OpenSSL CVE-2015-0207 Vulnerability

Description

Severity: Moderate

The DTLSv1_listen function is intended to be stateless and processes the initial ClientHello from many peers. It is common for user code to loop over the call to DTLSv1_listen until a valid ClientHello is received with an associated cookie. A defect in the implementation of DTLSv1_listen means that state is preserved in the SSL object from one invocation to the next that can lead to a segmentation fault. Errors processing the initial ClientHello can trigger this scenario. An example of such an error could be that a DTLS1.0 only client is attempting to connect to a DTLS1.2 only server.

This issue affects OpenSSL version: 1.0.2

OpenSSL 1.0.2 DTLS users should upgrade to 1.0.2a.

This issue was reported to OpenSSL on 27th January 2015 by Per Allansson. The fix was developed by Matt Caswell of the OpenSSL development team.
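To triage hosts against the affected and fixed versions stated above, the following added example (not part of the original advisory) classifies the banner printed by `openssl version`. The names `parse_banner` and `classify` are hypothetical and the sample banners are constructed. It assumes that a `-fips` build of the 1.0.2 release counts as affected, and it does not classify pre-release builds because the advisory does not mention them.

```python
import re

# Per the advisory: affects OpenSSL 1.0.2, fixed in 1.0.2a.
AFFECTED_BASE = (1, 0, 2)

# Matches e.g. "OpenSSL 1.0.2", "OpenSSL 1.0.2a", "OpenSSL 1.0.2k-fips".
_BANNER = re.compile(r"^OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]{0,2})(?:-(\S+))?")


def parse_banner(banner):
    """Return ((major, minor, fix), letter, tag), or None if not an OpenSSL banner."""
    m = _BANNER.match(banner.strip())
    if not m:
        return None
    base = tuple(int(x) for x in m.group(1, 2, 3))
    return base, m.group(4), m.group(5) or ""


def classify(banner):
    """Classify one banner as 'affected', 'fixed', 'not-listed' or 'unknown'."""
    parsed = parse_banner(banner)
    if parsed is None:
        return "unknown"          # not an OpenSSL banner (e.g. another TLS library)
    base, letter, tag = parsed
    if base != AFFECTED_BASE:
        return "not-listed"       # advisory lists only the 1.0.2 release
    if letter:
        return "fixed"            # 1.0.2a or any later letter release
    if tag.startswith(("beta", "pre", "dev")):
        return "not-listed"       # pre-release: the advisory does not say
    return "affected"             # plain 1.0.2 (assumption: includes 1.0.2-fips)


if __name__ == "__main__":
    # Constructed sample banners, one per host.
    samples = [
        "OpenSSL 1.0.2 22 Jan 2015",
        "OpenSSL 1.0.2a 19 Mar 2015",
        "OpenSSL 1.0.2-fips 22 Jan 2015",
        "OpenSSL 1.0.1k 8 Jan 2015",
    ]
    for banner in samples:
        print(f"{classify(banner):<11} {banner}")
```

A result of `affected` only matters for applications that use DTLS, and distribution packages may backport the fix without changing the banner, so confirm against the package changelog.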

Affected Applications

OpenSSL

CVE References

CVE-2015-0207