VID | 22482
Severity | 40
Port | 80, ...
Protocol | TCP
Class | WWW
Detailed Description | According to its banner, the remote web server uses a version of OpenSSL older than 0.9.8m. Such versions have the following vulnerabilities:
- Session renegotiations are not handled properly, which could be exploited to insert arbitrary plaintext by a man-in-the-middle. (CVE-2009-3555)
- The library does not check for a NULL return value from calls to the bn_wexpand() function, which has unspecified impact. (CVE-2009-3245)
* Note: This check relied solely on the banner of the remote web server to assess this vulnerability, so this might be a false positive.
* References: http://rt.openssl.org/Ticket/Display.html?id=2111&user=guest&pass=guest http://marc.info/?l=openssl-announce&m=126714485629486&w=2
Recommendation | Upgrade to the latest version of OpenSSL (0.9.8m or later)
Related URL | CVE-2009-3245, CVE-2009-3555 (CVE)
Related URL | 36935, 38562 (SecurityFocus)
Related URL | (ISS)