SB2014101515 - Session Ticket Memory Leak in openssl (Alpine package)
Published: October 15, 2014
Security Bulletin ID
SB2014101515
Severity
Medium
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Denial of service
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Session Ticket Memory Leak (CVE-ID: CVE-2014-3567)
The vulnerability allows a remote attacker to cause denial of service.The vulnerability exists due to an error when handling integrity of session tickets in OpenSSL. A remote attacker can send a large number of invalid session tickets and cause denial of service conditions.
Successful exploitation of the vulnerability may allow an attacker to perform a denial of service (DoS) attack.
Remediation
Install update from vendor's website.
References
- https://git.alpinelinux.org/aports/commit/?id=f09cdaa244ef0d0d6f7357ab368810ceaa7a1083
- https://git.alpinelinux.org/aports/commit/?id=6dba1238f59654c63719462c31fc13056eec4974
- https://git.alpinelinux.org/aports/commit/?id=4c5cc5515933595f9aabe78a9b98d28ea24a3a92
- https://git.alpinelinux.org/aports/commit/?id=4dc9b437132ccb0949aa179ce0b3cbeb14fad028