Vulnerability Details: CVE-2009-3245
OpenSSL before 0.9.8m does not check for a NULL return value from bn_wexpand function calls in (1) crypto/bn/bn_div.c, (2) crypto/bn/bn_gf2m.c, (3) crypto/ec/ec2_smpl.c, and (4) engines/e_ubsec.c, which has unspecified impact and context-dependent attack vectors.
Vulnerability category: Input validation
Exploit prediction scoring system (EPSS) score for CVE-2009-3245
- Probability of exploitation activity in the next 30 days: 1.24%
- Percentile (the proportion of vulnerabilities scored at or below this one): ~84%
CVSS scores for CVE-2009-3245
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source
---|---|---|---|---|---
10.0 | HIGH | AV:N/AC:L/Au:N/C:C/I:C/A:C | 10.0 | 10.0 | NIST
CWE ids for CVE-2009-3245
- CWE-20: Improper Input Validation. The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. Assigned by: nvd@nist.gov (Primary)
Vendor statements for CVE-2009-3245
- Red Hat (2010-03-25): Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2009-3245 . This issue was fixed in openssl packages in Red Hat Enterprise Linux 5 via: https://rhn.redhat.com/errata/RHSA-2010-0162.html . This issue was fixed in openssl096b packages in Red Hat Enterprise Linux 3 and 4 via: https://rhn.redhat.com/errata/RHSA-2010-0173.html . The Red Hat Security Response Team has rated this issue as having low security impact on openssl packages in Red Hat Enterprise Linux 3 and 4; a future update may address this flaw.
References for CVE-2009-3245
- http://www.vupen.com/english/advisories/2010/0916
- http://marc.info/?l=openssl-cvs&m=126692170906712&w=2 (Patch)
- http://lists.opensuse.org/opensuse-security-announce/2010-06/msg00001.html ([security-announce] SUSE Security Summary Report: SUSE-SR:2010:013)
- http://marc.info/?l=openssl-cvs&m=126692159706582&w=2 (Patch)
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11738
- http://aix.software.ibm.com/aix/efixes/security/openssl_advisory.asc
- http://lists.fedoraproject.org/pipermail/package-announce/2010-April/038587.html ([SECURITY] Fedora 13 Update: openssl-1.0.0-1.fc13)
- https://lists.balabit.com/pipermail/syslog-ng-announce/2011-January/000102.html
- http://slackware.com/security/viewer.php?l=slackware-security&y=2010&m=slackware-security.663049 (The Slackware Linux Project: Slackware Security Advisories)
- http://www.vupen.com/english/advisories/2010/0839
- http://www.securityfocus.com/bid/38562
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9790
- http://support.apple.com/kb/HT4723 (About the security content of Mac OS X v10.6.8 and Security Update 2011-004 - Apple Support)
- http://marc.info/?l=bugtraq&m=127678688104458&w=2
- https://kb.bluecoat.com/index?page=content&id=SA50
- http://www.mandriva.com/security/advisories?name=MDVSA-2010:076
- https://lists.balabit.com/pipermail/syslog-ng-announce/2011-January/000101.html
- http://marc.info/?l=openssl-cvs&m=126692180606861&w=2 (Patch)
- http://www.redhat.com/support/errata/RHSA-2010-0977.html
- http://www.vupen.com/english/advisories/2010/1216
- http://marc.info/?l=bugtraq&m=127128920008563&w=2 ('[security bulletin] HPSBUX02517 SSRT100058 rev.1 - HP-UX Running OpenSSL, Remote Unauthorized Inform' - MARC)
- http://www.ubuntu.com/usn/USN-1003-1 (USN-1003-1: OpenSSL vulnerabilities | Ubuntu security notices)
- http://lists.fedoraproject.org/pipermail/package-announce/2010-April/039561.html ([SECURITY] Fedora 11 Update: openssl-0.9.8n-1.fc11)
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6640
- http://www.vupen.com/english/advisories/2010/0933
- http://lists.apple.com/archives/security-announce/2011//Jun/msg00000.html
- http://www.redhat.com/support/errata/RHSA-2011-0896.html
- http://packetstormsecurity.com/files/153392/ABB-HMI-Outdated-Software-Components.html
Products affected by CVE-2009-3245
- cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.8:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.8b:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.8c:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.8a:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.8k:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.8i:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.8j:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.8e:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.8f:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.8d:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.8g:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.8h:*:*:*:*:*:*:*