Attacker Value
Unknown
(0 users assessed)
Exploitability
Unknown
(0 users assessed)
User Interaction
Unknown
Privileges Required
Unknown
Attack Vector
Unknown
0

CVE-2009-4355

Disclosure Date: January 14, 2010
CVE-2009-4355
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

Memory leak in the zlib_stateful_finish function in crypto/comp/c_zlib.c in OpenSSL 0.9.8l and earlier and 1.0.0 Beta through Beta 4 allows remote attackers to cause a denial of service (memory consumption) via vectors that trigger incorrect calls to the CRYPTO_cleanup_all_ex_data function, as demonstrated by use of SSLv3 and PHP with the Apache HTTP Server, a related issue to CVE-2008-1678.

Add Assessment

No one has assessed this topic. Be the first to add your voice to the community.

CVSS V3 Severity and Metrics
Base Score:
None
Impact Score:
Unknown
Exploitability Score:
Unknown
Vector:
Unknown
Attack Vector (AV):
Unknown
Attack Complexity (AC):
Unknown
Privileges Required (PR):
Unknown
User Interaction (UI):
Unknown
Scope (S):
Unknown
Confidentiality (C):
Unknown
Integrity (I):
Unknown
Availability (A):
Unknown

General Information

Offensive Application
Unknown
Utility Class
Unknown
Ports
Unknown
OS
Unknown
Vulnerable Versions
n/a
Prerequisites
Unknown
Discovered By
Unknown
PoC Author
Unknown
Metasploit Module
Unknown
Reporter
Unknown

Vendors

  • openssl,
  • redhat

Products

  • openssl,
  • openssl 0.9.1c,
  • openssl 0.9.2b,
  • openssl 0.9.3,
  • openssl 0.9.3a,
  • openssl 0.9.4,
  • openssl 0.9.5,
  • openssl 0.9.5a,
  • openssl 0.9.6,
  • openssl 0.9.6-15,
  • openssl 0.9.6a,
  • openssl 0.9.6b,
  • openssl 0.9.6b-3,
  • openssl 0.9.6c,
  • openssl 0.9.6d,
  • openssl 0.9.6e,
  • openssl 0.9.6f,
  • openssl 0.9.6g,
  • openssl 0.9.6h,
  • openssl 0.9.6i,
  • openssl 0.9.6j,
  • openssl 0.9.6k,
  • openssl 0.9.6l,
  • openssl 0.9.6m,
  • openssl 0.9.7,
  • openssl 0.9.7a,
  • openssl 0.9.7a-2,
  • openssl 0.9.7b,
  • openssl 0.9.7c,
  • openssl 0.9.7d,
  • openssl 0.9.7e,
  • openssl 0.9.7f,
  • openssl 0.9.7g,
  • openssl 0.9.7h,
  • openssl 0.9.7i,
  • openssl 0.9.7j,
  • openssl 0.9.7k,
  • openssl 0.9.7l,
  • openssl 0.9.7m,
  • openssl 0.9.8,
  • openssl 0.9.8a,
  • openssl 0.9.8b,
  • openssl 0.9.8c,
  • openssl 0.9.8d,
  • openssl 0.9.8e,
  • openssl 0.9.8f,
  • openssl 0.9.8g,
  • openssl 0.9.8h,
  • openssl 0.9.8i,
  • openssl 0.9.8j,
  • openssl 0.9.8k,
  • openssl 1.0.0

References

Canonical
CVE-2009-4355 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4355)
Advisory
DSA-1970 (http://www.debian.org/security/2010/dsa-1970)
ADV-2010-0916 (http://www.vupen.com/english/advisories/2010/0916)
http://cvs.openssl.org/chngview?cn=19167
SECUNIA-42724 (http://secunia.com/advisories/42724)
SECUNIA-39461 (http://secunia.com/advisories/39461)
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11260
https://bugzilla.redhat.com/show_bug.cgi?id=546707
FEDORA-2010-5357 (http://lists.fedoraproject.org/pipermail/package-announce/2010-April/039561.html)
SECUNIA-38761 (http://secunia.com/advisories/38761)
http://wiki.rpath.com/wiki/Advisories:rPSA-2010-0004
SECUNIA-38181 (http://secunia.com/advisories/38181)
SECUNIA-38200 (http://secunia.com/advisories/38200)
https://issues.rpath.com/browse/RPL-3157
ADV-2010-0839 (http://www.vupen.com/english/advisories/2010/0839)
http://cvs.openssl.org/chngview?cn=19069
HPSBUX02517 (http://marc.info?l=bugtraq&m=127128920008563&w=2)
http://cvs.openssl.org/chngview?cn=19068
http://www.mandriva.com/security/advisories?name=MDVSA-2010:022
https://rhn.redhat.com/errata/RHSA-2010-0095.html
USN-884-1 (http://www.ubuntu.com/usn/USN-884-1)
http://lists.opensuse.org/opensuse-security-announce/2010-01/msg00009.html
[oss-security] 20100113 [PATCH] memory consumption (DoS) in openssl CVE-2009-4355 (http://www.openwall.com/lists/oss-security/2010/01/13/3)
https://kb.bluecoat.com/index?page=content&id=SA50
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6678
SECUNIA-42733 (http://secunia.com/advisories/42733)
ADV-2010-0124 (http://www.vupen.com/english/advisories/2010/0124)
FEDORA-2010-5744 (http://lists.fedoraproject.org/pipermail/package-announce/2010-April/038587.html)
SECUNIA-38175 (http://secunia.com/advisories/38175)
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A12168
Miscellaneous
http://slackware.com/security/viewer.php?l=slackware-security&y=2010&m=slackware-security.663049

Additional Info

Authenticated
Unknown
Exploitable
Unknown
Reliability
Unknown
Stability
Unknown
Available Mitigations
Unknown
Shelf Life
Unknown
Userbase/Installbase
Unknown
Patch Effectiveness
Unknown
Technical Analysis