Executive Summary

Informations
Name CVE-2009-4355 First vendor Publication 2010-01-14
Vendor Cve Last vendor Modification 2017-09-19

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
 
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:N/C:N/I:N/A:P)
Cvss Base Score 5 Attack Range Network
Cvss Impact Score 2.9 Attack Complexity Low
Cvss Expoit Score 10 Authentication None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Memory leak in the zlib_stateful_finish function in crypto/comp/c_zlib.c in OpenSSL 0.9.8l and earlier and 1.0.0 Beta through Beta 4 allows remote attackers to cause a denial of service (memory consumption) via vectors that trigger incorrect calls to the CRYPTO_cleanup_all_ex_data function, as demonstrated by use of SSLv3 and PHP with the Apache HTTP Server, a related issue to CVE-2008-1678.

Original Source

Url : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4355

CWE : Common Weakness Enumeration

% Id Name
100 % CWE-399 Resource Management Errors

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:11260
 
Oval ID: oval:org.mitre.oval:def:11260
Title: Memory leak in the zlib_stateful_finish function in crypto/comp/c_zlib.c in OpenSSL 0.9.8l and earlier and 1.0.0 Beta through Beta 4 allows remote attackers to cause a denial of service (memory consumption) via vectors that trigger incorrect calls to the CRYPTO_cleanup_all_ex_data function, as demonstrated by use of SSLv3 and PHP with the Apache HTTP Server, a related issue to CVE-2008-1678.
Description: Memory leak in the zlib_stateful_finish function in crypto/comp/c_zlib.c in OpenSSL 0.9.8l and earlier and 1.0.0 Beta through Beta 4 allows remote attackers to cause a denial of service (memory consumption) via vectors that trigger incorrect calls to the CRYPTO_cleanup_all_ex_data function, as demonstrated by use of SSLv3 and PHP with the Apache HTTP Server, a related issue to CVE-2008-1678.
Family: unix Class: vulnerability
Reference(s): CVE-2009-4355
Version: 5
Platform(s): Red Hat Enterprise Linux 5
CentOS Linux 5
Oracle Linux 5
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:12168
 
Oval ID: oval:org.mitre.oval:def:12168
Title: HP-UX Running OpenSSL, Remote Unauthorized Information Disclosure, Unauthorized Data Modification, Denial of Service (DoS)
Description: Memory leak in the zlib_stateful_finish function in crypto/comp/c_zlib.c in OpenSSL 0.9.8l and earlier and 1.0.0 Beta through Beta 4 allows remote attackers to cause a denial of service (memory consumption) via vectors that trigger incorrect calls to the CRYPTO_cleanup_all_ex_data function, as demonstrated by use of SSLv3 and PHP with the Apache HTTP Server, a related issue to CVE-2008-1678.
Family: unix Class: vulnerability
Reference(s): CVE-2009-4355
Version: 11
Platform(s): HP-UX 11
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:12486
 
Oval ID: oval:org.mitre.oval:def:12486
Title: USN-884-1 -- openssl vulnerability
Description: It was discovered that OpenSSL did not correctly free unused memory in certain situations. A remote attacker could trigger this flaw in services that used SSL, causing the service to use all available system memory, leading to a denial of service.
Family: unix Class: patch
Reference(s): USN-884-1
CVE-2009-4355
Version: 5
Platform(s): Ubuntu 8.04
Ubuntu 8.10
Ubuntu 9.10
Ubuntu 6.06
Ubuntu 9.04
Product(s): openssl
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:13303
 
Oval ID: oval:org.mitre.oval:def:13303
Title: DSA-1970-1 openssl -- denial of service
Description: It was discovered that a significant memory leak could occur in openssl, related to the reinitialisation of zlib. This could result in a remotely exploitable denial of service vulnerability when using the Apache httpd server in a configuration where mod_ssl, mod_php5, and the php5-curl extension are loaded. The old stable distribution is not affected by this issue. For the stable distribution, this problem has been fixed in version 0.9.8g-15+lenny6. The packages for the arm architecture are not included in this advisory. They will be released as soon as they become available. For the testing distribution and the unstable distribution, this problem will be fixed soon. The issue does not seem to be exploitable with the apache2 package contained in squeeze/sid. We recommend that you upgrade your openssl packages. You also need to restart your Apache httpd server to make sure it uses the updated libraries.
Family: unix Class: patch
Reference(s): DSA-1970-1
CVE-2009-4355
Version: 5
Platform(s): Debian GNU/Linux 5.0
Product(s): openssl
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:21795
 
