CVE-2014-3509

Name of the Vulnerable Software and Affected Versions OpenSSL versions 1.0.0 through 1.0.0n OpenSSL versions 1.0.1 through 1.0.1i

Description A race condition in the ssl parse serverhello tlsext function in OpenSSL, when multithreading and session resumption are used, allows remote SSL servers to cause a denial of service (memory overwrite and client application crash) or possibly have unspecified other impact by sending Elliptic Curve (EC) Supported Point Formats Extension data. This issue may lead to disruption of confidentiality, integrity, and availability of protected information. The issue can be exploited remotely.

Recommendations For OpenSSL versions 1.0.0 through 1.0.0n, update to version 1.0.0n or later. For OpenSSL versions 1.0.1 through 1.0.1i, update to version 1.0.1i or later. As a temporary workaround, consider disabling the ssl parse serverhello tlsext function until a patch is available. Restrict access to the t1 lib.c library to minimize the risk of exploitation. Avoid using the Elliptic Curve (EC) Supported Point Formats Extension data in the affected API endpoint until the issue is resolved.