Transport Layer Security (TLS) handshake renegotiation weak security

tls-renegotiation-weak-security (54158) The risk level is classified as Medium Risk

Description:

Multiple implementations of the Transport Layer Security (TLS) protocol, including SSL, could provide weaker than expected security, caused by TLS handshake renegotiation. A remote attacker could exploit this vulnerability via man-in-the-middle techniques to inject data into the beginning of the application protocol stream to execute HTTP transactions, bypass authentication and possibly launch further attacks against the victim.

CVSS:

Base Score: 4
  Access Vector: Network
  Access Complexity: High
  Authentication: None
  Confidentiality Impact: Partial
  Integrity Impact: Partial
  Availability Impact: None
 
Temporal Score: 3.2
  Exploitability: Proof-of-Concept
  Remediation Level: Temporary-Fix
  Report Confidence: Confirmed

Consequences:

Other

Remedy:

Apply the appropriate patch for your system, as listed in the latest Microsoft Security Bulletin. See References.

— OR —

Use Microsoft Automatic Update if it is supported by your operating system. The original bulletin issued by Microsoft has been superseded.

References:

  • Apple Web site: About Security Update 2010-001.
  • Aruba Networks Security Advisory: TLS Protocol Session Renegotiation Security Vulnerability.
  • ASA-2010-119: nss security update (RHSA-2010-0165).
  • Bluecoat Security Advisories ID: SA44: TLS/SSLv3 renegotiation (CVE-2009-3555).
  • Bluecoat Web site: Security Advisories.
  • Bugzilla@Mozilla - Bug 526689: (CVE-2009-3555) SSL3 & TLS Renegotiation Vulnerability.
  • cisco-sa-20091109-tls: Transport Layer Security Renegotiation Vulnerability.
  • CTX123359: Transport Layer Security Renegotiation Vulnerability.
  • FreeBSD-SA-09:15.ssl: SSL protocol flaw.
  • gmane.network.openvpn.devel: OpenVPN 2.1_rc21 released.
  • HPSBGN02562 SSRT090249: HP ProCurve Threat Management Services (TMS) zl Module J9155A and J9156A running TLS/SSL, Remote Unauthorized Data Injection, Denial of Service (DoS).
  • HPSBHF02706 SSRT100613 rev.1: HP Integrated Lights-Out iLO2 and iLO3 running SSL/TLS, Denial of Service (DoS), Unauthorized Modification.
  • HPSBMA02534 SSRT090180: HP System Management Homepage (SMH) for Linux and Windows, Remote Unauthorized Information Disclosure, Unauthorized Data Modification, Denial of Service (DoS).
  • HPSBMA02547 SSRT100180: HP Systems Insight Manager (SIM) for HP-UX, Linux, and Windows, Remote Execution of Arbitrary Code and Other Vulnerabilities.
  • HPSBMA02568 SSRT100219: HP System Management Homepage (SMH) for Linux and Windows, Remote Cross Site Scripting (XSS), HTTP Response Splitting, and Other Vulnerabilities.
  • HPSBMU02759 SSRT100817: HP Onboard Administrator (OA), Remote Unauthorized Access, Unauthorized Information Disclosure, Denial of Service (DoS), URL Redirection.
  • HPSBMU02769 SSRT100846: HP Systems Insight Manager (SIM) for HP-UX, Linux, and Windows, Remote Unauthorized Access, Execution of Arbitrary Code, and Other Vulnerabilities.
  • HPSBUX02482 SSRT090249 rev.1: HP-UX Running OpenSSL, Remote Unauthorized Data Injection, Denial of Service (DoS).
  • HPSBUX02498 SSRT090264 rev.1: HP-UX Running Apache, Remote Unauthorized Data Injection, Denial of Service (DoS).
  • IBM APAR IC65922: SECURITY: BUFFER OVERRUN IN REPEAT UDF.
  • IBM APAR IC67848: SECURITY: TRANSPORT LAYER SECURITY (TLS) HANDSHAKE RENEGOTIATION WEAK SECURITY CVE-2009-3555.
  • IBM APAR IZ65239: Transport Layer Security (TLS) handshake renegotiation weak security CVE-2009-3555.
  • IBM APAR PK96157: SHIP APAR FIXES FOR H28W601 FIX PACK 6.0.2.39. 09/09/14 PTF PECHANGE.
  • IBM APAR PM10658: IBM HTTP SERVER 2.0.47 CUMULATIVE INTERIM FIX.
  • IBM APAR PM12247: SHIP APAR FIXES FOR H28W610 FIX PACK 6.1.0.31.
  • IBM Internet Security Systems Protection Alert: Transport Layer Security (TLS) handshake renegotiation weak security.
  • IBM Security alerts: developerWorks : Java; technology : IBM developer kits : Additional documentation.
  • IBM Support & downloads: Transport Layer Security (TLS) handshake renegotiation weak security (CVE-2009-3555) in relation to WebSphere Application Server products.
  • IBM Support and Downloads : DATAPOWER CHANGE TO PREVENT SSL TLS MAN-IN-THE-MIDDLE ATTACK.
  • IBM Support and Downloads : TRANSPORT LAYER SECURITY (TLS) HANDSHAKE RENEGOTIATION VULNERABILITY.
  • IBM Support and Downloads : Security Vulnerabilities and HIPER APARs fixed in DB2 for Linux, UNIX, and Windows Version 9.1 Fix Pack 9.
  • IBM Support and Downloads : Critical updates for IBM WebSphere DataPower SOA appliances.
  • IBM Support and Downloads : TLS/SSL PROTOCOL VULNERABILITY FOR WSAS SDK 1.5 SR11.
  • IBM Support and Downloads : TLS/SSL PROTOCOL VULNERABILITY FOR WSAS SDK 1.5 SR10.
  • IBM Support and Downloads : Are DataPower appliances affected by the SSL Man-in-the-Middle attack (CVE-2009-3555)?.
  • IBM Support and Downloads : Security Vulnerabilities and HIPER APARs fixed in DB2 for Linux, UNIX, and Windows Version 9.7 Fix Pack 2.
  • IBM Support and Downloads Web Site: IBM HTTP Server interim fix for PM00675.
  • Ingate Web Site: Release notice for Ingate Firewall® 4.8.1 and Ingate SIParator® 4.8.1.
  • Innominate mGuard: Version 6.1.5 - Release Notes.
  • Innominate mGuard: Version 5.1.6 - Release Notes.
  • Innominate mGuard: Version 7.2.1 - Release Notes.
  • MatrixSSL Web Site: MatrixSSL 1.8.8.
  • MFSA 2010-22: Update NSS to support TLS renegotiation indication.
  • Microsoft IIS Web site: The Official Microsoft IIS Site.
