CVE-2010-3864

Summary

CVE	CVE-2010-3864
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2010-11-17 16:00:00 UTC
Updated	2023-02-13 04:27:00 UTC
Description	Multiple race conditions in ssl/t1_lib.c in OpenSSL 0.9.8f through 0.9.8o, 1.0.0, and 1.0.0a, when multi-threading and internal caching are enabled on a TLS server, might allow remote attackers to execute arbitrary code via client data that triggers a heap-based buffer overflow, related to (1) the TLS server name extension and (2) elliptic curve cryptography.

Risk And Classification

Problem Types: CWE-362

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Application	Openssl	Openssl	0.9.8f	All	All	All
Application	Openssl	Openssl	0.9.8g	All	All	All
Application	Openssl	Openssl	0.9.8h	All	All	All
Application	Openssl	Openssl	0.9.8i	All	All	All
Application	Openssl	Openssl	0.9.8j	All	All	All
Application	Openssl	Openssl	0.9.8k	All	All	All
Application	Openssl	Openssl	0.9.8l	All	All	All
Application	Openssl	Openssl	0.9.8m	All	All	All
Application	Openssl	Openssl	0.9.8n	All	All	All
Application	Openssl	Openssl	0.9.8o	All	All	All
Application	Openssl	Openssl	1.0.0	All	All	All
Application	Openssl	Openssl	1.0.0a	All	All	All
Application	Openssl	Openssl	0.9.8f	All	All	All
Application	Openssl	Openssl	0.9.8g	All	All	All
Application	Openssl	Openssl	0.9.8h	All	All	All
Application	Openssl	Openssl	0.9.8i	All	All	All
Application	Openssl	Openssl	0.9.8j	All	All	All
Application	Openssl	Openssl	0.9.8k	All	All	All
Application	Openssl	Openssl	0.9.8l	All	All	All
Application	Openssl	Openssl	0.9.8m	All	All	All
Application	Openssl	Openssl	0.9.8n	All	All	All
Application	Openssl	Openssl	0.9.8o	All	All	All
Application	Openssl	Openssl	1.0.0	All	All	All
Application	Openssl	Openssl	1.0.0a	All	All	All

References

Reference	Source	Link	Tags
Security Advisory SA57353 - IBM Storage System DS8870 OpenSSL Multiple Vulnerabilities - Secunia	SECUNIA	secunia.com
APPLE-SA-2011-06-23-1 Mac OS X v10.6.8 and Security Update 2011-004	APPLE	lists.apple.com
IBM Security Bulletin: Storage HMC OpenSSL upgrade to address cryptographic vulnerabilities. - United States	CONFIRM	www-01.ibm.com
HPSBMA02658	HP	h20000.www2.hp.com
HP Insight Control for Linux Multiple Vulnerabilities - Secunia.com	SECUNIA	secunia.com
[syslog-ng-announce] syslog-ng Premium Edition 3.2.1a has been released	MLIST	lists.balabit.com
Debian update for openssl - Advisories - Community	SECUNIA	secunia.com
Webmail : Solution de messagerie professionnelle - OVHcloud- OVH	VUPEN	www.vupen.com
Red Hat Customer Portal	MISC	access.redhat.com
access.redhat.com \| CVE-2010-3864	MISC	access.redhat.com
Debian -- Security Information -- DSA-2125-1 openssl	DEBIAN	www.debian.org
SecurityFocus	BUGTRAQ	www.securityfocus.com
VMware ESX Server / ESXi OpenSSL Vulnerabilities - Secunia.com	SECUNIA	secunia.com
Slackware update for openssl - Secunia.com	SECUNIA	secunia.com
VMSA-2011-0003	CONFIRM	www.vmware.com
rhn.redhat.com \| Red Hat Support	REDHAT	rhn.redhat.com
[SECURITY] Fedora 12 Update: openssl-1.0.0b-1.fc12	FEDORA	lists.fedoraproject.org
FreeBSD-SA-10:10	FREEBSD	security.FreeBSD.org
OpenSSL TLS Server Extension Parsing Race Condition Vulnerability - Advisories - Community	SECUNIA	secunia.com	Vendor Advisory
About the security content of Mac OS X v10.6.8 and Security Update 2011-004 - Apple Support	CONFIRM	support.apple.com
[SECURITY] Fedora 13 Update: openssl-1.0.0b-1.fc13	FEDORA	lists.fedoraproject.org
Adobe - Security Bulletins: APSB11-11 - Security update available for Adobe Flash Media Server	CONFIRM	www.adobe.com
404 Not Found	CONFIRM	blogs.sun.com
'[security bulletin] HPSBUX02638 SSRT100339 rev.1 - HP-UX Running OpenSSL, Remote Execution of Arbitr' - MARC	HP	marc.info
Bug 649304 – CVE-2010-3864 OpenSSL TLS extension parsing race condition	CONFIRM	bugzilla.redhat.com	Patch
SecurityTracker.com Archives - OpenSSL Buffer Overflow in TLS Server Extension Parsing May Let Remote Users Execute Arbitrary Code	SECTRACK	securitytracker.com	Patch
Ubuntu update for openssl - Advisories - Community	SECUNIA	secunia.com
Security Alerts - Secunia	SECUNIA	secunia.com
openssl.org/news/secadv_20101116.txt	CONFIRM	openssl.org	Patch, Vendor Advisory
SUSE Update for Multiple Packages - Secunia.com	SECUNIA	secunia.com
The Slackware Linux Project: Slackware Security Advisories	SLACKWARE	slackware.com
'[security bulletin] HPSBGN02740 SSRT100741 rev.1 - HP Operations Manager, Operations Agent, Performa' - MARC	HP	marc.info
[SECURITY] Fedora 14 Update: openssl-1.0.0b-1.fc14	FEDORA	lists.fedoraproject.org
[syslog-ng-announce] syslog-ng Premium Edition 3.0.6a has been released	MLIST	lists.balabit.com
FreeBSD update for openssl - Secunia.com	SECUNIA	secunia.com
Webmail : Solution de messagerie professionnelle - OVHcloud- OVH	VUPEN	www.vupen.com
[security-announce] SUSE Security Summary Report: SUSE-SR:2010:022	SUSE	lists.opensuse.org
'[security bulletin] HPSBOV02670 SSRT100475 rev.1 - HP OpenVMS running SSL, Remote Denial of Service' - MARC	HP	marc.info
Vulnerability Note VU#737740 - Fiery Network Controllers for Xerox DocuColor 242/252/260 Printer/Copier use a vulnerable version of OpenSSL	CERT-VN	www.kb.cert.org	US Government Resource
Webmail : Solution de messagerie professionnelle - OVHcloud- OVH	VUPEN	www.vupen.com
Webmail : Solution de messagerie professionnelle - OVHcloud- OVH	VUPEN	www.vupen.com
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

Legacy QID Mappings

390284 Oracle Managed Virtualization (VM) Server for x86 Security Update for Open Secure Sockets Layer (OpenSSL) (OVMSA-2023-0013)