CVE-2009-2409
First published: Thu Jul 30 2009(Updated: )
The Network Security Services (NSS) library before 3.12.3, as used in Firefox; GnuTLS before 2.6.4 and 2.7.4; OpenSSL 0.9.8 through 0.9.8k; and other products support MD2 with X.509 certificates, which might allow remote attackers to spoof certificates by using MD2 design flaws to generate a hash collision in less than brute-force time. NOTE: the scope of this issue is currently limited because the amount of computation required is still large.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| debian/nss | 2:3.42.1-1+deb10u5 2:3.42.1-1+deb10u7 2:3.61-1+deb11u3 2:3.87.1-1 2:3.94-1 | |
| debian/openssl | 1.1.1n-0+deb10u3 1.1.1n-0+deb10u6 1.1.1w-0+deb11u1 1.1.1n-0+deb11u5 3.0.11-1~deb12u1 3.0.11-1~deb12u2 3.0.11-1 3.1.4-2 | |
| OpenSSL libcrypto | =0.9.8b | |
| OpenSSL libcrypto | =0.9.8c | |
| OpenSSL libcrypto | =0.9.8e | |
| OpenSSL libcrypto | =0.9.8g | |
| OpenSSL libcrypto | =0.9.8k | |
| OpenSSL libcrypto | =0.9.8d | |
| OpenSSL libcrypto | =0.9.8j | |
| OpenSSL libcrypto | =0.9.8a | |
| OpenSSL libcrypto | =0.9.8 | |
| OpenSSL libcrypto | =0.9.8i | |
| OpenSSL libcrypto | =0.9.8f | |
| OpenSSL libcrypto | =0.9.8h | |
| Debian GnuTLS | =2.3.5 | |
| Debian GnuTLS | =1.6.0 | |
| Debian GnuTLS | =2.0.0 | |
| Debian GnuTLS | =1.5.0 | |
| Debian GnuTLS | =1.2.8 | |
| Debian GnuTLS | =1.1.14 | |
| Debian GnuTLS | =2.3.4 | |
| Debian GnuTLS | =1.7.3 | |
| Debian GnuTLS | =2.7.4 | |
| Debian GnuTLS | =1.4.1 | |
| Debian GnuTLS | =1.4.3 | |
| Debian GnuTLS | =2.6.1 | |
| Debian GnuTLS | =1.2.11 | |
| Debian GnuTLS | =1.1.21 | |
| Debian GnuTLS | =1.7.5 | |
| Debian GnuTLS | =1.7.11 | |
| Debian GnuTLS | =1.0.20 | |
| Debian GnuTLS | =1.2.5 | |
| Debian GnuTLS | =2.2.4 | |
| Debian GnuTLS | =1.0.17 | |
| Debian GnuTLS | =1.2.4 | |
| Debian GnuTLS | =1.3.1 | |
| Debian GnuTLS | =1.0.24 | |
| Debian GnuTLS | =1.7.15 | |
| Debian GnuTLS | =1.6.1 | |
| Debian GnuTLS | =1.0.21 | |
| Debian GnuTLS | =1.4.2 | |
| Debian GnuTLS | <=2.6.3 | |
| Debian GnuTLS | =1.7.8 | |
| Debian GnuTLS | =1.7.0 | |
| Debian GnuTLS | =2.1.0 | |
| Debian GnuTLS | =2.3.1 | |
| Debian GnuTLS | =1.0.16 | |
| Debian GnuTLS | =2.2.5 | |
| Debian GnuTLS | =2.1.1 | |
| Debian GnuTLS | =2.3.8 | |
| Debian GnuTLS | =1.7.18 | |
| Debian GnuTLS | =1.1.20 | |
| Debian GnuTLS | =2.1.7 | |
| Debian GnuTLS | =2.1.4 | |
| Debian GnuTLS | =1.2.10 | |
| Debian GnuTLS | =1.5.3 | |
| Debian GnuTLS | =1.1.22 | |
| Debian GnuTLS | =1.6.3 | |
| Debian GnuTLS | =2.6.0 | |
| Debian GnuTLS | =2.1.6 | |
| Debian GnuTLS | =1.4.5 | |
| Debian GnuTLS | =1.5.1 | |
| Debian GnuTLS | =1.4.0 | |
| Debian GnuTLS | =1.7.4 | |
| Debian GnuTLS | =1.7.13 | |
| Debian GnuTLS | =2.3.2 | |
| Debian GnuTLS | =2.3.9 | |
| Debian GnuTLS | =2.2.2 | |