  • Microsoft Security Advisory (977377): Vulnerability in TLS/SSL Could Allow Spoofing.
  • Microsoft Security Bulletin MS10-049: Vulnerabilities in SChannel could allow Remote Code Execution (980436).
  • Microsoft Security Bulletin MS10-085: Vulnerabilities in SChannel Could Allow Denial of Service (2207566).
  • Microsoft Security Bulletin MS12-006: Vulnerability in SSL/TLS Could Allow Information Disclosure (2643584).
  • Microsoft Security Bulletin MS12-049: Vulnerability in TLS Could Allow Information Disclosure (2655992).
  • Mozilla Web site: NSS 3.12.5 release notes.
  • Offensive Security Exploit Database [12-21-2009]: TLS Renegotiation Vulnerability PoC Exploit.
  • OpenOffice Web Site: OpenOffice.org 2 and 3 may be affected by the TLS/SSL Renegotiation Issue in 3rd Party Libraries.
  • OpenSSL CVS Repository: Check-in Number: 18790.
  • Opera changelog: Opera 10.50 beta (with Opera Widgets for Desktop) for Windows changelog.
  • Oracle Critical Patch Update Advisory - April 2011: Oracle Critical Patch Update Advisory - April 2011.
  • Oracle Critical Patch Update Advisory - July 2010: Oracle Critical Patch Update Advisory - July 2010.
  • Oracle Critical Patch Update Advisory - March 2010: Oracle Java SE and Java for Business Critical Patch Update Advisory - March 2010.
  • Oracle Critical Patch Update Advisory - October 2010: Oracle Critical Patch Update Advisory - October 2010.
  • Oracle Java SE and Java for Business Critical Patch Update Advisory - October 2010: Oracle Java SE and Java for Business Critical Patch Update Advisory - October 2010.
  • ProFTP Web Site: 1.3.2 Release Notes.
  • ProFTPD Web site: 1.3.2 Release Notes.
  • SA50: Multiple SSL/TLS vulnerabilities in Reporter.
  • security advisory 20091112-01: An OpenSource VooDoo cIRCle.
  • SOL10737: SSL/TLS Authentication Gap - Status of Patches.
  • Sun Alert ID: 273350: Security Vulnerability in the Transport Layer Security (TLS) and Secure Sockets Layer 3.0 (SSLv3) Protocols Involving Handshake Renegotiation Affects Network Security Services (NSS).
  • Sun Alert ID: 274990: Security Vulnerability in the Transport Layer Security (TLS) and Secure Sockets Layer 3.0 (SSLv3) Protocols Affects Multiple Server Products in the Sun Java Enterprise System Suite.
  • Sun Security Blog, 29 Apr 2011: Multiple Vulnerabilities in the Apache 2 HTTP Server Prior to 2.2.16.
  • The Apache Software Foundation Web site: Apache HTTP Server.
  • The Apache Tomcat Native - Miscellaneous Documentation: Changes between 1.1.17 and 1.1.18.
  • TLS Mailing List Wed, 4 Nov 2009: MITM attack on delayed TLS-client auth through renegotiation.
  • VMSA-2010-0015: VMware ESX third party updates for Service Console.
  • VMSA-2010-0019: VMware ESX third party updates for Service Console.
  • BID-36935: Multiple Vendor TLS Protocol Session Renegotiation Security Vulnerability
  • BID-37159: IBM WebSphere Portal Cross Site Scripting and Unspecified Security Vulnerabilities
  • BID-39701: IBM WebSphere Application Server SIP Logging Information Disclosure Vulnerability
  • BID-40446: IBM DB2 prior to 9.7 Fix Pack 2 Multiple Security Vulnerabilities
  • CVE-2009-3555: The TLS protocol, and the SSL protocol 3.0 and possibly earlier, as used in Microsoft Internet Information Services (IIS) 7.0, mod_ssl in the Apache HTTP Server 2.2.14 and earlier, OpenSSL before 0.9.8l, GnuTLS 2.8.5 and earlier, Mozilla Network Security Services (NSS) 3.12.4 and earlier, multiple Cisco products, and other products, does not properly associate renegotiation handshakes with an existing connection, which allows man-in-the-middle attackers to insert data into HTTPS sessions, and possibly other types of sessions protected by TLS or SSL, by sending an unauthenticated request that is processed retroactively by a server in a post-renegotiation context, related to a plaintext injection attack, aka the Project Mogul issue.
  • DSA-1934: apache2 -- multiple issues
  • DSA-2141: openssl -- SSL/TLS insecure renegotiation protocol design flaw
  • DSA-2626: lighttpd -- several issues
  • GLSA-200912-01: OpenSSL: Multiple vulnerabilities
  • MDVSA-2009:295: apache
  • MDVSA-2009:323: apache
  • MDVSA-2009:337: proftpd
  • MDVSA-2010:069: nss
  • MDVSA-2010:070: firefox
  • MDVSA-2010:070-1: firefox
  • MDVSA-2010:076: openssl
  • MDVSA-2010:076-1: openssl
  • MDVSA-2010:089: gnutls
  • OSVDB ID: 60521: Ingate Firewall/SIParator SSL / TLS Renegotiation Handshakes MiTM Plaintext Data Injection
  • OSVDB ID: 60859: Network Security Services (NSS) TLS Renegotiation Handshakes MiTM Plaintext Data Injection
  • OSVDB ID: 60860: IBM HTTP Server GSKit Security Library TLS Renegotiation Handshakes MiTM Plaintext Data Injection
  • OSVDB ID: 60972: F5 Multiple Products TLS Renegotiation Handshakes MiTM Plaintext Data Injection
  • OSVDB ID: 61786: IBM OS/400 TLS Renegotiation Handshakes MiTM Plaintext Data Injection
  • OSVDB ID: 62210: Aruba Mobility Controller TLS Renegotiation Handshakes MiTM Plaintext Data Injection
  • OSVDB ID: 64760: Novell Access Manager TLS Renegotiation Handshakes MiTM Plaintext Data Injection
  • OSVDB ID: 65202: OpenOffice.org (OOo) TLS Renegotiation Handshakes MiTM Plaintext Data Injection
  • RHSA-2009-1579: Moderate: httpd security update
  • RHSA-2009-1580: Moderate: httpd security update
  • RHSA-2009-1694: Critical: java-1.6.0-ibm security update
  • RHSA-2010-0011: Moderate: httpd and httpd22 security update
  • RHSA-2010-0119: Low: JBoss Enterprise Web Server 1.0.1 update
  • RHSA-2010-0130: Moderate: java-1.5.0-ibm security update
  • RHSA-2010-0155: Moderate: java-1.4.2-ibm security and bug fix update
  • RHSA-2010-0162: Important: openssl security update
