CVE-2009-1386

2009-06-0416:30:00

CWE-476

[email protected]

web.nvd.nist.gov

cve-2009-1386

ssl

openssl

denial of service

null pointer dereference

daemon crash

dtls

changecipherspec packet

clienthello

6.4 Medium

AI Score

Confidence

High

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

0.065 Low

EPSS

Percentile

93.7%

JSON

ssl/s3_pkt.c in OpenSSL before 0.9.8i allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a DTLS ChangeCipherSpec packet that occurs before ClientHello.

CPENameOperatorVersion
openssl:opensslopenssllt0.9.8i
redhat:opensslredhat openssleq0.9.6-15
redhat:opensslredhat openssleq0.9.6b-3
redhat:opensslredhat openssleq0.9.7a-2
canonical:ubuntu_linuxcanonical ubuntu linuxeq9.04
canonical:ubuntu_linuxcanonical ubuntu linuxeq8.10
canonical:ubuntu_linuxcanonical ubuntu linuxeq8.04
canonical:ubuntu_linuxcanonical ubuntu linuxeq6.06

CPE	Name	Operator	Version
openssl:openssl	openssl	lt	0.9.8i
redhat:openssl	redhat openssl	eq	0.9.6-15
redhat:openssl	redhat openssl	eq	0.9.6b-3
redhat:openssl	redhat openssl	eq	0.9.7a-2
canonical:ubuntu_linux	canonical ubuntu linux	eq	9.04
canonical:ubuntu_linux	canonical ubuntu linux	eq	8.10
canonical:ubuntu_linux	canonical ubuntu linux	eq	8.04
canonical:ubuntu_linux	canonical ubuntu linux	eq	6.06