OpenSSL closes vulnerability that makes a denial-of-service attack possible




OpenSSL has released patches for a vulnerability that can be exploited to perform a denial-of-service attack on vulnerable servers. The severity of the vulnerability is rated 'high'. OpenSSL also closes thirteen minor vulnerabilities.

OpenSSL writes that the vulnerability has been assigned the identifier CVE-2016-6304 and is present in various versions of the software. The team advises users to update to version 1.1.0a, 1.0.2i or 1.0.1u, depending on the version in use. The vulnerability allows an attacker to fill up a server's memory by sending a large OCSP status request extension. He can do this by repeatedly sending requests. This may cause the server to crash or reboot, Akamai writes.

Servers with a default configuration are vulnerable to such an attack, even if they have turned off support for OCSP. Servers built with the 'no-ocsp' option, or that use a default configuration with version 1.0.1g or higher, are not affected. Servers in the latter category are only vulnerable if an application enables OCSP stapling support.
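The update advice above can be checked against the output of `openssl version`. The following is an added example, not code from OpenSSL or from this article; it covers only the version comparison, not the build options or OCSP stapling settings, and the sample banners and function names are constructed for illustration.

```python
import re

# Fixed releases per branch, as listed in the article.
FIXED = {"1.1.0": "a", "1.0.2": "i", "1.0.1": "u"}
BANNER = re.compile(r"OpenSSL\s+(\d+\.\d+\.\d+)([a-z]*)(-[\w.]+)?")
PRERELEASE = ("-dev", "-pre", "-beta")

def parse_banner(banner):
    """Split `openssl version` output into (branch, letter, tag)."""
    m = BANNER.search(banner)
    if m is None:
        raise ValueError("not an OpenSSL version banner: %r" % banner)
    return m.group(1), m.group(2), m.group(3) or ""

def letter_rank(letters):
    # "" < "a" < ... < "z" < "za" < "zb": a longer suffix is a later release.
    return (len(letters), letters)

def status(banner):
    """Return 'patched', 'needs-update' or 'unknown' for one banner."""
    branch, letter, tag = parse_banner(banner)
    fixed = FIXED.get(branch)
    if fixed is None:
        return "unknown"  # the article names no fixed release for this branch
    have, want = letter_rank(letter), letter_rank(fixed)
    # A development snapshot such as 1.0.2i-dev predates the 1.0.2i release.
    if have == want and tag.startswith(PRERELEASE):
        return "needs-update"
    return "patched" if have >= want else "needs-update"

# Constructed sample banners (not taken from the article).
SAMPLES = [
    "OpenSSL 1.0.2h  3 May 2016",
    "OpenSSL 1.0.2i  22 Sep 2016",
    "OpenSSL 1.1.0  25 Aug 2016",
    "OpenSSL 1.0.1e-fips 11 Feb 2013",
    "OpenSSL 0.9.8zh 3 Dec 2015",
]

if __name__ == "__main__":
    for banner in SAMPLES:
        print("%-14s %s" % (status(banner), banner))
```

Distribution packages often backport fixes without changing the upstream version letter, so a "needs-update" result for a vendor build should be confirmed against the vendor's advisory for CVE-2016-6304.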

OpenSSL had announced the patches for the vulnerability, which was discovered by the Chinese company Qihoo 360, earlier this week. The software is used to establish secure connections and is an implementation of SSL and TLS.

