CVE-2010-2939

Name of the Vulnerable Software and Affected Versions OpenSSL versions 0.9.7 through 1.0.0a OpenSSL versions prior to 1.0.0e

Description A double free vulnerability in the ssl3 get key exchange function in the OpenSSL client allows context-dependent attackers to cause a denial of service and possibly execute arbitrary code via a crafted private key with an invalid prime. This issue may also be referred to as a use-after-free issue. The vulnerability can be exploited remotely and may lead to a violation of confidentiality, integrity, and availability of protected information.

Recommendations For OpenSSL versions 0.9.7 through 1.0.0a, update to a version later than 1.0.0a to resolve the issue. For OpenSSL versions prior to 1.0.0e, update to version 1.0.0e or later to resolve the issue. As a temporary workaround, consider restricting the use of ECDH in the OpenSSL client until a patch is available.