CVE-2015-3216

Name of the Vulnerable Software and Affected Versions OpenSSL versions 1.0.1e-25.el7

Description The issue is related to a race condition in the PRNG lock implementation in the ssleay rand bytes function in OpenSSL, which can cause a denial of service (application crash) when many TLS sessions are established to a multithreaded server. This can lead to the use of a negative value for a certain length field. Additionally, the vulnerability is associated with a buffer overflow in dynamic memory caused by an integer overflow, allowing a remote attacker to cause a denial of service by establishing multiple TLS sessions.

Recommendations For OpenSSL version 1.0.1e-25.el7, consider restricting access to the ssleay rand bytes function as a temporary workaround until a patch is available. Avoid using the function in multithreaded servers to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.