PT-2009-6739 · Apache · Apache Tomcat
Marsh Ray
Published 1970-01-01 · Updated 2026-05-27
CVE-2009-3555
CVSS v3.1: 9.8 Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
OpenSSL versions prior to 0.9.8l
GnuTLS versions prior to 2.8.5
Apache HTTP Server versions prior to 2.2.14
Microsoft Internet Information Services (IIS) 7.0
OpenVPN versions prior to 2.3.1
Mozilla Network Security Services (NSS) versions prior to 3.12.4
Multiple Cisco products (affected versions not specified)
HP Integrated Lights-Out iLO2 and iLO3 (affected versions not specified)
FortiOS (affected versions not specified)
Apache Tomcat versions prior to 7.0.10, 6.0.32, and 5.5.33
Oracle (affected versions not specified)
openSUSE (multiple packages, affected versions not specified)
Red Hat Enterprise Linux (multiple packages, affected versions not specified)
CentOS (affected versions not specified)
Gentoo Linux (multiple packages, affected versions not specified)
SUSE Linux Enterprise (multiple packages, affected versions not specified)
Description
The vulnerability exists in the TLS/SSL protocol itself and can be exploited by an unauthenticated, remote attacker to conduct a man-in-the-middle attack. The attacker sends an unauthenticated request that the server processes retroactively in a post-renegotiation context, which allows data to be inserted into HTTPS sessions. The attacker can also intercept traffic from a client to a TLS server and have the client's authentication retroactively cover data the attacker injected, while the client believes it is talking to the intended server. However, the attacker cannot view the contents of the session and can only inject data or requests into it.
Recommendations
For OpenSSL versions prior to 0.9.8l, update to version 0.9.8l or later.
For GnuTLS versions prior to 2.8.5, update to version 2.8.5 or later.
For Apache HTTP Server versions prior to 2.2.14, update to version 2.2.14 or later.
For Microsoft Internet Information Services (IIS) 7.0, apply the security update provided by Microsoft.
For OpenVPN versions prior to 2.3.1, update to version 2.3.1 or later.
For Mozilla Network Security Services (NSS) versions prior to 3.12.4, update to version 3.12.4 or later.
For HP Integrated Lights-Out iLO2 and iLO3, apply the security update provided by HP.
For FortiOS, enable secure renegotiation on the SSL Deep-Inspection.
For Apache Tomcat versions prior to 7.0.10, 6.0.32, and 5.5.33, update to version 7.0.10, 6.0.32, or 5.5.33 or later.
For Oracle, apply the security update provided by Oracle.
For openSUSE, Red Hat Enterprise Linux, CentOS, Gentoo Linux, and SUSE Linux Enterprise, update the affected packages to the latest versions.
As a temporary workaround, consider disabling the renegotiation feature in the TLS/SSL protocol until a patch is available. Restrict access to the vulnerable servers and services to minimize the risk of exploitation. Avoid using the vulnerable TLS/SSL protocol versions until the issue is resolved.
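The workaround above hinges on whether a server still negotiates legacy renegotiation. The following probe is an added example, not part of this advisory or of any listed vendor's tooling: it sends a minimal TLS 1.2 ClientHello that signals RFC 5746 support (the SCSV plus an empty renegotiation_info extension) and reports whether the ServerHello echoes renegotiation_info, which an RFC 5746-aware server does and an unpatched one does not. The function names, the fixed client random and the RSA-only cipher suite list are assumptions made for the example.

```python
import socket
import struct

RENEG_INFO = 0xFF01   # RFC 5746 renegotiation_info extension type
RENEG_SCSV = 0x00FF   # TLS_EMPTY_RENEGOTIATION_INFO_SCSV signalling cipher suite

def build_client_hello():
    """TLS 1.2 ClientHello signalling RFC 5746 support: SCSV plus an empty renegotiation_info ext."""
    suites = b"".join(struct.pack("!H", s) for s in (0x003D, 0x003C, 0x0035, 0x002F, 0x000A, RENEG_SCSV))
    ext = struct.pack("!HHB", RENEG_INFO, 1, 0)              # type ff01, length 1, empty data
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00"             # version, constructed fixed random, no session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00"                                    # one compression method: null
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body       # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs  # record type 22 = handshake

def parse_server_hello(data):
    """True if the ServerHello echoes renegotiation_info, False if it omits it, None if none seen."""
    pos = 0
    while pos + 5 <= len(data):
        ctype, rlen = data[pos], struct.unpack("!H", data[pos + 3:pos + 5])[0]
        rec = data[pos + 5:pos + 5 + rlen]
        pos += 5 + rlen
        if ctype != 22 or not rec or rec[0] != 2:            # skip alerts and non-ServerHello records
            continue
        hs_end = 4 + int.from_bytes(rec[1:4], "big")         # end of the ServerHello message
        p = 38 + 1 + rec[38] + 3   # past hs header, version, random, session id, suite, compression
        if p >= hs_end:
            return False                                     # no extensions block at all
        ext_end = p + 2 + struct.unpack("!H", rec[p:p + 2])[0]
        p += 2
        while p + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", rec[p:p + 4])
            if etype == RENEG_INFO:
                return True
            p += 4 + elen
        return False
    return None

def check_secure_renegotiation(host, port=443, timeout=5):
    """Connect, send the probe and classify the first complete record the server returns."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello())
        data = b""
        for _ in range(8):                                   # gather until the first record is complete
            data += s.recv(4096)
            if len(data) >= 5 and len(data) >= 5 + int.from_bytes(data[3:5], "big"):
                break
    return parse_server_hello(data)
```

A server that refuses RSA key exchange answers with an alert and the check returns None rather than a verdict; extend the suite list (and add the extensions those suites require) before probing such hosts.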
Exploit
Fix
DoS
Improper Certificate Validation
RCE
Related Identifiers
Affected Products
Apache HTTP Server
Apache Tomcat
CentOS
Cisco
Cisco ASA
Cisco Wls
FortiOS
Gentoo Linux
GnuTLS
HP Integrated Lights-Out
HPE iLO
HP-UX
Internet Information Services
Network Security Services
Nginx
OpenSSL
OpenVPN
Oracle
Oracle Database
Oracle WebLogic Server
Red Hat
SUSE Linux Enterprise
SUSE
Windows
openSUSE