#VU45308 Resource management error in OpenSSL - CVE-2011-0014


| Updated: 2020-08-11

Vulnerability identifier: #VU45308

Vulnerability risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2011-0014

CWE-ID: CWE-399

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
OpenSSL
Server applications / Encryption software

Vendor: OpenSSL Software Foundation

Description

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

ssl/t1_lib.c in OpenSSL 0.9.8h through 0.9.8q and 1.0.0 through 1.0.0c allows remote attackers to cause a denial of service (crash), and possibly obtain sensitive information in applications that use OpenSSL, via a malformed ClientHello handshake message that triggers an out-of-bounds memory access, aka "OCSP stapling vulnerability."

Mitigation
Install update from vendor's website.

Vulnerable software versions

OpenSSL: 0.9.8h - 0.9.8p, 1.0.0c - 1.0.0

External links
https://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2011-002.txt.asc
https://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02794777
https://lists.apple.com/archives/security-announce/2011//Jun/msg00000.html
https://lists.fedoraproject.org/pipermail/package-announce/2011-February/054007.html
https://lists.opensuse.org/opensuse-security-announce/2011-04/msg00000.html
https://marc.info/?l=bugtraq&m=130497251507577&w=2
https://marc.info/?l=bugtraq&m=131042179515633&w=2
https://osvdb.org/70847
https://secunia.com/advisories/43227
https://secunia.com/advisories/43286
https://secunia.com/advisories/43301
https://secunia.com/advisories/43339
https://secunia.com/advisories/44269
https://secunia.com/advisories/57353
https://slackware.com/security/viewer.php?l=slackware-security&y=2011&m=slackware-security.668823
https://support.apple.com/kb/HT4723
https://www.debian.org/security/2011/dsa-2162
https://www.mandriva.com/security/advisories?name=MDVSA-2011:028
https://www.openssl.org/news/secadv_20110208.txt
https://www.redhat.com/support/errata/RHSA-2011-0677.html
https://www.securityfocus.com/bid/46264
https://www.securitytracker.com/id?1025050
https://www.ubuntu.com/usn/USN-1064-1
https://www.vupen.com/english/advisories/2011/0361
https://www.vupen.com/english/advisories/2011/0387
https://www.vupen.com/english/advisories/2011/0389
https://www.vupen.com/english/advisories/2011/0395
https://www.vupen.com/english/advisories/2011/0399
https://www.vupen.com/english/advisories/2011/0603
https://www-01.ibm.com/support/docview.wss?uid=ssg1S1004564
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A18985
https://support.f5.com/csp/article/K10534046

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


SUSE Linux update for openSSL
Resource management error in HP-UX Running OpenSSL
Resource management error in OpenSSL
Slackware Linux update for openssl