CVE-2009-3875

medium
New! CVE Severity Now Using CVSS v3

The calculated severity for CVEs has been updated to use CVSS v3 by default. CVEs that do not have a CVSS v3 score will fall back CVSS v2 for calculating severity. Severity display preferences can be toggled in the settings dropdown.

Description

The MessageDigest.isEqual function in Java Runtime Environment (JRE) in Sun Java SE in JDK and JRE 5.0 before Update 22, JDK and JRE 6 before Update 17, SDK and JRE 1.3.x before 1.3.1_27, and SDK and JRE 1.4.x before 1.4.2_24 allows remote attackers to spoof HMAC-based digital signatures, and possibly bypass authentication, via unspecified vectors related to "timing attack vulnerabilities," aka Bug Id 6863503.

References

http://java.sun.com/javase/6/webnotes/6u17.html

http://lists.apple.com/archives/security-announce/2009/Dec/msg00000.html

http://lists.apple.com/archives/security-announce/2009/Dec/msg00001.html

http://lists.opensuse.org/opensuse-security-announce/2009-11/msg00010.html

http://marc.info/?l=bugtraq&m=126566824131534&w=2

http://marc.info/?l=bugtraq&m=131593453929393&w=2

http://marc.info/?l=bugtraq&m=134254866602253&w=2

http://secunia.com/advisories/37231

http://secunia.com/advisories/37239

http://secunia.com/advisories/37386

http://secunia.com/advisories/37581

http://secunia.com/advisories/37841

http://security.gentoo.org/glsa/glsa-200911-02.xml

http://sunsolve.sun.com/search/document.do?assetkey=1-66-270475-1

http://support.apple.com/kb/HT3969

http://support.apple.com/kb/HT3970

http://www.mandriva.com/security/advisories?name=MDVSA-2010:084

http://www.oracle.com/technetwork/topics/security/cpujan2010-084891.html

http://www.redhat.com/support/errata/RHSA-2009-1694.html

http://www.securityfocus.com/bid/36881

http://www.vupen.com/english/advisories/2009/3131

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11847

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A12112

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7549

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7913

