How to resolve CVE-2010-5298?

Solution Verified - Updated -

Environment

  • Red Hat Enterprise Linux 5

  • Red Hat Enterprise Linux 6

  • Red Hat Enterprise Linux 7

  • Red Hat Storage Server 2.1

Issue

  • How to deal with CVE-2010-5298 openssl: freelist misuse causing a possible use-after-free?

  • How to address the issue described in the following definition of CVE-2010-5298?

Race condition in the ssl3_read_bytes function in s3_pkt.c in OpenSSL through 1.0.1g,
when SSL_MODE_RELEASE_BUFFERS is enabled,
allows remote attackers to inject data across sessions or cause a denial of service 
(use-after-free and parsing error) via an SSL connection in a multithreaded environment.

Resolution

  • CVE-2010-5298 did not affect the openssl packages shipped with Red Hat Enterprise Linux 5.

  • For Red Hat Enterprise Linux 6, the openssl security erratum was released as RHSA-2014:0625.

  • For Red Hat Enterprise Linux 7, the openssl security erratum was released as RHSA-2014:0679.

  • For Red Hat Storage Server 2.1, the openssl security erratum was released as RHSA-2014:0628.

Diagnostic Steps
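
One way to confirm that an installed openssl package carries the fix is to look for the CVE identifier in the package changelog. The script below is an added example, not part of the original solution. It assumes the changelog names the CVE, as Red Hat errata changelogs normally do. The function names and sample changelog text are constructed for illustration.

```shell
#!/bin/sh
# Added example: decide from RPM changelog text whether a CVE fix is listed.

CVE_ID="CVE-2010-5298"

# Reads `rpm -q --changelog <pkg>` output on stdin.
# Prints the header line ("* date packager version-release") of the newest
# entry that mentions the CVE; returns 1 if no entry mentions it.
changelog_fix_entry() {
    awk -v cve="$1" '
        /^\* /          { header = $0 }    # start of a changelog entry
        index($0, cve)  { print header; found = 1; exit }
        END             { exit (found ? 0 : 1) }
    '
}

# $1 = label for the report line; changelog text on stdin.
report() {
    if fix_entry=$(changelog_fix_entry "$CVE_ID"); then
        echo "$1: fix for $CVE_ID listed in: $fix_entry"
    else
        echo "$1: no changelog entry mentions $CVE_ID"
        return 1
    fi
}

# Constructed sample changelogs (not real package output).
SAMPLE_FIXED='* Mon Jan 01 2001 Example Packager <packager@example.com> 0.0.0-2
- fix CVE-2010-5298 - possible use of memory after free

* Sun Dec 31 2000 Example Packager <packager@example.com> 0.0.0-1
- initial build'

SAMPLE_UNFIXED='* Sun Dec 31 2000 Example Packager <packager@example.com> 0.0.0-1
- initial build'

# Pass --live on a real system to check the installed openssl package;
# without it the script runs on the constructed samples above.
if [ "${1:-}" = "--live" ]; then
    rpm -q --changelog openssl | report "installed openssl"
else
    printf '%s\n' "$SAMPLE_FIXED"   | report "sample (fixed)"
    printf '%s\n' "$SAMPLE_UNFIXED" | report "sample (unfixed)" || true
fi
```

On Red Hat Enterprise Linux 5, where the shipped openssl packages were not affected, the absence of a changelog entry does not indicate a missing fix.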

External References

openssl
MITRE
NVD
