NVD

CVE-2009-1377 Detail

Modified After Enrichment

This CVE record has been updated after NVD enrichment efforts were completed. Enrichment data supplied by the NVD may require amendment due to these changes.

Description

The dtls1_buffer_record function in ssl/d1_pkt.c in OpenSSL 0.9.8k and earlier 0.9.8 versions allows remote attackers to cause a denial of service (memory consumption) via a large series of "future epoch" DTLS records that are buffered in a queue, aka "DTLS record buffer limitation bug."

Metrics

NVD enrichment efforts reference publicly available information to associate vector strings. CVSS information contributed by other sources is also displayed.

CVSS 4.0 Severity and Vector Strings:

NIST: NVD

N/A

NVD assessment not yet provided.

CVSS 3.x Severity and Vector Strings:

NIST: NVD

Base Score: N/A

NVD assessment not yet provided.

CVSS 2.0 Severity and Vector Strings:

National Institute of Standards and Technology

NIST: NVD

Base Score: 5.0 MEDIUM

Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

Vendor Statements (disclaimer)

Official Statement from Red Hat (09/02/2009)

This issue did not affect versions of openssl as shipped in Red Hat Enterprise Linux 3 and 4. This issue was addressed for Red Hat Enterprise Linux 5 by http://rhn.redhat.com/errata/RHSA-2009-1335.html Note that both the DTLS specification and OpenSSLs implementation is still in development and unlikely to be used in production environments. There is no component shipped in Red Hat Enterprise Linux 5 using OpenSSLs DTLS implementation, except for OpenSSLs testing command line client - openssl.

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to [email protected].

URL	Source(s)	Tag(s)
ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2009-009.txt.asc	CVE, Inc., Red Hat	Broken Link Third Party Advisory
http://cvs.openssl.org/chngview?cn=18187	CVE, Inc., Red Hat	Broken Link Patch Third Party Advisory
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02029444	CVE, Inc., Red Hat	Broken Link Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2009-06/msg00003.html	CVE, Inc., Red Hat	Third Party Advisory
http://lists.vmware.com/pipermail/security-announce/2010/000082.html	CVE, Inc., Red Hat	Third Party Advisory
http://marc.info/?l=openssl-dev&m=124247675613888&w=2	CVE, Inc., Red Hat	Mailing List Patch Third Party Advisory
http://rt.openssl.org/Ticket/Display.html?id=1930&user=guest&pass=guest	CVE, Inc., Red Hat	Broken Link Mailing List Patch Third Party Advisory
http://secunia.com/advisories/35128	CVE, Inc., Red Hat	Third Party Advisory Vendor Advisory
http://secunia.com/advisories/35416	CVE, Inc., Red Hat	Third Party Advisory
http://secunia.com/advisories/35461	CVE, Inc., Red Hat	Third Party Advisory
http://secunia.com/advisories/35571	CVE, Inc., Red Hat	Third Party Advisory
http://secunia.com/advisories/35729	CVE, Inc., Red Hat	Third Party Advisory
http://secunia.com/advisories/36533	CVE, Inc., Red Hat	Third Party Advisory
http://secunia.com/advisories/37003	CVE, Inc., Red Hat	Third Party Advisory
http://secunia.com/advisories/38761	CVE, Inc., Red Hat	Third Party Advisory
http://secunia.com/advisories/38794	CVE, Inc., Red Hat	Third Party Advisory
http://secunia.com/advisories/38834	CVE, Inc., Red Hat	Third Party Advisory
http://secunia.com/advisories/42724	CVE, Inc., Red Hat	Third Party Advisory
http://secunia.com/advisories/42733	CVE, Inc., Red Hat	Third Party Advisory
http://security.gentoo.org/glsa/glsa-200912-01.xml	CVE, Inc., Red Hat	Third Party Advisory
http://slackware.com/security/viewer.php?l=slackware-security&y=2010&m=slackware-security.663049	CVE, Inc., Red Hat	Mailing List Third Party Advisory
http://sourceforge.net/mailarchive/message.php?msg_name=4AD43807.7080105%40users.sourceforge.net	CVE, Inc., Red Hat	Broken Link
http://voodoo-circle.sourceforge.net/sa/sa-20091012-01.html	CVE, Inc., Red Hat	Third Party Advisory
http://www.mandriva.com/security/advisories?name=MDVSA-2009:120	CVE, Inc., Red Hat	Broken Link
http://www.openwall.com/lists/oss-security/2009/05/18/1	CVE, Inc., Red Hat	Mailing List
http://www.redhat.com/support/errata/RHSA-2009-1335.html	CVE, Inc., Red Hat	Third Party Advisory
http://www.securityfocus.com/bid/35001	CVE, Inc., Red Hat	Third Party Advisory VDB Entry
http://www.securitytracker.com/id?1022241	CVE, Inc., Red Hat	Third Party Advisory VDB Entry
http://www.ubuntu.com/usn/USN-792-1	CVE, Inc., Red Hat	Third Party Advisory
http://www.vupen.com/english/advisories/2009/1377	CVE, Inc., Red Hat	Permissions Required Third Party Advisory
http://www.vupen.com/english/advisories/2010/0528	CVE, Inc., Red Hat	Permissions Required Third Party Advisory
https://kb.bluecoat.com/index?page=content&id=SA50	CVE, Inc., Red Hat	Broken Link
https://launchpad.net/bugs/cve/2009-1377	CVE, Inc., Red Hat	Third Party Advisory
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6683	CVE, Inc., Red Hat	Tool Signature
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9663	CVE, Inc., Red Hat	Tool Signature

