CVE-2015-1791

Name of the Vulnerable Software and Affected Versions OpenSSL versions 0.9.8 before 0.9.8zg OpenSSL versions 1.0.0 before 1.0.0s OpenSSL versions 1.0.1 before 1.0.1n OpenSSL versions 1.0.2 before 1.0.2b

Description The issue is related to a race condition in the ssl3 get new session ticket function, which can be exploited by remote attackers to cause a denial of service (double free and application crash) or possibly have other unspecified impacts. This occurs when a NewSessionTicket is provided during an attempt to reuse a ticket that had been obtained earlier, specifically in multi-threaded client scenarios. The vulnerability is associated with errors in accessing shared resources.

Recommendations For OpenSSL versions 0.9.8 before 0.9.8zg, update to version 0.9.8zg or later. For OpenSSL versions 1.0.0 before 1.0.0s, update to version 1.0.0s or later. For OpenSSL versions 1.0.1 before 1.0.1n, update to version 1.0.1n or later. For OpenSSL versions 1.0.2 before 1.0.2b, update to version 1.0.2b or later. As a temporary workaround, consider restricting access to the ssl3 get new session ticket function to minimize the risk of exploitation.