CVSS2: 7.6 High
Access Vector: NETWORK
Access Complexity: HIGH
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
CVSS2 vector: AV:N/AC:H/Au:N/C:C/I:C/A:C
EPSS: 0.335 Low
Percentile: 97.0%
OpenSSL Team reports:

Rob Hulswit has found a flaw in the OpenSSL TLS server extension
code parsing which on affected servers can be exploited in a buffer
overrun attack.

Any OpenSSL based TLS server is vulnerable if it is multi-threaded
and uses OpenSSL’s internal caching mechanism. Servers that are
multi-process and/or disable internal session caching are NOT
affected.

In particular the Apache HTTP server (which never uses OpenSSL
internal caching) and Stunnel (which includes its own workaround)
are NOT affected.