| Debian GnuTLS | =2.2.0 | |
| Debian GnuTLS | =2.3.11 | |
| Debian GnuTLS | =1.3.4 | |
| Debian GnuTLS | =2.5.0 | |
| Debian GnuTLS | =2.6.2 | |
| Debian GnuTLS | =1.0.19 | |
| Debian GnuTLS | =1.7.2 | |
| Debian GnuTLS | =1.2.1 | |
| Debian GnuTLS | =1.1.19 | |
| Debian GnuTLS | =2.0.4 | |
| Debian GnuTLS | =1.1.18 | |
| Debian GnuTLS | =1.5.4 | |
| Debian GnuTLS | =1.7.9 | |
| Debian GnuTLS | =2.4.0 | |
| Debian GnuTLS | =2.1.3 | |
| Debian GnuTLS | =2.4.1 | |
| Debian GnuTLS | =1.7.10 | |
| Debian GnuTLS | =1.1.13 | |
| Debian GnuTLS | =1.2.8.1a1 | |
| Debian GnuTLS | =2.3.7 | |
| Debian GnuTLS | =2.0.3 | |
| Debian GnuTLS | =1.2.2 | |
| Debian GnuTLS | =1.7.19 | |
| Debian GnuTLS | =1.5.5 | |
| Debian GnuTLS | =1.2.0 | |
| Debian GnuTLS | =1.0.18 | |
| Debian GnuTLS | =1.2.7 | |
| Debian GnuTLS | =1.3.2 | |
| Debian GnuTLS | =1.0.25 | |
| Debian GnuTLS | =1.1.15 | |
| Debian GnuTLS | =2.1.2 | |
| Debian GnuTLS | =1.0.23 | |
| Debian GnuTLS | =2.4.2 | |
| Debian GnuTLS | =1.3.0 | |
| Debian GnuTLS | =1.3.5 | |
| Debian GnuTLS | =1.7.14 | |
| Debian GnuTLS | =1.1.23 | |
| Debian GnuTLS | =1.2.3 | |
| Debian GnuTLS | =1.2.6 | |
| Debian GnuTLS | =2.3.6 | |
| Debian GnuTLS | =1.2.9 | |
| Debian GnuTLS | =1.7.17 | |
| Debian GnuTLS | =2.3.3 | |
| Debian GnuTLS | =2.1.8 | |
| Debian GnuTLS | =1.7.7 | |
| Debian GnuTLS | =2.0.1 | |
| Debian GnuTLS | =1.7.6 | |
| Debian GnuTLS | =2.2.1 | |
| Debian GnuTLS | =2.1.5 | |
| Debian GnuTLS | =1.7.1 | |
| Debian GnuTLS | =1.5.2 | |
| Debian GnuTLS | =1.7.16 | |
| Debian GnuTLS | =1.7.12 | |
| Debian GnuTLS | =1.1.16 | |
| Debian GnuTLS | =2.3.10 | |
| Debian GnuTLS | =1.0.22 | |
| Debian GnuTLS | =2.0.2 | |
| Debian GnuTLS | =2.3.0 | |
| Debian GnuTLS | =1.6.2 | |
| Debian GnuTLS | =2.2.3 | |
| Debian GnuTLS | =1.4.4 | |
| Debian GnuTLS | =1.1.17 | |
| Debian GnuTLS | =1.3.3 | |
| Mozilla Firefox | ||
| Mozilla Network Security Services (NSS) | <=3.12.2 | |
| Mozilla Network Security Services (NSS) | =3.0 | |
| Mozilla Network Security Services (NSS) | =3.2 | |
| Mozilla Network Security Services (NSS) | =3.2.1 | |
| Mozilla Network Security Services (NSS) | =3.3 | |
| Mozilla Network Security Services (NSS) | =3.3.1 | |
| Mozilla Network Security Services (NSS) | =3.3.2 | |
| Mozilla Network Security Services (NSS) | =3.4 | |
| Mozilla Network Security Services (NSS) | =3.4.1 | |
| Mozilla Network Security Services (NSS) | =3.4.2 | |
| Mozilla Network Security Services (NSS) | =3.4.3 | |
| Mozilla Network Security Services (NSS) | =3.5 | |
| Mozilla Network Security Services (NSS) | =3.6 | |
| Mozilla Network Security Services (NSS) | =3.6.1 | |
| Mozilla Network Security Services (NSS) | =3.7 | |
| Mozilla Network Security Services (NSS) | =3.7.1 | |
| Mozilla Network Security Services (NSS) | =3.7.2 | |
