PT-2014-1876 · OpenSSL+10

Tedu · Published 2014-04-14 · Updated 2024-06-15 · CVE-2010-5298

CVSS v2.0: 6.8 (Medium)

Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions

OpenSSL versions 1.0.1g and earlier
OpenSSL versions prior to 1.0.1h

Description

A race condition in the ssl3_read_bytes function in s3_pkt.c allows remote attackers to inject data across sessions or cause a denial of service via an SSL connection in a multithreaded environment when SSL_MODE_RELEASE_BUFFERS is enabled. This issue can lead to a use-after-free and a parsing error. The vulnerability can be exploited remotely and may compromise the confidentiality, integrity, and availability of protected information.

Recommendations

For OpenSSL versions 1.0.1g and earlier, update to version 1.0.1h or later to resolve the issue. For OpenSSL versions prior to 1.0.1h, update to version 1.0.1h or later to resolve the issue. As a temporary workaround, consider disabling the SSL_MODE_RELEASE_BUFFERS mode until a patch is available.

Exploit

Fix

DoS

Race Condition

NULL Pointer Dereference

Weakness Enumeration

Related Identifiers

ALT-PU-2014-1734
BDU:2015-09698
CESA-2014_0625
CVE-2010-5298
DSA-2908-1
MGASA-2014-0187
OPENSUSE-SU-2024:10271-1
OPENSUSE-SU-2024:10529-1
OPENSUSE-SU-2024:11127-1
RHSA-2014:0625
RHSA-2014:0628
RHSA-2014:0679
RHSA-2014_0625
RHSA-2014_0679
SUSE-FU-2022:0445-1
SUSE-RU-2015:0769-1
SUSE-SU-2015:0546-1
SUSE-SU-2015:0743-1
SUSE-SU-2015:1185-1
USN-2192-1

Affected Products

ALT Linux
CentOS
Huawei VRP
IBM AIX
Junos
MariaDB Server
OpenSSL
Red Hat
SUSE
Ubuntu
VMware vCenter