CVE-2009-4355

Published: Jan 14, 2010Modified: Apr 23, 2026

5.0

Vector

AV:N/AC:L/Au:N/C:N/I:N/A:P

Exploitability: 10.0 / Impact: 2.9

Source: NVD

Description

Memory leak in the zlib_stateful_finish function in crypto/comp/c_zlib.c in OpenSSL 0.9.8l and earlier and 1.0.0 Beta through Beta 4 allows remote attackers to cause a denial of service (memory consumption) via vectors that trigger incorrect calls to the CRYPTO_cleanup_all_ex_data function, as demonstrated by use of SSLv3 and PHP with the Apache HTTP Server, a related issue to CVE-2008-1678.

Affected (71)

Products: Openssl: Openssl · Redhat: Openssl

1 product

1 product

Configuration A

67 vulnerable

Vulnerable Software	Affected Versions
Openssl Openssl	Up to 0.9.8l
Openssl Openssl	Version 0.9.1c
Openssl Openssl	Version 0.9.2b
Openssl Openssl	Version 0.9.3
Openssl Openssl	Version 0.9.3a
Openssl Openssl	Version 0.9.4
Openssl Openssl	Version 0.9.5
Openssl Openssl	Version 0.9.5 beta1
Openssl Openssl	Version 0.9.5 beta2
Openssl Openssl	Version 0.9.5a
Openssl Openssl	Version 0.9.5a beta1
Openssl Openssl	Version 0.9.5a beta2
Openssl Openssl	Version 0.9.6
Openssl Openssl	Version 0.9.6 beta1
Openssl Openssl	Version 0.9.6 beta2
Openssl Openssl	Version 0.9.6 beta3
Openssl Openssl	Version 0.9.6a
Openssl Openssl	Version 0.9.6a beta1
Openssl Openssl	Version 0.9.6a beta2
Openssl Openssl	Version 0.9.6a beta3
Openssl Openssl	Version 0.9.6b
Openssl Openssl	Version 0.9.6c
Openssl Openssl	Version 0.9.6d
Openssl Openssl	Version 0.9.6e
Openssl Openssl	Version 0.9.6f
Openssl Openssl	Version 0.9.6g
Openssl Openssl	Version 0.9.6h
Openssl Openssl	Version 0.9.6i
Openssl Openssl	Version 0.9.6j
Openssl Openssl	Version 0.9.6k
Openssl Openssl	Version 0.9.6l
Openssl Openssl	Version 0.9.6m
Openssl Openssl	Version 0.9.7
Openssl Openssl	Version 0.9.7 beta1
Openssl Openssl	Version 0.9.7 beta2
Openssl Openssl	Version 0.9.7 beta3
Openssl Openssl	Version 0.9.7 beta4
Openssl Openssl	Version 0.9.7 beta5
Openssl Openssl	Version 0.9.7 beta6
Openssl Openssl	Version 0.9.7a
Openssl Openssl	Version 0.9.7b
Openssl Openssl	Version 0.9.7c
Openssl Openssl	Version 0.9.7d
Openssl Openssl	Version 0.9.7e
Openssl Openssl	Version 0.9.7f
Openssl Openssl	Version 0.9.7g
Openssl Openssl	Version 0.9.7h
Openssl Openssl	Version 0.9.7i
Openssl Openssl	Version 0.9.7j
Openssl Openssl	Version 0.9.7k
Openssl Openssl	Version 0.9.7l
Openssl Openssl	Version 0.9.7m
Openssl Openssl	Version 0.9.8
Openssl Openssl	Version 0.9.8a
Openssl Openssl	Version 0.9.8b
Openssl Openssl	Version 0.9.8c
Openssl Openssl	Version 0.9.8d
Openssl Openssl	Version 0.9.8e
Openssl Openssl	Version 0.9.8f
Openssl Openssl	Version 0.9.8g
Openssl Openssl	Version 0.9.8h
Openssl Openssl	Version 0.9.8i
Openssl Openssl	Version 0.9.8j
Openssl Openssl	Version 0.9.8k
Redhat Openssl	Version 0.9.6-15
Redhat Openssl	Version 0.9.6b-3
Redhat Openssl	Version 0.9.7a-2

Configuration B

4 vulnerable

Vulnerable Software	Affected Versions
Openssl Openssl	Version 1.0.0 beta1
Openssl Openssl	Version 1.0.0 beta2
Openssl Openssl	Version 1.0.0 beta3
Openssl Openssl	Version 1.0.0 beta4

Related CWEs

CWE-399

References (60)

http://cvs.openssl.org/chngview?cn=19068

Source: cve@mitre.org

http://cvs.openssl.org/chngview?cn=19069

Source: cve@mitre.org

http://cvs.openssl.org/chngview?cn=19167

Source: cve@mitre.org

http://lists.fedoraproject.org/pipermail/package-announce/2010-April/038587.html

Source: cve@mitre.org

http://lists.fedoraproject.org/pipermail/package-announce/2010-April/039561.html

Source: cve@mitre.org

http://lists.opensuse.org/opensuse-security-announce/2010-01/msg00009.html

Source: cve@mitre.org

http://marc.info/?l=bugtraq&m=127128920008563&w=2

Source: cve@mitre.org

http://secunia.com/advisories/38175

Source: cve@mitre.org

Vendor Advisory

http://secunia.com/advisories/38181

Source: cve@mitre.org

Vendor Advisory

http://secunia.com/advisories/38200

Source: cve@mitre.org

Vendor Advisory

http://secunia.com/advisories/38761

Source: cve@mitre.org

http://secunia.com/advisories/39461

Source: cve@mitre.org

http://secunia.com/advisories/42724

Source: cve@mitre.org

http://secunia.com/advisories/42733

Source: cve@mitre.org

http://slackware.com/security/viewer.php?l=slackware-security&y=2010&m=slackware-security.663049

Source: cve@mitre.org

http://wiki.rpath.com/wiki/Advisories:rPSA-2010-0004

Source: cve@mitre.org

http://www.debian.org/security/2010/dsa-1970

Source: cve@mitre.org

http://www.mandriva.com/security/advisories?name=MDVSA-2010:022

Source: cve@mitre.org

http://www.openwall.com/lists/oss-security/2010/01/13/3

Source: cve@mitre.org

http://www.ubuntu.com/usn/USN-884-1

Source: cve@mitre.org

Vendor Advisory

http://www.vupen.com/english/advisories/2010/0124

Source: cve@mitre.org

Vendor Advisory

http://www.vupen.com/english/advisories/2010/0839

Source: cve@mitre.org

http://www.vupen.com/english/advisories/2010/0916

Source: cve@mitre.org

https://bugzilla.redhat.com/show_bug.cgi?id=546707

Source: cve@mitre.org

https://issues.rpath.com/browse/RPL-3157

Source: cve@mitre.org

https://kb.bluecoat.com/index?page=content&id=SA50

Source: cve@mitre.org

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11260

Source: cve@mitre.org

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A12168

Source: cve@mitre.org

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6678

Source: cve@mitre.org

https://rhn.redhat.com/errata/RHSA-2010-0095.html

Source: cve@mitre.org

http://cvs.openssl.org/chngview?cn=19068