CVE-2009-1536: Input Validation
First published: Wed Aug 12 2009(Updated: )
ASP.NET in Microsoft .NET Framework 2.0 SP1 and SP2 and 3.5 Gold and SP1, when ASP 2.0 is used in integrated mode on IIS 7.0, does not properly manage request scheduling, which allows remote attackers to cause a denial of service (daemon outage) via a series of crafted HTTP requests, aka "Remote Unauthenticated Denial of Service in ASP.NET Vulnerability."
Credit: secure@microsoft.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Microsoft .NET Framework 4 | =2.0-sp1 | |
| Microsoft .NET Framework 4 | =2.0-sp2 | |
| Microsoft .NET Framework 4 | =3.5 | |
| Microsoft .NET Framework 4 | =3.5-sp1 | |
| Microsoft Windows Server | ||
| Microsoft Windows Vista | ||
| Microsoft Windows Vista | =sp1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://blogs.technet.com/srd/archive/2009/08/11/ms09-035-asp-net-denial-of-service-vulnerability.aspx
- http://osvdb.org/56905
- http://secunia.com/advisories/36127
- http://www.securityfocus.com/bid/35985
- http://www.securitytracker.com/id?1022715
- http://www.us-cert.gov/cas/techalerts/TA09-223A.html
- http://www.vupen.com/english/advisories/2009/2231
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-036
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6393
Frequently Asked Questions
What is the severity of CVE-2009-1536?
CVE-2009-1536 is classified as a denial of service vulnerability that can lead to a daemon outage.
How do I fix CVE-2009-1536?
To mitigate CVE-2009-1536, apply the latest service pack or security update for Microsoft .NET Framework.
What platforms are affected by CVE-2009-1536?
CVE-2009-1536 affects Microsoft .NET Framework 2.0 SP1, 2.0 SP2, 3.5 Gold, and 3.5 SP1, as well as IIS 7.0.
What types of attacks does CVE-2009-1536 enable?
CVE-2009-1536 allows remote attackers to disrupt service through a series of crafted HTTP requests.
Is CVE-2009-1536 exploitable without authentication?
Yes, CVE-2009-1536 can be exploited by remote attackers without the need for authentication.
- agent/type
- agent/remedy
- agent/weakness
- agent/references
- agent/severity
- agent/author
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/first-publish-date
- agent/event
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- collector/nvd-historical
- vendor/microsoft
- canonical/microsoft .net framework 4
- version/microsoft .net framework 4/2.0-sp1
- version/microsoft .net framework 4/2.0-sp2
- version/microsoft .net framework 4/3.5
- version/microsoft .net framework 4/3.5-sp1
- canonical/microsoft windows server
- canonical/microsoft windows vista
- version/microsoft windows vista/sp1