CVE-2015-3196

Published: Dec 6, 2015Modified: May 6, 2026

4.3

Vector

AV:N/AC:M/Au:N/C:N/I:N/A:P

Exploitability: 8.6 / Impact: 2.9

Source: NVD

Description

ssl/s3_clnt.c in OpenSSL 1.0.0 before 1.0.0t, 1.0.1 before 1.0.1p, and 1.0.2 before 1.0.2d, when used for a multi-threaded client, writes the PSK identity hint to an incorrect data structure, which allows remote servers to cause a denial of service (race condition and double free) via a crafted ServerKeyExchange message.

Affected (65)

Products: Hp: Icewall Sso, Icewall Sso Agent Option · Openssl: Openssl · Oracle: Vm Virtualbox · +4 more

Show all products

2 products

Icewall Sso

Icewall Sso Agent Option

1 product

1 product

1 product

6 products

Enterprise Linux Desktop

Enterprise Linux Server

Enterprise Linux Server Aus

Enterprise Linux Server Eus

Enterprise Linux Server Tus

Enterprise Linux Workstation

1 product

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Hp Icewall Sso	Version 10.0
Hp Icewall Sso Agent Option	Version 10.0

Configuration B

36 vulnerable

Vulnerable Software	Affected Versions
Openssl Openssl	Version 1.0.0
Openssl Openssl	Version 1.0.0a
Openssl Openssl	Version 1.0.0b
Openssl Openssl	Version 1.0.0c
Openssl Openssl	Version 1.0.0d
Openssl Openssl	Version 1.0.0e
Openssl Openssl	Version 1.0.0f
Openssl Openssl	Version 1.0.0g
Openssl Openssl	Version 1.0.0h
Openssl Openssl	Version 1.0.0i
Openssl Openssl	Version 1.0.0j
Openssl Openssl	Version 1.0.0k
Openssl Openssl	Version 1.0.0l
Openssl Openssl	Version 1.0.0m
Openssl Openssl	Version 1.0.0n
Openssl Openssl	Version 1.0.0o
Openssl Openssl	Version 1.0.0p
Openssl Openssl	Version 1.0.0q
Openssl Openssl	Version 1.0.0r
Openssl Openssl	Version 1.0.0s
Openssl Openssl	Version 1.0.1
Openssl Openssl	Version 1.0.1a
Openssl Openssl	Version 1.0.1b
Openssl Openssl	Version 1.0.1c
Openssl Openssl	Version 1.0.1d
Openssl Openssl	Version 1.0.1e
Openssl Openssl	Version 1.0.1f
Openssl Openssl	Version 1.0.1g
Openssl Openssl	Version 1.0.1h
Openssl Openssl	Version 1.0.1i
Openssl Openssl	Version 1.0.1j
Openssl Openssl	Version 1.0.1k
Openssl Openssl	Version 1.0.1l
Openssl Openssl	Version 1.0.1m
Openssl Openssl	Version 1.0.1n
Openssl Openssl	Version 1.0.1o

Configuration C

2 vulnerable

Vulnerable Software	Affected Versions
Oracle Vm Virtualbox	From 4.3.0 to 4.3.35
Oracle Vm Virtualbox	From 5.0.0 to 5.0.13

Configuration D

19 vulnerable

Vulnerable Software	Affected Versions
Fedoraproject Fedora	Version 22
Redhat Enterprise Linux Desktop	Version 6.0
Redhat Enterprise Linux Desktop	Version 7.0
Redhat Enterprise Linux Server	Version 6.0
Redhat Enterprise Linux Server	Version 7.0
Redhat Enterprise Linux Server Aus	Version 7.2
Redhat Enterprise Linux Server Aus	Version 7.3
Redhat Enterprise Linux Server Aus	Version 7.4
Redhat Enterprise Linux Server Eus	Version 6.7
Redhat Enterprise Linux Server Eus	Version 7.2
Redhat Enterprise Linux Server Eus	Version 7.3
Redhat Enterprise Linux Server Eus	Version 7.4
Redhat Enterprise Linux Server Eus	Version 7.5
Redhat Enterprise Linux Server Eus	Version 7.6
Redhat Enterprise Linux Server Tus	Version 7.2
Redhat Enterprise Linux Server Tus	Version 7.3
Redhat Enterprise Linux Server Tus	Version 7.6
Redhat Enterprise Linux Workstation	Version 6.0
Redhat Enterprise Linux Workstation	Version 7.0