Oval ID: oval:org.mitre.oval:def:21795
Title: RHSA-2010:0054: openssl security update (Moderate)
Description: Memory leak in the zlib_stateful_finish function in crypto/comp/c_zlib.c in OpenSSL 0.9.8l and earlier and 1.0.0 Beta through Beta 4 allows remote attackers to cause a denial of service (memory consumption) via vectors that trigger incorrect calls to the CRYPTO_cleanup_all_ex_data function, as demonstrated by use of SSLv3 and PHP with the Apache HTTP Server, a related issue to CVE-2008-1678.
Family: unix Class: patch
Reference(s): RHSA-2010:0054-01
CESA-2010:0054
CVE-2009-2409
CVE-2009-4355
Version: 29
Platform(s): Red Hat Enterprise Linux 5
CentOS Linux 5
Product(s): openssl
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:22987
 
Oval ID: oval:org.mitre.oval:def:22987
Title: ELSA-2010:0054: openssl security update (Moderate)
Description: Memory leak in the zlib_stateful_finish function in crypto/comp/c_zlib.c in OpenSSL 0.9.8l and earlier and 1.0.0 Beta through Beta 4 allows remote attackers to cause a denial of service (memory consumption) via vectors that trigger incorrect calls to the CRYPTO_cleanup_all_ex_data function, as demonstrated by use of SSLv3 and PHP with the Apache HTTP Server, a related issue to CVE-2008-1678.
Family: unix Class: patch
Reference(s): ELSA-2010:0054-01
CVE-2009-2409
CVE-2009-4355
Version: 13
Platform(s): Oracle Linux 5
Product(s): openssl
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:25124
 
Oval ID: oval:org.mitre.oval:def:25124
Title: Vulnerability in OpenSSL 0.9.8l and earlier and 1.0.0 Beta through Beta 4, allows remote attackers to cause a denial of service (memory consumption)
Description: Memory leak in the zlib_stateful_finish function in crypto/comp/c_zlib.c in OpenSSL 0.9.8l and earlier and 1.0.0 Beta through Beta 4 allows remote attackers to cause a denial of service (memory consumption) via vectors that trigger incorrect calls to the CRYPTO_cleanup_all_ex_data function, as demonstrated by use of SSLv3 and PHP with the Apache HTTP Server, a related issue to CVE-2008-1678.
Family: windows Class: vulnerability
Reference(s): CVE-2009-4355
Version: 3
Platform(s): Microsoft Windows XP
Microsoft Windows Server 2003
Microsoft Windows Vista
Microsoft Windows 7
Microsoft Windows Server 2008
Microsoft Windows Server 2008 R2
Microsoft Windows 8
Microsoft Windows 8.1
Microsoft Windows Server 2012
Microsoft Windows Server 2012 R2
Product(s): OpenSSL
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:6678
 
Oval ID: oval:org.mitre.oval:def:6678
Title: OpenSSL 'zlib' Compression Memory Leak Remote Denial of Service Vulnerability
Description: Memory leak in the zlib_stateful_finish function in crypto/comp/c_zlib.c in OpenSSL 0.9.8l and earlier and 1.0.0 Beta through Beta 4 allows remote attackers to cause a denial of service (memory consumption) via vectors that trigger incorrect calls to the CRYPTO_cleanup_all_ex_data function, as demonstrated by use of SSLv3 and PHP with the Apache HTTP Server, a related issue to CVE-2008-1678.
Family: unix Class: vulnerability
Reference(s): CVE-2009-4355
Version: 5
Platform(s): VMWare ESX Server 4.0
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:6964
 
Oval ID: oval:org.mitre.oval:def:6964
Title: DSA-1970 openssl -- denial of service
Description: It was discovered that a significant memory leak could occur in OpenSSL, related to the reinitialisation of zlib. This could result in a remotely exploitable denial of service vulnerability when using the Apache httpd server in a configuration where mod_ssl, mod_php5, and the php5-curl extension are loaded. The old stable distribution is not affected by this issue.
Family: unix Class: patch
Reference(s): DSA-1970
CVE-2009-4355
Version: 5
Platform(s): Debian GNU/Linux 5.0
Product(s): openssl
Definition Synopsis:

