaw in SSL Renegotiation May Let Remote Users Conduct Man-in-the-Middle Attacks SECTRACK www.securitytracker.com Third Party Advisory, VDB Entry
USN-927-1: NSS vulnerability | Ubuntu UBUNTU www.ubuntu.com Third Party Advisory
OpenSSL TLS Session Renegotiation Plaintext Injection Vulnerability - Secunia Advisories - Vulnerability Information - Secunia.com SECUNIA secunia.com Third Party Advisory
F5 Products TLS Session Renegotiation Plaintext Injection Vulnerability - Secunia Advisories - Vulnerability Information - Secunia.com SECUNIA secunia.com Third Party Advisory
'[security bulletin] HPSBOV02762 SSRT100825 rev.1 - HP Secure Web Server (SWS) for OpenVMS running CS' - MARC HP marc.info Third Party Advisory
OpenBSD 4.6 errata OPENBSD openbsd.org Third Party Advisory
Repository / Oval Repository OVAL oval.cisecurity.org Third Party Advisory
rhn.redhat.com | Red Hat Support REDHAT www.redhat.com Third Party Advisory
Mozilla Thunderbird Multiple Vulnerabilities - Advisories - Community SECUNIA secunia.com Third Party Advisory
Support | Red Hat REDHAT www.redhat.com Third Party Advisory
oss-security - Re: CVE-2009-3555 for TLS renegotiation MITM attacks MLIST www.openwall.com Mailing List, Third Party Advisory
The Apache Tomcat Native - Miscellaneous Documentation - CONFIRM tomcat.apache.org Broken Link
Release notice for Ingate Firewall® 4.8.1 and Ingate SIParator® 4.8.1 CONFIRM www.ingate.com Third Party Advisory
60972 OSVDB osvdb.org Broken Link
Apache Mail Archives MLIST lists.apache.org
#274990: Security Vulnerability in the Transport Layer Security (TLS) and Secure Sockets Layer 3.0 (SSLv3) Protocols Affects Multiple Server Products in the Sun Java Enterprise System Suite SUNALERT sunsolve.sun.com Broken Link
SecurityFocus BUGTRAQ www.securityfocus.com Third Party Advisory, VDB Entry
Page not found - Thủ thuật nhà cái MISC extendedsubset.com Broken Link
VMware vCenter Server 4.1 Update 1 Release Notes CONFIRM www.vmware.com Third Party Advisory
US-CERT Vulnerability Note VU#120541 CERT-VN www.kb.cert.org Third Party Advisory, US Government Resource
SecurityTracker.com Archives - Sun GlassFish Enterprise Server/Sun Java Application Server SSL Renegotiation Lets Remote Users Conduct Man-in-the-Middle Attacks SECTRACK www.securitytracker.com Third Party Advisory, VDB Entry
HPSBUX02482 SSRT090249 rev.2 - HP-UX Running OpenSSL, Remote Unauthorized Data Injection, Denial of Service (DoS) - c01945686 - HP Business Support Center HP h20000.www2.hp.com Broken Link
CVE Program record CVE.ORG www.cve.org canonical
NVD vulnerability detail NVD nvd.nist.gov canonical, analysis

Vendor Comments And Credit

Organization: Red Hat
Published: 2009-11-20
Contributor: Tomas Hoger
Statement: Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-3555. Additional information can be found in the Red Hat Knowledgebase article: http://kbase.redhat.com/faq/docs/DOC-20491

Legacy QID Mappings

  • 390279 Oracle Managed Virtualization (VM) Server for x86 Security Update for nss (OVMSA-2023-0014)
  • 390284 Oracle Managed Virtualization (VM) Server for x86 Security Update for Open Secure Sockets Layer (OpenSSL) (OVMSA-2023-0013)
  • 591186 Mitsubishi Electric Air Conditioning Systems Multiple Vulnerabilities (ICSA-22-160-01)
  • 997471 Java (Maven) Security Update for org.apache.tomcat:tomcat (GHSA-f7w7-6pjc-wwm6)