PT-2015-3264 · Openssl+9 · Openssl+9

Published

2015-12-03

·

Updated

2024-06-15

·

CVE-2015-3196

CVSS v2.0

4.3

Medium

VectorAV:N/AC:M/Au:N/C:N/I:N/A:P
Name of the Vulnerable Software and Affected Versions OpenSSL versions 1.0.0 through 1.0.0t OpenSSL versions 1.0.1 through 1.0.1p OpenSSL versions 1.0.2 through 1.0.2d
Description The issue is caused by synchronization errors when using a shared resource in the ssl/s3 clnt.c library of OpenSSL. This can be exploited by a remote attacker to cause a denial of service (race condition and double free) by sending a specially crafted ServerKeyExchange message. The vulnerability affects multi-threaded clients.
Recommendations For OpenSSL versions 1.0.0 through 1.0.0t, update to version 1.0.0t or later. For OpenSSL versions 1.0.1 through 1.0.1p, update to version 1.0.1p or later. For OpenSSL versions 1.0.2 through 1.0.2d, update to version 1.0.2d or later. As a temporary workaround, consider restricting access to the ssl/s3 clnt.c library until a patch is available.

Fix

DoS

Race Condition

Found an issue in the description? Have something to add? Feel free to write us 👾
dbugs@ptsecurity.com

Weakness Enumeration

CWE-362

Related Identifiers

ALT-PU-2015-2144
ALT-PU-2016-1230
ALT-PU-2016-1231
ALT-PU-2016-1232
ALT-PU-2016-1256
ALT-PU-2016-1263
BDU:2016-01655
CESA-2015_2617
CVE-2015-3196
DSA-3413-1
MGASA-2015-0466
OPENSUSE-SU-2024:10271-1
OPENSUSE-SU-2024:10529-1
OPENSUSE-SU-2024:11127-1
RHSA-2015:2617
RHSA-2015_2617
SUSE-FU-2022:0445-1
SUSE-SU-2015:2230-1
SUSE-SU-2015:2237-1
SUSE-SU-2015:2253-1
SUSE-SU-2016:0786-1
USN-2830-1

Affected Products

Alt Linux
Centos
Cisco Wls
Ibm Aix
Junos
Openssl
Red Hat
Suse
Ubuntu
Virtualbox