#VU1083 Denial of service

Published: 2016-10-24 | Updated: 2018-03-30

Vulnerability identifier: #VU1083

Vulnerability risk: Low

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2016-8610


Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Server applications / Encryption software

Vendor: OpenSSL Software Foundation

The vulnerability allows a remote unauthenticated user to exhaust memory on the target system.
The weakness is due to improper handling of certain packets by the ssl3_read_bytes() function in 'ssl/s3_pkt.c.
By sending a flood of SSL3_AL_WARNING alerts during the SSL handshake, a remote attacker can consume excessive CPU resources that may lead to OpenSSL library being unavailable.
Successful exploitation of the vulnerability results in denial of service on the vulnerable system.

Update to version 1.0.2j, 1.1.0b.

Vulnerable software versions

OpenSSL: 1.0.1 - 1.0.1u, 1.0.2 - 1.0.2i, 1.1.0 - 1.1.0a, 0.9.8 - 0.9.8zg, 1.0.0 - 1.0.0s, 0.9.1b - 0.9.1c, 0.9.7 - 0.9.7m, 0.9.3 - 0.9.3a, 0.9.5 - 0.9.5a, 0.9.6 - 0.9.6m


External links

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability