Oval Definition:oval:org.mitre.oval:def:10088
Revision Date:2013-04-29Version:13
Title:The TLS protocol, and the SSL protocol 3.0 and possibly earlier, as used in Microsoft Internet Information Services (IIS) 7.0, mod_ssl in the Apache HTTP Server 2.2.14 and earlier, OpenSSL before 0.9.8l, GnuTLS 2.8.5 and earlier, Mozilla Network Security Services (NSS) 3.12.4 and earlier, multiple Cisco products, and other products, does not properly associate renegotiation handshakes with an existing connection, which allows man-in-the-middle attackers to insert data into HTTPS sessions, and possibly other types of sessions protected by TLS or SSL, by sending an unauthenticated request that is processed retroactively by a server in a post-renegotiation context, related to a "plaintext injection" attack, aka the "Project Mogul" issue.
Description:The TLS protocol, and the SSL protocol 3.0 and possibly earlier, as used in Microsoft Internet Information Services (IIS) 7.0, mod_ssl in the Apache HTTP Server 2.2.14 and earlier, OpenSSL before 0.9.8l, GnuTLS 2.8.5 and earlier, Mozilla Network Security Services (NSS) 3.12.4 and earlier, multiple Cisco products, and other products, does not properly associate renegotiation handshakes with an existing connection, which allows man-in-the-middle attackers to insert data into HTTPS sessions, and possibly other types of sessions protected by TLS or SSL, by sending an unauthenticated request that is processed retroactively by a server in a post-renegotiation context, related to a "plaintext injection" attack, aka the "Project Mogul" issue.
Family:unixClass:vulnerability
Status:ACCEPTEDReference(s):CVE-2009-3555
Platform(s):CentOS Linux 3
CentOS Linux 4
CentOS Linux 5
Oracle Linux 4
Oracle Linux 5
Red Hat Enterprise Linux 3
Red Hat Enterprise Linux 4
Red Hat Enterprise Linux 5
Product(s):
Definition Synopsis
  • OS Section: RHEL3, CentOS3
  • RHEL3 or CentOS3
  • The operating system installed on the system is Red Hat Enterprise Linux 3
  • OR CentOS Linux 3.x
  • AND Configuration section
  • openssl-perl is earlier than 0:0.9.7a-33.26
  • OR openssl-devel is earlier than 0:0.9.7a-33.26
  • OR openssl is earlier than 0:0.9.7a-33.26
  • OR httpd-devel is earlier than 0:2.0.46-77.ent
  • OR mod_ssl is earlier than 0:2.0.46-77.ent
  • OR httpd is earlier than 0:2.0.46-77.ent
  • OR OS Section: RHEL4, CentOS4, Oracle Linux 4
  • RHEL4, CentOS4 or Oracle Linux 4
  • The operating system installed on the system is Red Hat Enterprise Linux 4
  • OR CentOS Linux 4.x
  • OR Oracle Linux 4.x
  • AND Configuration section
  • openssl-perl is earlier than 0:0.9.7a-43.17.el4_8.5
  • OR httpd-suexec is earlier than 0:2.0.52-41.ent.6
  • OR httpd-manual is earlier than 0:2.0.52-41.ent.6
  • OR nspr is earlier than 0:4.8.4-1.1.el4_8
  • OR mod_ssl is earlier than 0:2.0.52-41.ent.6
  • OR nss is earlier than 0:3.12.6-1.el4_8
  • OR nspr-devel is earlier than 0:4.8.4-1.1.el4_8
  • OR httpd is earlier than 0:2.0.52-41.ent.6
  • OR openssl-devel is earlier than 0:0.9.7a-43.17.el4_8.5
  • OR gnutls is earlier than 0:1.0.20-4.el4_8.7
  • OR openssl is earlier than 0:0.9.7a-43.17.el4_8.5
  • OR httpd-devel is earlier than 0:2.0.52-41.ent.6
  • OR nss-devel is earlier than 0:3.12.6-1.el4_8
  • OR gnutls-devel is earlier than 0:1.0.20-4.el4_8.7
  • OR nss-tools is earlier than 0:3.12.6-1.el4_8
  • OR OS Section: RHEL5, CentOS5, Oracle Linux 5
  • RHEL5, CentOS5 or Oracle Linux 5
  • The operating system installed on the system is Red Hat Enterprise Linux 5
  • OR The operating system installed on the system is CentOS Linux 5.x
  • OR Oracle Linux 5.x
  • AND Configuration section
  • openssl097a is earlier than 0:0.9.7a-9.el5_4.2
  • OR openssl-perl is earlier than 0:0.9.8e-12.el5_4.6
  • OR nss-pkcs11-devel is earlier than 0:3.12.6-1.el5_4
  • OR httpd-manual is earlier than 0:2.2.3-31.el5_4.2
  • OR nspr-devel is earlier than 0:4.8.4-1.el5_4
  • OR gnutls is earlier than 0:1.4.1-3.el5_4.8
  • OR openssl is earlier than 0:0.9.8e-12.el5_4.6
  • OR httpd-devel is earlier than 0:2.2.3-31.el5_4.2
  • OR java-1.6.0-openjdk-demo is earlier than 1:1.6.0.0-1.11.b16.el5
  • OR mod_ssl is earlier than 0:2.2.3-31.el5_4.2
  • OR nspr is earlier than 0:4.8.4-1.el5_4
  • OR nss is earlier than 0:3.12.6-1.el5_4
  • OR httpd is earlier than 0:2.2.3-31.el5_4.2
  • OR java-1.6.0-openjdk is earlier than 1:1.6.0.0-1.11.b16.el5
  • OR java-1.6.0-openjdk-devel is earlier than 1:1.6.0.0-1.11.b16.el5
  • OR openssl-devel is earlier than 0:0.9.8e-12.el5_4.6
  • OR gnutls-devel is earlier than 0:1.4.1-3.el5_4.8
  • OR nss-devel is earlier than 0:3.12.6-1.el5_4
  • OR java-1.6.0-openjdk-javadoc is earlier than 1:1.6.0.0-1.11.b16.el5
  • OR java-1.6.0-openjdk-src is earlier than 1:1.6.0.0-1.11.b16.el5
  • OR nss-tools is earlier than 0:3.12.6-1.el5_4
  • OR gnutls-utils is earlier than 0:1.4.1-3.el5_4.8
    • BACK