Vulnerability Alert

Transport Layer Security Renegotiation Remote Man-in-the-Middle Attack Vulnerability

 
Threat Type: CWE-20: Input Validation
IntelliShield ID: 19361
Version: 75
First Published: 2012 August 14 16:24 GMT
Last Published: 2012 August 14 16:24 GMT
Port: Not available
CVE: CVE-2009-3555
BugTraq ID: 36935
Urgency: Unlikely Use
Credibility: Confirmed
Severity: Mild Damage
CVSS Base: 4.3
CVSS Version 2.0
CVSS Temporal: 3.4
 
 
Version Summary: IBM has released an additional security advisory and fix to address the Transport Layer Security renegotiation remote man-in-the-middle attack vulnerability.
 
 
Description
Multiple Transport Layer Security (TLS) implementations contain a vulnerability when renegotiating a TLS session that could allow an unauthenticated, remote attacker to conduct a man-in-the-middle attack.

The vulnerability exists during a TLS renegotiation process. If an attacker can intercept traffic from a client to a TLS server, the attacker could stage a rogue TLS server to intercept that traffic and appear to authenticate the client to what the client thinks is the desired TLS server. The attacker is then able to authenticate to the legitimate TLS server and thus stage a man-in-the-middle attack. However, the attacker would not be able to view the contents of the session and would only be able to inject data or requests into it.

Proof-of-concept code that exploits this vulnerability is publicly available.

OpenSSL has confirmed this vulnerability in a changelog and released updated software.
 
Warning Indicators
The following implementations are vulnerable:
  • OpenSSL versions prior to version 0.9.8l
  • GnuTLS versions 2.8.5 and prior
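
The two version thresholds above can be applied to collected version banners for a first-pass triage. The following is an added example, not part of the original alert: the function names, status labels and sample banners are constructed for illustration. Distribution packages often carry backported fixes under an unchanged upstream version number, so a "vulnerable" result should be confirmed against the vendor advisories listed below.

```python
import re

# Thresholds taken from the "Warning Indicators" list in this alert.
OPENSSL_FIRST_FIXED = (0, 9, 8, "l")   # OpenSSL versions prior to 0.9.8l are vulnerable
GNUTLS_LAST_VULNERABLE = (2, 8, 5)     # GnuTLS versions 2.8.5 and prior are vulnerable

# Match "OpenSSL 0.9.8k" (version string) and "OpenSSL/0.9.8k" (HTTP Server header).
OPENSSL_RE = re.compile(r"\bOpenSSL[ /](\d+)\.(\d+)\.(\d+)([a-z]*)", re.IGNORECASE)
GNUTLS_RE = re.compile(r"\bGnuTLS[ /](\d+)\.(\d+)\.(\d+)", re.IGNORECASE)


def openssl_key(major, minor, fix, letters):
    """Sort key for the letter-suffixed OpenSSL scheme.

    Plain tuple comparison gives the right order because the empty string
    sorts before any letter: 0.9.8 < 0.9.8a < ... < 0.9.8z < 0.9.8za.
    """
    return (int(major), int(minor), int(fix), letters.lower())


def triage(banner):
    """Return [(library, version, status)] for every TLS library named in banner.

    status is "vulnerable" when the version falls in the range this alert
    lists, otherwise "not-listed".
    """
    findings = []
    for m in OPENSSL_RE.finditer(banner):
        key = openssl_key(*m.groups())
        version = "{}.{}.{}{}".format(*key)
        status = "vulnerable" if key < OPENSSL_FIRST_FIXED else "not-listed"
        findings.append(("OpenSSL", version, status))
    for m in GNUTLS_RE.finditer(banner):
        key = tuple(int(part) for part in m.groups())
        version = "{}.{}.{}".format(*key)
        status = "vulnerable" if key <= GNUTLS_LAST_VULNERABLE else "not-listed"
        findings.append(("GnuTLS", version, status))
    return findings


def vulnerable_hosts(inventory):
    """Return the sorted host names whose banner names a vulnerable version."""
    return sorted(
        host
        for host, banner in inventory.items()
        if any(status == "vulnerable" for _, _, status in triage(banner))
    )


# Constructed sample inventory (host names and banners are illustrative only).
SAMPLE_INVENTORY = {
    "web01": "Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8k",
    "web02": "Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.8l",
    "mail01": "OpenSSL 0.9.8 05 Jul 2005",
    "legacy01": "OpenSSL 0.9.7m 23 Feb 2007",
    "proxy01": "OpenSSL 0.9.8za 5 Jun 2014",
    "ldap01": "GnuTLS/2.8.5",
    "ldap02": "GnuTLS/2.10.0",
}

if __name__ == "__main__":
    for host in sorted(SAMPLE_INVENTORY):
        for library, version, status in triage(SAMPLE_INVENTORY[host]):
            print("{:<9} {:<8} {:<8} {}".format(host, library, version, status))
    print("review:", ", ".join(vulnerable_hosts(SAMPLE_INVENTORY)))
```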
 
IntelliShield Analysis
To exploit this vulnerability, the attacker must be able to intercept traffic from a TLS client to a TLS server. In many cases, this may require the attacker to have access to a network that is adjacent to the targeted user's system. Another possibility would be for the attacker to have access to a network that is adjacent to a legitimate TLS server.

This vulnerability is likely to affect multiple implementations of TLS.
 
Vendor Announcements
Apache has released a changelog at the following link: Changes with Apache 2.2.15

Apple has released security updates at the following links: Security Update 2010-001, Java for Mac OS X 10.6 Update 3, and Java for Mac OS X 10.5 Update 8

Cisco has re-released a security advisory at the following link: cisco-sa-20091109-tls. This advisory contains associated bug ID numbers; however, these numbers are likely to change as products are confirmed vulnerable or not vulnerable.

Citrix has released security advisories at the following link: CTX123359

F5 has released a security advisory for registered users at the following link: CVE-2009-3555

FreeBSD has released a security advisory at the following link: FreeBSD-SA-09:15.ssl

FreeBSD has released a VuXML document at the following link: mozilla -- multiple vulnerabilities

HP has released security bulletins at the following links: c01945686 at HPSBUX02482 SSRT090249, c02079216 at HPSBUX02517 SSRT100058, c02171256 at HPSBMA02534 SSRT090180, c02122104 at HPSBUX02524 SSRT100089, c02436041 at HPSBGN02562 SSRT090249, c02512995 at HPSBMA02568 SSRT100219, c02616748 at HPSBUX02608 SSRT100333, c03263573 at HPSBMU02759 SSRT100817, and c03281831 at HPSBOV02762 SSRT100825. HP has also released security bulletins c01963123 and c02273751 for registered users at the following links: HPSBU02498 SSRT090264 and HPSBMA02547 SSRT100179

IBM has released APARs at the following links: PK96157, PM12247, and PM10658. IBM has released advisories at the following links: swg24025312, swg21415080, swg21426108, swg24006386, and swg21607116. IBM has re-released a security alert at the following link: CVE-2009-3555. IBM has released an APAR for registered users at the following link: IC68055

Microsoft has released a security bulletin, security advisory, and a knowledge base article at the following links: MS10-049, Microsoft Security Advisory (977377), and KB 977377

MontaVista Software has released a security alert for registered users on March 9, 2012, at the following link: MontaVista Security Fixes

Mozilla has released a security advisory at the following link: MFSA 2010-22

NetBSD has released a security advisory at the following link: NetBSD-SA2010-002

Novell has released a security advisory at the following link: 7005950

OpenBSD has released security announcements at the following links: 004: Security FIX: November 26, 2009 and 010: SECURITY FIX: November 26, 2009

OpenOffice.org has released a security bulletin at the following link: CVE-2009-3555

Oracle has released a security alert at the following link: Critical Patch Update March 2010

Red Hat has released security advisories at the following links: RHSA-2009:1579, RHSA-2009:1580, RHSA-2010:0011, RHSA-2010:0119, RHSA-2010:0130, RHSA-2010:0155, RHSA-2010:0162, RHSA-2010:0163, RHSA-2010:0164, RHSA-2010:0165, RHSA-2010:0166, RHSA-2010:0167, RHSA-2010:0339, RHSA-2010:0408, RHSA-2010:0440, RHSA-2010:0770, RHSA-2010:0786, RHSA-2010:0807, RHSA-2010:0986, and RHSA-2010:0987

Sun has re-released security advisories at the following links: 273029, 273350, and 274990

Sun has released a security notification at the following link: CVE-2009-3555

US-CERT has released a vulnerability note at the following link: VU#120541

VMware has released security advisories at the following links: VMSA-2010-0015 and VMSA-2010-0019
 
Impact
An unauthenticated, remote attacker could exploit this vulnerability to stage a man-in-the-middle attack. This could allow the attacker to obtain sensitive information, such as authentication credentials, from the targeted user.
 
Technical Information
By intercepting client traffic during a TLS renegotiation event, an unauthenticated, remote attacker could cause a TLS client to connect to a rogue TLS server rather than the legitimate one. The attacker can then connect to the legitimate TLS server using an anonymous TLS connection. After the rogue TLS server connects to the legitimate one, the attacker has staged a man-in-the-middle attack. However, the attacker could not view the information in the session, but would be limited to adding data or requests to it.
 
Safeguards
Administrators are advised to apply the appropriate updates.

Administrators are advised to physically secure internal networks and use switches rather than hubs to route the data.

Administrators are advised to run both firewall and antivirus applications to minimize the potential of inbound and outbound threats.
 
Patches/Software
OpenSSL has released updated software at the following link: openssl-0.9.8l.tar.gz

Apache has released updated software at the following link: Apache HTTP Server 2.2.15

Apple has released updated software at the following links:
Mac OS X and Mac OS X Server 10.6.4
Security Update 2010-001 (Snow Leopard)
Java for Mac OS X 10.6 Update 3
Mac OS X and Mac OS X Server 10.5.8
Security Update 2010-001 Client (Leopard)
Security Update 2010-001 Server (Leopard)
Java for Mac OS X 10.5 Update 8

CentOS packages can be updated using the up2date or yum command.

F5 has released updated software for registered users at the following link: F5 Products

FreeBSD has released patches at the following HTTP link: ssl.patch

FreeBSD releases ports collection updates at the following link: Ports Collection Index

HP has released updated software at the following links:
x86
HP System Management Homepage for Linux version 6.2
AMD64/EM64T
HP System Management Homepage for Linux version 6.2

x86/x64
HP System Management Homepage for Windows version 6.2
B.11.11 PA (32 and 64)
OpenSSL_A.00.09.08l.001
OpenSSL_A.00.09.08n.001_HP-UX_B.11.11_32+64.depot
Apache 2.0.59.13 PA-64-32-1111.depot
B.11.23 (PA and IA)
OpenSSL_A.00.09.08l.002
OpenSSL_A.00.09.08n.002_HP-UX_B.11.23_IA-PA.depot
Apache 2.0.59.13 IA-PA-32-1123.depot
Apache 2.0.59.13 IA-PA-64-1123.depot


B.11.31 (PA and IA)
OpenSSL_A.00.09.08l.003
OpenSSL_A.00.09.08n.003_HP-UX_B.11.31_IA-PA.depot
Apache 2.0.59.13 IA-PA-32-1131.depot
Apache 2.0.59.13 IA-PA-64-1131.depot


HP System Management Homepage
v6.1.0.102 or subsequent (for Windows)
v6.1.0-103 or subsequent (for Linux x86)
v6.1.0-103 or subsequent (for Linux AMD64/EM64T)

HP-UX B.11.31
JDK and JRE v6.0.07 or subsequent
JDK and JRE v5.0.20 or subsequent
SDK and JRE v1.4.2.25 or subsequent
JDK and JRE v6.0.09 or subsequent
JDK and JRE v5.0.21 or subsequent


HP-UX B.11.23
JDK and JRE v6.0.07 or subsequent
JDK and JRE v5.0.20 or subsequent
SDK and JRE v1.4.2.25 or subsequent
JDK and JRE v6.0.09 or subsequent
JDK and JRE v5.0.21 or subsequent


HP-UX B.11.11
JDK and JRE v6.0.07 or subsequent
JDK and JRE v5.0.20 or subsequent
SDK and JRE v1.4.2.25 or subsequent
JDK and JRE v6.0.09 or subsequent
JDK and JRE v5.0.21 or subsequent

HP Systems Insight Manager (SIM)
v6.1 or subsequent (for HP-UX, Linux, and Windows)

HP ProCurve Threat Management Services zl Module
Version ST.1.1.100430 or subsequent


CSWS_JAVA V3.2
HP has released updated software for registered users at the following link:

HP Onboard Administrator 3.50

IBM has released interim fixes at the following links: swg24025312 and swg24006386. IBM has released APARs at the following links: PK96157, PM12247, and PM10658. Users of the IBM JDK are advised to install JSSE APAR IZ65239. IBM has released updates at the following links: IBM developer kits, IBM DB2 version 9.1 Fix Pack 9, and IBM DB2 version 9.7 Fix Pack 2.
IBM has released a fix at the following link: IBM Tivoli Endpoint Manager 8.2.1310.

Microsoft customers can obtain updates directly by using the links in the security bulletin. These updates are also distributed by Windows automatic update features and available on the Windows Update website. Microsoft Windows Server Update Services (WSUS), Systems Management Server, and System Center Configuration Manager can assist administrators in deploying software updates.

MontaVista Software has released updated software at the following links:
PRO 5.0
Pro 5.0.24
Mobilinux 5.0.24
MVL 5
Pro 4.0.1
CGE 4.0.1
Mobilinux 4.1
Mobilinux 4.0.2
CGE 5.1
Mobilinux 5.0

Mozilla has released updated software at the following links:
Firefox 3.6.2
Firefox 3.5.9
Thunderbird 3.0.4
SeaMonkey 2.0.4

NetBSD has released instructions for installing available patches at the following link: NetBSD

OpenBSD has released source code patches at the following FTP links: OpenBSD 4.5 and OpenBSD 4.6

OpenOffice.org has released an updated version at the following link: OpenOffice.org 3.2.1

Oracle has released patches for registered users at the following link: Oracle

Red Hat packages can be updated using the up2date or yum command.

Sun has released patches at the following links:
SPARC
  • Solaris 8 with patch 119209-22 or later
  • Solaris 9 with patch 119211-22 or later
  • Solaris 10 with patch 119213-21 or later
  • Sun Java Enterprise System 5 with patch 125358-10 or later
  • Sun Java System Web Server 7.0 update 7 or later
  • Sun Java System Web Server 7.0 with patch 125437-18 or later
  • Sun Java System Web Proxy Server 4.0.13 or later
  • Sun GlassFish Enterprise Server v2.1.1 with HADB - Package Based with patch 128640-15 or later (for customers with valid support contract) or 141709-03 or later (for customers without valid support contract)
  • Sun GlassFish Enterprise Server v2.1.1 with HADB with patch 128643-15 or later (for customers with valid support contract) or 141700-03 or later (for customers without valid support contract)
  • Sun Java System Directory Server 5.2 Patch 6 with patch 142806-02 or later
  • Sun Java System Directory Server Enterprise Edition 6.3.1 with patch 142807-02 or later
Intel
  • Solaris 9 with patch 119212-22 or later
  • Solaris 10 with patch 119214-21 or later
  • Sun Java Enterprise System 5 with patch 125359-10 or later
  • Sun Java System Web Server 7.0 update 7 or later
  • Sun Java System Web Server 7.0 with patch 125438-18 or later
  • Sun Java System Web Proxy Server 4.0.13 or later
  • Sun GlassFish Enterprise Server v2.1.1 with HADB - Package Based with patch 128641-15 or later (for customers with valid support contract) or 141710-03 or later (for customers without valid support contract)
  • Sun GlassFish Enterprise Server v2.1.1 with HADB with patch 128644-15 or later (for customers with valid support contract) or 141701-03 or later (for customers without valid support contract)
  • Sun Java System Directory Server 5.2 Patch 6 with patch 142806-02 or later
  • Sun Java System Directory Server Enterprise Edition 6.3.1 with patch 142807-02 or later
Linux
  • Sun Java Enterprise System 2005Q4 and Sun Java Enterprise System 5 (for RHEL2.1 and RHEL3.0) with patch 142506-03 or later
  • Sun Java Enterprise System 5 (for RHEL4.0 and RHEL5.0) with patch 121656-21 or later
  • Sun Java System Web Server 7.0 update 7 or later
  • Sun Java System Web Server 7.0 with patch 125439-16 or later
  • Sun Java System Application Server 8.1 with patch 119171-33 or later
  • Sun Java System Web Proxy Server 4.0.13 or later
  • Sun GlassFish Enterprise Server v2.1.1 with HADB - Package Based with patch 128642-15 or later (for customers with valid support contract) or 141711-03 or later (for customers without valid support contract)
  • Sun GlassFish Enterprise Server v2.1.1 with HADB with patch 128645-15 or later (for customers with valid support contract) or 141702-03 or later (for customers without valid support contract)
  • Sun Java System Directory Server 5.2 Patch 6 with patch 142806-02 or later
  • Sun Java System Directory Server Enterprise Edition 6.3.1 with patch 142807-02 or later
HP-UX
  • Sun Java Enterprise System 2005Q4 and Sun Java Enterprise System 5 with patch 124379-12 or later
  • Sun Java System Web Server 7.0 update 7 or later
  • Sun Java System Web Server 7.0 with patch 125440-16 or later
  • Sun Java System Web Proxy Server 4.0.13 or later
  • Sun Java System Directory Server 5.2 Patch 6 with patch 142806-02 or later
  • Sun Java System Directory Server Enterprise Edition 6.3.1 with patch 142807-02 or later
Windows
  • Sun Java Enterprise System 2005Q4 with patch 124392-11 or later
  • Sun Java Enterprise System 5 with patch 125923-10 or later
  • Sun Java System Web Server 7.0 update 7 or later
  • Sun Java System Web Server 7.0 with patch 125441-18 or later
  • Sun Java System Application Server 8.1 with patch 119172-33 or later
  • Sun Java System Web Proxy Server 4.0.13 or later
  • Sun GlassFish Enterprise Server v2.1.1 with HADB with patch 128646-15 or later (for customers with valid support contract) or 141703-03 or later (for customers without valid support contract)
  • Sun Java System Directory Server 5.2 Patch 6 with patch 142806-02 or later
  • Sun Java System Directory Server Enterprise Edition 6.3.1 with patch 142807-02 or later
AIX
  • Sun Java System Directory Server 5.2 Patch 6 with patch 142806-02 or later

Sun has released patches for StarOffice/StarSuite for relevant platforms at the following link: CVE-2009-3555

VMware has released updated software at the following links:
ESX 3.5
ESX350-201012401-SG
ESX 4.0
ESX400-201009401-SG
ESX 4.1
ESX410-201010402-SG
 
Alert History
 
Version 74, April 18, 2012, 12:44 PM: HP has released an additional security bulletin and updated software to address the Transport Layer Security renegotiation remote man-in-the-middle attack vulnerability. MontaVista Software has also re-released a security alert and updated software to address this vulnerability.

Version 73, April 3, 2012, 4:12 PM: HP has released an additional security bulletin and updated software to address the Transport Layer Security renegotiation remote man-in-the-middle attack vulnerability.

Version 72, December 16, 2010, 11:02 AM: Red Hat has released additional security advisories and updated packages to address the Transport Layer Security renegotiation remote man-in-the-middle attack vulnerability.

Version 71, December 13, 2010, 11:05 AM: HP has released a security bulletin and updated software to address the Transport Layer Security renegotiation remote man-in-the-middle attack vulnerability.

Version 70, December 8, 2010, 8:07 AM: VMware has released an additional security advisory and updated software to address the Transport Layer Security renegotiation remote man-in-the-middle attack vulnerability.

Version 69, November 29, 2010, 9:05 AM: IBM has released an additional security advisory and updated software to address the Transport Layer Security renegotiation remote man-in-the-middle attack vulnerability.

Version 68, November 17, 2010, 8:43 AM: VMware has re-released a security advisory and updated software to address the Transport Layer Security renegotiation remote man-in-the-middle attack vulnerability.

Version 67, November 1, 2010, 11:48 AM: Red Hat and IBM have released additional security advisories and updated software to address the Transport Layer Security renegotiation remote man-in-the-middle attack vulnerability.

Version 66, October 21, 2010, 9:36 AM: Red Hat has released an additional security advisory and updated packages to address the Transport Layer Security renegotiation remote man-in-the-middle attack vulnerability. Apple has also released security updates to address this vulnerability.

Version 65, October 15, 2010, 3:44 PM: Red Hat has released an additional security advisory and updated packages to address the Transport Layer Security renegotiation remote man-in-the-middle attack vulnerability.

Version 64, October 14, 2010, 8:14 PM: Sun has released a security notification and patches to address the Transport Layer Security renegotiation remote man-in-the-middle attack vulnerability.

Version 63, October 12, 2010, 8:39 PM: VMware has released a security advisory and updated software to address the Transport Layer Security renegotiation remote man-in-the-middle attack vulnerability.

Version 62, September 20, 2010, 11:37 AM: HP has released an additional security bulletin and updated software to address the Transport Layer Security renegotiation remote man-in-the-middle attack vulnerability.

Version 61, August 10, 2010, 2:41 PM: Microsoft has released a security bulletin and updated software to address the Transport Layer Security renegotiation remote man-in-the-middle attack vulnerability.

Version 60, August 5, 2010, 3:57 PM: HP has released an additional security bulletin and updated software to address the Transport Layer Security renegotiation remote man-in-the-middle attack vulnerability.

Version 59, July 13, 2010, 8:05 AM: HP has released an additional security bulletin and updated software to address the Transport Layer Security renegotiation remote man-in-the-middle attack vulnerability.

Version 58, June 14, 2010, 9:08 AM: Red Hat has released an additional security advisory and updated packages to address the Transport Layer Security renegotiation remote man-in-the-middle attack vulnerability. CentOS has also released updated packages to address this vulnerability.

Version 57, June 7, 2010, 10:04 AM: OpenOffice.org has released a security bulletin and updated software to address the Transport Layer Security renegotiation remote man-in-the-middle attack vulnerability.

Version 56, June 3, 2010, 11:34 AM: HP has released an additional security bulletin and updated software to address the Transport Layer Security renegotiation remote man-in-the-middle attack vulnerability.

Version 55, June 2, 2010, 8:16 AM: IBM has released an APAR and updated software to address the Transport Layer Security renegotiation remote man-in-the-middle attack vulnerability.

Version 54, May 26, 2010, 8:29 AM: Red Hat has released an additional security advisory and updated packages to address the Transport Layer Security renegotiation remote man-in-the-middle attack vulnerability.

Version 53, May 20, 2010, 12:57 PM: Novell has released a security advisory to address the Transport Layer Security renegotiation remote man-in-the-middle attack vulnerability.

Version 52, May 19, 2010, 10:58 AM: Apple has released security updates and updated software to address the Transport Layer Security renegotiation remote man-in-the-middle attack vulnerability.

Version 51, May 18, 2010, 9:55 AM: HP has released an additional security bulletin and updated software to address the Transport Layer Security renegotiation remote man-in-the-middle attack vulnerability.

Version 50, May 13, 2010, 9:28 AM: IBM has released an additional APAR and updated software to address the Transport Layer Security renegotiation remote man-in-the-middle attack vulnerability.

Version 49, May 13, 2009, 8:33 AM: Red Hat has released an additional security advisory and updated packages to address the Transport Layer Security renegotiation remote man-in-the-middle attack vulnerability.

Version 48, April 27, 2010, 11:05 AM: IBM has released an additional APAR to address the Transport Layer Security renegotiation remote man-in-the-middle attack vulnerability.

Version 47, April 23, 2010, 11:45 AM: IBM has released a security advisory and updated software to address the Transport Layer Security renegotiation remote man-in-the-middle attack vulnerability.

Version 46, April 21, 2010, 10:07 AM: HP has re-released a security bulletin and updated patch information to address the Transport Layer Security renegotiation remote man-in-the-middle attack vulnerability.

Version 45, April 16, 2010, 7:49 AM: HP has released an additional security bulletin and updated software to address the Transport Layer Security renegotiation remote man-in-the-middle attack vulnerability.

Version 44, April 7, 2010, 9:53 AM: FreeBSD has released a VuXML document and updated ports collection to address the Transport Layer Security renegotiation remote man-in-the-middle attack vulnerability.

Version 43, April 1, 2010, 11:44 AM: Mozilla and Oracle have released security advisories and updated software to address the Transport Layer Security renegotiation remote man-in-the-middle attack vulnerability.

Version 42, March 29, 2010, 10:58 AM: CentOS has released updated packages to address the Transport Layer Security renegotiation remote man-in-the-middle attack vulnerability.

Version 41, March 26, 2010, 12:11 PM: Red Hat has released additional security advisories and updated packages to address the Transport Layer Security renegotiation remote man-in-the-middle attack vulnerability.

Version 40, March 18, 2010, 9:23 AM: Red Hat has released a security advisory and updated packages to address the Transport Layer Security renegotiation remote man-in-the-middle attack vulnerability.

Version 39, March 8, 2010, 11:59 AM: Apache has released a changelog and updated software to address the Transport Layer Security renegotiation remote man-in-the-middle attack vulnerability.

Version 38, March 4, 2010, 8:05 AM: Red Hat has released an additional security advisory and updated packages to address the Transport Layer Security renegotiation remote man-in-the-middle attack vulnerability.

Version 37, February 23, 2010, 4:27 PM: Red Hat has released an additional security advisory and updated software to address the Transport Layer Security renegotiation remote man-in-the-middle attack vulnerability.

Version 36, February 22, 2010, 3:56 PM: MontaVista Software has released an additional security advisory and updated software to address the Transport Layer Security renegotiation remote man-in-the-middle attack vulnerability.

Version 35, February 16, 2010, 12:23 PM: MontaVista Software has released an additional security advisory and updated software to address the Transport Layer Security renegotiation remote man-in-the-middle attack vulnerability.

Version 34, February 12, 2010, 9:46 AM: Sun has released an additional security advisory and updated software to address the Transport Layer Security renegotiation remote man-in-the-middle attack vulnerability.

Version 33, February 9, 2010, 2:41 PM: Microsoft has released a security bulletin and a knowledge base article to address the Transport Layer Security renegotiation remote man-in-the-middle attack vulnerability.

Version 32, February 8, 2010, 10:03 AM: Sun has re-released a security alert and updated software to address the Transport Layer Security renegotiation remote man-in-the-middle attack vulnerability.

Version 31, February 5, 2010, 4:05 PM: Cisco has re-released a security advisory with additional products that are affected by the Transport Layer Security renegotiation remote man-in-the-middle attack vulnerability.

Version 30, February 1, 2010, 12:26 PM: Sun has re-released a security alert and updated software to address the Transport Layer Security renegotiation remote man-in-the-middle attack vulnerability.

Version 29, January 28, 2010, 1:12 PM: IBM has released a security alert and updated software to address the Transport Layer Security renegotiation remote man-in-the-middle attack vulnerability.

Version 28, January 20, 2010, 12:13 PM: Apple has released a security advisory and updated software to address the Transport Layer Security renegotiation remote man-in-the-middle attack vulnerability.

Version 27, January 13, 2010, 3:33 PM: NetBSD has released a security advisory and updated software to address the Transport Layer Security renegotiation remote man-in-the-middle attack vulnerability.

Version 26, January 11, 2010, 12:24 PM: Sun has released an additional security advisory and updated software to address the Transport Layer Security renegotiation remote man-in-the-middle attack vulnerability.

Version 25, January 7, 2010, 8:13 AM: Red Hat has released an additional security advisory and updated packages to address the Transport Layer Security renegotiation remote man-in-the-middle attack vulnerability.

Version 24, January 5, 2010, 3:38 PM: Cisco has re-released a security advisory with additional products that are affected by the Transport Layer Security renegotiation remote man-in-the-middle attack vulnerability.

Version 23, December 22, 2009, 9:19 AM: HP has released a security bulletin and updated software to address the Transport Layer Security renegotiation remote man-in-the-middle attack vulnerability.

Version 22, December 21, 2009, 12:17 PM: IBM has released a security advisory and updated software to address the Transport Layer Security renegotiation remote man-in-the-middle attack vulnerability.

Version 21, December 21, 2009, 11:36 AM: Cisco has re-released a security advisory with additional products that are affected by the Transport Layer Security renegotiation remote man-in-the-middle attack vulnerability.

Version 20, December 15, 2009, 3:42 PM: F5 has released a security advisory and updated software to address the Transport Layer Security renegotiation remote man-in-the-middle attack vulnerability. IBM has released an APAR with fixed software.

Version 19, December 11, 2009, 8:46 AM: Sun has re-released a security advisory with updated patches to address the Transport Layer Security renegotiation remote man-in-the-middle attack vulnerability.

Version 18, December 7, 2009, 5:30 PM: IBM has released a security announcement and an interim fix to address the Transport Layer Security renegotiation remote man-in-the-middle attack vulnerability.

Version 17, December 4, 2009, 10:29 PM: IBM has released an APAR to address the Transport Layer Security renegotiation remote man-in-the-middle attack vulnerability. Cisco has confirmed additional affected products.

Version 16, December 4, 2009, 9:32 AM: Cisco has re-released a security advisory with additional affected products for the Transport Layer Security renegotiation remote man-in-the-middle attack vulnerability.

Version 15, December 3, 2009, 9:46 AM: FreeBSD has released a security advisory and updated software to address the Transport Layer Security renegotiation remote man-in-the-middle attack vulnerability.

Version 14, December 2, 2009, 5:12 PM: Sun has released an additional security advisory and updated software to address the Transport Layer Security renegotiation remote man-in-the-middle attack vulnerability.

Version 13, November 30, 2009, 8:39 AM: HP has released a security bulletin and updated software to address the Transport Layer Security renegotiation remote man-in-the-middle attack vulnerability. OpenBSD also has released security announcements and source code patches to address this vulnerability.

Version 12, November 24, 2009, 10:52 AM: Sun has re-released an alert notification with Interim Security Relief to address the Transport Layer Security renegotiation remote man-in-the-middle attack vulnerability. MontaVista Software has also released a security alert and updated software to address this vulnerability.

Version 11, November 20, 2009, 3:13 PM: Sun has released an alert notification to address the Transport Layer Security renegotiation remote man-in-the-middle attack vulnerability.

Version 10, November 19, 2009, 6:23 PM: Cisco has re-released a security advisory to address additional products that are affected by the Transport Layer Security renegotiation remote man-in-the-middle attack vulnerability.

Version 9, November 17, 2009, 4:06 PM: Cisco has re-released a security advisory to address additional products that are affected by the Transport Layer Security renegotiation remote man-in-the-middle attack vulnerability.

Version 8, November 16, 2009, 10:01 AM: CentOS has released additional updated packages to address the Transport Layer Security renegotiation remote man-in-the-middle attack vulnerability.

Version 7, November 13, 2009, 10:57 AM: CentOS has released updated packages to address the Transport Layer Security renegotiation remote man-in-the-middle attack vulnerability.

Version 6, November 12, 2009, 8:18 AM: Red Hat has released additional security advisories and updated packages to address the Transport Layer Security renegotiation remote man-in-the-middle attack vulnerability.

Version 5, November 11, 2009, 2:54 PM: Apache has confirmed that it is affected by the Transport Layer Security renegotiation remote man-in-the-middle attack vulnerability. Citrix has released a security advisory for this vulnerability.

Version 4, November 9, 2009, 12:44 PM: Cisco Systems has released a security advisory regarding the Transport Layer Security renegotiation remote man-in-the-middle attack vulnerability.

Version 3, November 6, 2009, 8:43 AM: Proof-of-concept code that exploits the Transport Layer Security renegotiation remote man-in-the-middle attack vulnerability is publicly available.

Version 2, November 5, 2009, 4:33 PM: Multiple TLS implementations are affected by the Transport Layer Security renegotiation remote man-in-the-middle attack vulnerability. Additional technical information is also available.

Version 1, November 5, 2009, 2:53 PM: OpenSSL contains a vulnerability when renegotiating a Transport Layer Security session that could allow an unauthenticated, remote attacker to conduct a man-in-the-middle attack. Updates are available.



Product Sets
 
The security vulnerability applies to the following combinations of products.

Primary Products:
GNU Public License: GnuTLS 2.1 .0, .1, .2, .3, .4, .5, .6, .7, .8 | 2.2 .0, .1, .2, .3, .4, .5 | 2.3 .0, .1, .2, .3, .4, .5, .6, .7, .8, .9, .10, .11, .12, .13, .14, .15 | 2.4 .0, .1, .2, .3 | 2.6 .0, .1, .2, .3, .4, .5, .6 | 2.8 .0, .1, .2, .3, .4, .5
OpenSSL: openssl 0.9.8 Base | 0.9.8a Base | 0.9.8b Base | 0.9.8c Base | 0.9.8d Base | 0.9.8e Base | 0.9.8f Base | 0.9.8g Base | 0.9.8h Base | 0.9.8i Base | 0.9.8j Base | 0.9.8k Base

Associated Products:
Apache Software Foundation: Apache HTTP Server 1.3.30 Base | 1.3.31 Base | 1.3.32 Base | 1.3.33 Base | 1.3.34 Base | 1.3.35 Base | 1.3.36 Base | 1.3.37 Base | 1.3.39 Base | 1.3.41 Base | 2.0.45 Base | 2.0.46 Base | 2.0.47 Base | 2.0.48 Base | 2.0.49 Base | 2.0.50 Base | 2.0.51 Base | 2.0.52 Base | 2.0.53 Base | 2.0.54 Base | 2.0.55 Base | 2.0.56 Base | 2.0.57 Base | 2.0.58 Base | 2.0.59 Base | 2.0.61 Base | 2.0.63 Base | 2.2 .0, .1, .2, .3, .4, .6, .7, .8, .9, .10, .11, .12, .13, .14
Apple: Mac OS X 10.5 Intel, PPC | 10.5.1 Intel, PPC | 10.5.2 Intel, PPC | 10.5.3 Intel, PPC | 10.5.4 Intel, PPC | 10.5.5 Intel, PPC | 10.5.6 Intel, PPC | 10.5.7 Intel, PPC | 10.5.8 Intel, PPC | 10.6 Intel, PPC | 10.6.1 Intel, PPC | 10.6.2 Base | 10.6.3 Base | 10.6.4 Base
Apple: Mac OS X Server 10.5 Intel, PPC | 10.5.1 Intel, PPC | 10.5.2 Intel, PPC | 10.5.3 Intel, PPC | 10.5.4 Intel, PPC | 10.5.5 Intel, PPC | 10.5.6 Intel, PPC | 10.5.7 Intel, PPC | 10.5.8 Intel, PPC | 10.6 Intel, PPC | 10.6.1 Intel, PPC | 10.6.2 Base | 10.6.3 Base | 10.6.4 Base
CentOS Project: CentOS 3 .0 i386, .0 x86_64 | 4 .0 i386, .0 x86_64, .1 i386, .1 x86_64, .2 i386, .2 x86_64, .3 i386, .3 x86_64, .4 i386, .4 x86_64, .5 i386, .5 x86_64, .6 i386, .6 x86_64, .7 i386, .7 x86_64 | 5 .0 i386, .0 x86_64, .1 i386, .1 x86_64, .2 i386, .2 x86_64, .3 i386, .3 x86_64
Cisco: Adaptive Security Appliances Firmware (ASA) 7.0 Base, .1.4, .1, .2, .3, .4, .4.2, .5, .6, .7, .7.1, .8 | 7.1 .2, .2.61, .2.81 | 7.2 .1, .2, .2.34, .3, .3.1, .4, .4.27, .4.30 | 8.0 .1.2, .2, .2.11, .3, .4, .4.25, .4.28, .4.32, .4.33 | 8.1 Base, .1, .2, .2.15, .2.16, .2.19, .2.23, .2.24 | 8.2 .0.45
Cisco: Application Networking Manager 1.2 Base, Update E, Update F | 2.0 Base, Update A
Cisco: Application Velocity System (AVS) 4.0 Base | 5.0 Base, .1, .2, .2-13, .3-8 | 6.0 Base, .2, .3
Cisco: Cisco ACE GSS 4400 Series Global Site Selector Appliances 3.0 (1), (2) | 3.1 (0.0.7), (1.0.5)
Cisco: Cisco ACE Web Application Firewall 6.0 (0), (1), (2), (3) | 6.1 Base
CiscoCisco CallManager Original Release Base | 1.0 Base | 2.0 Base | 3.0 Base | 3.0.3(a) Base | 3.1 Base, .1, .2, .3a | 3.1(1) Base | 3.1(2) Base | 3.1(2)SR3 Base | 3.1(3) Base | 3.1(3)SR2 Base | 3.1(3)SR4 Base | 3.2 Base | 3.2(3)SR3 Base | 3.3 Base | 3.3(2)SPc Base | 3.3(3) Base | 3.3(3)ES61 Base | 3.3(3)SR3 Base | 3.3(3)SR4a Base | 3.3(3a) Base | 3.3(4) Base | 3.3(4)ES25 Base | 3.3(4)SR2 Base | 3.3(4c) Base | 3.3(5) Base | 3.3(5)ES24 Base | 3.3(5)SR1 Base | 3.3(5)SR1a Base | 3.3(5)SR2 Base | 3.3(5)SR2a Base | 3.3(5)SR3 Base | 3.3(59) Base | 3.3(61) Base | 3.3(63) Base | 3.3(64) Base | 3.3(65) Base | 3.3(66) Base | 3.3(67.5) Base | 3.3(68.1) Base | 3.3(71.0) Base | 3.3(74.0) Base | 3.3(78) Base | 3.3(76) Base | 4.0 .1, .2 | 4.0(2) Base | 4.0(2a)ES40 Base | 4.0(2a)ES56 Base | 4.0(2a)SR2b Base | 4.0(2a)SR2c Base | 4.1 Base | 4.1(2) Base | 4.1(2)ES33 Base | 4.1(2)ES50 Base | 4.1(2)SR1 Base | 4.1(3) Base | 4.1(3)ES Base | 4.1(3)ES07 Base | 4.1(3)ES24 Base | 4.1(3)SR Base | 4.1(3)SR1 Base | 4.1(3)SR2 Base | 4.1(3)SR3 Base | 4.1(3)SR3b Base | 4.1(3)SR3c Base | 4.1(3)SR4 Base | 4.1(3)SR4b Base | 4.1(3)SR4d Base | 4.1(3)SR5 Base | 4.1(4) Base | 4.1(9) Base | 4.1(17) Base | 4.1(19) Base | 4.1(22) Base | 4.1(23) Base | 4.1(25) Base | 4.1(26) Base | 4.1(27.7) Base | 4.1(28.2) Base | 4.1(30.4) Base | 4.1(36) Base | 4.1(39) Base | 4.2(1) Base | 4.2(1)SR1b Base | 4.2(1.02) Base | 4.2(1.05.3) Base | 4.2(1.06) Base | 4.2(1.07) Base | 4.2(3) Base | 4.2(3)SR1 Base | 4.2(3)SR2 Base | 4.2(3)SR3 Base | 4.2(3)SR4 Base | 4.2(3.08) Base | 4.2(3.2.3) Base | 4.2(3.3) Base | 4.2(3.13) Base | 4.2(3.20) Base | 4.2(3.31) Base | 4.2(3.36) Base | 4.2(3.39) Base | 4.2(3.46) Base | 4.3 Base | 4.3(1) Base | 4.1(3)2 Base | 4.3(1)SR Base | 4.3(1)SR1 Base | 4.3(1)SR1a Base | 4.3(1)SR1b Base | 4.3(1.57) Base | 4.3(2) Base | 4.3(2)SR1 Base | 5.0(1) Base | 5.0(2) Base | 5.0(2a) Base | 5.0(3) Base | 5.0(3a) Base | 5.0(3.1101) Base | 5.0(4) Base | 5.0(4a) Base | 5.0(4a)SU1 Base | 5.0(4c) Base | 
5.0(4.2136.001) Base | 5.0(4.2137.001) Base | 5.0(4.2137.002) Base | 5.1 Base | 5.1(1) Base | 5.1(1a) Base | 5.1(1b) Base | 5.1(1c) Base | 5.1(1.9131.045) Base | 5.1(2) Base | 5.1(2a) Base | 5.1(2b) Base | 5.1(3) Base | 5.1(3a) Base | 5.1(3b) Base | 5.1(3c) Base | 6.0(0.9901.169) Base | 6.0(0.9901.190) Base | 6.0(1) Base | 6.0(1a) Base | 6.0(1b) Base | 6.1 Base | 6.1(1) Base | 6.1(1a) Base | 6.1(2) Base
CiscoCisco CNS Network Registrar 2.5 Base | 3.0 Base | 3.5 Base, .1 | 5.0 Base | 5.5 Base, .13 | 6.0 .5, .5.2, .5.3, .5.4 | 6.1 Base, .1, .1.1, .1.2, .1.3, .1.4, .4, .4.1, .4.2, .6 | 6.2 .3 | 6.3 Base, .1 | 7.0 Base
CiscoCisco Digital Media Manager Software 3.5 Base, .1 | 4.0 Base | 4.1 Base | 5.0 Base, .2, .3
CiscoCisco Digital Media Player Software 5.0 Base, .2, .3
CiscoCisco Global Site Selector (GSS) 1.0 Base, .1 | 1.1 Base, .1 | 1.2 Base, .1, .2 | 1.3 .0, .1, .2, .3 | 2.0 .0, .1, .2, .2.1, .3, .3.0.31, .4 | 3.0 .0, .1, .2
CiscoCisco IP Communicator 1.1 Base, (4), (5) | 2.0 Base, (1a), (2)
CiscoCisco IronPort Encryption Appliance (IEA) Original Release Base
CiscoCisco IronPort Security Management Appliance M160 Base | M660 Base | M1060 Base
CiscoCisco IronPort Web Security Appliance S160 Base | S360 Base | S660 Base
CiscoCisco Network Analysis Module Software (NAM) 4.0 Base | 4.1 Base
CiscoCisco NX-OS Software 4.0 Base, (1), (1a) | 4.1 .(2), .(3), .(4)
CiscoCisco Secure Access Control System (ACS) Original Release Base | 2.4 Base | 2.6.3.2 Base | 2.6.4.4 Base | 3.0 Base | 3.0.1.40 Base | 3.0.3.6 Base | 3.1 Base, .2 | 3.1.1 Base | 3.2 Base | 3.2 (1.20) Base | 3.2 (1) Base | 3.2 (2) Base | 3.2 (3) Base | 3.2.1 Base | 3.2.2 Base | 3.2.3 Base | 3.3 Base | 3.3 (1) Base | 3.3.1 Base, .16 | 3.3.2 Base, .2 | 3.3.3 .11 | 4.0 Base, .1.27, .1.42, .1.44, .1.49 | 4.1 .1.1, .1.23, .1.23.3, .3.12, .4.13, .4.13.1, .4.13.10 | 4.2 .0.124
CiscoCisco Security Agent (CSA) 4.0 Base, .3, .3.723, .3.737 | 4.5 Base, .1, .1.628, .1.645, .1.649, .1.654, .1.655, .1.657 | 5.0 .0.179, .0.181, .0.183, .0.186, .0.187, .0.194 | 5.1 .0.74, .0.79 | 5.2 Base
CiscoCisco Security Agent (CSA) for Linux 4.0 .2.629, .3.723, .3.737 | 4.5 .0.573, .1.628, .1.645, .1.646, .1.649, .1.654, .1.655, .1.657 | 5.0 .0.74, .0.179, .0.181, .0.183, .0.186, .0.187, .0.193, .0.194 | 5.1 0.79
CiscoCisco Spam & Virus Blocker B-Series Base
CiscoCisco Telepresence 1.1 .1 | 1.2 .0, .1, .2
CiscoCisco Unified Communications Manager 5.1 (1b), (1c), (2), (2a), (2b), (3), (3a), (3b), (3c), (3d), (3e) | 6.1 (1), (1a), (1b), (2), (2)SU1, (2)SU1a, (3) | 7.0 Base, (1), (2) | 7.1 Base, (3) | 8.0 Base
CiscoCisco Unified Contact Center Enterprise 4.6 .2 | 5.0 Base | 6.0 Base | 7.0 Base | 7.1 Base, .2, .3, .4
CiscoCisco Unified Contact Center Express 4.0 Base | 5.0 (2) | 6.0 (1) | 7.0 (1)
CiscoCisco Unified IP Conference Station 7935 3.1 (1), (2), (3), (4) | 3.2 (1), (2), (3), (4), (5), (6a), (7), (8), (9), (10), (11), (12), (13), (14), (15), (16)
CiscoCisco Unified IP Conference Station 7936 3.3 (2), (3), (5), (4), (7), (8), (9), (10), (11), (12), (13)
CiscoCisco Unified IP Phone 7906G 7.2 (3) | 8.0 (3), (4), (4)SR1, (4)SR2, (4)SR3A | 8.2 (1), (2), (2) SR1, (2) SR2, (2) SR4, (2) SR3 | 8.3 (1), (2), (2) SR1, (2) SR2, (2) SR3, (2) SR4, (3), (3) SR2
CiscoCisco Unified IP Phone 7911G 7.2 (1), (2)SR2, (3) | 8.0 (1), (2)SR2, (3), (4)SR1, (4)SR2, (4)SR3A | 8.2 (1), (2) SR1, (2) SR2, (2) SR3, (2) SR4 | 8.3 (1), (2), (2) SR1, (3), (3) SR2
CiscoCisco Unified IP Phone 7931G 8.3 (1), (2), (2)SR1, (3), (3) SR2
CiscoCisco Unified IP Phone 7940G 3.1 (2), (11) | 3.2 (5), (6), (7) | 3.3 (2), (3) | 5.0 (1a), (3), (4), (5), (6) | 6.0 (3), (4), (5) | 7.0 (2) | 7.1 (2) | 7.2 (2), (3), (4) | 8.0 (1), (2), (3), (4), (5), (6), (7) | 8.1 Base | 8.2 Base | 8.3 Base | 8.4 Base | 8.5 Base | 8.6 Base | 8.7 Base | 8.8 Base
CiscoCisco Unified IP Phone 7941G 7.0 (2), (2)SR1, (3) | 8.0 (1), (2)SR1, (3), (4), (4)SR1, (4)SR2, (4)SR3A | 8.2 (1), (2) SR1, (2) SR2, (2) SR3, (2) SR4 | 8.3 (1), (2), (2) SR1, (3), (3) SR2
CiscoCisco Unified IP Phone 7942G 8.3 (2), (2) SR1, (3), (3) SR2
CiscoCisco Unified IP Phone 7945G 8.3 (2), (2) SR1, (3), (3) SR2
CiscoCisco Unified IP Phone 7960G 3.1 (2), (11) | 3.2 (5), (6), (7) | 3.3 (2), (3) | 5.0 (1a), (3), (4), (5), (6) | 6.0 (3), (4), (5) | 7.0 (2) | 7.1 (2), (3), (4) | 7.2 (2), (3), (4) | 8.0 (1), (2), (3), (4), (5), (6), (7), (8) | 8.1 Base | 8.3 Base | 8.4 Base | 8.5 Base | 8.6 Base | 8.7 Base | 8.8 Base
CiscoCisco Unified IP Phone 7961G 7.0 (2), (2) SR1, (3) | 8.0 (1), (2)SR1, (3), (4)SR1, (4)SR2, (4)SR3A | 8.2 (1), (2) SR1, (2) SR2, (2) SR3, (2) SR4 | 8.3 (1), (2), (2) SR1, (3), (3) SR2
CiscoCisco Unified IP Phone 7962G 8.3 (2), (2) SR1, (3), (3) SR2
CiscoCisco Unified IP Phone 7965G 8.3 (2), (2) SR1, (3), (3) SR2
CiscoCisco Unified IP Phone 7970G 5.0 (1), (3) | 6.0 (1), (1)SR1, (2), (2)SR1, (3)SR1 | 7.0 (1), (2), (2)SR1, (3) | 8.0 (1), (2)SR1, (3), (4)SR1, (4)SR2, (4)SR3A | 8.2 (1), (2) SR1, (2) SR2, (2) SR3, (2) SR4 | 8.3 (1), (2), (2) SR1, (3), (3) SR2
CiscoCisco Unified IP Phone 7971G 6.0 (2)SR2, (3)SR1 | 7.0 (1), (2), (2)SR1, (3) | 8.0 (1), (2)SR1, (3), (4)SR1, (4)SR2, (4)SR3A | 8.2 (1), (2) SR1, (2) SR2, (2) SR3, (2) SR4 | 8.3 (1), (2), (2) SR1, (3), (3) SR2
CiscoCisco Video Surveillance Media Server Software 5.0 .0 | 5.1 .0, .1 | 6.0 Base | 6.1 .0, .1 | 6.2 .0
CiscoCisco Video Surveillance Operations Manager Software 3.0 .0 | 3.1 .0, .1 | 4.0 .0 | 4.1 .0, .1 | 4.2 .0
CiscoCisco Wide Area Application Services (WAAS) 4.0 Base, .7, .7.46, .9, .9.10, .11.34, .13.23, .17.14, .19.14
CiscoCisco Wireless Control System Software (WCS) 1.0 Base | 2.0 Base, 44.14, 44.24 | 2.2 .0, .111.0 | 3.0 Base, .101.0, .105.0 | 3.1 Base, .20.0, .33.0, .35.0 | 3.2 Base, .23.0, .25.0, .40.0, .51.0, .64.0 | 4.0 Base, .1.0, .43.0, .66.0, .81.0, .87.0, .96.0, .97.0 | 4.1 Base, .83.0, .91.0 | 4.2 Base, .62.0, .62.11
CiscoCisco Wireless LAN Controller 3.0 Base | 3.1 .59.24, .105.0, .111.0 | 3.2 .78.0, .116.21, .150.6, .150.10, .171.5, .171.6, .185.0, .193.5, .195.10 | 4.0 .108, .155.0, .155.5, .179.8, .179.11, .196, .206.0, .217.0, .219.0 | 4.1 Base, .171.0, .181.0, .185.0 | 4.2 Base, .61.0, .99.0, .112.0, .117.0, .130.0, .173.0, .174.0, .176.0, .182.0 | 5.0 .148.0, .148.2 | 5.1 .151.0, .152.0, .160.0 | 5.2 .157.0, .169.0
CiscoCiscoWorks Common Services (CWCS) 1.0 Base | 2.2 Base | 2.3 Base | 3.0 Base, .3, .4, .5, .6 | 3.1 Base, .1 | 3.2 Base
CiscoCiscoWorks Wireless LAN Solution Engine (WLSE) 1.0 Base | 1.1 Base | 1.3 Base | 2.0 Base, .2 | 2.5 Base | 2.7 Base, .1 | 2.9 Base, .1a | 2.11 Base | 2.12 Base | 2.13 Base | 2.14 Base | 2.15 Base | 3.0 Base
CiscoContent Services Switch (CSS) 11500 Base, 5.0, 6.10, 7.1, 7.2, 7.3, 7.4, 7.5, 8.10
CiscoContent Switching Module (CSM) 4.1 Base, .6 | 4.2 Base, .1, .2, .3, .3a, .4, .5, .6, .7, .8
CiscoFirewall Services Module (FWSM) 1.1 .2, .3, .4 | 2.1 Base, .1 | 2.2 Base, .1 | 2.3 .1, .2, .3, .3(2), .4, .4(7) | 3.1 Base, .1, .1(2), .1(3), .1(4), .1(5), .1(6), .1(7), .2, .3, .3(1), .3(3), .3(11), .3(18), .4, .5, .6, .7, .8, .9, .10, .11, .12, .13 | 3.2 Base, .1, .2, .3, .4, .5, .6, .7, .8, .9, .10 | 4.0 .1, .2, .3
CiscoIOS XE 2.1 .0, .1, .2 | 2.2 .1, .2, .3 | 2.3 .0, .0t, .1t, .2 | 2.4 .0, .1
CiscoOptical Networking Systems (ONS) Firmware 1.23 Base | 1.A3 Base | 1.43 Base | 1.70 Base | 2.27 Base | 2.29 Base | 2.30 Base | 2.31 Base | 2.38 Base | 1.A0 Base | 1.A1 Base | 1.27 Base | 2.14 Base | 2.65 Base | 2.67 Base | 2.72 Base
CiscoOptical Networking Systems (ONS) System Software 2.0 Base | 3.0 Base | 4.0 Base | 4.1 Base
CiscoWebEx Connect Original Release Base
CiscoWebEx Event Center Original Release Base
CiscoWebEx Meet Me Now (MMN) Original Release Base
CiscoWebEx Meeting Center Original Release Base
CiscoWebEx PCNow (PCN) Original Release Base
CiscoWebEx Sales Center Original Release Base
CiscoWebEx Support Center Original Release Base
CiscoWebEx Training Center Original Release Base
CiscoWireless Location Appliance 1.1 .87.0 | 1.2 .17.0 | 2.0 .31.0, .42.0, .42.2, .48.0 | 2.1 .34.0, .39.0
Citrix Systems, Inc.Citrix Licensing 11.5 Base | 11.6 Base
Citrix Systems, Inc.Citrix MetaFrame Presentation Server for Microsoft Windows 2003 4.5 Base
Citrix Systems, Inc.EdgeSight for XenApp 5.0 Base | 5.1 Base | 5.2 Base
Citrix Systems, Inc.Metaframe Password Manager 4.6 Base
Citrix Systems, Inc.Secure Gateway 3.1 Base
Citrix Systems, Inc.Web Interface 5.1 Base | 5.2 Base
Citrix Systems, Inc.XenApp for Windows Server 2003 5.0 x86, x64
Citrix Systems, Inc.XenApp for Windows Server 2008 5.0 x86, x64
Citrix Systems, Inc.XenApp Fundamentals 3.0 Base
Citrix Systems, Inc.XenApp Plug-in for Windows Original Release Base
Citrix Systems, Inc.XenDesktop 3.0 Base | 4.0 Base
F5 Networks, Inc.3DNS 4.5 Base, .1, .2, .3, .4, .5, .6, .7, .8, .9, .10, .11, .12, .13, .14 | 4.6 Base, .1, .2, .3, .4
F5 Networks, Inc.ARX 5.0 .0, .1, .2, .3, .4, .5, .6
F5 Networks, Inc.BIG-IP 4.5 Base, .1, .2, .3, .4, .5, .6, .7, .8, .9, .10, .11, .12, .13, .14 | 4.6 Base, .1, .2, .3, .4
F5 Networks, Inc.BIG-IP ASM (Application Security Manager) 9.2 .0, .1, .2, .3, .4, .5 | 9.3 .0, .1 | 9.4 .0, .1, .2, .3, .4, .5, .6, .7, .8
F5 Networks, Inc.BIG-IP GTM (Global Traffic Manager) 9.2 .2, .3, .4, .5 | 9.3 .0, .1 | 9.4 .0, .1, .2, .3, .4, .5, .6, .7, .8
F5 Networks, Inc.BIG-IP Link Controller 9.2 .2, .3, .4, .5 | 9.3 .0, .1 | 9.4 .0, .1, .2, .3, .4, .5, .6, .7, .8 | 10.0 .0, .1
F5 Networks, Inc.BIG-IP LTM (Local Traffic Manager) 9.0 .0 | 9.1 .0, .1, .2, .3 | 9.2 .0, .1, .2, .3, .4, .5 | 9.3 .0, .1 | 9.4 .0, .1, .2, .3, .4, .5, .6, .7, .8 | 9.6 .0, .1 | 10.0 .0, .1
F5 Networks, Inc.BIG-IP PSM 9.4 .5, .6, .7, .8 | 10.0 .0, .1
F5 Networks, Inc.BIG-IP SAM version (Secure Access Manager) 8.0 Base
F5 Networks, Inc.BIG-IP WAN Optimization Module 10.0 .0, .1
F5 Networks, Inc.BIG-IP WebAccelerator 9.4 .0, .1, .2, .3, .4, .5, .6, .7, .8 | 10.0 .0, .1
F5 Networks, Inc.Enterprise Manager 1.2 Base | 1.4 Base, .1 | 1.6 Base | 1.8 .0
F5 Networks, Inc.FirePass Controller 5.0 Base | 5.2 Base, .1 | 5.4 Base, .1, .2 | 5.5 Base, .1, .2 | 6.0 .0, .1, .2, .3 | 6.1 Base
F5 Networks, Inc.WANjet Software 4.0 .0 | 4.2 .0, .1, .2, .3, .4, .5, .6, .7, .8 | 5.0 .0, .1, .2
FreeBSD ProjectFreeBSD 6.3 Base | 6.4 Base | 7.0 Base | 7.1 Base | 7.2 Base | 8.0 Base
HPHP Java Development Kit (JDK) 5.0.0 Base, Update 1, Update 2, Update 3, Update 4, Update 5, Update 6, Update 7, Update 8, Update 9, Update 10, Update 11, Update 12, Update 13, Update 14, Update 15, Update 16, Update 17, Update 18, Update 19, Update 20, Update 21 | 6.0 .00, .01, .02, .03, .04, .05, .06, .07, .08, .09
HPHP Java Runtime Environment (JRE) 1.4.2 .00, .01, .02, .03, .04, .05, .06, .07, .08, .09, .10, .11, .12, .13, .14, .15, .16, .17, .18, .19, .20, .21, .22, .23, .24 | 5.0.0 Base, Update 1, Update 2, Update 3, Update 4, Update 5, Update 6, Update 7, Update 8, Update 9, Update 10, Update 11, Update 12, Update 13, Update 14, Update 15, Update 16, Update 17, Update 18, Update 19, Update 20, Update 21 | 6.0 .00, .01, .02, .03, .04, .05, .06, .07, .08, .09
HPHP Java Software Development Kit (SDK) 1.4.2 .00, .01, .02, .03, .04, .05, .06, .07, .08, .09, .10, .11, .12, .13, .14, .15, .16, .17, .18, .19, .20, .21, .22, .23, .24
HPHP Systems Insight Manager (SIM) 4.2 Base, SP1, SP2 | 5.0 Base, SP1, SP2, SP3, SP4, SP5 | 5.1 Base | 5.2 Base, Update 1, Update 2 | 5.3 Base, Update 1 | 6.0 Base
HPHP-UX 11.11/11i Base | 11.23 Base | 11.31 Base
HPOnboard Administrator 3.21 Base | 3.30 Base | 3.31 Base | 3.32 Base
HPProCurve Threat Management Services zl Module ST1.1 .100226, .100330
HPSystem Management Homepage (SMH) 5.0.0 Base | 5.0.1 Base | 5.1.0 Base | 6.0.0 Base | 6.1 Base
IBMDB2 9.1 Base, FP 1, FP 2, FP 3, FP 3a, FP 4, FP 4a, FP5, FP6, FP7, FP7a, FP8 | 9.7 Base, .1
IBMHTTP Server 2.0.47 Base, .1 | 6.0.2 .0, .1, .3, .7, .9, .11, .13, .15, .19, .21, .23, .25, .27, .29, .31, .33, .39 | 6.1.0 Base, .1, .2, .3, .4, .5, .6, .7, .8, .9, .10, .11, .12, .13, .15, .16, .17, .18, .19, .20, .29 | 7.0.0 .7, .9
IBMTivoli Endpoint Manager 8.2 Base
IBMJava Development Kit (JDK) 1.4 Base, .1, .2, .2 SR1, .2 SR2, .2 SR3, .2 SR4, .2 SR5, .2 SR6, .2 SR7, .2 SR8, .2 SR9, .2 SR10, .2 SR11, .2 SR12, .2 SR13, .2 SR13-FP1 | 5.0 Base, SR1, SR2, SR3, SR4, SR5, SR5a, SR6, SR7, SR8, SR8a, SR9, SR10, SR11 | 6.0 Base, SR1, SR2, SR3, SR4, SR5, SR6, SR7
IBMWebSphere Application Server 6.1 .0, .0.1, .0.2, .0.3, .0.4, .0.5, .0.6, .0.7, .0.8, .0.9, .0.10, .0.11, .0.12, .0.13, .0.14, .0.15, .0.17, .0.19, .0.21, .0.23, .0.25, .0.28, .0.29, .0.30
IBMWebSphere Application Server for z/OS 6.0 .1.0, .1.1, .1.2, .2.0, .2.1, .2.2, .2.3, .2.4, .2.5, .2.6, .2.7, .2.8, .2.9, .2.10, .2.11, .2.12, .2.13, .2.15, .2.16, .2.17, .2.18, .2.19, .2.20, .2.21, .2.22, .2.23, .2.24, .2.25, .2.27, .2.29, .2.31, .2.33, .2.34, .2.35, .2.36, .2.37, .2.38 | 6.1 .0.0, .0.1, .0.2, .0.3, .0.4, .0.5, .0.6, .0.7, .0.8, .0.9, .0.10, .0.11, .0.12, .0.13, .0.14, .0.15, .0.16, .0.17, .0.18, .0.19, .0.21, .0.22, .0.23, .0.24, .0.25, .0.27, .0.28, .0.29
IBMWebSphere MQ 7.0 .0.0, .0.1, .0.2, .1.0, .1.1, .1.2, .1.3
IronPort Systems, IncAsyncOS for IronPort EMail Security Appliances IronPort C600 Base | IronPort C300 Base | IronPort C300D Base | IronPort C10 Base | IronPort X1000 Base | 6.4.0 -273 | 6.0.0 -754, -757 | 6.1.0 -301, -304, -306, -307 | 6.1.5 -110 | 6.1.6 -003 | 6.3.5 -003 | 6.3.6 -003 | 6.5.0 -405 | 6.5.1 -005 | IronPort X1050 Base | IronPort X1060 Base | IronPort C160 Base | IronPort C360 Base | IronPort C360D Base | IronPort C650 Base | IronPort C660 Base
Linksys by CiscoSPA921 Firmware 4.1 .15
Linksys by CiscoWAG200G Wireless Router Firmware 1.01 .03
Linksys by CiscoWAG54G Version 2 Wireless Router Firmware 1.00 .06-ST, .19-EU, .19-UK, .19-FR, .23-DE, .23-E1, .23-NZ, .27m-DE, .39-AU, .43-E2 | 1.01 .13-AU, .14-DE, .15-UK, .17-E1, .22-DE, .22-FR, .25-AU, .47-DE | 1.02 .00-EU, .01-FR, .02-E2, .03-AU, .04-NZ, .20, .20-FR, .20-DE, .20-AU, .23-EU
Linksys by CiscoWAG54G Version 3 Wireless Router Firmware 1.00 .20-US, .21-EU, .22-AU, .24-E2, .25-E3, .27-U1, .65-EU
Linksys by CiscoWAG54GS Wireless Router Firmware 1.00.02 Base | 1.00.06 Base | 1.00.08 Base | 1.01.03 Base | 1.01.12 (Annex A), (Annex B)
Linksys by CiscoWAP11 Firmware Original Release Base | 1.3 Base
Linksys by CiscoWAP4400N v1.0 Firmware 1.2 .10, .11, .11-4 WiFi, .11-5 WiFi, .12, .13, .14, .15, .16, .17
Linksys by CiscoWAP55AG Firmware 1.0 .7
Linksys by CiscoWRH54G Wireless-G Home Router Firmware 1.01 Base, .03, .04
Linksys by CiscoWRT160N Version 1.0 Firmware 1.00 .5 | 1.01 .2, .9 | 1.02 .2, .4, .6 | 1.2 .08 | 1.53 .0
Linksys by CiscoWRT160N Version 2.0 Firmware 2.0 .01.012, .01.014, .02.008, .02.011
Linksys by CiscoWRT350N Firmware 1.00 (US) .0 | 1.03 (US) .2, .3, .7 | 1.05 .2, .4 | 2.00 (EU) .10, .11, .12, .13, .14, .15, .16, .17, .19
Linksys by CiscoWRT54G Firmware (Version 4.0) 1.01 Base | 1.02 .1 | 1.30 .1, .7 | 1.41 .2 | 1.42 .2, .3 | 2.0 0.8, 2.2, 2.7 | 2.02 .2 | 2.04 .3, .4 | 3.01 .3 | 3.03 .1, .6 | 4.00 .7 | 4.20 .6
Linksys by CiscoWRT54G Firmware (Version 5.0) 1.00 .0, .1, .2, .4, .6, .9 | 1.01 .0, .1 | 1.02 .0, .2, .4, .5
Linksys by CiscoWRT54G Firmware (Version 6.0) 1.00 .0, .2, .3, .4, .5, .6, .7, .8, .9 | 1.01 .0, .1 | 1.02 .0, .1, .2, .3, .4, .5
Linksys by CiscoWRT54G Firmware (Version 8.0) 8.00 .0, .2, .4, .5
Linksys by CiscoWRT54G Firmware (Version 8.2) 8.2 .03, .04, .05
Linksys by CiscoWRT54GC Router Firmware (Version 1.0) 1.03 .0 | 1.0.7 Base | 1.1.5 Base
Linksys by CiscoWRT54GC Router Firmware (Version 2.0) 1.00 .7
Linksys by CiscoWRT54GL Firmware (Version 1.0) 4.30 .0, .2, .5, .9, .11
Linksys by CiscoWRT54GS Firmware 2.06.1 Base | 2.07.1 Base | 3.17.4 Base | 3.37.2 Base | 3.37.6 Base | 4.50.6 Base | 4.70.6 Base
Microsoft, Inc.Windows 2000 Advanced Server Base, rev.2031, rev.2072, rev.2195, SP1, SP2, SP3, SP4 | Datacenter Server Base, SP1, SP2, SP3, SP4 | Professional Base, SP1, SP2, SP3, SP4 | Server Base, SP1, SP2, SP3, SP4
Microsoft, Inc.Windows 7 for 32-bit systems Base | for x64-based systems Base
Microsoft, Inc.Windows Server 2003 Datacenter Edition Base, SP1, SP2 | Datacenter Edition, 64-bit (Itanium) Base, SP2 | Datacenter Edition x64 (AMD/EM64T) Base, SP2 | Enterprise Edition Base, SP1, SP2 | Enterprise Edition, 64-bit (Itanium) Base, SP2 | Enterprise Edition x64 (AMD/EM64T) Base, SP2 | Standard Edition Base, SP1, SP2 | Standard Edition, 64-bit (Itanium) Base, SP2 | Standard Edition x64 (AMD/EM64T) Base, SP2 | Web Edition Base, SP1, SP2
Microsoft, Inc.Windows Server 2008 Datacenter Edition Base, SP1, SP2 | Datacenter Edition, 64-bit Base, SP1, SP2 | Itanium-Based Systems Edition Base, SP1, SP2 | Enterprise Edition Base, SP1, SP2 | Enterprise Edition, 64-bit Base, SP1, SP2 | Essential Business Server Standard Base, SP1, SP2 | Essential Business Server Premium Base, SP1, SP2 | Essential Business Server Premium, 64-bit Base, SP1, SP2 | Standard Edition Base, SP1, SP2 | Standard Edition, 64-bit Base, SP1, SP2 | Web Server Base, SP1, SP2 | Web Server, 64-bit Base, SP1, SP2
Microsoft, Inc.Windows Server 2008 R2 x64-Based Systems Edition Base | Itanium-Based Systems Edition Base
Microsoft, Inc.Windows Vista Home Basic Base, SP1, SP2 | Home Premium Base, SP1, SP2 | Business Base, SP1, SP2 | Enterprise Base, SP1, SP2 | Ultimate Base, SP1, SP2 | Home Basic x64 Edition Base, SP1, SP2 | Home Premium x64 Edition Base, SP1, SP2 | Business x64 Edition Base, SP1, SP2 | Enterprise x64 Edition Base, SP1, SP2 | Ultimate x64 Edition Base, SP1, SP2
Microsoft, Inc.Windows XP Home Edition Base, SP1, SP2, SP3 | Professional Edition Base, SP1, SP2, SP3 | Professional x64 (AMD/EM64T) Base, SP2
MontaVistaMontaVista Linux 5 Base | Professional 4.0.1, 5.0, 5.0.24 | Mobilinux 4.0.2, 4.1, 5.0.24 | CGE 4.0.1
Mozilla FoundationFirefox 3.5 .0, .1, .2, .3, .4, .5, .6, .7, .8 | 3.6 .0
Mozilla FoundationSeaMonkey 2.0 .0, .1, .2, .3
Mozilla FoundationThunderbird 3.0 Base, .1, .2, .3
NetBSD FoundationNetBSD 4.0 Base | 5.0 Base
Novell, Inc.Novell Access Manager 3.1 Base, SP1
OpenBSDOpenBSD 4.5 Base | 4.6 Base
OpenOffice.orgOpenOffice 2.0.0 Base | 2.0.1 Base | 2.0.2 Base | 2.1 .0 | 2.2 .0, .1 | 2.3 .0, .1 | 2.4 .0, .1, .2, .3 | 3.0 .0, .1 | 3.1 Base, .1 | 3.2 Base
Ralf S. Engelschallmod_ssl 2.8.10-1.3.26 Base | 2.8.11-1.3.27 Base | 2.8.12-1.3.27 Base | 2.8.13-1.3.27 Base | 2.8.14-1.3.27 Base | 2.8.15-1.3.28 Base | 2.8.16-1.3.29 Base | 2.8.17-1.3.31 Base | 2.8.18-1.3.31 Base | 2.8.19-1.3.31 Base | 2.8.20-1.3.31 Base | 2.8.21-1.3.32 Base | 2.8.23-1.3.33 Base | 2.8.22-1.3.33 Base
Red Hat, Inc.JBoss Enterprise Web Server EL4 IA-32, x86_64 | EL5 IA-32, x86_64
Red Hat, Inc.Red Hat Desktop 3 i386, x86_64 | 4 IA-32, x86_64
Red Hat, Inc.Red Hat Enterprise Linux 5 IA-32, IA-64, PPC, ppc64, s390, s390x, x86_64
Red Hat, Inc.Red Hat Enterprise Linux Advanced Server 3 amd64 (x86_64), i386, ia64, PPC, s390, s390x, ppc64 | 4 IA-32, IA-64, x86_64, PPC, ppc64, s390, s390x, ppc64iseries | 4.8.z IA-32, IA-64, x86_64, PPC, ppc64, s390, s390x, ppc64iseries
Red Hat, Inc.Red Hat Enterprise Linux Desktop 5 IA-32, x86_64
Red Hat, Inc.Red Hat Enterprise Linux Desktop Supplementary 5.0 IA-32, x86-64 | 6 IA-32, x86_64
Red Hat, Inc.Red Hat Enterprise Linux Desktop Workstation 5 IA-32, x86-64
Red Hat, Inc.Red Hat Enterprise Linux Enterprise Server 3 amd64 (x86_64), i386, ia64 | 4 IA-32, IA-64, x86_64 | 4.8.z IA-32, IA-64, x86_64
Red Hat, Inc.Red Hat Enterprise Linux EUS (Extended Update Support) 5.4.z IA-32, IA-64, PPC, PPC64, s390, s390x, x86_64
Red Hat, Inc.Red Hat Enterprise Linux Extras 3 IA-32, IA-64, PPC, s390, s390x, x86_64 | 4 IA-32, IA-64, x86_64, PPC, s390, s390x, ppc64 | 4.8.z IA-32, IA-64, PPC, PPC-64, s390, s390x, x86_64
Red Hat, Inc.Red Hat Enterprise Linux HPC Node Supplementary 6 x86_64
Red Hat, Inc.Red Hat Enterprise Linux for SAP Original Release x86_64
Red Hat, Inc.Red Hat Enterprise Linux Server Supplementary 6 IA-32, PPC, PPC 64, s390, s390x, x86_64
Red Hat, Inc.Red Hat Enterprise Linux Workstation 3 amd64 (x86_64), i386, ia64 | 4 IA-32, IA-64, x86_64
Red Hat, Inc.Red Hat Enterprise Linux Workstation Supplementary 6 IA-32, x86_64
Red Hat, Inc.Red Hat Enterprise Virtualization x86_64 Base
Red Hat, Inc.RHEL Supplementary 5 IA-32, IA-64, PPC, PPC64, S390, S390x, x86_64
Red Hat, Inc.RHEL Supplementary EUS 5.4.z IA-32, IA-64, PPC, PPC64, s390, s390x, x86_64
Sun Microsystems, Inc.Java Development Kit (JDK) 5.0.0 Base, Update 1, Update 2, Update 3, Update 4, Update 5, Update 6, Update 7, Update 8, Update 9, Update 10, Update 11, Update 12, Update 13, Update 14, Update 15, Update 16, Update 17, Update 18, Update 19, Update 20, Update 21, Update 22, Update 23 | 6.0.0 Base, Update 1, Update 2, Update 3, Update 4, Update 5, Update 6, Update 7, Update 10, Update 11, Update 12, Update 13, Update 14, Update 15, Update 16, Update 17, Update 18
Sun Microsystems, Inc.Java Runtime Environment (JRE) 5.0.0 Base, Update 1, Update 2, Update 3, Update 4, Update 5, Update 6, Update 7, Update 8, Update 9, Update 10, Update 11, Update 12, Update 13, Update 14, Update 15, Update 16, Update 17, Update 18, Update 19, Update 20, Update 21, Update 22, Update 23 | 6.0 Base, Update 1, Update 2, Update 3, Update 4, Update 5, Update 6, Update 7, Update 10, Update 11, Update 12, Update 13, Update 14, Update 15, Update 16, Update 17, Update 18
Sun Microsystems, Inc.Java Software Development Kit (SDK) 1.4.2 Base, _01, _02, _03, _04, _05, _06, _07, _08, _09, _10, _11, _12, _13, _14, _15, _16, _17, _18, _19, _20, _21, _22, _23, _24, _25
Sun Microsystems, Inc.Solaris 8 sparc, intel | 9 sparc, intel | 10 sparc, x64/x86
Sun Microsystems, Inc.StarOffice 8 Base, PP 1, PP 2, PP 3, PP 4, PP 5, PP 6, PP 7, PP 8, PP 9, PP 10, PP 11, PP 12, PP 13 | 9 Base, Update 1, Update 2
Sun Microsystems, Inc.Sun GlassFish Enterprise Server with HADB 2 .1.1
Sun Microsystems, Inc.Sun Java Enterprise System 5 SPARC, x86 | 2005Q4 HP-UX, Linux, Windows
Sun Microsystems, Inc.Sun Java System Application Server Enterprise Edition 8.0 Base | 8.1 2005 Q1 HP-UX, Linux, SPARC, Windows, x86 | 8.2 Intel, Linux, SPARC, Windows
Sun Microsystems, Inc.Sun Java System Directory Server 5.2 Base
Sun Microsystems, Inc.Sun Java System Directory Server Enterprise Edition (DSEE) 6.0 Base | 6.1 Base | 6.2 Base | 6.3 Base, .1
Sun Microsystems, Inc.Sun Java System Web Proxy Server 4.0 Base, .1, .2, .3, .4, .5, .6, .7, .8, .9, .10, .11, .12
Sun Microsystems, Inc.Sun Java System Web Server 6.1 Base, SP1, SP2, SP3, SP4, SP5, SP6, SP7, SP8, SP9, SP10, SP11 | 7.0 Base, Linux, Windows, x86, HP-UX, SPARC, Update 1, Update 1 (Linux), Update 1 (Windows), Update 1 (x86), Update 1 (HP-UX), Update 1 (SPARC), Update 2, Update 2 (Linux), Update 2 (Windows), Update 2 (x86), Update 2 (HP-UX), Update 2 (SPARC), Update 3, Update 4, Update 5, Update 6
VMware, Inc.VMware ESX Server 3.0 .3 | 3.5 Base, Update 1, Update 2, Update 3, Update 4 | 4.0 Base | 4.1 Base





