SB2017030612 - Amazon Linux AMI update for openssl

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2017030612

SB2017030612 - Amazon Linux AMI update for openssl

Published: March 6, 2017

Security Bulletin ID SB2017030612
Severity
Medium
Patch available
YES
Number of vulnerabilities 2
Exploitation vector Remote access
Highest impact Denial of service

Breakdown by Severity

Medium 50% Low 50%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 2 secuirty vulnerabilities.


1) Out-of-bounds read (CVE-ID: CVE-2017-3731)

The vulnerability allows a remote attacker to cause denial of service conditions.

The vulnerability exists due to out-of-bounds read in OpenSSL when processing truncated packets on 32-bit system using certain ciphers. A remote attacker can send a specially crafted truncated packet using CHACHA20/POLY1305 cipher for OpenSSL 1.1.0 or RC4-MD5 for 1.0.2 and trigger denial of service.

Successful exploitation of the vulnerability may allow an attacker to perform denial of service (DoS) attack against vulnerable system.


2) Denial of service (CVE-ID: CVE-2016-8610)

The vulnerability allows a remote unauthenticated user to exhaust memory on the target system.
The weakness is due to improper handling of certain packets by the ssl3_read_bytes() function in 'ssl/s3_pkt.c.
By sending a flood of SSL3_AL_WARNING alerts during the SSL handshake, a remote attacker can consume excessive CPU resources that may lead to OpenSSL library being unavailable.
Successful exploitation of the vulnerability results in denial of service on the vulnerable system.

Remediation

Install update from vendor's website.

References