CPE : Common Platform Enumeration

TypeDescriptionCount
Application 261
Application 3

OpenVAS Exploits

Date Description
2012-04-16 Name : VMSA-2010-0009: ESXi utilities and ESX Service Console third party updates
File : nvt/gb_VMSA-2010-0009.nasl
2012-02-12 Name : Gentoo Security Advisory GLSA 201110-01 (openssl)
File : nvt/glsa_201110_01.nasl
2011-08-09 Name : CentOS Update for openssl CESA-2010:0054 centos5 i386
File : nvt/gb_CESA-2010_0054_openssl_centos5_i386.nasl
2010-11-23 Name : Fedora Update for openssl FEDORA-2010-17826
File : nvt/gb_fedora_2010_17826_openssl_fc12.nasl
2010-06-25 Name : Fedora Update for openssl FEDORA-2010-9421
File : nvt/gb_fedora_2010_9421_openssl_fc11.nasl
2010-06-18 Name : Fedora Update for openssl FEDORA-2010-9639
File : nvt/gb_fedora_2010_9639_openssl_fc12.nasl
2010-05-28 Name : Fedora Update for openssl FEDORA-2010-8742
File : nvt/gb_fedora_2010_8742_openssl_fc12.nasl
2010-04-30 Name : HP-UX Update for OpenSSL HPSBUX02517
File : nvt/gb_hp_ux_HPSBUX02517.nasl
2010-04-19 Name : Fedora Update for openssl FEDORA-2010-5357
File : nvt/gb_fedora_2010_5357_openssl_fc11.nasl
2010-01-29 Name : SuSE Update for acroread SUSE-SA:2010:008
File : nvt/gb_suse_2010_008.nasl
2010-01-22 Name : Mandriva Update for openssl MDVSA-2010:022 (openssl)
File : nvt/gb_mandriva_MDVSA_2010_022.nasl
2010-01-20 Name : RedHat Update for openssl RHSA-2010:0054-01
File : nvt/gb_RHSA-2010_0054-01_openssl.nasl
2010-01-19 Name : Ubuntu Update for openssl vulnerability USN-884-1
File : nvt/gb_ubuntu_USN_884_1.nasl
0000-00-00 Name : Slackware Advisory SSA:2010-060-02 openssl
File : nvt/esoft_slk_ssa_2010_060_02.nasl

Open Source Vulnerability Database (OSVDB)

Id Description
61684 OpenSSL CRYPTO_free_all_ex_data() Function Memory Exhaustion DoS

Nessus® Vulnerability Scanner

Date Description
2016-03-08 Name : The remote VMware ESX / ESXi host is missing a security-related patch.
File : vmware_VMSA-2010-0009_remote.nasl - Type : ACT_GATHER_INFO
2014-11-26 Name : The remote OracleVM host is missing a security update.
File : oraclevm_OVMSA-2014-0008.nasl - Type : ACT_GATHER_INFO
2014-11-26 Name : The remote OracleVM host is missing a security update.
File : oraclevm_OVMSA-2014-0007.nasl - Type : ACT_GATHER_INFO
2013-07-12 Name : The remote Oracle Linux host is missing one or more security updates.
File : oraclelinux_ELSA-2010-0054.nasl - Type : ACT_GATHER_INFO
2012-08-01 Name : The remote Scientific Linux host is missing one or more security updates.
File : sl_20100119_openssl_on_SL5_x.nasl - Type : ACT_GATHER_INFO
2012-01-04 Name : The remote SSL layer is affected by a denial of service vulnerability.
File : openssl_0_9_8p_1_0_0e.nasl - Type : ACT_GATHER_INFO
2011-10-10 Name : The remote Gentoo host is missing one or more security-related patches.
File : gentoo_GLSA-201110-01.nasl - Type : ACT_GATHER_INFO
2010-10-11 Name : The remote SuSE 10 host is missing a security-related patch.
File : suse_openssl-CVE-2009-4355.patch-6783.nasl - Type : ACT_GATHER_INFO
2010-07-01 Name : The remote Fedora host is missing a security update.
File : fedora_2010-5744.nasl - Type : ACT_GATHER_INFO
2010-07-01 Name : The remote Fedora host is missing a security update.
File : fedora_2010-5357.nasl - Type : ACT_GATHER_INFO
2010-06-01 Name : The remote VMware ESXi / ESX host is missing one or more security-related pat...
File : vmware_VMSA-2010-0009.nasl - Type : ACT_GATHER_INFO
2010-03-11 Name : The remote web server has multiple SSL-related vulnerabilities.
File : openssl_0_9_8m.nasl - Type : ACT_GATHER_INFO
2010-03-02 Name : The remote Slackware host is missing a security update.
File : Slackware_SSA_2010-060-02.nasl - Type : ACT_GATHER_INFO
2010-02-24 Name : The remote Debian host is missing a security-related update.
File : debian_DSA-1970.nasl - Type : ACT_GATHER_INFO
2010-01-25 Name : The remote openSUSE host is missing a security update.
File : suse_11_0_openssl-CVE-2009-4355_patch-100115.nasl - Type : ACT_GATHER_INFO
2010-01-25 Name : The remote openSUSE host is missing a security update.
File : suse_11_1_openssl-CVE-2009-4355_patch-100120.nasl - Type : ACT_GATHER_INFO
2010-01-25 Name : The remote openSUSE host is missing a security update.
File : suse_11_2_openssl-CVE-2009-4355_patch-100115.nasl - Type : ACT_GATHER_INFO
2010-01-25 Name : The remote SuSE 11 host is missing one or more security updates.
File : suse_11_openssl-CVE-2009-4355_patch-100115.nasl - Type : ACT_GATHER_INFO
2010-01-25 Name : The remote SuSE 10 host is missing a security-related patch.
File : suse_openssl-CVE-2009-4355.patch-6784.nasl - Type : ACT_GATHER_INFO
2010-01-21 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2010-0054.nasl - Type : ACT_GATHER_INFO
2010-01-21 Name : The remote Mandriva Linux host is missing one or more security updates.
File : mandriva_MDVSA-2010-022.nasl - Type : ACT_GATHER_INFO
2010-01-20 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2010-0054.nasl - Type : ACT_GATHER_INFO
2010-01-14 Name : The remote Ubuntu host is missing one or more security-related patches.
File : ubuntu_USN-884-1.nasl - Type : ACT_GATHER_INFO