  • RHSA-2010-0163: Moderate: openssl security update
  • RHSA-2010-0164: Moderate: openssl097a security update
  • RHSA-2010-0165: Moderate: nss security update
  • RHSA-2010-0166: Moderate: gnutls security update
  • RHSA-2010-0167: Moderate: gnutls security update
  • RHSA-2010-0337: Critical: java-1.6.0-sun security update
  • RHSA-2010-0338: Critical: java-1.5.0-sun security update
  • RHSA-2010-0339: Important: java-1.6.0-openjdk security update
  • RHSA-2010-0408: Moderate: java-1.4.2-ibm security update
  • RHSA-2010-0440: Important: rhev-hypervisor security and bug fix update
  • RHSA-2010-0768: Important: java-1.6.0-openjdk security and bug fix update
  • RHSA-2010-0770: Critical: java-1.6.0-sun security update
  • RHSA-2010-0786: Critical: java-1.4.2-ibm security update
  • RHSA-2010-0807: Critical: java-1.5.0-ibm security update
  • RHSA-2010-0865: Important: java-1.6.0-openjdk security and bug fix update
  • RHSA-2010-0986: Moderate: java-1.4.2-ibm-sap security update
  • RHSA-2010-0987: Critical: java-1.6.0-ibm security and bug fix update
  • RHSA-2011-0880: Low: Red Hat Network Satellite server IBM Java Runtime security update
  • SA37291: OpenSSL TLS Session Renegotiation Plaintext Injection Vulnerability
  • SA37292: GnuTLS TLS Session Renegotiation Plaintext Injection Vulnerability
  • SA37320: Citrix Secure Gateway TLS Session Renegotiation Plaintext Injection
  • SA37323: MatrixSSL TLS Session Renegotiation Plaintext Injection Vulnerability
  • SA37369: VooDoo cIRCle OpenSSL TLS Session Renegotiation Plaintext Injection
  • SA37453: Sun Solaris OpenSSL TLS Session Renegotiation Plaintext Injection Vulnerability
  • SA37504: Ingate Firewall and SIParator Multiple Vulnerabilities
  • SA37544: FreeBSD OpenSSL TLS Session Renegotiation Plaintext Injection Vulnerability
  • SA37545: IBM WebSphere Application Server for z/OS Multiple Vulnerabilities
  • SA37566: Sun Products NSS TLS Session Renegotiation Plaintext Injection Vulnerability
  • SA37604: IBM HTTP Server TLS Session Renegotiation Plaintext Injection
  • SA37640: ProFTPD TLS Session Renegotiation Plaintext Injection Vulnerability
  • SA37656: F5 Products TLS Session Renegotiation Plaintext Injection Vulnerability
  • SA37675: F5 Products TLS Session Renegotiation Plaintext Injection Vulnerability
  • SA37875: IBM SDK for Java TLS Session Renegotiation Plaintext Injection
  • SA38003: Avaya Products TLS Session Renegotiation Plaintext Injection Vulnerability
  • SA38020: Sun Java System Products TLS Session Renegotiation Plaintext Injection
  • SA38056: Zeus Web Server Two Vulnerabilities
  • SA38157: IBM OS/400 TLS Session Renegotiation Plaintext Injection
  • SA38171: WebSphere DataPower TLS Session Renegotiation Vulnerability
  • SA38241: Apple Mac OS X Security Update Fixes Multiple Vulnerabilities
  • SA38338: IBM WebSphere Application Server TLS Session Renegotiation Plaintext Injection
  • SA38355: IBM Java TLS Session Renegotiation Plaintext Injection
  • SA38365: Microsoft Windows TLS/SSL Session Renegotiation Plaintext Injection Vulnerability
  • SA38400: Network Security Services (NSS) TLS Session Renegotiation Vulnerability
  • SA38484: Aruba Mobility Controller TLS Session Renegotiation Plaintext Injection
  • SA38546: Opera TLS Session Renegotiation Plaintext Injection Vulnerability
  • SA38728: Blue Coat Products TLS Session Renegotiation Plaintext Injection
  • SA38858: SSH Tectia Audit Player Multiple Vulnerabilities
  • SA38909: IBM WebSphere Application Server for z/OS Multiple Vulnerabilities
  • SA39136: Mozilla Firefox Multiple Vulnerabilities
  • SA39240: Mozilla Firefox Multiple Vulnerabilities
  • SA39242: Mozilla Thunderbird Multiple Vulnerabilities
  • SA39243: Mozilla SeaMonkey Multiple Vulnerabilities
  • SA39317: SUSE Update for Multiple Packages
  • SA39500: IBM DB2 Data Manipulation and Buffer Overflow Vulnerabilities
  • SA39628: IBM WebSphere Application Server for z/OS Multiple Vulnerabilities
  • SA39713: Avaya Products NSS TLS Session Renegotiation Vulnerability
  • SA39777: HP System Management Homepage TLS/SSL Vulnerability
  • SA39781: IBM HTTP Server Multiple Vulnerabilities
  • SA39819: Apple Mac OS X update for Java
  • SA39850: Novell Access Manager TLS Session Renegotiation Plaintext Injection Vulnerability
  • SA40003: IBM DB2 Multiple Vulnerabilities
  • SA40070: OpenOffice.org Data Manipulation and Code Execution Vulnerabilities
  • SA40545: HP Systems Insight Manager Multiple Vulnerabilities
  • SA40747: Cisco Multiple Products TLS Session Renegotiation Plaintext Injection
  • SA40866: HP ProCurve Threat Management Services zl Module TLS/SSL Vulnerability
  • SA40883: Microsoft Windows TLS/SSL Session Renegotiation Plaintext Injection Vulnerability
  • SA41480: HP System Management Homepage Multiple Vulnerabilities
  • SA41490: HP System Management Homepage Multiple Vulnerabilities
  • SA41618: VMware ESX Server Service Console Multiple Vulnerabilities
  • SA41782: Oracle Supply Chain Products Two Vulnerabilities
  • SA41818: Oracle Open Office Multiple Vulnerabilities
  • SA42377: Hitachi Products Multiple Vulnerabilities
  • SA42379: IBM WebSphere MQ Internet Pass-Thru TLS Renegotiation Vulnerability
  • SA42467: VMware ESX Console OS (COS) Update for openssl
  • SA42529: VMware ESX Console OS (COS) Update for bzip2
  • SA42530: VMware ESX Console OS (COS) bzip2 Integer Overflow Vulnerability
  • SA42531: VMware ESX Console OS (COS) Update for samba
  • SA42724: Blue Coat Reporter OpenSSL Multiple Vulnerabilities
  • SA42733: Blue Coat Reporter OpenSSL Multiple Vulnerabilities
