SSL: OpenSSL SSL3_AL_WARNING Denial of Service
A denial-of-service vulnerability exists in OpenSSL. The vulnerability is due to improper handling of warning packets by the function ssl3_read_bytes(). A remote, unauthenticated attacker can exploit this vulnerability by repeatedly sending SSL Alert Warning records during the handshake. Successful exploitation will cause the excessive resource consumption on the server.
Extended Description
A denial of service flaw was found in OpenSSL 0.9.8, 1.0.1, 1.0.2 through 1.0.2h, and 1.1.0 in the way the TLS/SSL protocol defined processing of ALERT packets during a connection handshake. A remote attacker could use this flaw to make a TLS/SSL server consume an excessive amount of CPU and fail to accept connections from other clients.
Affected Products
Oracle core_rdbms
References
CVE: CVE-2016-8610
Short Name
SSL:OPENSSL-WARNING-DOS
Severity
Major
Recommended
True
Recommended Action
None
Category
SSL
Keywords
CVE-2016-8610 Denial OpenSSL SSL3_AL_WARNING Service of
Release Date
11/15/2016
Supported Platforms
srx-branch-12.3
srx-19.3
srx-branch-19.3
vsrx3bsd-19.2
srx-branch-19.4
vsrx-19.4
mx-12.3
mx-19.4
vmx-19.4
mx-19.3
vsrx3bsd-19.4
srx-19.4
vsrx-12.3
vmx-19.3
vsrx-19.2
srx-12.3
Sigpack Version
3673
False Positive
Unknown
Vendors
Redhat
Paloaltonetworks
Openssl
Oracle
Netapp
Debian
CVSS Score
5.0