OpenSSL TLS Extension Parsing Race Condition
A flaw has been found in the OpenSSL TLS server extension parsing code, affecting OpenSSL 0.9.8f through 0.9.8o, 1.0.0 and 1.0.0a. This vulnerability has been assigned CVE-2010-3864.
The following applications are affected by this vulnerability:
"Any OpenSSL based TLS server is vulnerable if it is multi-threaded and uses OpenSSL's internal caching mechanism. Servers that are multi-process and/or disable internal session caching are NOT affected.
In particular the Apache HTTP server (which never uses OpenSSL internal caching) and Stunnel (which includes its own workaround) are NOT affected." [1]
[1] http://openssl.org/news/secadv_20101116.txt
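For triage, the version list above can be turned into a quick check of `openssl version` banners. This is an added example, not code from the diary or from the OpenSSL project; the function names and the sample banners are assumptions made for illustration.

```python
import re

# Affected releases as listed in the diary: 0.9.8f through 0.9.8o, 1.0.0 and 1.0.0a.
# Each entry: base version -> (lowest letter, highest letter); "" means no letter suffix.
AFFECTED = {"0.9.8": ("f", "o"), "1.0.0": ("", "a")}

# Matches the version token in `openssl version` output, e.g. "OpenSSL 0.9.8k 25 Mar 2009".
_VERSION = re.compile(r"\b(\d+\.\d+\.\d+)([a-z]*)(-[\w.-]+)?")


def parse_version(text):
    """Return (base, letter, suffix) or None if no version token is found."""
    m = _VERSION.search(text)
    if not m:
        return None
    return m.group(1), m.group(2), m.group(3) or ""


def in_listed_range(text):
    """True/False if the version is inside/outside the listed ranges, None if undecidable.

    Pre-release builds (-beta, -dev, ...) are not covered by the list, so they
    return None rather than a guess. A "-fips" build suffix is ignored.
    """
    parsed = parse_version(text)
    if parsed is None:
        return None
    base, letter, suffix = parsed
    if suffix and not suffix.startswith("-fips"):
        return None
    if base not in AFFECTED:
        return False
    low, high = AFFECTED[base]
    # OpenSSL letter releases sort lexicographically: "" < "a" < ... < "z" < "za".
    return low <= letter <= high


if __name__ == "__main__":
    # Constructed sample banners, not output captured from real hosts.
    for banner in ("OpenSSL 0.9.8k 25 Mar 2009", "OpenSSL 0.9.8p 16 Nov 2010",
                   "OpenSSL 1.0.0a 1 Jun 2010", "OpenSSL 1.0.0-beta3 15 Jul 2009"):
        print(f"{banner!r}: in listed range = {in_listed_range(banner)}")
```

A version inside the range only flags a host for follow-up: per the advisory, exposure also requires a multi-threaded server that uses OpenSSL's internal session caching. Distribution packages may also carry a backported fix under an unchanged version string, so confirm against the vendor's package changelog.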
-----------
Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot org
Keywords: OpenSSL CVE20103864