Configuration E

6 vulnerable

Vulnerable Software	Affected Versions
Canonical Ubuntu Linux	Version 12.04
Canonical Ubuntu Linux	Version 14.04
Canonical Ubuntu Linux	Version 15.04
Canonical Ubuntu Linux	Version 15.10
Debian Debian Linux	Version 7.0
Debian Debian Linux	Version 8.0

Related CWEs

CWE-362

Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

The product contains a code sequence that can run concurrently with other code, and the code sequence requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence that is operating concurrently.

References (52)

http://fortiguard.com/advisory/openssl-advisory-december-2015

Source: secalert@redhat.com

Third Party Advisory

http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10759

Source: secalert@redhat.com

Third Party Advisory

http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10761

Source: secalert@redhat.com

Third Party Advisory

http://lists.fedoraproject.org/pipermail/package-announce/2015-December/173801.html

Source: secalert@redhat.com

Mailing ListThird Party Advisory

http://lists.opensuse.org/opensuse-updates/2015-12/msg00070.html

Source: secalert@redhat.com

Mailing ListThird Party Advisory

http://lists.opensuse.org/opensuse-updates/2015-12/msg00071.html

Source: secalert@redhat.com

Mailing ListThird Party Advisory

http://marc.info/?l=bugtraq&m=145382583417444&w=2

Source: secalert@redhat.com

Mailing ListThird Party Advisory

http://openssl.org/news/secadv/20151203.txt

Source: secalert@redhat.com

Vendor Advisory

http://rhn.redhat.com/errata/RHSA-2015-2617.html

Source: secalert@redhat.com

Third Party Advisory

http://rhn.redhat.com/errata/RHSA-2016-2957.html

Source: secalert@redhat.com

Third Party Advisory

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151204-openssl

Source: secalert@redhat.com

Third Party Advisory

http://www.debian.org/security/2015/dsa-3413

Source: secalert@redhat.com

Third Party Advisory

http://www.fortiguard.com/advisory/openssl-advisory-december-2015

Source: secalert@redhat.com

Third Party Advisory

http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html

Source: secalert@redhat.com

PatchThird Party Advisory

http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html

Source: secalert@redhat.com

PatchThird Party Advisory

http://www.oracle.com/technetwork/topics/security/bulletinjan2016-2867206.html

Source: secalert@redhat.com

Third Party Advisory

http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html

Source: secalert@redhat.com

Third Party Advisory

http://www.securityfocus.com/bid/78622

Source: secalert@redhat.com

Third Party AdvisoryVDB Entry

http://www.securitytracker.com/id/1034294

Source: secalert@redhat.com

Third Party AdvisoryVDB Entry

http://www.slackware.com/security/viewer.php?l=slackware-security&y=2015&m=slackware-security.754583

Source: secalert@redhat.com

Third Party Advisory

http://www.ubuntu.com/usn/USN-2830-1

Source: secalert@redhat.com

Third Party Advisory

https://cert-portal.siemens.com/productcert/pdf/ssa-412672.pdf

Source: secalert@redhat.com

https://git.openssl.org/?p=openssl.git%3Ba=commit%3Bh=3c66a669dfc7b3792f7af0758ea26fe8502ce70c

Source: secalert@redhat.com

https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04944173

Source: secalert@redhat.com

Third Party Advisory

https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05398322

Source: secalert@redhat.com

Third Party Advisory

https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA40100

Source: secalert@redhat.com

Third Party Advisory

http://fortiguard.com/advisory/openssl-advisory-december-2015