| Mozilla Network Security Services (NSS) | =3.7.3 | |
| Mozilla Network Security Services (NSS) | =3.7.5 | |
| Mozilla Network Security Services (NSS) | =3.7.7 | |
| Mozilla Network Security Services (NSS) | =3.8 | |
| Mozilla Network Security Services (NSS) | =3.9 | |
| Mozilla Network Security Services (NSS) | =3.9.5 | |
| Mozilla Network Security Services (NSS) | =3.10 | |
| Mozilla Network Security Services (NSS) | =3.11.2 | |
| Mozilla Network Security Services (NSS) | =3.11.4 | |
| Mozilla Network Security Services (NSS) | =3.11.7 | |
| Mozilla Network Security Services (NSS) | =3.11.8 | |
| Mozilla Network Security Services (NSS) | =3.12 | |
| Mozilla Network Security Services (NSS) | =3.12.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-2409
- http://www.ubuntu.com/usn/usn-810-1
- http://www.vupen.com/english/advisories/2009/2085
- http://www.securitytracker.com/id?1022631
- http://secunia.com/advisories/36139
- http://secunia.com/advisories/36157
- http://www.mandriva.com/security/advisories?name=MDVSA-2009:197
- http://www.redhat.com/support/errata/RHSA-2009-1207.html
- http://www.redhat.com/support/errata/RHSA-2009-1432.html
- http://secunia.com/advisories/36739
- http://secunia.com/advisories/36434
- http://www.debian.org/security/2009/dsa-1874
- http://java.sun.com/javase/6/webnotes/6u17.html
- http://java.sun.com/j2se/1.5.0/ReleaseNotes.html
- http://lists.apple.com/archives/security-announce/2009/Nov/msg00000.html
- http://support.apple.com/kb/HT3937
- http://www.vupen.com/english/advisories/2009/3184
- http://security.gentoo.org/glsa/glsa-200911-02.xml
- http://www.mandriva.com/security/advisories?name=MDVSA-2009:216
- http://secunia.com/advisories/37386
- http://www.mandriva.com/security/advisories?name=MDVSA-2009:258
- http://security.gentoo.org/glsa/glsa-200912-01.xml
- https://rhn.redhat.com/errata/RHSA-2010-0095.html
- http://www.mandriva.com/security/advisories?name=MDVSA-2010:084
- http://www.vupen.com/english/advisories/2010/3126
- http://secunia.com/advisories/42467
- http://www.vmware.com/security/advisories/VMSA-2010-0019.html
- https://lists.balabit.com/pipermail/syslog-ng-announce/2011-January/000101.html
- https://lists.balabit.com/pipermail/syslog-ng-announce/2011-January/000102.html
- http://secunia.com/advisories/36669
- https://www.debian.org/security/2009/dsa-1888
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A8594
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7155
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6631
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10763
- https://usn.ubuntu.com/810-2/
- http://www.securityfocus.com/archive/1/515055/100/0/threaded
- https://security-tracker.debian.org/tracker/CVE-2009-2409
Frequently Asked Questions
What is the severity of CVE-2009-2409?
