The popular OpenSSL cryptographic library project has patched a flaw that could take down servers through memory exhaustion in denial-of-service attacks.
A malicious client that sends excessively large Online Certificate Status Protocol (OCSP) status requests during connection negotiations can cause massive memory usage growth on the server, the project said.
Eventually, this will lead to a denial-of-service attack on the server through memory exhaustion.
OCSP is an open standard protocol used to check for the revocation status of X.509 digital certificates.
The bug exists in OpenSSL versions 1.0.1, 1.0.2 and 1.1.0. The updated versions are 1.0.1u, 1.0.2i and 1.1.0a.
OpenSSL versions earlier than 1.0.1g are vulnerable only if OCSP stapling support is enabled, which is not the default configuration.
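The growth pattern described above, oversized status_request extensions arriving across (re)negotiations on one connection, can be bounded on the server side. The following is an added example, not OpenSSL code or the patch itself: it parses the ClientHello extensions from a TLS record and keeps a per-connection byte budget for the status_request extension; the parser, the 1024-byte cap and the sample ClientHello builder are assumptions constructed for illustration.

```python
import struct

STATUS_REQUEST_TYPE = 5          # RFC 6066 status_request extension
MAX_STATUS_REQUEST_BYTES = 1024  # assumed per-connection cap, not from the advisory


def parse_client_hello_extensions(record: bytes) -> dict:
    """Map extension type -> data from one TLS record holding a ClientHello.
    Assumes a single unfragmented record (constructed parser)."""
    if record[0] != 0x16:
        raise ValueError("not a handshake record")
    body = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if body[0] != 0x01:
        raise ValueError("not a ClientHello")
    p = 4 + 2 + 32                                   # handshake hdr, version, random
    p += 1 + body[p]                                 # session id
    p += 2 + struct.unpack("!H", body[p:p + 2])[0]   # cipher suites
    p += 1 + body[p]                                 # compression methods
    if p >= len(body):
        return {}
    end = p + 2 + struct.unpack("!H", body[p:p + 2])[0]
    p, exts = p + 2, {}
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", body[p:p + 4])
        exts[etype] = body[p + 4:p + 4 + elen]
        p += 4 + elen
    return exts


class StatusRequestBudget:
    """Cumulative status_request bytes seen on one connection across negotiations."""

    def __init__(self, limit: int = MAX_STATUS_REQUEST_BYTES):
        self.limit, self.seen = limit, 0

    def check(self, record: bytes) -> bool:
        """True if this ClientHello keeps the connection within budget."""
        exts = parse_client_hello_extensions(record)
        self.seen += len(exts.get(STATUS_REQUEST_TYPE, b""))
        return self.seen <= self.limit


def build_client_hello(status_request: bytes) -> bytes:
    """Constructed sample: minimal TLS 1.2 ClientHello with one status_request."""
    ext = struct.pack("!HH", STATUS_REQUEST_TYPE, len(status_request)) + status_request
    hello = (b"\x03\x03" + b"\x00" * 32 + b"\x00"     # version, random, empty session id
             + struct.pack("!H", 2) + b"\xc0\x2f"      # one cipher suite
             + b"\x01\x00"                             # null compression only
             + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```

A legitimate status_request is five bytes (OCSP status type, empty responder ID list, empty request extensions), so a budget of this size is only exceeded by the pattern the advisory describes.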
Researcher Shi Lei from Gear Team at Chinese security vendor Qihoo 360 is credited with having found the vulnerability.
A further 15 security fixes are included in the latest round of OpenSSL patches, 14 of which are rated as low severity.
One bug can be exploited by sending empty records while the SSL_peek() function is called, causing OpenSSL 1.0's transport layer security (TLS) setup process to hang. This vulnerability could also be exploited in denial-of-service attacks.