SSL Death Alert

IDs: 
CVE-2016-8610
Keywords: 
ssl, tls, DoS, OpenSSL
Description: 

A denial of service flaw was found in the way the SSL/TLS protocol handles ALERT packets during an SSL handshake.

Airlock WAF is not affected.

Details:

A flaw was found in the way OpenSSL processed ALERT packets during an SSL handshake. An attacker sends a large number of plaintext WARNING packets after CLIENTHELLO, which causes OpenSSL to go into an endless loop, consequently taking 100% CPU. This may cause certain applications compiled against OpenSSL to hang and become unable to serve content to clients. [1]

Airlock WAF is not affected, because Apache httpd allocates an extra thread for processing ClientHello messages, which prevents this DoS vulnerability. The same applies to stunnel in the SSL VPN module.
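
The alert pattern described above can be recognized at the TLS record layer. The following Python code is an added example, not part of the original advisory and not Airlock or OpenSSL code: it counts plaintext warning-level alerts in a client-to-server byte stream between the first handshake record and ChangeCipherSpec. The threshold `MAX_WARNINGS`, the function names and the sample streams are assumptions constructed for illustration.

```python
import struct

# TLS record content types and the alert level of interest
CHANGE_CIPHER_SPEC, ALERT, HANDSHAKE = 20, 21, 22
WARNING = 1
MAX_WARNINGS = 5  # assumed threshold for this example, tune per environment

def records(stream):
    """Yield (content_type, payload) for each complete TLS record."""
    off = 0
    while off + 5 <= len(stream):
        ctype, _version, length = struct.unpack_from("!BHH", stream, off)
        if off + 5 + length > len(stream):
            break  # truncated final record, stop parsing
        yield ctype, stream[off + 5:off + 5 + length]
        off += 5 + length

def count_plaintext_warnings(stream):
    """Count warning alerts seen after the first handshake record and
    before ChangeCipherSpec (later records are encrypted)."""
    seen_hello, count = False, 0
    for ctype, payload in records(stream):
        if ctype == CHANGE_CIPHER_SPEC:
            break
        if ctype == HANDSHAKE:
            seen_hello = True
        elif (seen_hello and ctype == ALERT
              and len(payload) == 2 and payload[0] == WARNING):
            count += 1
    return count

def is_alert_flood(stream, limit=MAX_WARNINGS):
    """True when the stream carries more plaintext warnings than `limit`."""
    return count_plaintext_warnings(stream) > limit

def rec(ctype, payload, version=0x0303):
    """Build one TLS record (helper for the constructed samples below)."""
    return struct.pack("!BHH", ctype, version, len(payload)) + payload

# Constructed sample streams, not real captures
HELLO = rec(HANDSHAKE, b"\x01\x00\x00\x00")   # stub ClientHello header
WARN = rec(ALERT, bytes([WARNING, 112]))      # warning, unrecognized_name
FATAL = rec(ALERT, bytes([2, 40]))            # fatal, handshake_failure
NORMAL = HELLO + WARN
FLOOD = HELLO + WARN * 200
AFTER_CCS = HELLO + rec(CHANGE_CIPHER_SPEC, b"\x01") + WARN * 200

if __name__ == "__main__":
    for name, s in [("normal", NORMAL), ("flood", FLOOD), ("after_ccs", AFTER_CCS)]:
        print(name, count_plaintext_warnings(s), is_alert_flood(s))
```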

Resolution: 

No action required.

Component: 
Airlock
Airlock Vulnerability Status: 
Does not affect Airlock
Back-end Vulnerability Status: 
Does not affect back-end behind Airlock