Details

Source: MITRE

Published: 2009-11-05

Updated: 2018-10-30

Type: CWE-310

Risk Information

CVSS v2

Base Score: 5

Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N

Impact Score: 2.9

Exploitability Score: 10

Severity: MEDIUM

Vulnerable Software

Configuration 1

AND

OR

cpe:2.3:a:sun:jdk:1.5.0:update1:*:*:*:*:*:*

cpe:2.3:a:sun:jdk:1.5.0:update10:*:*:*:*:*:*

cpe:2.3:a:sun:jdk:1.5.0:update11:*:*:*:*:*:*

cpe:2.3:a:sun:jdk:1.5.0:update11_b03:*:*:*:*:*:*

cpe:2.3:a:sun:jdk:1.5.0:update12:*:*:*:*:*:*

cpe:2.3:a:sun:jdk:1.5.0:update13:*:*:*:*:*:*

cpe:2.3:a:sun:jdk:1.5.0:update14:*:*:*:*:*:*

cpe:2.3:a:sun:jdk:1.5.0:update15:*:*:*:*:*:*

cpe:2.3:a:sun:jdk:1.5.0:update16:*:*:*:*:*:*

cpe:2.3:a:sun:jdk:1.5.0:update17:*:*:*:*:*:*

cpe:2.3:a:sun:jdk:1.5.0:update18:*:*:*:*:*:*

cpe:2.3:a:sun:jdk:1.5.0:update19:*:*:*:*:*:*

cpe:2.3:a:sun:jdk:1.5.0:update2:*:*:*:*:*:*

cpe:2.3:a:sun:jdk:1.5.0:update20:*:*:*:*:*:*

cpe:2.3:a:sun:jdk:1.5.0:update21:*:*:*:*:*:*

cpe:2.3:a:sun:jdk:1.5.0:update3:*:*:*:*:*:*

cpe:2.3:a:sun:jdk:1.5.0:update4:*:*:*:*:*:*

cpe:2.3:a:sun:jdk:1.5.0:update5:*:*:*:*:*:*

cpe:2.3:a:sun:jdk:1.5.0:update6:*:*:*:*:*:*

cpe:2.3:a:sun:jdk:1.5.0:update7:*:*:*:*:*:*

cpe:2.3:a:sun:jdk:1.5.0:update7_b03:*:*:*:*:*:*

cpe:2.3:a:sun:jdk:1.5.0:update8:*:*:*:*:*:*

cpe:2.3:a:sun:jdk:1.5.0:update9:*:*:*:*:*:*

cpe:2.3:a:sun:jdk:1.6.0:update1:*:*:*:*:*:*

cpe:2.3:a:sun:jdk:1.6.0:update10:*:*:*:*:*:*

cpe:2.3:a:sun:jdk:1.6.0:update11:*:*:*:*:*:*

cpe:2.3:a:sun:jdk:1.6.0:update12:*:*:*:*:*:*

cpe:2.3:a:sun:jdk:1.6.0:update13:*:*:*:*:*:*

cpe:2.3:a:sun:jdk:1.6.0:update14:*:*:*:*:*:*

cpe:2.3:a:sun:jdk:1.6.0:update15:*:*:*:*:*:*

cpe:2.3:a:sun:jdk:1.6.0:update16:*:*:*:*:*:*

cpe:2.3:a:sun:jdk:1.6.0:update2:*:*:*:*:*:*

cpe:2.3:a:sun:jdk:1.6.0:update3:*:*:*:*:*:*

cpe:2.3:a:sun:jdk:1.6.0:update4:*:*:*:*:*:*

cpe:2.3:a:sun:jdk:1.6.0:update5:*:*:*:*:*:*

cpe:2.3:a:sun:jdk:1.6.0:update6:*:*:*:*:*:*

cpe:2.3:a:sun:jdk:1.6.0:update7:*:*:*:*:*:*

cpe:2.3:a:sun:jdk:1.6.0:update8:*:*:*:*:*:*