  • SA42996: Innominate mGuard Multiple Vulnerabilities
  • SA43308: VMware vCenter / ESX Server Update for Oracle (Sun) JRE
  • SA44183: BlackBerry Enterprise Server Multiple Vulnerabilities
  • SA44292: Oracle WebLogic Server OpenSSL Plaintext Injection Vulnerability
  • SA44294: Oracle Identity Management Security Service Component Vulnerability
  • SA44443: Oracle Solaris Apache HTTP Server Multiple Vulnerabilities
  • SA46041: Blue Coat Director Multiple Vulnerabilities
  • SA46777: HP Integrated Lights-Out OpenSSL Security Bypass and Data Manipulation Vulnerabilities
  • SECTRACK ID: 1023148: Cisco IOS Protocol Flaw in SSL Renegotiation May Let Remote Users Conduct Man-in-the-Middle Attacks
  • SECTRACK ID: 1023163: Citrix Products Protocol Flaw in SSL Renegotiation May Let Remote Users Conduct Man-in-the-Middle Attacks
  • SECTRACK ID: 1023204: Cisco ASA Protocol Flaw in SSL Renegotiation May Let Remote Users Conduct Man-in-the-Middle Attacks
  • SECTRACK ID: 1023205: Cisco Application Control Engine Protocol Flaw in SSL Renegotiation May Let Remote Users Conduct Man-in-the-Middle Attacks
  • SECTRACK ID: 1023206: CiscoWorks Wireless LAN Solution Engine (WLSE) Protocol Flaw in SSL Renegotiation May Let Remote Users Conduct Man-in-the-Middle Attacks
  • SECTRACK ID: 1023207: Cisco Wireless Control System Protocol Flaw in SSL Renegotiation May Let Remote Users Conduct Man-in-the-Middle Attacks
  • SECTRACK ID: 1023208: Cisco Wireless LAN Controller Protocol Flaw in SSL Renegotiation May Let Remote Users Conduct Man-in-the-Middle Attacks
  • SECTRACK ID: 1023209: Cisco Secure Access Control Server Protocol Flaw in SSL Renegotiation May Let Remote Users Conduct Man-in-the-Middle Attacks
  • SECTRACK ID: 1023210: CiscoWorks Common Services Protocol Flaw in SSL Renegotiation May Let Remote Users Conduct Man-in-the-Middle Attacks
  • SECTRACK ID: 1023211: Cisco Application Velocity System Protocol Flaw in SSL Renegotiation May Let Remote Users Conduct Man-in-the-Middle Attacks
  • SECTRACK ID: 1023212: Cisco Telepresence Recording Server Protocol Flaw in SSL Renegotiation May Let Remote Users Conduct Man-in-the-Middle Attacks
  • SECTRACK ID: 1023213: Cisco Digital Media Media Player and Digital Media Manager Protocol Flaw in SSL Renegotiation May Let Remote Users Conduct Man-in-the-Middle Attacks
  • SECTRACK ID: 1023214: Cisco Wireless Location Appliance Protocol Flaw in SSL Renegotiation May Let Remote Users Conduct Man-in-the-Middle Attacks
  • SECTRACK ID: 1023215: Cisco NX-OS Protocol Flaw in SSL Renegotiation May Let Remote Users Conduct Man-in-the-Middle Attacks
  • SECTRACK ID: 1023216: Cisco Firewall Services Module Protocol Flaw in SSL Renegotiation May Let Remote Users Conduct Man-in-the-Middle Attacks
  • SECTRACK ID: 1023217: Cisco Video Surveillance Protocol Flaw in SSL Renegotiation May Let Remote Users Conduct Man-in-the-Middle Attacks
  • SECTRACK ID: 1023218: Content Services Switch Protocol Flaw in SSL Renegotiation May Let Remote Users Conduct Man-in-the-Middle Attacks
  • SECTRACK ID: 1023219: Cisco Content Switching Module Protocol Flaw in SSL Renegotiation May Let Remote Users Conduct Man-in-the-Middle Attacks
  • SECTRACK ID: 1023224: Solaris Protocol Flaw in SSL Renegotiation Lets Remote Users Conduct Man-in-the-Middle Attacks
  • SECTRACK ID: 1023243: OpenBSD Protocol Flaw in SSL Renegotiation Lets Remote Users Conduct Man-in-the-Middle Attacks
  • SECTRACK ID: 1023270: Cisco Wide Area Application Services Protocol Flaw in SSL Renegotiation May Let Remote Users Conduct Man-in-the-Middle Attacks
  • SECTRACK ID: 1023271: Cisco Application Networking Manager Protocol Flaw in SSL Renegotiation May Let Remote Users Conduct Man-in-the-Middle Attacks
  • SECTRACK ID: 1023272: Cisco Unified SIP Phones Protocol Flaw in SSL Renegotiation May Let Remote Users Conduct Man-in-the-Middle Attacks
  • SECTRACK ID: 1023273: Cisco ONS Protocol Flaw in SSL Renegotiation May Let Remote Users Conduct Man-in-the-Middle Attacks
  • SECTRACK ID: 1023274: Cisco Unified Contact Center Protocol Flaw in SSL Renegotiation May Let Remote Users Conduct Man-in-the-Middle Attacks
  • SECTRACK ID: 1023275: Cisco Security Agent Protocol Flaw in SSL Renegotiation May Let Remote Users Conduct Man-in-the-Middle Attacks
  • SECTRACK ID: 1023411: Red Hat JBoss Enterprise Web Server Protocol Flaw in SSL Renegotiation Lets Remote Users Conduct Man-in-the-Middle Attacks
  • SECTRACK ID: 1023426: Sun Java System Web Server Protocol Flaw in SSL Renegotiation Lets Remote Users Conduct Man-in-the-Middle Attacks
  • SECTRACK ID: 1023427: Sun Java System Web Proxy Server Protocol Flaw in SSL Renegotiation Lets Remote Users Conduct Man-in-the-Middle Attacks
  • SECTRACK ID: 1023428: Sun GlassFish Enterprise Server/Sun Java Application Server SSL Renegotiation Lets Remote Users Conduct Man-in-the-Middle Attacks
  • SECTRACK ID: 1024789: IBM WebSphere MQ Internet pass-thru Protocol Flaw in SSL Renegotiation Lets Remote Users Conduct Man-in-the-Middle Attacks
  • SUSE-SA:2009:057: OpenSSL TLS man-in-the-middle attack problem
  • SUSE-SA:2010:021: Mozilla security update
  • SUSE-SA:2010:028: IBM Java 5 update
  • SUSE-SA:2010:061: IBM Java 1.4.2 security update
  • SUSE-SA:2011:006: IBM Java 6 security update
  • SUSE-SR:2010:008: SUSE Security Summary Report
  • SUSE-SR:2010:011: SUSE Security Summary Report
  • SUSE-SR:2010:013: SUSE Security Summary Report
  • SUSE-SR:2010:019: SUSE Security Summary Report
  • SUSE-SR:2010:024: SUSE Security Summary Report
  • SUSE-SR:2011:003: SUSE Security Summary Report
  • SUSE-SR:2011:008: SUSE Security Summary Report

