CVE-2015-5262

Name of the Vulnerable Software and Affected Versions Apache HttpComponents HttpClient versions prior to 4.3.6

Description The issue is related to the http/conn/ssl/SSLConnectionSocketFactory.java component in Apache HttpComponents HttpClient, which ignores the http.socket.timeout parameter during the SSL handshake procedure. This can be exploited by a remote attacker to cause a denial of service, resulting in an HTTPS call hang. The estimated number of potentially affected devices and details about real-world incidents are not specified.

Recommendations For versions prior to 4.3.6, update to version 4.3.6 or later to resolve the issue. As a temporary workaround, consider restricting the use of the SSLConnectionSocketFactory.java component until a patch is available. Avoid using the http.socket.timeout configuration setting in the affected API endpoint until the issue is resolved.