CVE-2009-2409
MEDIUM severity · CVSS 5.1 · CWE-295
5.1CVSS MEDIUM
Summary
The Network Security Services (NSS) library before 3.12.3, as used in Firefox; GnuTLS before 2.6.4 and 2.7.4; OpenSSL 0.9.8 through 0.9.8k; and other products support MD2 with X.509 certificates, which might allow remote attackers to spoof certificates by using MD2 design flaws to generate a hash collision in less than brute-force time. NOTE: the scope of this issue is currently limited because the amount of computation required is still large.
Impact & exploitability
Attack vectorNetwork
Attack complexityHigh
Privileges required—
User interaction—
Confidentiality impact—
Integrity impact—
Availability impact—
Exploit probability (EPSS)5%
AV:N/AC:H/Au:N/C:P/I:P/A:P
Affected products we track (1)
Recommendation
Apply the vendor fix in your normal patch cycle. Open any affected product above for its exact safe version.
Official patch: http://java.sun.com/j2se/1.5.0/ReleaseNotes.html ↗
Additional information
- NVD record
- http://java.sun.com/j2se/1.5.0/ReleaseNotes.htmlPatch
- http://lists.apple.com/archives/security-announce/2009/Nov/msg00000.htmlAdvisory
- http://secunia.com/advisories/36139Advisory
- http://secunia.com/advisories/36157Advisory
- http://secunia.com/advisories/36434Advisory
- http://java.sun.com/javase/6/webnotes/6u17.html
- http://secunia.com/advisories/36669
- http://secunia.com/advisories/36739