National Vulnerability Database

National Vulnerability Database

National Vulnerability
Database

CVE-2009-0590 Detail

Description

The ASN1_STRING_print_ex function in OpenSSL before 0.9.8k allows remote attackers to cause a denial of service (invalid memory access and application crash) via vectors that trigger printing of a (1) BMPString or (2) UniversalString with an invalid encoded length.

Source:  MITRE      Last Modified:  03/27/2009

Quick Info

CVE Dictionary Entry:
CVE-2009-0590
Original release date:
03/27/2009
Last revised:
09/28/2017
Source:
US-CERT/NIST

Impact

CVSS Severity (version 2.0):
CVSS v2 Base Score:
5.0 MEDIUM
Vector:
(AV:N/AC:L/Au:N/C:N/I:N/A:P) (legend)
Impact Subscore:
2.9
Exploitability Subscore:
10.0
CVSS Version 2 Metrics:
Access Vector:
Network exploitable
Access Complexity:
Low
Authentication:
Not required to exploit
Impact Type:
Allows disruption of service

Vendor Statements (disclaimer)

Official Statement from Red Hat (03/25/2010)

This issue was fixed in openssl packages in Red Hat Enterprise Linux 5 via: https://rhn.redhat.com/errata/RHSA-2009-1335.html This issue was fixed in openssl packages in Red Hat Enterprise Linux 3 and 4 via: https://rhn.redhat.com/errata/RHSA-2010-0163.html

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to nvd@nist.gov.

Hyperlink Resource Type Source Name
ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2009-008.txt.asc External Source NETBSD NetBSD-SA2009-008
http://lists.apple.com/archives/security-announce/2009/Sep/msg00004.html External Source APPLE APPLE-SA-2009-09-10-2
http://lists.opensuse.org/opensuse-security-announce/2009-05/msg00000.html External Source SUSE SUSE-SR:2009:010
http://lists.opensuse.org/opensuse-security-announce/2011-07/msg00013.html External Source SUSE openSUSE-SU-2011:0845
http://lists.opensuse.org/opensuse-security-announce/2011-07/msg00014.html External Source SUSE SUSE-SU-2011:0847
http://lists.vmware.com/pipermail/security-announce/2010/000082.html External Source MLIST [security-announce] 20100303 VMSA-2010-0004 ESX Service Console and vMA third party updates
http://marc.info/?l=bugtraq&m=124464882609472&w=2 External Source HP HPSBUX02435
http://marc.info/?l=bugtraq&m=125017764422557&w=2 External Source HP HPSBMA02447
http://marc.info/?l=bugtraq&m=127678688104458&w=2 External Source HP HPSBOV02540
http://security.FreeBSD.org/advisories/FreeBSD-SA-09:08.openssl.asc External Source FREEBSD FreeBSD-SA-09:08
http://securitytracker.com/id?1021905 External Source SECTRACK 1021905
http://sourceforge.net/project/shownotes.php?release_id=671059&group_id=116847 Patch External Source CONFIRM http://sourceforge.net/project/shownotes.php?release_id=671059&group_id=116847
http://sunsolve.sun.com/search/document.do?assetkey=1-26-258048-1 External Source SUNALERT 258048
http://support.apple.com/kb/HT3865 External Source CONFIRM http://support.apple.com/kb/HT3865
http://support.avaya.com/elmodocs2/security/ASA-2009-172.htm External Source CONFIRM http://support.avaya.com/elmodocs2/security/ASA-2009-172.htm
http://voodoo-circle.sourceforge.net/sa/sa-20090326-01.html External Source CONFIRM http://voodoo-circle.sourceforge.net/sa/sa-20090326-01.html
http://wiki.rpath.com/Advisories:rPSA-2009-0057 External Source CONFIRM http://wiki.rpath.com/Advisories:rPSA-2009-0057
http://wiki.rpath.com/wiki/Advisories:rPSA-2009-0057 External Source MISC http://wiki.rpath.com/wiki/Advisories:rPSA-2009-0057
http://www.debian.org/security/2009/dsa-1763 External Source DEBIAN DSA-1763
http://www.mandriva.com/security/advisories?name=MDVSA-2009:087 External Source MANDRIVA MDVSA-2009:087
http://www.openssl.org/news/secadv_20090325.txt Vendor Advisory External Source CONFIRM http://www.openssl.org/news/secadv_20090325.txt
http://www.php.net/archive/2009.php#id2009-04-08-1 External Source CONFIRM http://www.php.net/archive/2009.php#id2009-04-08-1
http://www.redhat.com/support/errata/RHSA-2009-1335.html External Source REDHAT RHSA-2009:1335
http://www.securityfocus.com/archive/1/archive/1/502429/100/0/threaded External Source BUGTRAQ 20090403 rPSA-2009-0057-1 m2crypto openssl openssl-scripts
http://www.securityfocus.com/archive/1/archive/1/515055/100/0/threaded External Source BUGTRAQ 20101207 VMSA-2010-0019 VMware ESX third party updates for Service Console
http://www.securityfocus.com/bid/34256 Patch External Source BID 34256
http://www.ubuntu.com/usn/usn-750-1 External Source UBUNTU USN-750-1
http://www.vmware.com/security/advisories/VMSA-2010-0019.html External Source CONFIRM http://www.vmware.com/security/advisories/VMSA-2010-0019.html
http://www.vupen.com/english/advisories/2009/0850 Patch; Vendor Advisory External Source VUPEN ADV-2009-0850
http://www.vupen.com/english/advisories/2009/1020 External Source VUPEN ADV-2009-1020
http://www.vupen.com/english/advisories/2009/1175 External Source VUPEN ADV-2009-1175
http://www.vupen.com/english/advisories/2009/1220 External Source VUPEN ADV-2009-1220
http://www.vupen.com/english/advisories/2009/1548 External Source VUPEN ADV-2009-1548
http://www.vupen.com/english/advisories/2010/0528 External Source VUPEN ADV-2010-0528
http://www.vupen.com/english/advisories/2010/3126 External Source VUPEN ADV-2010-3126
https://exchange.xforce.ibmcloud.com/vulnerabilities/49431 External Source XF openssl-asn1-stringprintex-dos(49431)
https://kb.bluecoat.com/index?page=content&id=SA50 External Source CONFIRM https://kb.bluecoat.com/index?page=content&id=SA50
https://lists.balabit.com/pipermail/syslog-ng-announce/2011-January/000101.html External Source MLIST [syslog-ng-announce] 20110110 syslog-ng Premium Edition 3.0.6a has been released
https://lists.balabit.com/pipermail/syslog-ng-announce/2011-January/000102.html External Source MLIST [syslog-ng-announce] 20110110 syslog-ng Premium Edition 3.2.1a has been released
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10198 External Source OVAL oval:org.mitre.oval:def:10198
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6996 External Source OVAL oval:org.mitre.oval:def:6996