cpe:2.3:a:sun:jdk:1.6.0:update9:*:*:*:*:*:*

cpe:2.3:a:sun:jre:1.4.2_1:*:*:*:*:*:*:*

cpe:2.3:a:sun:jre:1.4.2_2:*:*:*:*:*:*:*

cpe:2.3:a:sun:jre:1.4.2_3:*:*:*:*:*:*:*

cpe:2.3:a:sun:jre:1.4.2_4:*:*:*:*:*:*:*

cpe:2.3:a:sun:jre:1.4.2_5:*:*:*:*:*:*:*

cpe:2.3:a:sun:jre:1.4.2_6:*:*:*:*:*:*:*

cpe:2.3:a:sun:jre:1.4.2_7:*:*:*:*:*:*:*

cpe:2.3:a:sun:jre:1.4.2_8:*:*:*:*:*:*:*

cpe:2.3:a:sun:jre:1.4.2_9:*:*:*:*:*:*:*

cpe:2.3:a:sun:jre:1.4.2_10:*:*:*:*:*:*:*

cpe:2.3:a:sun:jre:1.4.2_11:*:*:*:*:*:*:*

cpe:2.3:a:sun:jre:1.4.2_12:*:*:*:*:*:*:*

cpe:2.3:a:sun:jre:1.4.2_13:*:*:*:*:*:*:*

cpe:2.3:a:sun:jre:1.4.2_14:*:*:*:*:*:*:*

cpe:2.3:a:sun:jre:1.4.2_15:*:*:*:*:*:*:*

cpe:2.3:a:sun:jre:1.4.2_16:*:*:*:*:*:*:*

cpe:2.3:a:sun:jre:1.4.2_17:*:*:*:*:*:*:*

cpe:2.3:a:sun:jre:1.4.2_18:*:*:*:*:*:*:*

cpe:2.3:a:sun:jre:1.4.2_19:*:*:*:*:*:*:*

cpe:2.3:a:sun:jre:1.4.2_20:*:*:*:*:*:*:*

cpe:2.3:a:sun:jre:1.4.2_21:*:*:*:*:*:*:*

cpe:2.3:a:sun:jre:1.4.2_22:*:*:*:*:*:*:*

cpe:2.3:a:sun:jre:1.4.2_23:*:*:*:*:*:*:*

cpe:2.3:a:sun:jre:1.5.0:update1:*:*:*:*:*:*

cpe:2.3:a:sun:jre:1.5.0:update10:*:*:*:*:*:*

cpe:2.3:a:sun:jre:1.5.0:update11:*:*:*:*:*:*

cpe:2.3:a:sun:jre:1.5.0:update12:*:*:*:*:*:*

cpe:2.3:a:sun:jre:1.5.0:update13:*:*:*:*:*:*

cpe:2.3:a:sun:jre:1.5.0:update14:*:*:*:*:*:*

cpe:2.3:a:sun:jre:1.5.0:update15:*:*:*:*:*:*

cpe:2.3:a:sun:jre:1.5.0:update16:*:*:*:*:*:*

cpe:2.3:a:sun:jre:1.5.0:update17:*:*:*:*:*:*

cpe:2.3:a:sun:jre:1.5.0:update18:*:*:*:*:*:*

cpe:2.3:a:sun:jre:1.5.0:update19:*:*:*:*:*:*

cpe:2.3:a:sun:jre:1.5.0:update2:*:*:*:*:*:*

cpe:2.3:a:sun:jre:1.5.0:update20:*:*:*:*:*:*

cpe:2.3:a:sun:jre:1.5.0:update21:*:*:*:*:*:*

cpe:2.3:a:sun:jre:1.5.0:update3:*:*:*:*:*:*

cpe:2.3:a:sun:jre:1.5.0:update4:*:*:*:*:*:*

cpe:2.3:a:sun:jre:1.5.0:update5:*:*:*:*:*:*

cpe:2.3:a:sun:jre:1.5.0:update6:*:*:*:*:*:*

cpe:2.3:a:sun:jre:1.5.0:update7:*:*:*:*:*:*

cpe:2.3:a:sun:jre:1.5.0:update8:*:*:*:*:*:*

cpe:2.3:a:sun:jre:1.5.0:update9:*:*:*:*:*:*

cpe:2.3:a:sun:jre:1.6.0:update10:*:*:*:*:*:*