Weakness Enumeration

CWE-ID	CWE Name	Source
CWE-119	Improper Restriction of Operations within the Bounds of a Memory Buffer	NIST

Known Affected Software Configurations Switch to CPE 2.2

CPEs loading, please wait.

Denotes Vulnerable Software
Are we missing a CPE here? Please let us know.

Change History

7 change records found show changes

CVE Modified by CVE 11/20/2024 8:02:20 PM

Action	Type	New Value
Added	Reference	ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2009-009.txt.asc
Added	Reference	http://cvs.openssl.org/chngview?cn=18187
Added	Reference	http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02029444
Added	Reference	http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02029444
Added	Reference	http://lists.opensuse.org/opensuse-security-announce/2009-06/msg00003.html
Added	Reference	http://lists.vmware.com/pipermail/security-announce/2010/000082.html
Added	Reference	http://marc.info/?l=openssl-dev&m=124247675613888&w=2
Added	Reference	http://rt.openssl.org/Ticket/Display.html?id=1930&user=guest&pass=guest
Added	Reference	http://secunia.com/advisories/35128
Added	Reference	http://secunia.com/advisories/35416
Added	Reference	http://secunia.com/advisories/35461
Added	Reference	http://secunia.com/advisories/35571
Added	Reference	http://secunia.com/advisories/35729
Added	Reference	http://secunia.com/advisories/36533
Added	Reference	http://secunia.com/advisories/37003
Added	Reference	http://secunia.com/advisories/38761
Added	Reference	http://secunia.com/advisories/38794
Added	Reference	http://secunia.com/advisories/38834
Added	Reference	http://secunia.com/advisories/42724
Added	Reference	http://secunia.com/advisories/42733
Added	Reference	http://security.gentoo.org/glsa/glsa-200912-01.xml
Added	Reference	http://slackware.com/security/viewer.php?l=slackware-security&y=2010&m=slackware-security.663049
Added	Reference	http://sourceforge.net/mailarchive/message.php?msg_name=4AD43807.7080105%40users.sourceforge.net
Added	Reference	http://voodoo-circle.sourceforge.net/sa/sa-20091012-01.html
Added	Reference	http://www.mandriva.com/security/advisories?name=MDVSA-2009:120
Added	Reference	http://www.openwall.com/lists/oss-security/2009/05/18/1
Added	Reference	http://www.redhat.com/support/errata/RHSA-2009-1335.html
Added	Reference	http://www.securityfocus.com/bid/35001
Added	Reference	http://www.securitytracker.com/id?1022241
Added	Reference	http://www.ubuntu.com/usn/USN-792-1
Added	Reference	http://www.vupen.com/english/advisories/2009/1377
Added	Reference	http://www.vupen.com/english/advisories/2010/0528
Added	Reference	https://kb.bluecoat.com/index?page=content&id=SA50
Added	Reference	https://launchpad.net/bugs/cve/2009-1377
Added	Reference	https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6683
Added	Reference	https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9663

Modified Analysis by NIST 2/02/2022 10:07:05 AM

Quick Info

CVE Dictionary Entry:
CVE-2009-1377
NVD Published Date:
05/19/2009
NVD Last Modified:
04/22/2026
Source:
Red Hat, Inc.

You are viewing this page in an unauthorized frame window.

Information Technology Laboratory

National Vulnerability Database

National Vulnerability Database

CVE-2009-1377 Detail

Description

Metrics

Vendor Statements (disclaimer)

Official Statement from Red Hat (09/02/2009)

References to Advisories, Solutions, and Tools

Weakness Enumeration

Known Affected Software Configurations Switch to CPE 2.2

CPEs loading, please wait.

Change History

CVE Status Change 4/22/2026 8:35:47 PM

CVE Modified by CVE 11/20/2024 8:02:20 PM

CVE Modified by Red Hat, Inc. 5/13/2024 10:06:10 PM

Reanalysis by NIST 2/07/2024 1:01:50 PM

Modified Analysis by NIST 2/02/2022 10:07:05 AM

CVE Modified by Red Hat, Inc. 9/28/2017 9:34:20 PM

Initial CVE Analysis 5/20/2009 7:59:00 AM

Quick Info