CVE-2015-3216: Race Condition in OpenSSL

Severity: 4.3 MEDIUM (NVD)
EPSS: 1.6% (top 18.49%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jul 7; Latest update May 14

Description

Race condition in a certain Red Hat patch to the PRNG lock implementation in the ssleay_rand_bytes function in OpenSSL, as distributed in openssl-1.0.1e-25.el7 in Red Hat Enterprise Linux (RHEL) 7 and other products, allows remote attackers to cause a denial of service (application crash) by establishing many TLS sessions to a multithreaded server, leading to use of a negative value for a certain length field.

CVSS vector

AV:N/AC:M/Au:N/C:N/I:N/A:P (CVSS v2; Exploitability: 8.6 | Impact: 2.9)

Affected Packages (2)

NVD: openssl/openssl 1.0.1e-25.el7

Also affects: Enterprise Linux 7.0
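The quickest practical check on a Red Hat-family host is to compare the installed openssl build with the build named in the description. The script below is an added example, not code from cvebase or Red Hat; it re-implements rpm's version ordering (rpmvercmp) so it runs without rpmdev-vercmp, and assumes `rpm -q openssl` is available. Two caveats a practitioner should keep in mind: the regression was introduced by a Red Hat patch, so a build older than 1.0.1e-25.el7 is flagged here only as "at or below" and may predate the patch, and this page does not name the fixed build, so a newer result must still be checked against the Red Hat advisory.

```python
"""Compare the installed openssl RPM build with the build named in CVE-2015-3216.

Added example (not cvebase's or Red Hat's code). Assumes an RPM-based host;
AFFECTED_NVR is the build quoted in the CVE description above.
"""
import re
import subprocess

# Build named as affected in the CVE description (RHEL 7).
AFFECTED_NVR = "openssl-1.0.1e-25.el7"


def _segments(s):
    """Split a version or release string into rpm-style segments.

    Separators are dropped; digit runs and letter runs become separate
    segments; '~' is kept as a marker because rpm sorts it before anything.
    """
    return re.findall(r"~|[0-9]+|[A-Za-z]+", s)


def rpmvercmp(a, b):
    """Order two version or release strings the way rpm's rpmvercmp() does.

    Returns -1 if a is older, 0 if equal, 1 if a is newer.
    """
    sa, sb = _segments(a), _segments(b)
    i = 0
    while i < len(sa) or i < len(sb):
        ta = sa[i] if i < len(sa) else None
        tb = sb[i] if i < len(sb) else None
        # Tilde: the side carrying it is older, even against end-of-string.
        if ta == "~" and tb == "~":
            i += 1
            continue
        if ta == "~":
            return -1
        if tb == "~":
            return 1
        # The side with segments left over is newer.
        if ta is None:
            return -1
        if tb is None:
            return 1
        if ta.isdigit() and tb.isdigit():
            # Numeric: drop leading zeros, longer is larger, then lexical.
            ta, tb = ta.lstrip("0"), tb.lstrip("0")
            if len(ta) != len(tb):
                return 1 if len(ta) > len(tb) else -1
            if ta != tb:
                return 1 if ta > tb else -1
        elif ta.isdigit():
            return 1  # a numeric segment beats an alphabetic one
        elif tb.isdigit():
            return -1
        elif ta != tb:
            return 1 if ta > tb else -1
        i += 1
    return 0


def split_nvr(nvr):
    """Split 'name-version-release[.arch]' as printed by `rpm -q` into parts.

    Arch is stripped when present. Epoch is not printed by plain `rpm -q`
    and is the same for both builds of one package, so it is ignored here.
    """
    nvr = re.sub(r"\.(x86_64|i686|aarch64|ppc64le|s390x|noarch)$", "", nvr.strip())
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release


def compare_nvr(a, b):
    """Order two NVRs of the same package: version first, then release."""
    _, va, ra = split_nvr(a)
    _, vb, rb = split_nvr(b)
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def at_or_below_affected(installed_nvr, affected_nvr=AFFECTED_NVR):
    """True when the installed build is the affected build or an older one."""
    return compare_nvr(installed_nvr, affected_nvr) <= 0


def installed_openssl_nvrs():
    """Query rpm for installed openssl builds (one per arch); [] if rpm fails."""
    try:
        out = subprocess.run(
            ["rpm", "-q", "--qf", "%{NAME}-%{VERSION}-%{RELEASE}\n", "openssl"],
            capture_output=True, text=True, check=True,
        ).stdout
    except (OSError, subprocess.CalledProcessError):
        return []
    return [line for line in out.splitlines() if line.strip()]


if __name__ == "__main__":
    builds = installed_openssl_nvrs()
    if not builds:
        print("rpm query failed: not an RPM host, or openssl is not installed")
    for nvr in builds:
        if at_or_below_affected(nvr):
            print(f"{nvr}: at or below {AFFECTED_NVR}; compare with the Red Hat advisory")
        else:
            print(f"{nvr}: newer than {AFFECTED_NVR}; confirm it carries the Red Hat fix")
```

Run it as root or any user (rpm -q needs no privileges). Multilib hosts return one line per architecture, so each build is reported separately.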

Vulnerability Details (1)

GHSA: GHSA-3522-gq68-vxp6: Race condition in a certain Red Hat patch to the PRNG lock implementation in the ssleay_rand_bytes function in OpenSSL, as distributed in openssl-1... (2022-05-14)

Vendor Advisories (2)

Red Hat: openssl: Crash in ssleay_rand_bytes due to locking regression (2015-05-28)
Debian: CVE-2015-3216: openssl - Race condition in a certain Red Hat patch to the PRNG lock implementation in the... (2015)

Community (2)

Bugzilla: CVE-2015-3216 CVE-2015-1789 CVE-2015-1790 CVE-2015-1792 CVE-2015-1791 CVE-2014-8176: OpenSSL multiple security issues [fedora-all] (2015-06-12)
Bugzilla: CVE-2015-3216 openssl: Crash in ssleay_rand_bytes due to locking regression (2015-06-03)
CVE-2015-3216: Race Condition in OpenSSL | cvebase