Openssl · Openssl · CVE-2015-3216
**Name of the Vulnerable Software and Affected Versions**
OpenSSL as packaged by Red Hat for Red Hat Enterprise Linux 7 and Fedora, package release openssl-1.0.1e-25.el7. The defect lies in a Red Hat-specific patch carried by that package, not in upstream OpenSSL 1.0.1e, so builds from upstream source and other distributions' packages are not affected by this particular issue.
**Description**
The flaw is a race condition in a Red Hat patch to the PRNG lock handling of the `ssleay_rand_bytes` function, the default random-number source behind `RAND_bytes` in OpenSSL 1.0.1 and therefore exercised by every TLS handshake. When many TLS sessions are established concurrently to a multithreaded server, the race can leave a length field with a negative value. That negative length is subsequently used for a memory operation on heap memory, where it is treated as a very large unsigned size, resulting in a heap-based buffer overflow and an application crash. The practical impact is a remotely triggerable denial of service: an unauthenticated client only needs to open many TLS connections to the server to trigger it.
**Recommendations**
Restricting access to `ssleay_rand_bytes` is not a viable workaround: it is an internal function reached through `RAND_bytes`, and any TLS server necessarily calls it during every handshake. The correct remediation is to update the openssl package to the errata release in which Red Hat and Fedora corrected this defect (see the Red Hat CVE entry for CVE-2015-3216 for the exact fixed package release), then restart every service that links against libcrypto, since running processes keep the old library mapped until restarted. Because Red Hat backports fixes without changing the upstream version string, verify the fix through the package changelog rather than by looking for a version newer than 1.0.1e. Until the update can be applied, rate-limiting new TLS connections at a load balancer or firewall and running affected services under a supervisor that restarts them on crash reduce the impact, but do not remove the underlying race.
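The following script is an added example of the verification step described above; it is not part of the original advisory and is not Red Hat's or the OpenSSL project's code. It queries the installed openssl RPM for its version-release string and its changelog, and classifies the host as vulnerable (the release named in this advisory, no fix recorded), fixed (changelog records CVE-2015-3216) or unknown (some other release without a recorded fix, which needs the errata lookup described above). The changelog entries and the `1.0.1e-60.el7` release string embedded for demonstration are constructed samples, not real package data; the live `rpm` query runs only when `rpm` is available.

```sh
#!/bin/sh
# Added example (not from the advisory): decide whether an installed openssl
# RPM is the release this advisory names, and whether its changelog records
# a fix for CVE-2015-3216. Red Hat backports fixes without bumping the
# upstream version, so "1.0.1e" alone says nothing; the changelog does.

CVE_ID="CVE-2015-3216"
AFFECTED_EVR="1.0.1e-25.el7"   # release named in the advisory

# True (exit 0) when VERSION-RELEASE matches the release named in the advisory.
is_affected_release() {
    [ "$1" = "$AFFECTED_EVR" ]
}

# True (exit 0) when the changelog text on stdin mentions the CVE identifier.
# -F: fixed-string match, so the hyphens in the ID are not regex metacharacters.
changelog_mentions_cve() {
    grep -qF "$CVE_ID"
}

# assess_openssl VERSION-RELEASE CHANGELOG_TEXT
# Prints exactly one of: fixed, vulnerable, unknown. Always exits 0 so it can
# be used inside command substitution under "set -e".
assess_openssl() {
    evr="$1"
    changelog="$2"
    if printf '%s\n' "$changelog" | changelog_mentions_cve; then
        echo "fixed"          # fix is recorded regardless of version string
    elif is_affected_release "$evr"; then
        echo "vulnerable"     # exact release named in the advisory, no fix
    else
        echo "unknown"        # other release: look up the errata for it
    fi
    return 0
}

# Constructed sample changelogs (not real Red Hat data) in rpm changelog style.
SAMPLE_CHANGELOG_NO_FIX='* Tue Apr 07 2015 Maintainer <maint@example.com> - 1.0.1e-25
- constructed sample entry, unrelated change'

SAMPLE_CHANGELOG_WITH_FIX="* Mon Jun 15 2015 Maintainer <maint@example.com> - 1.0.1e-60
- fix $CVE_ID - constructed sample entry for the RAND locking regression
$SAMPLE_CHANGELOG_NO_FIX"

# Demonstration on the constructed samples.
echo "1.0.1e-25.el7, no fix in changelog:   $(assess_openssl 1.0.1e-25.el7 "$SAMPLE_CHANGELOG_NO_FIX")"
echo "1.0.1e-60.el7, fix in changelog:      $(assess_openssl 1.0.1e-60.el7 "$SAMPLE_CHANGELOG_WITH_FIX")"
echo "1.0.1e-60.el7, no fix in changelog:   $(assess_openssl 1.0.1e-60.el7 "$SAMPLE_CHANGELOG_NO_FIX")"

# Live check of this host, only where rpm exists. Both rpm invocations are
# standard: --qf formats the query output, --changelog prints the changelog.
if command -v rpm >/dev/null 2>&1; then
    live_evr=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' openssl 2>/dev/null || echo "not-installed")
    live_log=$(rpm -q --changelog openssl 2>/dev/null || true)
    echo "installed openssl $live_evr: $(assess_openssl "$live_evr" "$live_log")"
fi
```

A result of `unknown` is expected on any release other than 1.0.1e-25.el7 whose changelog does not name the CVE; treat it as unverified rather than safe, and compare the release against the Red Hat errata for this CVE. Remember that the check only tells you which package is installed; long-running services still need a restart after the update before they stop using the old library.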