OSVDB ID: 70847

Title: OpenSSL ClientHello Handshake Message Parsing Invalid Memory Access

Info

Disclosure

Feb 08, 2011

Discovery

Unknown

Dates

Exploit

Unknown

Solution

Feb 08, 2011

Description

OpenSSL contains a flaw that may allow a remote denial of service. The issue is triggered when an error occurs while parsing malformed ClientHello handshake messages, which may be exploited to trigger an invalid memory access with a crafted ClientHello handshake message. This may allow a remote attacker to cause a denial of service. Certain applications which use SSL may also allow the disclosure of the contents of parsed OCSP extensions.

Classification

Location: Remote / Network Access
Impact: Loss of Confidentiality, Loss of Availability
Solution: Patch / RCS, Upgrade
Exploit: Exploit Unknown
Disclosure: Vendor Verified
OSVDB: Security Software

Solution

Upgrade to version 0.9.8r or 1.0.0d or higher, as they have been reported to fix this vulnerability. In addition, the OpenSSL team has released a patch for some older versions.

Products

The OpenSSL Project

OpenSSL

0.9.8h
0.9.8i
0.9.8j
0.9.8k
1.0.0b
0.9.8l
0.9.8m
1.0.0
0.9.8n
0.9.8o
0.9.8p
0.9.8q
1.0.0c
1.0.0a

IBM Corporation

InfoSphere Balanced Warehouse

C3000
C4000
D5100

Smart Analytics System

1050 for Linux
2050 for Linux
5600 V1
5600 V2
5710

Hardware Management Console (HMC)

V7R7.6.0
V7R7.7.0

Tivoli Netcool/System Service Monitor

4.0.0

Tivoli Composite Application Manager for Transactions

7.1
7.2
7.3
7.3.0.1

Tivoli Workload Scheduler Distributed

8.6 FP02
8.5.1 FP04
8.5 FP03
8.4 FP07

Tivoli Workload Scheduler for Applications

8.6
8.5 FP01
8.4 FP02

Tivoli Network Manager IP Edition

3.8
3.9
3.8.0.7
3.9.0.3

Tivoli Netcool OMNIbus

7.2.1
7.3.0
7.3.1
7.4.0
7.2.1.14
7.3.0.12
7.3.17
7.4.0.2

Tivoli Network Manager

3.8 FP7
3.9 FP3

DS8870

7.0
7.1
7.2

References

Credit

Unknown or Incomplete



Direct URL: http://osvdb.org/70847