SSL Handshake Vulnerability in Apache HttpComponents HttpClient
CVE-2015-5262

Currently unrated

Key Information:

Vendor: Fedoraproject
Status: Fedora; Ubuntu Linux
Vendor: CVE Published:; 27 October 2015

Summary

The Apache HttpComponents HttpClient prior to version 4.3.6 contains a vulnerability in the SSLConnectionSocketFactory that fails to respect the http.socket.timeout configuration during the SSL handshake process. This oversight can be exploited by remote attackers, leading to denial of service situations where HTTPS calls can hang indefinitely, disrupting service and availability.

References

http://www.oracle.com/technetwork/security-advisory/cpuju...

x_refsource_CONFIRM

http://svn.apache.org/viewvc?view=revision&revision=1626784

x_refsource_CONFIRM

https://jenkins.io/security/advisory/2018-02-26/

x_refsource_CONFIRM

Timeline

Vulnerability published
Oct 27, 2015
Vulnerability Reserved
Jul 1, 2015