CVE-2009-2409 is classified as a critical vulnerability due to its ability to allow remote attackers to spoof certificates.
How do I fix CVE-2009-2409?
To mitigate CVE-2009-2409, update the NSS library to version 3.12.3 or higher, OpenSSL to version 0.9.8k or higher, or use patched versions of affected software.
Which software is affected by CVE-2009-2409?
CVE-2009-2409 affects the NSS library, OpenSSL, and GnuTLS along with any applications that rely on these libraries.
What types of attacks are possible due to CVE-2009-2409?
CVE-2009-2409 allows attackers to spoof certificates, which can facilitate man-in-the-middle attacks and impersonation.
When was CVE-2009-2409 published?
CVE-2009-2409 was published on July 6, 2009.
- collector/security-tracker-debian
- agent/type
- agent/references
- agent/remedy
- agent/severity
- agent/weakness
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/first-publish-date
- agent/event
- agent/source
- agent/tags
- agent/softwarecombine
- collector/nvd-historical
- agent/software-canonical-lookup-request
- collector/nvd-api
- collector/nvd-index
- agent/author
- package-manager/debian
- vendor/openssl
- canonical/openssl libcrypto
- version/openssl libcrypto/0.9.8b
- version/openssl libcrypto/0.9.8c
- version/openssl libcrypto/0.9.8e
- version/openssl libcrypto/0.9.8g
- version/openssl libcrypto/0.9.8k
- version/openssl libcrypto/0.9.8d
- version/openssl libcrypto/0.9.8j
- version/openssl libcrypto/0.9.8a
- version/openssl libcrypto/0.9.8
- version/openssl libcrypto/0.9.8i
- version/openssl libcrypto/0.9.8f
- version/openssl libcrypto/0.9.8h
- vendor/gnu
- canonical/debian gnutls
- version/debian gnutls/2.3.5
- version/debian gnutls/1.6.0
- version/debian gnutls/2.0.0
- version/debian gnutls/1.5.0
- version/debian gnutls/1.2.8
- version/debian gnutls/1.1.14
- version/debian gnutls/2.3.4
- version/debian gnutls/1.7.3
- version/debian gnutls/2.7.4
- version/debian gnutls/1.4.1
- version/debian gnutls/1.4.3
- version/debian gnutls/2.6.1
- version/debian gnutls/1.2.11
- version/debian gnutls/1.1.21
- version/debian gnutls/1.7.5
- version/debian gnutls/1.7.11
- version/debian gnutls/1.0.20
- version/debian gnutls/1.2.5
- version/debian gnutls/2.2.4
- version/debian gnutls/1.0.17
- version/debian gnutls/1.2.4
- version/debian gnutls/1.3.1
- version/debian gnutls/1.0.24
- version/debian gnutls/1.7.15
- version/debian gnutls/1.6.1
- version/debian gnutls/1.0.21
- version/debian gnutls/1.4.2
- version/debian gnutls/2.6.3
- version/debian gnutls/1.7.8
- version/debian gnutls/1.7.0
- version/debian gnutls/2.1.0
- version/debian gnutls/2.3.1
- version/debian gnutls/1.0.16
- version/debian gnutls/2.2.5
- version/debian gnutls/2.1.1
- version/debian gnutls/2.3.8
- version/debian gnutls/1.7.18
- version/debian gnutls/1.1.20
- version/debian gnutls/2.1.7
- version/debian gnutls/2.1.4
- version/debian gnutls/1.2.10
- version/debian gnutls/1.5.3
- version/debian gnutls/1.1.22
- version/debian gnutls/1.6.3
- version/debian gnutls/2.6.0
- version/debian gnutls/2.1.6
- version/debian gnutls/1.4.5
- version/debian gnutls/1.5.1
- version/debian gnutls/1.4.0
- version/debian gnutls/1.7.4
- version/debian gnutls/1.7.13
- version/debian gnutls/2.3.2
- version/debian gnutls/2.3.9
- version/debian gnutls/2.2.2
- version/debian gnutls/2.2.0
- version/debian gnutls/2.3.11
- version/debian gnutls/1.3.4
- version/debian gnutls/2.5.0
- version/debian gnutls/2.6.2
- version/debian gnutls/1.0.19
- version/debian gnutls/1.7.2