Platforms Affected:

  • Apache HTTP Server 0.8.11
  • Apache HTTP Server 0.8.14
  • Apache HTTP Server 1.0
  • Apache HTTP Server 1.0.2
  • Apache HTTP Server 1.0.3
  • Apache HTTP Server 1.0.5
  • Apache HTTP Server 1.1.1
  • Apache HTTP Server 1.2
  • Apache HTTP Server 1.2.4
  • Apache HTTP Server 1.2.5
  • Apache HTTP Server 1.2.6
  • Apache HTTP Server 1.3
  • Apache HTTP Server 1.3.0
  • Apache HTTP Server 1.3.1.1
  • Apache HTTP Server 1.3.11
  • Apache HTTP Server 1.3.12
  • Apache HTTP Server 1.3.13
  • Apache HTTP Server 1.3.14
  • Apache HTTP Server 1.3.15
  • Apache HTTP Server 1.3.16
  • Apache HTTP Server 1.3.17
  • Apache HTTP Server 1.3.18
  • Apache HTTP Server 1.3.19
  • Apache HTTP Server 1.3.2
  • Apache HTTP Server 1.3.20
  • Apache HTTP Server 1.3.22
  • Apache HTTP Server 1.3.23
  • Apache HTTP Server 1.3.24
  • Apache HTTP Server 1.3.25
  • Apache HTTP Server 1.3.26
  • Apache HTTP Server 1.3.27
  • Apache HTTP Server 1.3.28
  • Apache HTTP Server 1.3.29
  • Apache HTTP Server 1.3.3
  • Apache HTTP Server 1.3.30
  • Apache HTTP Server 1.3.31
  • Apache HTTP Server 1.3.32
  • Apache HTTP Server 1.3.33
  • Apache HTTP Server 1.3.34
  • Apache HTTP Server 1.3.35
  • Apache HTTP Server 1.3.36
  • Apache HTTP Server 1.3.37
  • Apache HTTP Server 1.3.38
  • Apache HTTP Server 1.3.39
  • Apache HTTP Server 1.3.4
  • Apache HTTP Server 1.3.5
  • Apache HTTP Server 1.3.6
  • Apache HTTP Server 1.3.65
  • Apache HTTP Server 1.3.68
  • Apache HTTP Server 1.3.7 Dev
  • Apache HTTP Server 1.3.7
  • Apache HTTP Server 1.3.8
  • Apache HTTP Server 1.3.9
  • Apache HTTP Server 1.4.0
  • Apache HTTP Server 1.99
  • Apache HTTP Server 2.0
  • Apache HTTP Server 2.0.28 Beta
  • Apache HTTP Server 2.0.28
  • Apache HTTP Server 2.0.32
  • Apache HTTP Server 2.0.32 Beta
  • Apache HTTP Server 2.0.34 Beta
  • Apache HTTP Server 2.0.35
  • Apache HTTP Server 2.0.36
  • Apache HTTP Server 2.0.37
  • Apache HTTP Server 2.0.38
  • Apache HTTP Server 2.0.39
  • Apache HTTP Server 2.0.40
  • Apache HTTP Server 2.0.41
  • Apache HTTP Server 2.0.42
  • Apache HTTP Server 2.0.43
  • Apache HTTP Server 2.0.44
  • Apache HTTP Server 2.0.45
  • Apache HTTP Server 2.0.46
  • Apache HTTP Server 2.0.46 Win32
  • Apache HTTP Server 2.0.47
  • Apache HTTP Server 2.0.48
  • Apache HTTP Server 2.0.49
  • Apache HTTP Server 2.0.50
  • Apache HTTP Server 2.0.51
  • Apache HTTP Server 2.0.52
  • Apache HTTP Server 2.0.53
  • Apache HTTP Server 2.0.54
  • Apache HTTP Server 2.0.55
  • Apache HTTP Server 2.0.56
  • Apache HTTP Server 2.0.57
  • Apache HTTP Server 2.0.58 Win32
  • Apache HTTP Server 2.0.58
  • Apache HTTP Server 2.0.59
  • Apache HTTP Server 2.0.60
  • Apache HTTP Server 2.0.61
  • Apache HTTP Server 2.0.63
  • Apache HTTP Server 2.0.9
  • Apache HTTP Server 2.1.1
  • Apache HTTP Server 2.1.2
  • Apache HTTP Server 2.1.3
  • Apache HTTP Server 2.1.4
  • Apache HTTP Server 2.1.5
  • Apache HTTP Server 2.1.6
  • Apache HTTP Server 2.1.7
  • Apache HTTP Server 2.1.8
  • Apache HTTP Server 2.1.9
  • Apache HTTP Server 2.2
  • Apache HTTP Server 2.2.0
  • Apache HTTP Server 2.2.1
  • Apache HTTP Server 2.2.10
  • Apache HTTP Server 2.2.11
  • Apache HTTP Server 2.2.12
  • Apache HTTP Server 2.2.13
  • Apache HTTP Server 2.2.2
  • Apache HTTP Server 2.2.3
  • Apache HTTP Server 2.2.4
  • Apache HTTP Server 2.2.5
  • Apache HTTP Server 2.2.6
  • Apache HTTP Server 2.2.7
  • Apache HTTP Server 2.2.8
  • Apache HTTP Server 2.2.9
  • Apple Mac OS X 10.5.8
  • Apple Mac OS X 10.6.2
  • Apple Mac OS X Server 10.5.8
  • Apple Mac OS X Server 10.6.2
  • Aruba Networks ArubaOS 3.3.2.X
  • Aruba Networks ArubaOS 3.4.X
  • Aruba Networks Mobility Controller 2.4.8.0-FIPS
  • Avaya Communication Manager
  • Avaya Message Application Server
  • Avaya Message Networking
  • Avaya Modular Messaging 2.0
  • Blue Coat Systems Director 5.x
  • Blue Coat Systems Security Gateway OS (SGOS) 4.0
  • Blue Coat Systems Security Gateway OS (SGOS) 5.1
  • Blue Coat Systems Security Gateway OS (SGOS) 5.2
  • Blue Coat Systems Security Gateway OS (SGOS) 5.3
  • Blue Coat Systems Security Gateway OS (SGOS) 5.4
  • BlueCoat Reporter 8.3.7.1
  • BlueCoat Reporter 9.1.5.1
  • BlueCoat Reporter 9.2.3.1
  • Canonical Ubuntu 6.06 LTS
  • Canonical Ubuntu 8.04 LTS
  • Canonical Ubuntu 8.10
  • Cisco ACE 4710
  • Cisco Digital Media Manager (DMM) 5.0
  • Cisco Wireless Control System
  • Citrix Secure Gateway 3.0
  • Citrix Secure Gateway 3.1
  • Debian Debian Linux 4.0
  • Debian Debian Linux 5.0
  • FreeBSD FreeBSD 6.3
  • FreeBSD FreeBSD 6.4
  • FreeBSD FreeBSD 7.1
  • FreeBSD FreeBSD 7.2 pre-Release
  • FreeBSD FreeBSD 8.0
  • Gentoo Linux
  • GNU GnuTLS 1.0.16
  • GNU GnuTLS 1.0.17
  • GNU GnuTLS 1.0.18
  • GNU GnuTLS 1.0.19
  • GNU GnuTLS 1.0.20
  • GNU GnuTLS 1.0.21
  • GNU GnuTLS 1.0.22
  • GNU GnuTLS 1.0.23
  • GNU GnuTLS 1.0.24
  • GNU GnuTLS 1.0.25
  • GNU GnuTLS 1.1.13
  • GNU GnuTLS 1.1.14
  • GNU GnuTLS 1.1.15
  • GNU GnuTLS 1.1.16
  • GNU GnuTLS 1.1.17
  • GNU GnuTLS 1.1.18
  • GNU GnuTLS 1.1.19
  • GNU GnuTLS 1.1.20
  • GNU GnuTLS 1.1.21
  • GNU GnuTLS 1.1.22
  • GNU GnuTLS 1.1.23
  • GNU GnuTLS 1.2.0
  • GNU GnuTLS 1.2.1
  • GNU GnuTLS 1.2.10
  • GNU GnuTLS 1.2.11
  • GNU GnuTLS 1.2.2
  • GNU GnuTLS 1.2.3
  • GNU GnuTLS 1.2.4
  • GNU GnuTLS 1.2.5