cpe:2.3:a:sun:jre:1.6.0:update11:*:*:*:*:*:*

cpe:2.3:a:sun:jre:1.6.0:update12:*:*:*:*:*:*

cpe:2.3:a:sun:jre:1.6.0:update13:*:*:*:*:*:*

cpe:2.3:a:sun:jre:1.6.0:update14:*:*:*:*:*:*

cpe:2.3:a:sun:jre:1.6.0:update15:*:*:*:*:*:*

cpe:2.3:a:sun:jre:1.6.0:update16:*:*:*:*:*:*

cpe:2.3:a:sun:jre:1.6.0:update4:*:*:*:*:*:*

cpe:2.3:a:sun:jre:1.6.0:update5:*:*:*:*:*:*

cpe:2.3:a:sun:jre:1.6.0:update6:*:*:*:*:*:*

cpe:2.3:a:sun:jre:1.6.0:update7:*:*:*:*:*:*

cpe:2.3:a:sun:jre:1.6.0:update8:*:*:*:*:*:*

cpe:2.3:a:sun:jre:1.6.0:update9:*:*:*:*:*:*

cpe:2.3:a:sun:jre:1.6.0:update_1:*:*:*:*:*:*

cpe:2.3:a:sun:jre:1.6.0:update_2:*:*:*:*:*:*

cpe:2.3:a:sun:jre:1.6.0:update_3:*:*:*:*:*:*

cpe:2.3:a:sun:sdk:1.4.2_1:*:*:*:*:*:*:*

cpe:2.3:a:sun:sdk:1.4.2_02:*:*:*:*:*:*:*

cpe:2.3:a:sun:sdk:1.4.2_3:*:*:*:*:*:*:*

cpe:2.3:a:sun:sdk:1.4.2_4:*:*:*:*:*:*:*

cpe:2.3:a:sun:sdk:1.4.2_5:*:*:*:*:*:*:*

cpe:2.3:a:sun:sdk:1.4.2_6:*:*:*:*:*:*:*

cpe:2.3:a:sun:sdk:1.4.2_7:*:*:*:*:*:*:*

cpe:2.3:a:sun:sdk:1.4.2_8:*:*:*:*:*:*:*

cpe:2.3:a:sun:sdk:1.4.2_9:*:*:*:*:*:*:*

cpe:2.3:a:sun:sdk:1.4.2_10:*:*:*:*:*:*:*

cpe:2.3:a:sun:sdk:1.4.2_11:*:*:*:*:*:*:*

cpe:2.3:a:sun:sdk:1.4.2_12:*:*:*:*:*:*:*

cpe:2.3:a:sun:sdk:1.4.2_13:*:*:*:*:*:*:*

cpe:2.3:a:sun:sdk:1.4.2_14:*:*:*:*:*:*:*

cpe:2.3:a:sun:sdk:1.4.2_15:*:*:*:*:*:*:*

cpe:2.3:a:sun:sdk:1.4.2_16:*:*:*:*:*:*:*

cpe:2.3:a:sun:sdk:1.4.2_17:*:*:*:*:*:*:*

cpe:2.3:a:sun:sdk:1.4.2_18:*:*:*:*:*:*:*

cpe:2.3:a:sun:sdk:1.4.2_19:*:*:*:*:*:*:*

cpe:2.3:a:sun:sdk:1.4.2_20:*:*:*:*:*:*:*

cpe:2.3:a:sun:sdk:1.4.2_21:*:*:*:*:*:*:*

cpe:2.3:a:sun:sdk:1.4.2_22:*:*:*:*:*:*:*

cpe:2.3:a:sun:sdk:1.4.2_23:*:*:*:*:*:*:*

OR

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*

cpe:2.3:o:microsoft:windows:*:*:*:*:*:*:*:*

cpe:2.3:o:sun:solaris:*:*:*:*:*:*:*:*

Configuration 2

AND

OR

cpe:2.3:a:sun:jre:1.3.1_01:*:*:*:*:*:*:*

cpe:2.3:a:sun:jre:1.3.1_01a:*:*:*:*:*:*:*

cpe:2.3:a:sun:jre:1.3.1_02:*:*:*:*:*:*:*

cpe:2.3:a:sun:jre:1.3.1_03:*:*:*:*:*:*:*

cpe:2.3:a:sun:jre:1.3.1_04:*:*:*:*:*:*:*

cpe:2.3:a:sun:jre:1.3.1_05:*:*:*:*:*:*:*

