CVE-2009-3555

Published: Nov 9, 2009

Modified: May 27, 2026

PUBLISHED

Description

The TLS protocol, and the SSL protocol 3.0 and possibly earlier, as used in Microsoft Internet Information Services (IIS) 7.0, mod_ssl in the Apache HTTP Server 2.2.14 and earlier, OpenSSL before 0.9.8l, GnuTLS 2.8.5 and earlier, Mozilla Network Security Services (NSS) 3.12.4 and earlier, multiple Cisco products, and other products, does not properly associate renegotiation handshakes with an existing connection, which allows man-in-the-middle attackers to insert data into HTTPS sessions, and possibly other types of sessions protected by TLS or SSL, by sending an unauthenticated request that is processed retroactively by a server in a post-renegotiation context, related to a "plaintext injection" attack, aka the "Project Mogul" issue.

Vendor: n/a

Product: n/a

Versions: n/a (affected)