  • GNU GnuTLS 1.2.6
  • GNU GnuTLS 1.2.7
  • GNU GnuTLS 1.2.8
  • GNU GnuTLS 1.2.8.1a1
  • GNU GnuTLS 1.2.9
  • GNU GnuTLS 1.3.0
  • GNU GnuTLS 1.3.1
  • GNU GnuTLS 1.3.2
  • GNU GnuTLS 1.3.3
  • GNU GnuTLS 1.3.4
  • GNU GnuTLS 1.3.5
  • GNU GnuTLS 1.4.0
  • GNU GnuTLS 1.4.1
  • GNU GnuTLS 1.4.2
  • GNU GnuTLS 1.4.3
  • GNU GnuTLS 1.4.4
  • GNU GnuTLS 1.4.5
  • GNU GnuTLS 1.5.0
  • GNU GnuTLS 1.5.1
  • GNU GnuTLS 1.5.2
  • GNU GnuTLS 1.5.3
  • GNU GnuTLS 1.5.4
  • GNU GnuTLS 1.5.5
  • GNU GnuTLS 1.6.0
  • GNU GnuTLS 1.6.1
  • GNU GnuTLS 1.6.2
  • GNU GnuTLS 1.6.3
  • GNU GnuTLS 1.7.0
  • GNU GnuTLS 1.7.1
  • GNU GnuTLS 1.7.10
  • GNU GnuTLS 1.7.11
  • GNU GnuTLS 1.7.12
  • GNU GnuTLS 1.7.13
  • GNU GnuTLS 1.7.14
  • GNU GnuTLS 1.7.15
  • GNU GnuTLS 1.7.16
  • GNU GnuTLS 1.7.17
  • GNU GnuTLS 1.7.18
  • GNU GnuTLS 1.7.19
  • GNU GnuTLS 1.7.2
  • GNU GnuTLS 1.7.3
  • GNU GnuTLS 1.7.4
  • GNU GnuTLS 1.7.5
  • GNU GnuTLS 1.7.6
  • GNU GnuTLS 1.7.7
  • GNU GnuTLS 1.7.8
  • GNU GnuTLS 1.7.9
  • GNU GnuTLS 2.0.0
  • GNU GnuTLS 2.0.1
  • GNU GnuTLS 2.0.2
  • GNU GnuTLS 2.0.3
  • GNU GnuTLS 2.0.4
  • GNU GnuTLS 2.1.0
  • GNU GnuTLS 2.1.1
  • GNU GnuTLS 2.1.2
  • GNU GnuTLS 2.1.3
  • GNU GnuTLS 2.1.4
  • GNU GnuTLS 2.1.5
  • GNU GnuTLS 2.1.6
  • GNU GnuTLS 2.1.7
  • GNU GnuTLS 2.1.8
  • GNU GnuTLS 2.2.0
  • GNU GnuTLS 2.2.1
  • GNU GnuTLS 2.2.2
  • GNU GnuTLS 2.2.3
  • GNU GnuTLS 2.2.4
  • GNU GnuTLS 2.2.5
  • GNU GnuTLS 2.3.0
  • GNU GnuTLS 2.3.1
  • GNU GnuTLS 2.3.10
  • GNU GnuTLS 2.3.11
  • GNU GnuTLS 2.3.2
  • GNU GnuTLS 2.3.3
  • GNU GnuTLS 2.3.4
  • GNU GnuTLS 2.3.5
  • GNU GnuTLS 2.3.6
  • GNU GnuTLS 2.3.7
  • GNU GnuTLS 2.3.8
  • GNU GnuTLS 2.3.9
  • GNU GnuTLS 2.4.0
  • GNU GnuTLS 2.4.1
  • GNU GnuTLS 2.4.2
  • GNU GnuTLS 2.5.0
  • GNU GnuTLS 2.6.0
  • GNU GnuTLS 2.6.1
  • GNU GnuTLS 2.6.2
  • GNU GnuTLS 2.6.3
  • GNU GnuTLS 2.6.4
  • GNU GnuTLS 2.6.5
  • GNU GnuTLS 2.6.6
  • GNU GnuTLS 2.8.0
  • GNU GnuTLS 2.8.1
  • HP HP-UX B.11.11
  • HP HP-UX B.11.23
  • HP HP-UX B.11.31
  • HP Integrated Lights-Out 2 Firmware 2.05
  • HP Integrated Lights-Out 3 Firmware 1.16
  • HP Onboard Administrator 3.21
  • HP Onboard Administrator 3.31
  • HP Onboard Administrator 3.32
  • HP ProCurve Threat Mgmt Services zl Module (J9155A) ST.1.0.090213
  • HP System Management Homepage 2.0.0
  • HP System Management Homepage 2.0.1
  • HP System Management Homepage 2.0.2
  • HP System Management Homepage 2.1
  • HP System Management Homepage 2.1.0-103
  • HP System Management Homepage 2.1.0-103(A)
  • HP System Management Homepage 2.1.0-109
  • HP System Management Homepage 2.1.0-118
  • HP System Management Homepage 2.1.1
  • HP System Management Homepage 2.1.10
  • HP System Management Homepage 2.1.10-186
  • HP System Management Homepage 2.1.11
  • HP System Management Homepage 2.1.11-197
  • HP System Management Homepage 2.1.12
  • HP System Management Homepage 2.1.12-118
  • HP System Management Homepage 2.1.12-200
  • HP System Management Homepage 2.1.15-210
  • HP System Management Homepage 2.1.2
  • HP System Management Homepage 2.1.2-127
  • HP System Management Homepage 2.1.3
  • HP System Management Homepage 2.1.3.132
  • HP System Management Homepage 2.1.4
  • HP System Management Homepage 2.1.4-143
  • HP System Management Homepage 2.1.5
  • HP System Management Homepage 2.1.5-146
  • HP System Management Homepage 2.1.6
  • HP System Management Homepage 2.1.6-156
  • HP System Management Homepage 2.1.7
  • HP System Management Homepage 2.1.7-168
  • HP System Management Homepage 2.1.8
  • HP System Management Homepage 2.1.8-177
  • HP System Management Homepage 2.1.9
  • HP System Management Homepage 2.1.9-178
  • HP System Management Homepage 2.2.6
  • HP System Management Homepage 2.2.8
  • HP System Management Homepage 3.0
  • HP System Management Homepage 3.0.0-64
  • HP System Management Homepage 3.0.0-68
  • HP System Management Homepage 3.0.2-77
  • HP System Management Homepage 6.0
  • HP System Management Homepage 6.0.0.95
  • HP System Management Homepage 6.0.0.96
  • HP System Management Homepage 6.1
  • HP Systems Insight Manager 4.0
  • HP Systems Insight Manager 4.0 SP1
  • HP Systems Insight Manager 4.1
  • HP Systems Insight Manager 4.1 SP1
  • HP Systems Insight Manager 4.2
  • HP Systems Insight Manager 4.2 SP2
  • HP Systems Insight Manager 4.2 SP1
  • HP Systems Insight Manager 5.0 SP6
  • HP Systems Insight Manager 5.0
  • HP Systems Insight Manager 5.0 SP5
  • HP Systems Insight Manager 5.0 SP4
  • HP Systems Insight Manager 5.0 SP3
  • HP Systems Insight Manager 5.0 SP2
  • HP Systems Insight Manager 5.0 SP1
  • HP Systems Insight Manager 5.2
  • HP Systems Insight Manager 5.3
  • HP Systems Insight Manager 5.3 Update 1
  • HP Systems Insight Manager 6.0
  • HP Systems Insight Manager 6.1
  • HP Systems Insight Manager 6.2
  • HP Systems Insight Manager 6.3
  • HP Systems Insight Manager
  • IBM DB2 9.7
  • IBM DB2 Universal Database 9.1
  • IBM DB2 Universal Database 9.1 FP6
  • IBM DB2 Universal Database 9.1 FP1
  • IBM DB2 Universal Database 9.1 FP2
  • IBM DB2 Universal Database 9.1 FP3
  • IBM DB2 Universal Database 9.1 FP4
  • IBM DB2 Universal Database 9.1 FP5
  • IBM DB2 Universal Database 9.1 FP7
  • IBM HTTP Server 2.0.47
  • IBM HTTP Server 6.0
  • IBM HTTP Server 6.1