cpe:2.3:a:sun:jre:1.3.1_06:*:*:*:*:*:*:*

cpe:2.3:a:sun:jre:1.3.1_07:*:*:*:*:*:*:*

cpe:2.3:a:sun:jre:1.3.1_08:*:*:*:*:*:*:*

cpe:2.3:a:sun:jre:1.3.1_09:*:*:*:*:*:*:*

cpe:2.3:a:sun:jre:1.3.1_10:*:*:*:*:*:*:*

cpe:2.3:a:sun:jre:1.3.1_11:*:*:*:*:*:*:*

cpe:2.3:a:sun:jre:1.3.1_12:*:*:*:*:*:*:*

cpe:2.3:a:sun:jre:1.3.1_13:*:*:*:*:*:*:*

cpe:2.3:a:sun:jre:1.3.1_14:*:*:*:*:*:*:*

cpe:2.3:a:sun:jre:1.3.1_15:*:*:*:*:*:*:*

cpe:2.3:a:sun:jre:1.3.1_16:*:*:*:*:*:*:*

cpe:2.3:a:sun:jre:1.3.1_17:*:*:*:*:*:*:*

cpe:2.3:a:sun:jre:1.3.1_18:*:*:*:*:*:*:*

cpe:2.3:a:sun:jre:1.3.1_19:*:*:*:*:*:*:*

cpe:2.3:a:sun:jre:1.3.1_20:*:*:*:*:*:*:*

cpe:2.3:a:sun:jre:1.3.1_21:*:*:*:*:*:*:*

cpe:2.3:a:sun:jre:1.3.1_22:*:*:*:*:*:*:*

cpe:2.3:a:sun:jre:1.3.1_23:*:*:*:*:*:*:*

cpe:2.3:a:sun:jre:1.3.1_24:*:*:*:*:*:*:*

cpe:2.3:a:sun:jre:1.3.1_25:*:*:*:*:*:*:*

cpe:2.3:a:sun:sdk:1.3.1_01:*:*:*:*:*:*:*

cpe:2.3:a:sun:sdk:1.3.1_01a:*:*:*:*:*:*:*

cpe:2.3:a:sun:sdk:1.3.1_02:*:*:*:*:*:*:*

cpe:2.3:a:sun:sdk:1.3.1_03:*:*:*:*:*:*:*

cpe:2.3:a:sun:sdk:1.3.1_04:*:*:*:*:*:*:*

cpe:2.3:a:sun:sdk:1.3.1_05:*:*:*:*:*:*:*

cpe:2.3:a:sun:sdk:1.3.1_06:*:*:*:*:*:*:*

cpe:2.3:a:sun:sdk:1.3.1_7:*:*:*:*:*:*:*

cpe:2.3:a:sun:sdk:1.3.1_8:*:*:*:*:*:*:*

cpe:2.3:a:sun:sdk:1.3.1_9:*:*:*:*:*:*:*

cpe:2.3:a:sun:sdk:1.3.1_10:*:*:*:*:*:*:*

cpe:2.3:a:sun:sdk:1.3.1_11:*:*:*:*:*:*:*

cpe:2.3:a:sun:sdk:1.3.1_12:*:*:*:*:*:*:*

cpe:2.3:a:sun:sdk:1.3.1_13:*:*:*:*:*:*:*

cpe:2.3:a:sun:sdk:1.3.1_14:*:*:*:*:*:*:*

cpe:2.3:a:sun:sdk:1.3.1_15:*:*:*:*:*:*:*

cpe:2.3:a:sun:sdk:1.3.1_16:*:*:*:*:*:*:*

cpe:2.3:a:sun:sdk:1.3.1_17:*:*:*:*:*:*:*

cpe:2.3:a:sun:sdk:1.3.1_18:*:*:*:*:*:*:*

cpe:2.3:a:sun:sdk:1.3.1_19:*:*:*:*:*:*:*

cpe:2.3:a:sun:sdk:1.3.1_20:*:*:*:*:*:*:*

cpe:2.3:a:sun:sdk:1.3.1_21:*:*:*:*:*:*:*

cpe:2.3:a:sun:sdk:1.3.1_22:*:*:*:*:*:*:*

cpe:2.3:a:sun:sdk:1.3.1_23:*:*:*:*:*:*:*

cpe:2.3:a:sun:sdk:1.3.1_24:*:*:*:*:*:*:*

cpe:2.3:a:sun:sdk:1.3.1_25:*:*:*:*:*:*:*

OR

cpe:2.3:o:microsoft:windows:*:*:*:*:*:*:*:*

Tenable Plugins

View all (39 total)