Sources (Detail)

Source Url
CONFIRM http://cvs.openssl.org/chngview?cn=19068
http://cvs.openssl.org/chngview?cn=19069
http://cvs.openssl.org/chngview?cn=19167
http://wiki.rpath.com/wiki/Advisories:rPSA-2010-0004
https://bugzilla.redhat.com/show_bug.cgi?id=546707
https://issues.rpath.com/browse/RPL-3157
https://kb.bluecoat.com/index?page=content&id=SA50
DEBIAN http://www.debian.org/security/2010/dsa-1970
FEDORA http://lists.fedoraproject.org/pipermail/package-announce/2010-April/038587.html
http://lists.fedoraproject.org/pipermail/package-announce/2010-April/039561.html
HP http://marc.info/?l=bugtraq&m=127128920008563&w=2
MANDRIVA http://www.mandriva.com/security/advisories?name=MDVSA-2010:022
MLIST http://www.openwall.com/lists/oss-security/2010/01/13/3
OVAL https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.ova...
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.ova...
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.ova...
REDHAT https://rhn.redhat.com/errata/RHSA-2010-0095.html
SECUNIA http://secunia.com/advisories/38175
http://secunia.com/advisories/38181
http://secunia.com/advisories/38200
http://secunia.com/advisories/38761
http://secunia.com/advisories/39461
http://secunia.com/advisories/42724
http://secunia.com/advisories/42733
SLACKWARE http://slackware.com/security/viewer.php?l=slackware-security&y=2010&...
SUSE http://lists.opensuse.org/opensuse-security-announce/2010-01/msg00009.html
UBUNTU http://www.ubuntu.com/usn/USN-884-1
VUPEN http://www.vupen.com/english/advisories/2010/0124
http://www.vupen.com/english/advisories/2010/0839
http://www.vupen.com/english/advisories/2010/0916

Alert History

If you want to see full details history, please login or register.
0
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
Date Informations
2024-02-02 01:12:04
  • Multiple Updates
2024-02-01 12:03:22
  • Multiple Updates
2023-09-05 12:11:21
  • Multiple Updates
2023-09-05 01:03:13
  • Multiple Updates
2023-09-02 12:11:24
  • Multiple Updates
2023-09-02 01:03:15
  • Multiple Updates
2023-08-12 12:13:24
  • Multiple Updates
2023-08-12 01:03:14
  • Multiple Updates
2023-08-11 12:11:27
  • Multiple Updates
2023-08-11 01:03:22
  • Multiple Updates
2023-08-06 12:11:00
  • Multiple Updates
2023-08-06 01:03:16
  • Multiple Updates
2023-08-04 12:11:05
  • Multiple Updates
2023-08-04 01:03:18
  • Multiple Updates
2023-07-14 12:11:02
  • Multiple Updates
2023-07-14 01:03:16
  • Multiple Updates
2023-03-29 01:12:39
  • Multiple Updates
2023-03-28 12:03:22
  • Multiple Updates
2022-10-11 12:09:50
  • Multiple Updates
2022-10-11 01:03:04
  • Multiple Updates
2021-05-04 12:10:36
  • Multiple Updates
2021-04-22 01:11:05
  • Multiple Updates
2020-05-23 01:41:12
  • Multiple Updates
2020-05-23 00:24:43
  • Multiple Updates
2018-08-14 12:03:14
  • Multiple Updates
2017-09-19 09:23:31
  • Multiple Updates
2016-08-23 09:24:35
  • Multiple Updates
2016-06-28 17:55:29
  • Multiple Updates
2016-04-26 19:19:27
  • Multiple Updates
2016-03-09 13:25:54
  • Multiple Updates
2014-11-27 13:27:39
  • Multiple Updates
2014-02-17 10:52:43
  • Multiple Updates
2013-05-22 00:19:05
  • Multiple Updates
2013-05-11 00:02:47
  • Multiple Updates