National Vulnerability Database

National Vulnerability Database

National Vulnerability
Database

CVE-2010-3864 Detail

Description

Multiple race conditions in ssl/t1_lib.c in OpenSSL 0.9.8f through 0.9.8o, 1.0.0, and 1.0.0a, when multi-threading and internal caching are enabled on a TLS server, might allow remote attackers to execute arbitrary code via client data that triggers a heap-based buffer overflow, related to (1) the TLS server name extension and (2) elliptic curve cryptography.

Source:  MITRE      Last Modified:  11/17/2010

Quick Info

CVE Dictionary Entry:
CVE-2010-3864
Original release date:
11/17/2010
Last revised:
08/22/2016
Source:
US-CERT/NIST

Impact

CVSS Severity (version 2.0):
CVSS v2 Base Score:
7.6 HIGH
Vector:
(AV:N/AC:H/Au:N/C:C/I:C/A:C) (legend)
Impact Subscore:
10.0
Exploitability Subscore:
4.9
CVSS Version 2 Metrics:
Access Vector:
Network exploitable
Access Complexity:
High
Authentication:
Not required to exploit
Impact Type:
Allows unauthorized disclosure of information; Allows unauthorized modification; Allows disruption of service

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to nvd@nist.gov.

Hyperlink Resource Type Source Name
http://blogs.sun.com/security/entry/cve_2010_3864_race_condition External Source CONFIRM http://blogs.sun.com/security/entry/cve_2010_3864_race_condition
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02794777 External Source HP SSRT100413
http://lists.apple.com/archives/security-announce/2011//Jun/msg00000.html External Source APPLE APPLE-SA-2011-06-23-1
http://lists.fedoraproject.org/pipermail/package-announce/2010-November/051170.html External Source FEDORA FEDORA-2010-17827
http://lists.fedoraproject.org/pipermail/package-announce/2010-November/051237.html External Source FEDORA FEDORA-2010-17847
http://lists.fedoraproject.org/pipermail/package-announce/2010-November/051255.html External Source FEDORA FEDORA-2010-17826
http://lists.opensuse.org/opensuse-security-announce/2010-11/msg00006.html External Source SUSE SUSE-SR:2010:022
http://marc.info/?l=bugtraq&m=129916880600544&w=2 External Source HP SSRT100339
http://marc.info/?l=bugtraq&m=130497251507577&w=2 External Source HP SSRT100475
http://marc.info/?l=bugtraq&m=132828103218869&w=2 External Source HP HPSBGN02740
http://openssl.org/news/secadv_20101116.txt Patch; Vendor Advisory External Source CONFIRM http://openssl.org/news/secadv_20101116.txt
http://security.FreeBSD.org/advisories/FreeBSD-SA-10:10.openssl.asc External Source FREEBSD FreeBSD-SA-10:10
http://securitytracker.com/id?1024743 Patch External Source SECTRACK 1024743
http://slackware.com/security/viewer.php?l=slackware-security&y=2010&m=slackware-security.668793 External Source SLACKWARE SSA:2010-326-01
http://support.apple.com/kb/HT4723 External Source CONFIRM http://support.apple.com/kb/HT4723
http://www.adobe.com/support/security/bulletins/apsb11-11.html External Source CONFIRM http://www.adobe.com/support/security/bulletins/apsb11-11.html
http://www.debian.org/security/2010/dsa-2125 External Source DEBIAN DSA-2125
http://www.kb.cert.org/vuls/id/737740 US Government Resource External Source CERT-VN VU#737740
http://www.securityfocus.com/archive/1/archive/1/516397/100/0/threaded External Source BUGTRAQ 20110211 VMSA-2011-0003 Third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX
http://www.vmware.com/security/advisories/VMSA-2011-0003.html External Source CONFIRM http://www.vmware.com/security/advisories/VMSA-2011-0003.html
http://www.vupen.com/english/advisories/2010/3041 External Source VUPEN ADV-2010-3041
http://www.vupen.com/english/advisories/2010/3077 External Source VUPEN ADV-2010-3077
http://www.vupen.com/english/advisories/2010/3097 External Source VUPEN ADV-2010-3097
http://www.vupen.com/english/advisories/2010/3121 External Source VUPEN ADV-2010-3121
http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004564 External Source CONFIRM http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004564
https://bugzilla.redhat.com/show_bug.cgi?id=649304 Patch External Source CONFIRM https://bugzilla.redhat.com/show_bug.cgi?id=649304
https://lists.balabit.com/pipermail/syslog-ng-announce/2011-January/000101.html External Source MLIST [syslog-ng-announce] 20110110 syslog-ng Premium Edition 3.0.6a has been released
https://lists.balabit.com/pipermail/syslog-ng-announce/2011-January/000102.html External Source MLIST [syslog-ng-announce] 20110110 syslog-ng Premium Edition 3.2.1a has been released
https://rhn.redhat.com/errata/RHSA-2010-0888.html External Source REDHAT RHSA-2010:0888

Technical Details

Vulnerability Type (View All)

Change History 3 change records found - show changes