Rapid7 Vulnerability & Exploit Database

RHSA-2010:0888: openssl security update

Severity: 8
CVSS: (AV:N/AC:H/Au:N/C:C/I:C/A:C)
Published: 11/17/2010
Created: 07/25/2018
Added: 01/04/2011
Modified: 07/04/2017

Description

OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols, as well as a full-strength, general purpose cryptography library.

A race condition flaw has been found in the OpenSSL TLS server extension parsing code, which could affect some multithreaded OpenSSL applications. Under certain specific conditions, it may be possible for a remote attacker to trigger this race condition and cause such an application to crash, or possibly execute arbitrary code with the permissions of the application. (CVE-2010-3864)

Note that this issue does not affect the Apache HTTP Server. Refer to Red Hat Bugzilla bug 649304 for more technical details on how to determine if your application is affected.

Red Hat would like to thank Rob Hulswit for reporting this issue.

All OpenSSL users should upgrade to these updated packages, which contain a backported patch to resolve this issue. For the update to take effect, all services linked to the OpenSSL library must be restarted, or the system rebooted.

Solution(s)

  • redhat-upgrade-openssl
  • redhat-upgrade-openssl-debuginfo
  • redhat-upgrade-openssl-devel
  • redhat-upgrade-openssl-perl
  • redhat-upgrade-openssl-static
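
The description's restart requirement can be verified after the upgrade: a process that was not restarted still maps the old library file, which `/proc/<pid>/maps` marks as `(deleted)`. The script below is an added example, not part of the Red Hat or Rapid7 text; the function names and the sample maps lines are constructed for illustration, and it assumes a Linux `/proc` filesystem.

```shell
#!/bin/sh
# Added example (not from the advisory): find processes that still map an
# OpenSSL library file replaced on disk, i.e. services not yet restarted.

# Read /proc/<pid>/maps-format text on stdin; print each distinct
# libssl/libcrypto path whose backing file is marked "(deleted)".
stale_openssl_maps() {
    awk '$NF == "(deleted)" && $(NF-1) ~ /\/lib(ssl|crypto)\.so/ { print $(NF-1) }' |
        sort -u
}

# Walk a proc root (default /proc); print "<pid> <stale libs>" for each
# affected process. Unreadable or vanished entries are skipped.
scan_procs() {
    root=${1:-/proc}
    for maps in "$root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        libs=$(stale_openssl_maps 2>/dev/null < "$maps" | paste -s -d ' ' -) || continue
        pid=${maps%/maps}
        if [ -n "$libs" ]; then printf '%s %s\n' "${pid##*/}" "$libs"; fi
    done
    return 0
}

# Constructed sample of one process's maps file after the package upgrade
# (addresses, inode numbers and file names are made up).
sample_maps() {
    cat <<'EOF'
00400000-00452000 r-xp 00000000 fd:00 1311 /usr/sbin/exampled
3a1c000000-3a1c046000 r-xp 00000000 fd:00 2201 /lib64/libssl.so.EXAMPLE (deleted)
3a1c246000-3a1c24c000 rw-p 00046000 fd:00 2201 /lib64/libssl.so.EXAMPLE (deleted)
3a1b000000-3a1b12d000 r-xp 00000000 fd:00 2202 /lib64/libcrypto.so.EXAMPLE (deleted)
3a19000000-3a1914e000 r-xp 00000000 fd:00 2203 /lib64/libc.so.EXAMPLE
7f2a10000000-7f2a10001000 rw-s 00000000 fd:00 2290 /tmp/exampled.scratch (deleted)
7fff5a000000-7fff5a021000 rw-p 00000000 00:00 0 [stack]
EOF
}

# Scan the live system (or the proc root given as the first argument).
scan_procs "$@"
```

Run it as root so every process's maps file is readable; each PID printed belongs to a service that still needs a restart.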
