OpenSSL TLS Server: Buffer Overflow Vulnerability

Users of the OpenSSL TLS server, please be advised that a buffer overflow vulnerability has been identified.
To view this vulnerability, possible remedies, and other advisories, please check out the Security Advisories at Critical Watch (http://criticalwatch.com/support/security-advisories.aspx).

DSA-2125-1: [DSA-2125-1] openssl – buffer overflow Issue
Vulnerability : buffer overflow
A flaw has been found in the OpenSSL TLS server extension code parsing which on affected servers can be exploited in a buffer overrun attack. This allows an attacker to cause an application crash or potentially to execute arbitrary code.

However, not all OpenSSL-based SSL/TLS servers are vulnerable: a server is vulnerable if it is multi-threaded and uses OpenSSL’s internal caching mechanism. In particular, the Apache HTTP server (which never uses OpenSSL internal caching) and Stunnel (which includes its own workaround) are NOT affected.

Read more at http://www.criticalwatch.com

 
