Resource Management Errors Affecting openssl package, versions [0.9.7,1.1.0-pre1)


Severity

Recommended
0.0
medium
0
10

CVSS assessment by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
11.38% (94th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Resource Management Errors vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-UNMANAGED-OPENSSL-2318748
  • published14 Dec 2021
  • disclosed17 Aug 2010
  • creditUnknown

Introduced: 17 Aug 2010

CVE-2010-2939  (opens in a new tab)
CWE-770  (opens in a new tab)

How to fix?

Upgrade openssl to version 1.1.0-pre1 or higher.

Overview

Affected versions of this package are vulnerable to Resource Management Errors. Double free vulnerability in the ssl3_get_key_exchange function in the OpenSSL client (ssl/s3_clnt.c) in OpenSSL 1.0.0a, 0.9.8, 0.9.7, and possibly other versions, when using ECDH, allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted private key with an invalid prime. NOTE: some sources refer to this as a use-after-free issue.

CVSS Base Scores

version 3.1