CVE-2009-2409 — MEDIUM (5.1)

Q: How severe is CVE-2009-2409?

CVE-2009-2409 has been rated MEDIUM with a CVSS base score of 5.1/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2009-2409?

Check the references section above for vendor advisories and patch information. Affected products include: Gnu Gnutls, Mozilla Network Security Services, Openssl Openssl.

Vulnerability Description

The Network Security Services (NSS) library before 3.12.3, as used in Firefox; GnuTLS before 2.6.4 and 2.7.4; OpenSSL 0.9.8 through 0.9.8k; and other products support MD2 with X.509 certificates, which might allow remote attackers to spoof certificates by using MD2 design flaws to generate a hash collision in less than brute-force time. NOTE: the scope of this issue is currently limited because the amount of computation required is still large.

CVSS Score

5.1

MEDIUM

AV:N/AC:H/Au:N/C:P/I:P/A:P

Confidentiality

PARTIAL

Integrity

PARTIAL

Availability

PARTIAL

Affected Products

Vendor	Product	Versions
Gnu	Gnutls	< 2.6.4
Mozilla	Network Security Services	< 3.12.3
Openssl	Openssl	>= 0.9.8, <= 0.9.8k

Related Weaknesses (CWE)

CWE-295

References

http://java.sun.com/j2se/1.5.0/ReleaseNotes.htmlPatch
http://java.sun.com/javase/6/webnotes/6u17.htmlRelease Notes
http://lists.apple.com/archives/security-announce/2009/Nov/msg00000.htmlVendor Advisory
http://secunia.com/advisories/36139Vendor Advisory
http://secunia.com/advisories/36157Vendor Advisory
http://secunia.com/advisories/36434Vendor Advisory
http://secunia.com/advisories/36669Not Applicable
http://secunia.com/advisories/36739Not Applicable
http://secunia.com/advisories/37386Not Applicable
http://secunia.com/advisories/42467Not Applicable
http://security.gentoo.org/glsa/glsa-200911-02.xmlThird Party Advisory
http://security.gentoo.org/glsa/glsa-200912-01.xmlThird Party Advisory
http://support.apple.com/kb/HT3937Broken Link
http://www.debian.org/security/2009/dsa-1874Mailing List
http://www.mandriva.com/security/advisories?name=MDVSA-2009:197Not Applicable

FAQ

What is CVE-2009-2409?

CVE-2009-2409 is a vulnerability with a CVSS score of 5.1 (MEDIUM). The Network Security Services (NSS) library before 3.12.3, as used in Firefox; GnuTLS before 2.6.4 and 2.7.4; OpenSSL 0.9.8 through 0.9.8k; and other products support MD2 with X.509 certificates, whic...

How severe is CVE-2009-2409?

CVE-2009-2409 has been rated MEDIUM with a CVSS base score of 5.1/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2009-2409?

Check the references section above for vendor advisories and patch information. Affected products include: Gnu Gnutls, Mozilla Network Security Services, Openssl Openssl.