References to Check Content

Identifier:
oval:org.mitre.oval:def:10198
Check System:
http://oval.mitre.org/XMLSchema/oval-definitions-5
Hyperlink:
http://oval.mitre.org/repository/data/DownloadDefinition?id=oval:org.mitre.oval:def:10198
Identifier:
oval:org.mitre.oval:def:6996
Check System:
http://oval.mitre.org/XMLSchema/oval-definitions-5
Hyperlink:
http://oval.mitre.org/repository/data/DownloadDefinition?id=oval:org.mitre.oval:def:6996

Technical Details

Vulnerability Type (View All)

Vulnerable software and versions Switch to CPE 2.2

Configuration 1
OR
cpe:2.3:a:openssl:openssl:*:*:openvms:*:*:*:*:*
cpe:2.3:a:openssl:openssl:0.9.1c:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:0.9.2b:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:0.9.3:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:0.9.3a:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:0.9.4:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:0.9.5:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:0.9.5:beta1:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:0.9.5:beta2:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:0.9.5a:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:0.9.5a:beta1:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:0.9.5a:beta2:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:0.9.6:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:0.9.6:beta1:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:0.9.6:beta2:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:0.9.6:beta3:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:0.9.6a:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:0.9.6a:beta1:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:0.9.6a:beta2:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:0.9.6a:beta3:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:0.9.6b:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:0.9.6c:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:0.9.6d:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:0.9.6e:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:0.9.6f:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:0.9.6g:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:0.9.6h:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:0.9.6i:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:0.9.6j:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:0.9.6k:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:0.9.6l:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:0.9.6m:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:0.9.7:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:0.9.7:beta1:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:0.9.7:beta2:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:0.9.7:beta3:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:0.9.7:beta4:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:0.9.7:beta5:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:0.9.7:beta6:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:0.9.7a:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:0.9.7b:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:0.9.7c:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:0.9.7d:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:0.9.7e:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:0.9.7f:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:0.9.7g:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:0.9.7h:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:0.9.7i:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:0.9.7j:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:0.9.7k:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:0.9.7l:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:0.9.8:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:0.9.8a:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:0.9.8b:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:0.9.8c:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:0.9.8d:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:0.9.8e:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:0.9.8f:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:0.9.8g:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:0.9.8h:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:0.9.8i:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*    versions up to (including) 0.9.8j

Denotes Vulnerable Software
Are we missing a CPE here? Please let us know.

Change History 5 change records found - show changes