If PSK identity hints are received by a multi-threaded client then the values are wrongly updated in the parent SSL_CTX structure. This can result in a race condition potentially leading to a double free of the identify hint data.

Found by Stephen Henson (OpenSSL).

Affected configurations

Vulners

Node

opensslopensslRange1.0.2–1.0.2d

opensslopensslRange1.0.1–1.0.1p

opensslopensslRange1.0.0–1.0.0t

VendorProductVersionCPE
opensslopenssl*cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
openssl	openssl	*	cpe:2.3:a:openssl:openssl::::::::

f5 3

openvas 22

nvd 1

veracode 1

debiancve 1

cvelist 1

prion 1

ubuntucve 1

nessus 28

cve 1

ibm 56

centos 1

debian 2

freebsd_advisory 1

osv 2

fedora 1

redhat 2

amazon 1

aix 1

altlinux 4

mageia 1

archlinux 1

cisco 1

fortinet 1

ubuntu 1

symantec 1

freebsd 1

slackware 1

nodejsblog 1

gentoo 1

oraclelinux 8

suse 1

packetstorm 1

ics 1

oracle 2

K55540723 : OpenSSL vulnerability CVE-2015-3196

2015-12-04 00:00:00

SOL55540723 - OpenSSL vulnerability CVE-2015-3196

2015-12-04 00:00:00

SOL90542710 - OpenSSL vulnerabilities CVE-2015-3193, CVE-2015-3194, CVE-2015-3195, CVE-2015-3196, and CVE-2015-1794

2015-12-03 00:00:00

openvas

OpenSSL DoS Vulnerability (20151203) - Windows

2016-01-11 00:00:00

OpenSSL DoS Vulnerability (20151203) - Linux

2016-01-11 00:00:00

RedHat Update for openssl RHSA-2015:2617-01

2015-12-15 00:00:00

nvd

CVE-2015-3196

2015-12-06 20:59:06

veracode

Denial Of Service (DoS)

2017-02-10 01:05:59

debiancve

CVE-2015-3196

2015-12-06 20:59:06

cvelist

CVE-2015-3196

2015-12-06 00:00:00

prion

Race condition

2015-12-06 20:59:00

ubuntucve

CVE-2015-3196

2015-12-03 00:00:00

nessus

F5 Networks BIG-IP : OpenSSL vulnerability (K55540723)

2015-12-17 00:00:00

OpenSSL 1.0.0 < 1.0.0t Multiple Vulnerabilities

2015-12-07 00:00:00

OpenSSL 1.0.1 < 1.0.1p Multiple Vulnerabilities

2015-07-09 00:00:00

cve

CVE-2015-3196

2015-12-06 20:59:06

ibm

Security Bulletin: Vulnerability in OpenSSL affects Sterling Connect:Enterprise for UNIX (CVE-2016-0800).

2019-12-18 01:14:08

Security Bulletin: : Vulnerabilities in OpenSSL affect IBM Security Guardium (CVE-2015-3194, CVE-2015-3195, CVE-2015-3196)

2018-06-16 21:40:08

Security Bulletin: Vulnerabilities in OpenSSL affect IBM MessageSight (CVE-2015-3194, CVE-2015-3195, CVE-2015-3196)

2018-06-17 15:15:57

centos

openssl security update

2015-12-14 11:00:46

debian

[SECURITY] [DSA 3413-1] openssl security update

2015-12-04 07:43:46

[SECURITY] [DSA 3413-1] openssl security update

2015-12-04 07:43:46

freebsd_advisory

FreeBSD-SA-15:26.openssl

2015-12-06 00:00:00

osv

openssl - security update

2015-12-04 00:00:00

libopenssl-1_1-devel-1.1.1l-1.2 on GA media

2024-06-15 00:00:00

fedora

[SECURITY] Fedora 22 Update: openssl-1.0.1k-13.fc22

2015-12-14 11:54:41

redhat

(RHSA-2015:2617) Moderate: openssl security update

2015-12-14 00:00:00

(RHSA-2016:2957) Important: Red Hat JBoss Core Services Apache HTTP 2.4.23 Release

2016-12-15 22:02:12

amazon

Medium: openssl

2015-12-14 10:00:00

aix

Vulnerabilities in OpenSSL impact AIX

2016-01-18 10:47:32

altlinux

Security fix for the ALT Linux 8 package openssl10 version 1.0.1q-alt1

2015-12-17 00:00:00

Security fix for the ALT Linux 7 package openssl10 version 1.0.1q-alt1

2015-12-17 00:00:00

Security fix for the ALT Linux 9 package openssl10 version 1.0.1q-alt1

2015-12-17 00:00:00

mageia

Updated openssl packages fix security vulnerability

2015-12-05 13:03:58

archlinux

openssl lib32-openssl: multiple issues

2015-12-05 00:00:00

cisco

Multiple Vulnerabilities in OpenSSL (December 2015) Affecting Cisco Products

2015-12-04 17:38:00

fortinet

OpenSSL Advisory - December 2015

2015-12-10 00:00:00

ubuntu

OpenSSL vulnerabilities

2015-12-07 00:00:00

symantec

SA105 : OpenSSL Vulnerabilities 3-Dec-2015

2015-12-10 08:00:00

freebsd

openssl -- multiple vulnerabilities

2015-12-03 00:00:00

slackware

[slackware-security] openssl

2015-12-16 06:25:41

nodejsblog

December Security Release Summary

2015-12-04 00:00:00

gentoo

OpenSSL: Multiple vulnerabilities

2016-01-29 00:00:00

oraclelinux

openssl security update

2016-03-01 00:00:00

openssl security update

2016-05-12 00:00:00

openssl security update

2016-05-09 00:00:00

suse

Security update for sles12-docker-image (important)

2016-03-16 15:28:52

packetstorm

Orion Elite Hidden IP Browser Pro 7.9 OpenSSL / Tor / Man-In-The-Middle

2017-07-14 00:00:00

ics

Siemens SCALANCE X-200RNA Switch Devices

2022-12-19 12:00:00

oracle

Oracle Critical Patch Update Advisory - April 2016

2016-04-19 00:00:00

Oracle Critical Patch Update - October 2017

2017-10-17 00:00:00

Solutions

Vulnerabilities intelligence
Perimeter control tool
Linux scanner
Windows scanner
Developers SDK
Security Intelligence feeds

Database

Vulnerabilities
Exploits
Security News
BugBounty
Wild Exploited
Top Vulnerabilities
CVE Feed

Resources

Statics & Sources
Plugins
API docs
FAQ
Blog
Glossary

Company

About
Contacts
Pricing
EULA
Privacy Policy
Submission Policy
OpenSource

@2024 Vulners Inc

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:N/I:N/A:P

AI Score

6.5

Confidence

High

EPSS

0.015

Percentile

86.8%

JSON

Related for OPENSSL:CVE-2015-3196