CVE-2009-1387

2009-06-0416:30:00

CWE-476

[email protected]

web.nvd.nist.gov

openssl

cve-2009-1387

security

denial of service

remote attackers

out-of-sequence

dtls

handshake

vulnerability

6.4 Medium

AI Score

Confidence

High

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

0.037 Low

EPSS

Percentile

91.7%

JSON

The dtls1_retrieve_buffered_fragment function in ssl/d1_both.c in OpenSSL before 1.0.0 Beta 2 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an out-of-sequence DTLS handshake message, related to a “fragment bug.”

CPENameOperatorVersion
openssl:opensslopenssllt0.9.8m
redhat:opensslredhat openssleq0.9.6-15
redhat:opensslredhat openssleq0.9.6b-3
redhat:opensslredhat openssleq0.9.7a-2
canonical:ubuntu_linuxcanonical ubuntu linuxeq9.04
canonical:ubuntu_linuxcanonical ubuntu linuxeq8.10
canonical:ubuntu_linuxcanonical ubuntu linuxeq8.04
canonical:ubuntu_linuxcanonical ubuntu linuxeq6.06

CPE	Name	Operator	Version
openssl:openssl	openssl	lt	0.9.8m
redhat:openssl	redhat openssl	eq	0.9.6-15
redhat:openssl	redhat openssl	eq	0.9.6b-3
redhat:openssl	redhat openssl	eq	0.9.7a-2
canonical:ubuntu_linux	canonical ubuntu linux	eq	9.04
canonical:ubuntu_linux	canonical ubuntu linux	eq	8.10
canonical:ubuntu_linux	canonical ubuntu linux	eq	8.04
canonical:ubuntu_linux	canonical ubuntu linux	eq	6.06