  • IBM HTTP Server 7.0
  • IBM Java 1.4
  • IBM Java 5.0
  • IBM Java SDK 5.0
  • IBM Java SDK 6.0
  • IBM Java SDK 6.1
  • IBM OS 400 5.1
  • IBM OS 400 5.2
  • IBM OS 400 5.3
  • IBM OS 400 5.3.5
  • IBM OS 400
  • IBM WebSphere Application Server 6.0
  • IBM WebSphere Application Server 6.1
  • IBM WebSphere DataPower
  • IBM WebSphere DataPower SOA Appliances 3.6.1
  • IBM WebSphere DataPower SOA Appliances 3.7.1
  • IBM WebSphere DataPower SOA Appliances 3.7.2
  • IBM WebSphere DataPower SOA Appliances 3.7.3
  • IBM WebSphere DataPower SOA Appliances 3.8
  • Ingate Ingate Firewall 4.1.3
  • Ingate Ingate Firewall 4.2.0
  • Ingate Ingate Firewall 4.5.1
  • Ingate Ingate Firewall 4.6.2
  • Ingate Ingate Firewall 4.7
  • Ingate Ingate SIParator 4.2.0
  • Ingate Ingate SIParator 4.5.1
  • Ingate Ingate SIParator 4.6.2
  • Ingate Ingate SIParator 4.7
  • Innominate Security Technologies mGuard 5.x
  • Innominate Security Technologies mGuard 6.x
  • Innominate Security Technologies mGuard 7
  • JBoss Enterprise Web Server
  • MandrakeSoft Mandrake Linux 2008.0 X86_64
  • MandrakeSoft Mandrake Linux 2008.0
  • MandrakeSoft Mandrake Linux Corporate Server 3.0
  • MandrakeSoft Mandrake Linux Corporate Server 3.0 X86_64
  • MandrakeSoft Mandrake Linux Corporate Server 4.0 X86_64
  • MandrakeSoft Mandrake Linux Corporate Server 4.0
  • MandrakeSoft Mandrake Multi Network Firewall 2.0
  • Mandriva Enterprise Server 5 X86_64
  • Mandriva Enterprise Server 5
  • Mandriva Linux 2009.0
  • Mandriva Linux 2009.0 X86_64
  • Mandriva Linux 2009.1
  • Mandriva Linux 2009.1 X86_64
  • Mandriva Linux 2010
  • Mandriva Linux 2010 X86_64
  • Microsoft IIS 7.0
  • Microsoft Internet Information Services 7.0
  • Microsoft Internet Information Services 7.5
  • Microsoft Windows 2000 SP4
  • Microsoft Windows 7 x32
  • Microsoft Windows 7 x64
  • Microsoft Windows Server 2003 SP2 Itanium
  • Microsoft Windows Server 2003 SP2
  • Microsoft Windows Server 2003 SP2 x64
  • Microsoft Windows Server 2008 R2 x64
  • Microsoft Windows Server 2008 R2 Itanium
  • Microsoft Windows Server 2008 SP2 Itanium
  • Microsoft Windows Server 2008 Itanium
  • Microsoft Windows Server 2008 x32
  • Microsoft Windows Server 2008 x64
  • Microsoft Windows Server 2008 SP2 x32
  • Microsoft Windows Server 2008 SP2 x64
  • Microsoft Windows Vista x64
  • Microsoft Windows Vista SP2 x64
  • Microsoft Windows Vista SP1 x64
  • Microsoft Windows Vista SP1
  • Microsoft Windows Vista SP2
  • Microsoft Windows Vista
  • Microsoft Windows XP SP3
  • Microsoft Windows XP SP2 x64 Professional
  • Microsoft Windows XP SP2
  • Mozilla Firefox 3.5
  • Mozilla Firefox 3.6
  • Mozilla Nss 3.0
  • Mozilla Nss 3.10
  • Mozilla Nss 3.11.2
  • Mozilla Nss 3.11.4
  • Mozilla Nss 3.11.7
  • Mozilla Nss 3.11.8
  • Mozilla Nss 3.12
  • Mozilla Nss 3.12.1
  • Mozilla Nss 3.12.2
  • Mozilla Nss 3.2
  • Mozilla Nss 3.2.1
  • Mozilla Nss 3.3
  • Mozilla Nss 3.3.1
  • Mozilla Nss 3.3.2
  • Mozilla Nss 3.4
  • Mozilla Nss 3.4.1
  • Mozilla Nss 3.4.2
  • Mozilla Nss 3.4.3
  • Mozilla Nss 3.5
  • Mozilla Nss 3.6
  • Mozilla Nss 3.6.1
  • Mozilla Nss 3.7
  • Mozilla Nss 3.7.1
  • Mozilla Nss 3.7.2
  • Mozilla Nss 3.7.3
  • Mozilla Nss 3.7.5
  • Mozilla Nss 3.7.7
  • Mozilla Nss 3.8
  • Mozilla Nss 3.9
  • Mozilla Nss 3.9.5
  • Mozilla SeaMonkey 2.0.2
  • Mozilla Thunderbird 3.0.1
  • Novell Linux Desktop 9
  • Novell Linux POS 9
  • Novell Open Enterprise Server
  • Novell OpenSUSE 11.0
  • Novell SLE SDK 10
  • Novell SLE SDK 10 SP2
  • Novell SUSE Linux Enterprise 10 SP2 DEBUGINFO
  • Novell SUSE Linux Enterprise Desktop 10 SP2
  • Novell SUSE Linux Enterprise Server 10 SP2
  • Novell SUSE Linux Enterprise Server 10
  • OpenOffice OpenOffice.org 2.0
  • OpenOffice OpenOffice.org 3.2
  • OpenSSL OpenSSL 0.9.1c
  • OpenSSL OpenSSL 0.9.2b
  • OpenSSL OpenSSL 0.9.3
  • OpenSSL OpenSSL 0.9.3a
  • OpenSSL OpenSSL 0.9.4
  • OpenSSL OpenSSL 0.9.5 Beta2
  • OpenSSL OpenSSL 0.9.5 Beta1
  • OpenSSL OpenSSL 0.9.5
  • OpenSSL OpenSSL 0.9.5a Beta2
  • OpenSSL OpenSSL 0.9.5a Beta1
  • OpenSSL OpenSSL 0.9.5a
  • OpenSSL OpenSSL 0.9.6 Beta1
  • OpenSSL OpenSSL 0.9.6 Beta3
  • OpenSSL OpenSSL 0.9.6 Beta2
  • OpenSSL OpenSSL 0.9.6
  • OpenSSL OpenSSL 0.9.6-15 I386
  • OpenSSL OpenSSL 0.9.6-15
  • OpenSSL OpenSSL 0.9.6a Beta3
  • OpenSSL OpenSSL 0.9.6a Beta1
  • OpenSSL OpenSSL 0.9.6a
  • OpenSSL OpenSSL 0.9.6a Beta2
  • OpenSSL OpenSSL 0.9.6b
  • OpenSSL OpenSSL 0.9.6B-3 I386
  • OpenSSL OpenSSL 0.9.6B-3
  • OpenSSL OpenSSL 0.9.6c
  • OpenSSL OpenSSL 0.9.6d
  • OpenSSL OpenSSL 0.9.6e
  • OpenSSL OpenSSL 0.9.6f
  • OpenSSL OpenSSL 0.9.6g
  • OpenSSL OpenSSL 0.9.6h
  • OpenSSL OpenSSL 0.9.6i
  • OpenSSL OpenSSL 0.9.6j
  • OpenSSL OpenSSL 0.9.6k
  • OpenSSL OpenSSL 0.9.6l
  • OpenSSL OpenSSL 0.9.6m
  • OpenSSL OpenSSL 0.9.7 Beta2
  • OpenSSL OpenSSL 0.9.7 Beta6
  • OpenSSL OpenSSL 0.9.7 Beta5
  • OpenSSL OpenSSL 0.9.7 Beta4
  • OpenSSL OpenSSL 0.9.7 Beta3
  • OpenSSL OpenSSL 0.9.7 Beta1
  • OpenSSL OpenSSL 0.9.7
  • OpenSSL OpenSSL 0.9.7a
  • OpenSSL OpenSSL 0.9.7A-2
  • OpenSSL OpenSSL 0.9.7A-2 I386
  • OpenSSL OpenSSL 0.9.7A-2 I386 Perl
  • OpenSSL OpenSSL 0.9.7A-2 I386 Dev
  • OpenSSL OpenSSL 0.9.7b
  • OpenSSL OpenSSL 0.9.7c
  • OpenSSL OpenSSL 0.9.7d
  • OpenSSL OpenSSL 0.9.7e
  • OpenSSL OpenSSL 0.9.7f
