Resource management error in OpenSSL - CVE-2011-3210

 


Published: September 22, 2011 / Updated: July 28, 2020


Vulnerability identifier: #VU32856
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2011-3210
CWE-ID: CWE-399
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: OpenSSL Software Foundation
Affected software:
OpenSSL

Detailed vulnerability description

The vulnerability allows a remote unauthenticated attacker to cause a denial of service.

The ephemeral ECDH ciphersuite functionality in OpenSSL 0.9.8 through 0.9.8r and 1.0.x before 1.0.0e does not ensure thread safety during processing of handshake messages from clients, which allows remote attackers to cause a denial of service (daemon crash) via out-of-order messages that violate the TLS protocol.
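A version check against the affected ranges stated above, added here as an example (it is not part of the original advisory or of OpenSSL). The function names are hypothetical, the sample banners in the test are constructed, and a version with no letter suffix is assumed to sort before "a".

```python
import re
import ssl

# Upstream OpenSSL versions of this era look like "0.9.8r" or "1.0.0e":
# three numeric fields plus an optional one- or two-letter patch suffix.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]{0,2})")


def parse_openssl_version(banner):
    """Return ((major, minor, fix), patch_key) or None if no version is found.

    patch_key is (len(letters), letters) so that "" < "a" < ... < "z" < "za".
    """
    match = _VERSION_RE.search(banner)
    if match is None:
        return None
    major, minor, fix, letters = match.groups()
    return (int(major), int(minor), int(fix)), (len(letters), letters)


def is_affected_by_cve_2011_3210(banner):
    """True/False for a parsed version, None when the banner has no version.

    Ranges are taken from the advisory text:
    0.9.8 through 0.9.8r, and 1.0.x before 1.0.0e.
    """
    parsed = parse_openssl_version(banner)
    if parsed is None:
        return None
    base, patch = parsed
    if base == (0, 9, 8):
        return patch <= (1, "r")
    if base == (1, 0, 0):
        return patch < (1, "e")
    return False


if __name__ == "__main__":
    # Checks the OpenSSL library this Python interpreter is linked against.
    print(ssl.OPENSSL_VERSION, "->", is_affected_by_cve_2011_3210(ssl.OPENSSL_VERSION))
```

Distribution packages often backport fixes without changing the upstream version string, so a positive result should be confirmed against the package changelog.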


How to mitigate CVE-2011-3210

Install the update from the vendor's website.

Sources