VID: 22551
Severity: 30
Port: 80, ...
Protocol: TCP
Class: WWW
Detailed Description
According to its banner, the remote web server is running a version of OpenSSL 1.0.1 earlier than 1.0.1c. Such versions of the OpenSSL library are affected by a denial-of-service vulnerability (CVE-2012-2333).
An integer underflow exists in the function 'dtls1_enc' in 'ssl/d1_enc.c' (the TLS 1.1/1.2 path in 'ssl/t1_enc.c' has the same flaw). When a CBC-mode cipher suite is in use with TLS 1.1, TLS 1.2 or DTLS, the length of the explicit initialization vector is subtracted from the record length without first checking that the record is at least that long. A crafted record shorter than one cipher block therefore yields a wrapped-around length, and the library reads past the end of the record buffer (a buffer over-read), resulting in memory corruption and a crash of the affected client or server process.
Note that this is a banner-based check. Distribution vendors commonly backport the fix without changing the advertised version string (the Red Hat bug referenced below tracks such a backport), so confirm the installed package's patch level before treating this finding as exploitable.
* References: http://openssl.org/news/secadv_20120510.txt http://www.openssl.org/news/changelog.html http://cvs.openssl.org/chngview?cn=22547 https://bugzilla.redhat.com/show_bug.cgi?id=820686
* Platforms Affected: OpenSSL 1.0.1 before 1.0.1c (this check). The OpenSSL advisory also covers 0.9.8 before 0.9.8x and 1.0.0 before 1.0.0j.
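The following is an added example of the kind of banner-based version check this finding relies on; it is not the scanner's own detection logic and not OpenSSL code. It parses the 'OpenSSL/x.y.z[letter]' token from a Server header, orders OpenSSL's patch letters correctly ('' < 'a' < ... < 'z' < 'za'), and compares against the first fixed release on each branch named in the OpenSSL advisory of 2012-05-10 (0.9.8x, 1.0.0j, 1.0.1c). The sample banners are constructed, not captured from any real host, and the function names are this example's own. As the description notes, a "vulnerable" verdict from a banner alone does not account for vendor backports.

```python
import re
from typing import Dict, Iterable, Optional, Tuple

# Constructed sample Server headers (not captured from any real host).
SAMPLE_BANNERS = [
    "Apache/2.2.22 (Unix) mod_ssl/2.2.22 OpenSSL/1.0.1a",  # before 1.0.1c: affected
    "Apache/2.2.22 (Ubuntu) OpenSSL/1.0.1",                # no letter = first 1.0.1 release: affected
    "Apache/2.4.2 (Unix) OpenSSL/1.0.1c",                  # first fixed 1.0.1 release
    "Apache/2.2.15 (CentOS) OpenSSL/1.0.0j",               # first fixed 1.0.0 release
    "Apache/2.2.3 (Red Hat) OpenSSL/0.9.8e",               # affected by upstream numbering; vendors backport
    "nginx/1.2.0",                                         # no OpenSSL token at all
    "Apache/2.4.9 OpenSSL/1.0.2",                          # branch released after the fix
]

# First fixed release on each branch, per the OpenSSL advisory of 2012-05-10.
FIRST_FIXED: Dict[Tuple[int, int, int], str] = {
    (0, 9, 8): "x",
    (1, 0, 0): "j",
    (1, 0, 1): "c",
}

_VERSION_RE = re.compile(r"OpenSSL/(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(banner: str) -> Optional[Tuple[int, int, int, str]]:
    """Return (major, minor, fix, letter) from an 'OpenSSL/x.y.z[letter]' token, or None."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, fix, letter = m.groups()
    return int(major), int(minor), int(fix), letter


def letter_key(letter: str) -> Tuple[int, ...]:
    """Sort key for OpenSSL patch letters: '' < 'a' < ... < 'z' < 'za' < 'zb' ...

    Each letter maps to 1..26, so '' -> (), 'a' -> (1,), 'za' -> (26, 1); tuple ordering
    then matches OpenSSL's release order, including the double-letter 0.9.8z* releases.
    """
    return tuple(ord(c) - ord("a") + 1 for c in letter)


def is_vulnerable(banner: str) -> Optional[bool]:
    """Banner verdict for CVE-2012-2333.

    True  - advertised version precedes the first fixed release on its branch
    False - fixed release, or a branch that shipped only after the fix
    None  - no OpenSSL version advertised, or a branch the advisory does not cover
    """
    v = parse_openssl_version(banner)
    if v is None:
        return None
    major, minor, fix, letter = v
    branch = (major, minor, fix)
    if branch in FIRST_FIXED:
        return letter_key(letter) < letter_key(FIRST_FIXED[branch])
    if branch > (1, 0, 1):
        return False  # 1.0.2 and later were released after the fix
    return None       # 0.9.7 and older: end-of-life, not covered by the advisory


def scan(banners: Iterable[str]) -> Dict[str, Optional[bool]]:
    """Apply the banner check to each header and return banner -> verdict."""
    return {b: is_vulnerable(b) for b in banners}


if __name__ == "__main__":
    labels = {True: "VULNERABLE (per banner)", False: "not affected", None: "undetermined"}
    for banner, verdict in scan(SAMPLE_BANNERS).items():
        print(f"{labels[verdict]:24s} {banner}")
```

The three-way verdict matters in practice: a missing OpenSSL token (many servers suppress it) or an end-of-life branch should be reported as undetermined rather than silently treated as safe, and a "vulnerable" result on a distribution package should be confirmed against the vendor's changelog before escalation.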
Recommendation
Upgrade to OpenSSL 1.0.1c or later (1.0.0j or 0.9.8x on the older branches), available from the OpenSSL Web site at http://www.openssl.org/. On distributions that backport security fixes, apply the vendor's patched package instead and verify the patch level from the package changelog rather than from the version string.
Related URL: CVE-2012-2333 (CVE)
Related URL: 53476 (SecurityFocus)
Related URL: (ISS)
|