  • OpenSSL OpenSSL 0.9.7g
  • OpenSSL OpenSSL 0.9.7h
  • OpenSSL OpenSSL 0.9.7i
  • OpenSSL OpenSSL 0.9.7j
  • OpenSSL OpenSSL 0.9.7k
  • OpenSSL OpenSSL 0.9.7l
  • OpenSSL OpenSSL 0.9.7M
  • OpenSSL OpenSSL 0.9.8
  • OpenSSL OpenSSL 0.9.8a
  • OpenSSL OpenSSL 0.9.8b
  • OpenSSL OpenSSL 0.9.8c
  • OpenSSL OpenSSL 0.9.8d
  • OpenSSL OpenSSL 0.9.8e
  • OpenSSL OpenSSL 0.9.8f
  • OpenSSL OpenSSL 0.9.8g
  • OpenSSL OpenSSL 0.9.8h
  • OpenSSL OpenSSL 1.0 Openvms
  • OpenSSL OpenSSL
  • OpenVPN OpenVPN 2.1 beta14
  • OpenVPN OpenVPN 2.1 rc8
  • Opera Opera Browser 9.0
  • Oracle Java for Business JDK 5 Update 25
  • Oracle Java for Business JDK 6 Update 21
  • Oracle Java for Business JRE 1.4.2_27
  • Oracle Java for Business JRE 6 Update 21
  • Oracle Java for Business SDK 1.4.2_27
  • Oracle Java SE JDK 5 Update 25
  • Oracle Java SE JDK 6 Update 21
  • Oracle Java SE JRE 6 Update 21
  • Oracle Java SE SDK 1.4.2_27
  • Oracle Transportation Management 5.5.06.03
  • Oracle Transportation Management 6.0.6
  • Oracle Transportation Management 6.1.2
  • Oracle WebLogic Server 10.0 MP2
  • Oracle WebLogic Server 10.3.2
  • Oracle WebLogic Server 10.3.3
  • Oracle WebLogic Server 7.0 SP7
  • Oracle WebLogic Server 8.1 SP6
  • Oracle WebLogic Server 9.0
  • Oracle WebLogic Server 9.1
  • Oracle WebLogic Server 9.2 MP3
  • PeerSec MatrixSSL 1.8.7
  • ProFTPD ProFTPD 1.3.2
  • RedHat Enterprise Linux 3 WS
  • RedHat Enterprise Linux 3 ES
  • RedHat Enterprise Linux 3 AS
  • RedHat Enterprise Linux 3 Desktop
  • RedHat Enterprise Linux 4 AS
  • RedHat Enterprise Linux 4 Desktop
  • RedHat Enterprise Linux 4 ES
  • RedHat Enterprise Linux 4 WS
  • RedHat Enterprise Linux 4.8.z AS
  • RedHat Enterprise Linux 4.8.z ES
  • RedHat Enterprise Linux 5
  • RedHat Enterprise Linux 5 Client Workstation
  • RedHat Enterprise Linux 5 Client
  • RedHat Enterprise Linux 5.4.z EUS
  • RedHat Enterprise Linux 6 Workstation
  • RedHat Enterprise Linux 6 Server
  • RedHat Enterprise Linux Desktop 6
  • RedHat Enterprise Linux Desktop Supplementary 6
  • RedHat Enterprise Linux for SAP
  • RedHat Enterprise Linux HPC Node 6
  • RedHat Enterprise Linux HPC Node Supplementary 6
  • RedHat Enterprise Linux Server EUS 6.0.z
  • RedHat Enterprise Linux Server Supplementary 6
  • RedHat Enterprise Linux Workstation Supplementary 6
  • RedHat Red Hat Enterprise Linux 4.7.z Extras
  • RedHat Red Hat Enterprise Linux 4.8.z Extras
  • RedHat RHEL Desktop Supplementary 5 Client
  • RedHat RHEL Extras 3
  • RedHat RHEL Extras 4
  • RedHat RHEL Supplementary 5 Server
  • RedHat RHEL Supplementary 5.2.z EUS
  • RedHat RHEL Supplementary 5.3.z EUS
  • RedHat RHEL Supplementary 5.4.z EUS
  • Sun GlassFish Enterprise Server 2.1.1
  • Sun Java System Application Server 8.0 Enterprise
  • Sun Java System Application Server 8.1 Enterprise
  • Sun Java System Application Server 8.2 Enterprise
  • Sun Java System Web Proxy Server 4.0
  • Sun Java System Web Proxy Server 4.0 SP1
  • Sun Java System Web Proxy Server 4.0.2
  • Sun Java System Web Proxy Server 4.0.3
  • Sun Java System Web Proxy Server 4.0.4
  • Sun Java System Web Proxy Server 4.0.5
  • Sun Java System Web Proxy Server 4.0.6
  • Sun Java System Web Proxy Server 4.0.7
  • Sun Java System Web Server 6.1
  • Sun Java System Web Server 7.0
  • Sun JDK 5.0 Update23
  • Sun JDK 6 Update18
  • Sun JRE 6 Update18
  • Sun OpenSolaris 2009.06
  • Sun OpenSolaris build_snv_86 SPARC
  • Sun OpenSolaris build_snv_86 x86
  • Sun SDK 1.4.2_25
  • Sun Solaris 10 x86
  • Sun Solaris 10 SPARC
  • Sun Solaris 10
  • Sun Solaris 8 x86
  • Sun Solaris 8 SPARC
  • Sun Solaris 9 SPARC
  • Sun Solaris 9 x86
  • SUSE SuSE Linux 9.0
  • SuSE SuSE SLES 9
  • Turbolinux Appliance Server 3.0 x64
  • Turbolinux Appliance Server 3.0
  • Turbolinux Client 2008
  • Turbolinux Turbolinux 10 Server
  • Turbolinux Turbolinux 10 Server x64 Ed
  • Turbolinux Turbolinux 11 Server
  • Turbolinux Turbolinux 11 Server x64 Ed
  • Turbolinux Turbolinux FUJI
  • Turbolinux Turbolinux Appliance Server 2.0
  • VMware ESX 3.5
  • VooDoo cIRCle 1.1.38.7
  • Zeus Zeus Web Server 4.3 r4

Reported:

Nov 04, 2009

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@us.ibm.com


* According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall IBM be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

About IBM Internet Security Systems

IBM Internet Security Systems is a trusted security advisor to thousands of the world's leading businesses and governments, helping to provide pre-emptive protection for networks, desktops and servers. The IBM Proventia® integrated security platform is designed to automatically protect against both known and unknown threats, helping to keep networks up and running and shield customers from online attacks before they impact business assets. IBM Internet Security Systems products and services are based on the proactive security intelligence of its X-Force® research and development team, an unequivocal world authority in vulnerability and threat research. The IBM Internet Security Systems product line is also complemented by comprehensive Managed Security Services and Professional Security Services. For more information, visit the IBM Internet Security Systems Web site at www.iss.net or call 800-776-2362.