- version/debian gnutls/1.2.1
- version/debian gnutls/1.1.19
- version/debian gnutls/2.0.4
- version/debian gnutls/1.1.18
- version/debian gnutls/1.5.4
- version/debian gnutls/1.7.9
- version/debian gnutls/2.4.0
- version/debian gnutls/2.1.3
- version/debian gnutls/2.4.1
- version/debian gnutls/1.7.10
- version/debian gnutls/1.1.13
- version/debian gnutls/1.2.8.1a1
- version/debian gnutls/2.3.7
- version/debian gnutls/2.0.3
- version/debian gnutls/1.2.2
- version/debian gnutls/1.7.19
- version/debian gnutls/1.5.5
- version/debian gnutls/1.2.0
- version/debian gnutls/1.0.18
- version/debian gnutls/1.2.7
- version/debian gnutls/1.3.2
- version/debian gnutls/1.0.25
- version/debian gnutls/1.1.15
- version/debian gnutls/2.1.2
- version/debian gnutls/1.0.23
- version/debian gnutls/2.4.2
- version/debian gnutls/1.3.0
- version/debian gnutls/1.3.5
- version/debian gnutls/1.7.14
- version/debian gnutls/1.1.23
- version/debian gnutls/1.2.3
- version/debian gnutls/1.2.6
- version/debian gnutls/2.3.6
- version/debian gnutls/1.2.9
- version/debian gnutls/1.7.17
- version/debian gnutls/2.3.3
- version/debian gnutls/2.1.8
- version/debian gnutls/1.7.7
- version/debian gnutls/2.0.1
- version/debian gnutls/1.7.6
- version/debian gnutls/2.2.1
- version/debian gnutls/2.1.5
- version/debian gnutls/1.7.1
- version/debian gnutls/1.5.2
- version/debian gnutls/1.7.16
- version/debian gnutls/1.7.12
- version/debian gnutls/1.1.16
- version/debian gnutls/2.3.10
- version/debian gnutls/1.0.22
- version/debian gnutls/2.0.2
- version/debian gnutls/2.3.0
- version/debian gnutls/1.6.2
- version/debian gnutls/2.2.3
- version/debian gnutls/1.4.4
- version/debian gnutls/1.1.17
- version/debian gnutls/1.3.3
- vendor/mozilla
- canonical/mozilla firefox
- canonical/mozilla network security services (nss)
- version/mozilla network security services (nss)/3.12.2
- version/mozilla network security services (nss)/3.0
- version/mozilla network security services (nss)/3.2
- version/mozilla network security services (nss)/3.2.1
- version/mozilla network security services (nss)/3.3
- version/mozilla network security services (nss)/3.3.1
- version/mozilla network security services (nss)/3.3.2
- version/mozilla network security services (nss)/3.4
- version/mozilla network security services (nss)/3.4.1
- version/mozilla network security services (nss)/3.4.2
- version/mozilla network security services (nss)/3.4.3
- version/mozilla network security services (nss)/3.5
- version/mozilla network security services (nss)/3.6
- version/mozilla network security services (nss)/3.6.1
- version/mozilla network security services (nss)/3.7
- version/mozilla network security services (nss)/3.7.1
- version/mozilla network security services (nss)/3.7.2
- version/mozilla network security services (nss)/3.7.3
- version/mozilla network security services (nss)/3.7.5
- version/mozilla network security services (nss)/3.7.7
- version/mozilla network security services (nss)/3.8
- version/mozilla network security services (nss)/3.9
- version/mozilla network security services (nss)/3.9.5
- version/mozilla network security services (nss)/3.10
- version/mozilla network security services (nss)/3.11.2
- version/mozilla network security services (nss)/3.11.4
- version/mozilla network security services (nss)/3.11.7
- version/mozilla network security services (nss)/3.11.8
- version/mozilla network security services (nss)/3.12
- version/mozilla network security services (nss)/3.12.1