Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: OpenSSL TLS Extension Parsing Race Condition - SANS Internet Storm Center SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
OpenSSL TLS Extension Parsing Race Condition

A flaw has been found in the OpenSSL TLS server extension affecting OpenSSL 0.9.8f through 0.9.8o, 1.0.0 and 1.0.0a. This vulnerability has been assigned CVE-2010-3864

The following applications are affected by this vulnerability:

"Any OpenSSL based TLS server is vulnerable if it is multi-threaded and uses OpenSSL's internal caching mechanism. Servers that are multi-process and/or disable internal session caching are NOT affected.

In particular the Apache HTTP server (which never uses OpenSSL internal caching) and Stunnel (which includes its own workaround) are NOT affected." [1]

[1] http://openssl.org/news/secadv_20101116.txt

-----------

Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot org

Guy

414 Posts
ISC Handler
I think the CVE Article is actually CVE-2010-3864...can you confirm?
Anonymous
Posts
Correct CVE-2010-3864
Guy

414 Posts Posts
ISC Handler
I think the CVE Article is actually CVE-2010-3864...can you confirm?
Anonymous
Posts
Excellent, thanks!
Anonymous
Posts

Sign Up for Free or Log In to start participating in the conversation!