Korean
<< Back
VID 22552
Severity 30
Port 80, ...
Protocol TCP
Class WWW
Detailed Description According to its banner, the remote web server is running a version of OpenSSL 1.0.0 earlier than 1.0.0j. As such, the OpenSSL library itself is reportedly affected by a denial of service vulnerability.

An integer underflow error exists in the file 'ssl/d1_enc.c' in the function 'dtls1_enc'. When in CBC mode, TLS/DTLS record length values and explicit initialization vector length values related to TLS/DTLS packets are not handled properly, which can lead to memory corruption and application crashes.

* References:
http://openssl.org/news/secadv_20120510.txt
http://www.openssl.org/news/changelog.html
http://cvs.openssl.org/chngview?cn=22547
https://bugzilla.redhat.com/show_bug.cgi?id=820686


* Platforms Affected:
OpenSSL 1.0.0 before 1.0.0j
Recommendation Upgrade to the latest version of OpenSSL (1.0.0j or later), available from the OpenSSL Web site at http://www.openssl.org/
Related URL CVE-2012-2333 (CVE)
Related URL 53476 (SecurityFocus)
Related URL (ISS)