IDNameProductFamilySeverity
89736VMware ESX Java Runtime Environment (JRE) Multiple Vulnerabilities (VMSA-2010-0002) (remote check)NessusVMware ESX Local Security Checks
critical
67960Oracle Linux 5 : java-1.6.0-openjdk (ELSA-2009-1584)NessusOracle Linux Local Security Checks
critical
67075CentOS 5 : java-1.6.0-openjdk (CESA-2009:1584)NessusCentOS Local Security Checks
critical
64831Sun Java JRE Multiple Vulnerabilities (269868 / 269869 / 270476 ...) (Unix)NessusMisc.
high
60691Scientific Linux Security Update : java (jdk 1.6.0) on SL4.x, SL5.x i386/x86_64NessusScientific Linux Local Security Checks
high
49863SuSE 10 Security Update : IBM Java 1.5.0 (ZYPP Patch Number 6741)NessusSuSE Local Security Checks
high
49861SuSE 10 Security Update : IBM Java 1.4.2 (ZYPP Patch Number 6755)NessusSuSE Local Security Checks
high
46176Mandriva Linux Security Advisory : java-1.6.0-openjdk (MDVSA-2010:084)NessusMandriva Local Security Checks
high
45386VMSA-2010-0002 : VMware vCenter update release addresses multiple security issues in Java JRENessusVMware ESX Local Security Checks
critical
44029RHEL 4 / 5 : IBM Java Runtime in Satellite Server (RHSA-2010:0043)NessusRed Hat Local Security Checks
critical
43872SuSE 11 Security Update : IBM Java 1.6.0 (SAT Patch Number 1748)NessusSuSE Local Security Checks
high
43859SuSE 10 Security Update : IBM Java 1.4.2 (ZYPP Patch Number 6757)NessusSuSE Local Security Checks
high
43857SuSE 11 Security Update : IBM Java 1.4.2 (SAT Patch Number 1744)NessusSuSE Local Security Checks
high
43854SuSE9 Security Update : IBM Java2 JRE and SDK (YOU Patch Number 12565)NessusSuSE Local Security Checks
high
43822SuSE 10 Security Update : IBM Java 1.5.0 (ZYPP Patch Number 6740)NessusSuSE Local Security Checks
high
43599SuSE9 Security Update : IBM Java 1.5.0 (YOU Patch Number 12564)NessusSuSE Local Security Checks
high
43597RHEL 4 / 5 : java-1.6.0-ibm (RHSA-2009:1694)NessusRed Hat Local Security Checks
critical
43079RHEL 4 / 5 : java-1.5.0-ibm (RHSA-2009:1647)NessusRed Hat Local Security Checks
critical
43048RHEL 3 / 4 / 5 : java-1.4.2-ibm (RHSA-2009:1643)NessusRed Hat Local Security Checks
critical
43003Mac OS X : Java for Mac OS X 10.6 Update 1NessusMacOS X Local Security Checks
high
43002Mac OS X : Java for Mac OS X 10.5 Update 6NessusMacOS X Local Security Checks
high
42926openSUSE Security Update : java-1_6_0-openjdk (java-1_6_0-openjdk-1613)NessusSuSE Local Security Checks
high
42923openSUSE Security Update : java-1_6_0-openjdk (java-1_6_0-openjdk-1613)NessusSuSE Local Security Checks
high
42921openSUSE Security Update : java-1_6_0-openjdk (java-1_6_0-openjdk-1613)NessusSuSE Local Security Checks
high
42857SuSE 11 Security Update : Sun Java 1.6.0 (SAT Patch Number 1542)NessusSuSE Local Security Checks
high
42855openSUSE Security Update : java-1_6_0-sun (java-1_6_0-sun-1541)NessusSuSE Local Security Checks
high
42853openSUSE Security Update : java-1_6_0-sun (java-1_6_0-sun-1541)NessusSuSE Local Security Checks
high
42851openSUSE Security Update : java-1_6_0-sun (java-1_6_0-sun-1541)NessusSuSE Local Security Checks
high
42834GLSA-200911-02 : Sun JDK/JRE: Multiple vulnerabilitiesNessusGentoo Local Security Checks
critical
42828RHEL 5 : java-1.6.0-openjdk (RHSA-2009:1584)NessusRed Hat Local Security Checks
critical
42817Ubuntu 8.10 / 9.04 / 9.10 : openjdk-6 vulnerabilities (USN-859-1)NessusUbuntu Local Security Checks
critical
42806Fedora 10 : java-1.6.0-openjdk-1.6.0.0-23.b16.fc10 (2009-11490)NessusFedora Local Security Checks
high
42805Fedora 12 : java-1.6.0-openjdk-1.6.0.0-33.b16.fc12 (2009-11489)NessusFedora Local Security Checks
high
42802Fedora 11 : java-1.6.0-openjdk-1.6.0.0-30.b16.fc11 (2009-11486)NessusFedora Local Security Checks
high
42460openSUSE Security Update : java-1_5_0-sun (java-1_5_0-sun-1529)NessusSuSE Local Security Checks
high
42457openSUSE Security Update : java-1_5_0-sun (java-1_5_0-sun-1529)NessusSuSE Local Security Checks
high
42455RHEL 4 / 5 : java-1.5.0-sun (RHSA-2009:1571)NessusRed Hat Local Security Checks
critical
42431RHEL 4 / 5 : java-1.6.0-sun (RHSA-2009:1560)NessusRed Hat Local Security Checks
critical
42373Sun Java JRE Multiple Vulnerabilities (269868 / 269869 / 270476 ..)NessusWindows
high