OpenSSL patches high-severity vulnerability

Could be abused for denial-of-service attacks.

The popular OpenSSL cryptographic library project has patched a flaw that could take down servers through memory exhaustion in denial-of-service attacks.

A malicious client that sends excessively large Online Certificate Status Protocol (OCSP) status requests during connection negotiations can cause massive memory usage growth on the server, the project said.

Eventually, this will lead to a denial-of-service attack on the server through memory exhaustion.

OCSP is an open standard protocol used to check the revocation status of X.509 digital certificates.

The bug exists in OpenSSL versions 1.0.1, 1.0.2 and 1.1.0. The updated versions are 1.0.1u, 1.0.2i and 1.1.0a.

Servers running OpenSSL versions earlier than 1.0.1g are not vulnerable in the default configuration; they are exposed only if the application explicitly enables OCSP stapling support.
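A version-triage helper, added here as an example that is not part of the article or of the OpenSSL project, that applies the affected branches, fixed releases and 1.0.1g stapling caveat listed above to an `openssl version` string. Whether OCSP stapling is enabled is an input the caller supplies from their own server configuration; the sample version strings are constructed.

```python
import re

# Fixed releases named in the article: branch -> first patched letter suffix.
FIXED_SUFFIX = {"1.0.1": "u", "1.0.2": "i", "1.1.0": "a"}

# Below this 1.0.1 release the flaw is only reachable when the application
# explicitly enables OCSP stapling (the article's caveat).
STAPLING_ONLY_BRANCH, STAPLING_ONLY_BELOW = "1.0.1", "g"

VERSION_RE = re.compile(r"(\d+\.\d+\.\d+)([a-z]*)")


def parse_version(text):
    """Extract (branch, letter_suffix) from e.g. 'OpenSSL 1.0.2g  1 Mar 2016'.

    The suffix is compared as a plain string ('' < 'a' < 'b' < ...), which
    matches the lettered patch-release scheme OpenSSL used before 1.1.1.
    """
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError("no OpenSSL version found in: %r" % text)
    return m.group(1), m.group(2)


def assess(version_text, stapling_enabled):
    """Classify a build against the advisory in the article.

    Returns 'fixed', 'vulnerable', 'safe-unless-stapling' (pre-1.0.1g build
    with stapling off) or 'unlisted' (branch not named in the article).
    """
    branch, letter = parse_version(version_text)
    if branch not in FIXED_SUFFIX:
        return "unlisted"
    if letter >= FIXED_SUFFIX[branch]:
        return "fixed"
    if (branch == STAPLING_ONLY_BRANCH and letter < STAPLING_ONLY_BELOW
            and not stapling_enabled):
        return "safe-unless-stapling"
    return "vulnerable"


if __name__ == "__main__":
    # Constructed sample outputs of `openssl version`, paired with whether
    # the server configuration enables OCSP stapling.
    samples = [("OpenSSL 1.0.2h  3 May 2016", False),
               ("OpenSSL 1.0.1e-fips 11 Feb 2013", False),
               ("OpenSSL 1.0.1e-fips 11 Feb 2013", True),
               ("OpenSSL 1.1.0a  22 Sep 2016", True)]
    for line, stapling in samples:
        print("%-36s stapling=%-5s -> %s" % (line, stapling, assess(line, stapling)))
```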

Researcher Shi Lei from Gear Team at Chinese security vendor Qihoo 360 is credited with having found the vulnerability.

A further 15 security fixes are included in the latest round of OpenSSL patches, 14 of which are rated as low severity.

One bug can be exploited by sending empty records to an application that calls the SSL_peek() function, causing the OpenSSL 1.0 transport layer security (TLS) set-up process to hang. This vulnerability could also be exploited in denial-of-service attacks.

Copyright © iTnews.com.au . All rights reserved.