SB2011092203 - Resource management error in OpenSSL
Published: September 22, 2011 Updated: July 28, 2020
Security Bulletin ID
SB2011092203
Severity
Medium
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Denial of service
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Resource management error (CVE-ID: CVE-2011-3210)
The vulnerability allows a remote non-authenticated attacker to perform service disruption.
The ephemeral ECDH ciphersuite functionality in OpenSSL 0.9.8 through 0.9.8r and 1.0.x before 1.0.0e does not ensure thread safety during processing of handshake messages from clients, which allows remote attackers to cause a denial of service (daemon crash) via out-of-order messages that violate the TLS protocol.
Remediation
Install update from vendor's website.
References
- http://cvs.openssl.org/chngview?cn=21337
- http://lists.apple.com/archives/security-announce/2013/Jun/msg00000.html
- http://marc.info/?l=bugtraq&m=132750648501816&w=2
- http://marc.info/?l=bugtraq&m=133226187115472&w=2
- http://openssl.org/news/secadv_20110906.txt
- http://secunia.com/advisories/57353
- http://support.apple.com/kb/HT5784
- http://www.mandriva.com/security/advisories?name=MDVSA-2011:137
- http://www.securitytracker.com/id?1026012
- http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004564
- https://bugzilla.redhat.com/show_bug.cgi?id=736079