OpenSSL TLS Extension Parsing Race Condition

Published: 2010-11-16
Last Updated: 2010-11-16 21:05:21 UTC
by Guy Bruneau (Version: 1)
4 comment(s)

A flaw has been found in the OpenSSL TLS server extension affecting OpenSSL 0.9.8f through 0.9.8o, 1.0.0 and 1.0.0a. This vulnerability has been assigned CVE-2010-3864

The following applications are affected by this vulnerability:

"Any OpenSSL based TLS server is vulnerable if it is multi-threaded and uses OpenSSL's internal caching mechanism. Servers that are multi-process and/or disable internal session caching are NOT affected.

In particular the Apache HTTP server (which never uses OpenSSL internal caching) and Stunnel (which includes its own workaround) are NOT affected." [1]

[1] http://openssl.org/news/secadv_20101116.txt

-----------

Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot org

4 comment(s)

Comments

I think the CVE Article is actually CVE-2010-3864...can you confirm?
Correct CVE-2010-3864
I think the CVE Article is actually CVE-2010-3864...can you confirm?
Excellent, thanks!

Diary Archives