Main Vulnerability Database SB2021122902

SB2021122902 - Multiple vulnerabilities in wolfSSL

Published: December 29, 2021

Security Bulletin ID SB2021122902

Severity

Low

Patch available

YES

Number of vulnerabilities 2

Exploitation vector Remote access

Highest impact Data manipulation

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) Input validation error (CVE-ID: N/A)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to processing hello packets of the incorrect side in wolfSSL client. A remote attacker with ability to perform MitM attack can cause denial of service. this affects connections using TLS v1.2 or lesser protocol.

2) Resource management error (CVE-ID: N/A)

The vulnerability allows a remote attacker to perform MitM attack.

The vulnerability exists due to a client side session resumption issue in wolfSSL, when the session resumption cache has been filled up. A remote attacker can hijack session resumption and perform MitM attack against a wolfSSL client or a proxy server that is using wolfSSL to verifying peers.

Remediation

Install update from vendor's website.

References

https://github.com/wolfSSL/wolfssl/releases/tag/v5.1.0-stable