National Vulnerability Database

National Vulnerability Database

National Vulnerability
Database

CVE-2009-3245 Detail

Description

OpenSSL before 0.9.8m does not check for a NULL return value from bn_wexpand function calls in (1) crypto/bn/bn_div.c, (2) crypto/bn/bn_gf2m.c, (3) crypto/ec/ec2_smpl.c, and (4) engines/e_ubsec.c, which has unspecified impact and context-dependent attack vectors.

Source:  MITRE      Last Modified:  03/05/2010

Quick Info

CVE Dictionary Entry:
CVE-2009-3245
Original release date:
03/05/2010
Last revised:
09/18/2017
Source:
US-CERT/NIST

Impact

CVSS Severity (version 2.0):
CVSS v2 Base Score:
10.0 HIGH
Vector:
(AV:N/AC:L/Au:N/C:C/I:C/A:C) (legend)
Impact Subscore:
10.0
Exploitability Subscore:
10.0
CVSS Version 2 Metrics:
Access Vector:
Network exploitable
Access Complexity:
Low
Authentication:
Not required to exploit
Impact Type:
Allows unauthorized disclosure of information; Allows unauthorized modification; Allows disruption of service

Vendor Statements (disclaimer)

Official Statement from Red Hat (03/25/2010)

Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2009-3245 This issue was fixed in openssl packages in Red Hat Enterprise Linux 5 via: https://rhn.redhat.com/errata/RHSA-2010-0162.html This issue was fixed in openssl096b packages in Red Hat Enterprise Linux 3 and 4 via: https://rhn.redhat.com/errata/RHSA-2010-0173.html The Red Hat Security Response Team has rated this issue as having low security impact on openssl packages in Red Hat Enterprise Linux 3 and 4, a future update may address this flaw.

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to nvd@nist.gov.

Hyperlink Resource Type Source Name
http://aix.software.ibm.com/aix/efixes/security/openssl_advisory.asc External Source CONFIRM http://aix.software.ibm.com/aix/efixes/security/openssl_advisory.asc
http://lists.apple.com/archives/security-announce/2011//Jun/msg00000.html External Source APPLE APPLE-SA-2011-06-23-1
http://lists.fedoraproject.org/pipermail/package-announce/2010-April/038587.html External Source FEDORA FEDORA-2010-5744
http://lists.fedoraproject.org/pipermail/package-announce/2010-April/039561.html External Source FEDORA FEDORA-2010-5357
http://lists.opensuse.org/opensuse-security-announce/2010-06/msg00001.html External Source SUSE SUSE-SR:2010:013
http://marc.info/?l=bugtraq&m=127128920008563&w=2 External Source HP SSRT100058
http://marc.info/?l=bugtraq&m=127678688104458&w=2 External Source HP HPSBOV02540
http://marc.info/?l=openssl-cvs&m=126692159706582&w=2 Patch External Source MLIST [openssl-cvs] 20100223 OpenSSL: OpenSSL_1_0_0-stable: openssl/crypto/bn/ bn_div.c bn_gf...
http://marc.info/?l=openssl-cvs&m=126692170906712&w=2 Patch External Source MLIST [openssl-cvs] 20100223 OpenSSL: openssl/crypto/bn/ bn_div.c bn_gf2m.c openssl/crypto/ec...
http://marc.info/?l=openssl-cvs&m=126692180606861&w=2 Patch External Source MLIST [openssl-cvs] 20100223 OpenSSL: OpenSSL_0_9_8-stable: openssl/ CHANGES openssl/crypto/b...
http://slackware.com/security/viewer.php?l=slackware-security&y=2010&m=slackware-security.663049 External Source SLACKWARE SSA:2010-060-02
http://support.apple.com/kb/HT4723 External Source CONFIRM http://support.apple.com/kb/HT4723
http://www.mandriva.com/security/advisories?name=MDVSA-2010:076 External Source MANDRIVA MDVSA-2010:076
http://www.redhat.com/support/errata/RHSA-2010-0977.html External Source REDHAT RHSA-2010:0977
http://www.redhat.com/support/errata/RHSA-2011-0896.html External Source REDHAT RHSA-2011:0896
http://www.securityfocus.com/bid/38562 External Source BID 38562
http://www.ubuntu.com/usn/USN-1003-1 External Source UBUNTU USN-1003-1
http://www.vupen.com/english/advisories/2010/0839 External Source VUPEN ADV-2010-0839
http://www.vupen.com/english/advisories/2010/0916 External Source VUPEN ADV-2010-0916
http://www.vupen.com/english/advisories/2010/0933 External Source VUPEN ADV-2010-0933
http://www.vupen.com/english/advisories/2010/1216 External Source VUPEN ADV-2010-1216
https://kb.bluecoat.com/index?page=content&id=SA50 External Source CONFIRM https://kb.bluecoat.com/index?page=content&id=SA50
https://lists.balabit.com/pipermail/syslog-ng-announce/2011-January/000101.html External Source MLIST [syslog-ng-announce] 20110110 syslog-ng Premium Edition 3.0.6a has been released
https://lists.balabit.com/pipermail/syslog-ng-announce/2011-January/000102.html External Source MLIST [syslog-ng-announce] 20110110 syslog-ng Premium Edition 3.2.1a has been released
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11738 External Source OVAL oval:org.mitre.oval:def:11738
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6640 External Source OVAL oval:org.mitre.oval:def:6640
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9790 External Source OVAL oval:org.mitre.oval:def:9790

References to Check Content

Identifier:
oval:org.mitre.oval:def:11738
Check System:
http://oval.mitre.org/XMLSchema/oval-definitions-5
Hyperlink:
http://oval.mitre.org/repository/data/DownloadDefinition?id=oval:org.mitre.oval:def:11738
Identifier:
oval:org.mitre.oval:def:6640
Check System:
http://oval.mitre.org/XMLSchema/oval-definitions-5
Hyperlink:
http://oval.mitre.org/repository/data/DownloadDefinition?id=oval:org.mitre.oval:def:6640
Identifier:
oval:org.mitre.oval:def:9790
Check System:
http://oval.mitre.org/XMLSchema/oval-definitions-5
Hyperlink:
http://oval.mitre.org/repository/data/DownloadDefinition?id=oval:org.mitre.oval:def:9790

Technical Details

Vulnerability Type (View All)

Change History 4 change records found - show changes