First published: Tue Sep 06 2011(Updated: )
From the upstream advisory [1]: OpenSSL server code for ephemeral ECDH ciphersuites is not thread-safe, and furthermore can crash if a client violates the protocol by sending handshake messages in incorrect order. (<a href="https://access.redhat.com/security/cve/CVE-2011-3210">CVE-2011-3210</a>) This issue applies to OpenSSL 0.9.8 through 0.9.8s (experimental "ECCdraft" ciphersuites) and to OpenSSL 1.0.0 through 1.0.0d. Affected users of OpenSSL should update to the OpenSSL 1.0.0e release, which contains a patch to correct this issue. If you cannot immediately upgrade, we recommend that you disable ephemeral ECDH ciphersuites if you have enabled them. Thanks to Adam Langley <agl> for identifying and fixing this issue. Only server-side applications that specifically support ephemeral ECDH ciphersuites are affected by the ephemeral ECDH crash bug and only if ephemeral ECDH ciphersuites are enabled in the configuration. You can check to see if application supports ephemeral ECDH ciphersuites by looking for SSL_CTX_set_tmp_ecdh, SSL_set_tmp_ecdh, SSL_CTRL_SET_TMP_ECDH, SSL_CTX_set_tmp_ecdh_callback, SSL_set_tmp_ecdh_callback, SSL_CTRL_SET_TMP_ECDH_CB in the source code. [1] <a href="http://www.openssl.org/news/secadv_20110906.txt">http://www.openssl.org/news/secadv_20110906.txt</a> Statement: Not vulnerable. This issue did not affect the versions of openssl as shipped with Red Hat Enterprise Linux 3, 4, 5, or 6, as they do not include the support for the elliptic curve cryptography.
Credit: secalert@redhat.com
Affected Software | Affected Version | How to fix |
---|---|---|
OpenSSL OpenSSL | =0.9.8b | |
OpenSSL OpenSSL | =0.9.8m | |
OpenSSL OpenSSL | =0.9.8c | |
OpenSSL OpenSSL | =0.9.8n | |
OpenSSL OpenSSL | =0.9.8p | |
OpenSSL OpenSSL | =0.9.8e | |
OpenSSL OpenSSL | =0.9.8g | |
OpenSSL OpenSSL | =0.9.8k | |
OpenSSL OpenSSL | =0.9.8d | |
OpenSSL OpenSSL | =0.9.8j | |
OpenSSL OpenSSL | =0.9.8s | |
OpenSSL OpenSSL | =0.9.8l | |
OpenSSL OpenSSL | =0.9.8r | |
OpenSSL OpenSSL | =0.9.8a | |
OpenSSL OpenSSL | =0.9.8o | |
OpenSSL OpenSSL | =0.9.8q | |
OpenSSL OpenSSL | =0.9.8 | |
OpenSSL OpenSSL | =0.9.8i | |
OpenSSL OpenSSL | =0.9.8f | |
OpenSSL OpenSSL | =0.9.8h | |
OpenSSL OpenSSL | =1.0.0c | |
OpenSSL OpenSSL | =1.0.0-beta1 | |
OpenSSL OpenSSL | =1.0.0-beta2 | |
OpenSSL OpenSSL | =1.0.0-beta3 | |
OpenSSL OpenSSL | =1.0.0d | |
OpenSSL OpenSSL | =1.0.0-beta4 | |
OpenSSL OpenSSL | =1.0.0 | |
OpenSSL OpenSSL | =1.0.0-beta5 | |
OpenSSL OpenSSL | =1.0.0a | |
OpenSSL OpenSSL | =1.0.0b |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.