PT-2015-3264 · Openssl+9

Published: 2015-12-03
Updated: 2024-06-15
CVE-2015-3196
CVSS v2.0: 4.3 (Medium)
Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P

Name of the Vulnerable Software and Affected Versions

OpenSSL versions 1.0.0 through 1.0.0t
OpenSSL versions 1.0.1 through 1.0.1p
OpenSSL versions 1.0.2 through 1.0.2d

Description

The issue is caused by synchronization errors when using a shared resource in the ssl/s3_clnt.c library of OpenSSL. A remote attacker can exploit it to cause a denial of service (race condition and double free) by sending a specially crafted ServerKeyExchange message. The vulnerability affects multi-threaded clients.

Recommendations

For OpenSSL versions 1.0.0 through 1.0.0t, update to version 1.0.0t or later.
For OpenSSL versions 1.0.1 through 1.0.1p, update to version 1.0.1p or later.
For OpenSSL versions 1.0.2 through 1.0.2d, update to version 1.0.2d or later.
As a temporary workaround, consider restricting access to the ssl/s3_clnt.c library until a patch is available.

Fix

DoS

Race Condition

Weakness Enumeration

Related identifiers

ALT-PU-2015-2144
ALT-PU-2016-1230
ALT-PU-2016-1231
ALT-PU-2016-1232
ALT-PU-2016-1256
ALT-PU-2016-1263
BDU:2016-01655
CESA-2015_2617
CVE-2015-3196
DSA-3413-1
MGASA-2015-0466
OPENSUSE-SU-2024:10271-1
OPENSUSE-SU-2024:10529-1
OPENSUSE-SU-2024:11127-1
RHSA-2015:2617
RHSA-2015_2617
SUSE-FU-2022:0445-1
SUSE-SU-2015:2230-1
SUSE-SU-2015:2237-1
SUSE-SU-2015:2253-1
SUSE-SU-2016:0786-1
USN-2830-1

Affected products

Alt Linux
Centos
Cisco Wls
Ibm Aix
Junos
Openssl
Red Hat
Suse
Ubuntu
Virtualbox