[Vulnerability notice] CVE-2016-8610: "SSL Death Alert" vulnerability

Last Updated: Apr 02, 2018

CVE identifier

CVE-2016-8610

Vulnerability name

“SSL Death Alert” vulnerability

Vulnerability rating

High

Vulnerability description

During an SSL or TLS handshake with OpenSSL, the client can repeatedly send plaintext alert records (SSL3_RT_ALERT) at the warning level (SSL3_AL_WARNING) whose alert descriptions are undefined, packed back to back. OpenSSL ignores each undefined warning alert and goes on processing the data that follows it.

An attacker can exploit this by packing many undefined warning alerts into a single message: the service or process then spins in a loop that does no useful work, driving CPU usage to 100%. This vulnerability affects Nginx, which is widely used to provide HTTPS (SSL and TLS) services on the Internet.
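The following added example (not OpenSSL's own code) models the alert-processing loop described above: with no bound, every packed warning alert is processed and skipped, so the work a peer can force is limited only by how many alerts it sends; with a bound on consecutive warning alerts the handler stops after a constant amount of work. The names, the sample record and the limit of 5 are this example's own assumptions.

```c
#include <stddef.h>
#include <stdint.h>

/* TLS alert levels (RFC 5246; OpenSSL names them SSL3_AL_WARNING/FATAL). */
#define SSL3_AL_WARNING 1
#define SSL3_AL_FATAL   2
/* Consecutive warning alerts tolerated before the peer is dropped.
 * Value chosen for this example; OpenSSL's fix applies its own bound. */
#define MAX_WARN_ALERT_COUNT 5

enum alert_verdict { ALERT_OK, ALERT_FATAL, ALERT_FLOOD, ALERT_MALFORMED };
struct conn_state {
    unsigned warn_alerts;   /* consecutive warning alerts seen so far */
    size_t work_done;       /* alerts processed: stands in for CPU time */
};

/* Consume one alert-protocol record (2-byte level/description pairs).
 * max_warn == 0 is the pre-fix behaviour the advisory describes: unknown
 * warnings are skipped for every alert packed in; a bound drops the peer. */
enum alert_verdict handle_alert_record(struct conn_state *st,
                                       const uint8_t *buf, size_t len,
                                       unsigned max_warn)
{
    if (len % 2 != 0)
        return ALERT_MALFORMED;       /* alerts are exactly two bytes */
    for (size_t i = 0; i < len; i += 2) {
        st->work_done++;
        if (buf[i] == SSL3_AL_FATAL)
            return ALERT_FATAL;
        if (max_warn != 0 && ++st->warn_alerts > max_warn)
            return ALERT_FLOOD;       /* bounded work, then close */
    }
    return ALERT_OK;                  /* warnings ignored, keep reading */
}

struct sample_result { enum alert_verdict verdict; size_t work_done; };
/* Constructed sample input: one record holding n packed warning alerts
 * with the undefined description 0xFF, fed to the handler. */
struct sample_result run_sample(size_t n, unsigned max_warn)
{
    uint8_t buf[16384];               /* largest TLS record payload */
    struct conn_state st = {0, 0};
    struct sample_result r;
    if (n > sizeof buf / 2) n = sizeof buf / 2;   /* stay inside one record */
    for (size_t i = 0; i < n; i++) {
        buf[2 * i] = SSL3_AL_WARNING;
        buf[2 * i + 1] = 0xFF;
    }
    r.verdict = handle_alert_record(&st, buf, 2 * n, max_warn);
    r.work_done = st.work_done;
    return r;
}
```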

Affected scope

  • All OpenSSL 0.9.8 releases
  • All OpenSSL 1.0.1 releases
  • OpenSSL 1.0.2 through 1.0.2h
  • OpenSSL 1.1.0

Unaffected versions: OpenSSL 1.0.2i, 1.0.2j, 1.1.0a, and 1.1.0b

How to fix or mitigate

Upgrade OpenSSL to the latest version:

  • Upgrade OpenSSL 1.1.0 to OpenSSL 1.1.0b or a later version.
  • Upgrade OpenSSL 1.0.2 to OpenSSL 1.0.2j or a later version.
  • Upgrade OpenSSL 1.0.1 to OpenSSL 1.0.2 or a later version.

Reference

[1] https://www.openssl.org/
[2] https://access.redhat.com/security/cve/CVE-2016-8610/
[3] https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=af58be768ebb690f78530f796e92b8ae5c9a4401
[4] http://seclists.org/oss-sec/2016/q4/224