Race Condition Affecting openssl package, versions [,1.0.0t)[1.0.1, 1.0.1p)[1.0.2, 1.0.2d)


Severity

Recommended
0.0
medium
0
10

CVSS assessment by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
12.81% (96th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-UNMANAGED-OPENSSL-2318696
  • published14 Dec 2021
  • disclosed6 Dec 2015
  • creditUnknown

Introduced: 6 Dec 2015

CVE-2015-3196  (opens in a new tab)
CWE-362  (opens in a new tab)

How to fix?

Upgrade openssl to version 1.0.0t, 1.0.1p, 1.0.2d or higher.

Overview

Affected versions of this package are vulnerable to Race Condition ssl/s3_clnt.c in OpenSSL 1.0.0 before 1.0.0t, 1.0.1 before 1.0.1p, and 1.0.2 before 1.0.2d, when used for a multi-threaded client, writes the PSK identity hint to an incorrect data structure, which allows remote servers to cause a denial of service (race condition and double free) via a crafted ServerKeyExchange message.

References

CVSS Base Scores

version 3.1