PT-2016-6416 · Curl+5 · Libcurl+6
Bru Rom
·
Published
2016-08-03
·
Updated
2026-05-18
·
CVE-2016-5419
CVSS v3.1
7.5
High
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
curl and libcurl versions prior to 7.50.1
Description
libcurl supports TLS session IDs and session tickets to resume previous TLS sessions, which speeds up subsequent handshakes to the same server. In the affected versions, libcurl would attempt to resume a cached TLS session even if the client certificate configured for the new connection differed from the one in use when the session was established (including the case where no client certificate had been used at all). This is unacceptable because a server is permitted to skip the client certificate check on resumption and reuse the identity established during the original full handshake. As a result, a connection presenting a different certificate, or none, can be treated by the server as the identity authenticated under the earlier certificate, bypassing the intended client certificate restrictions.
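The mechanism described above, as an added illustration that is not curl's source code: a toy model of a client-side TLS session cache and a server that authenticates the client certificate only on a full handshake and skips the check on resumption. The names SessionCache, ToyServer, connect, run and the file names alice.pem/bob.pem are assumptions made for the example. With match_on_client_cert=False the cache keys only on host, port and TLS settings, which is the behaviour the affected libcurl versions exhibit; with match_on_client_cert=True the client certificate is part of the match, which is one way to obtain the guarantee the fix provides (no reuse of a session established under a different client identity).

```python
"""Toy model of TLS session reuse with and without client-certificate matching.

Added illustration, not curl's code. Names (SessionCache, ToyServer, connect,
run, alice.pem, bob.pem) are assumptions made for the example.
"""
import os
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class SslConfig:
    """Subset of per-connection TLS settings a client keys its session cache on."""
    host: str
    port: int
    verify_peer: bool = True
    client_cert: Optional[str] = None  # identity presented to the server; None = no cert


class SessionCache:
    """Client-side session ID/ticket cache.

    match_on_client_cert=False mirrors libcurl before 7.50.1: a cached session
    is reused for any connection with the same host/port/TLS settings, even if
    the client certificate changed. match_on_client_cert=True refuses to reuse a
    session established under a different client identity ("no cert" is an
    identity as well).
    """

    def __init__(self, match_on_client_cert: bool) -> None:
        self.match_on_client_cert = match_on_client_cert
        self._store: Dict[Tuple, bytes] = {}

    def _key(self, cfg: SslConfig) -> Tuple:
        key: Tuple = (cfg.host, cfg.port, cfg.verify_peer)
        if self.match_on_client_cert:
            key += (cfg.client_cert,)
        return key

    def lookup(self, cfg: SslConfig) -> Optional[bytes]:
        return self._store.get(self._key(cfg))

    def store(self, cfg: SslConfig, session_id: bytes) -> None:
        self._store[self._key(cfg)] = session_id


class ToyServer:
    """Server that checks the client certificate only on a full handshake.

    On resumption it skips the certificate check and reuses the identity bound
    to the session, which TLS allows and which turns the bug into a bypass.
    """

    def __init__(self) -> None:
        self._sessions: Dict[bytes, str] = {}

    def full_handshake(self, client_cert: Optional[str]) -> Tuple[bytes, str]:
        identity = client_cert if client_cert is not None else "anonymous"
        session_id = os.urandom(16)
        self._sessions[session_id] = identity
        return session_id, identity

    def resume(self, session_id: bytes) -> Optional[str]:
        # No certificate check here: the old identity is simply reused.
        return self._sessions.get(session_id)


def connect(cache: SessionCache, server: ToyServer, cfg: SslConfig) -> Tuple[str, bool]:
    """Open one connection. Returns (identity the server attributes to us, resumed?)."""
    sid = cache.lookup(cfg)
    if sid is not None:
        identity = server.resume(sid)
        if identity is not None:
            return identity, True
    sid, identity = server.full_handshake(cfg.client_cert)
    cache.store(cfg, sid)
    return identity, False


def run(match_on_client_cert: bool, certs: List[Optional[str]]) -> List[Tuple[str, bool]]:
    """Connect to the same server once per entry of `certs`, switching the client
    certificate between connections as an application reusing one libcurl
    session cache might. Returns the identity the server saw each time and
    whether that connection was resumed."""
    cache = SessionCache(match_on_client_cert)
    server = ToyServer()
    results = []
    for cert in certs:
        cfg = SslConfig("example.test", 443, client_cert=cert)
        results.append(connect(cache, server, cfg))
    return results


if __name__ == "__main__":
    # Constructed scenario: connect as alice, then as bob, then with no certificate.
    certs = ["alice.pem", "bob.pem", None]
    print("vulnerable:", run(False, certs))  # bob and the anonymous client are seen as alice
    print("fixed:     ", run(True, certs))   # each identity gets its own full handshake
```

In the vulnerable run, only the first connection performs a full handshake; the second and third are resumed and the server attributes all three to alice, even though one presented bob's certificate and one presented none. With client-certificate matching, a session is still reused when the same certificate connects again, so the performance benefit of resumption is kept where it is safe.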
Recommendations
Update curl/libcurl to version 7.50.1 or later, which no longer reuses a cached TLS session when the client certificate differs from the one the session was established with. If updating is not immediately possible, disable the TLS session ID cache for connections that use client certificates: set CURLOPT_SSL_SESSIONID_CACHE to 0L on the libcurl handle, or pass --no-sessionid on the curl command line. An application is only exposed if it reuses the same libcurl handle (or shares TLS sessions between handles) for connections to the same server with different client certificates, or with and without a certificate. Where that cannot be ruled out, restrict access to resources that rely on client certificate authentication until the update is deployed.
Fix
Related Identifiers
Affected Products
Alt Linux
Centos
Red Hat
Suse
Ubuntu
Curl
Libcurl