7.6

CVE-2010-3864

Multiple race conditions in ssl/t1_lib.c in OpenSSL 0.9.8f through 0.9.8o, 1.0.0, and 1.0.0a, when multi-threading and internal caching are enabled on a TLS server, might allow remote attackers to execute arbitrary code via client data that triggers a heap-based buffer overflow, related to (1) the TLS server name extension and (2) elliptic curve cryptography.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
OpenSSLOpenSSL Version0.9.8f
OpenSSLOpenSSL Version0.9.8g
OpenSSLOpenSSL Version0.9.8h
OpenSSLOpenSSL Version0.9.8i
OpenSSLOpenSSL Version0.9.8j
OpenSSLOpenSSL Version0.9.8k
OpenSSLOpenSSL Version0.9.8l
OpenSSLOpenSSL Version0.9.8m
OpenSSLOpenSSL Version0.9.8n
OpenSSLOpenSSL Version0.9.8o
OpenSSLOpenSSL Version1.0.0
OpenSSLOpenSSL Version1.0.0a
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 22.15% 0.974
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 7.6 4.9 10
AV:N/AC:H/Au:N/C:C/I:C/A:C
CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.

http://www.securityfocus.com/archive/1/516397/100/0/threaded
http://www.vmware.com/security/advisories/VMSA-2011-0003.html
https://lists.balabit.com/pipermail/syslog-ng-announce/2011-January/000101.html
https://lists.balabit.com/pipermail/syslog-ng-announce/2011-January/000102.html
http://lists.apple.com/archives/security-announce/2011//Jun/msg00000.html
http://support.apple.com/kb/HT4723
http://secunia.com/advisories/57353
http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004564
http://secunia.com/advisories/42309
http://secunia.com/advisories/42413
http://secunia.com/advisories/43312
http://security.FreeBSD.org/advisories/FreeBSD-SA-10:10.openssl.asc
http://slackware.com/security/viewer.php?l=slackware-security&y=2010&m=slackware-security.668793
http://www.vupen.com/english/advisories/2010/3077
http://lists.opensuse.org/opensuse-security-announce/2010-11/msg00006.html
http://secunia.com/advisories/42397
http://www.vupen.com/english/advisories/2010/3097
http://blogs.sun.com/security/entry/cve_2010_3864_race_condition
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02794777
http://lists.fedoraproject.org/pipermail/package-announce/2010-November/051170.html
http://lists.fedoraproject.org/pipermail/package-announce/2010-November/051237.html
http://lists.fedoraproject.org/pipermail/package-announce/2010-November/051255.html
http://marc.info/?l=bugtraq&m=129916880600544&w=2
http://marc.info/?l=bugtraq&m=130497251507577&w=2
http://marc.info/?l=bugtraq&m=132828103218869&w=2
http://openssl.org/news/secadv_20101116.txt
Patch
Vendor Advisory
http://secunia.com/advisories/42241
http://secunia.com/advisories/42243
Vendor Advisory
http://secunia.com/advisories/42336
http://secunia.com/advisories/42352
http://secunia.com/advisories/44269
http://securitytracker.com/id?1024743
Patch
http://www.adobe.com/support/security/bulletins/apsb11-11.html
http://www.debian.org/security/2010/dsa-2125
http://www.kb.cert.org/vuls/id/737740
US Government Resource
http://www.vupen.com/english/advisories/2010/3041
http://www.vupen.com/english/advisories/2010/3121
https://bugzilla.redhat.com/show_bug.cgi?id=649304
Patch
https://rhn.redhat.com/errata/RHSA-2010-0888.html