CVE-2015-5262 — commons-httpclient - security update

Description

http/conn/ssl/SSLConnectionSocketFactory.java in Apache HttpComponents HttpClient before 4.3.6 ignores the http.socket.timeout configuration setting during an SSL handshake, which allows remote attackers to cause a denial of service (HTTPS call hang) via unspecified vectors.

How to fix CVE-2015-5262

To remediate CVE-2015-5262, upgrade the affected package to a fixed version below.

Debian/commons-httpclient—upgrade to 3.1-12 or later
Debian/commons-httpclient—upgrade to 3.1-9+deb6u2 or later
—upgrade to 4.3.6-1 or later
—upgrade to 4.3.6 or later

Is CVE-2015-5262 being exploited?

Low — EPSS is 4.3%, meaning exploitation activity has not been observed at scale.

Affected packages (4)

from 0, < 3.1-12
from 0, < 3.1-9+deb6u2
from 0, < 4.3.6-1
from 0, < 4.3.6

References (21)

ADVISORYgithub.com/advisories/GHSA-fmj5-wv96-r2ch
ADVISORYnvd.nist.gov/vuln/detail/CVE-2015-5262
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2015-5262
WEBlists.fedoraproject.org/pipermail/package-announce/2015-October/167962.html