MNBSD-2016-16: Excessive CPU consumption from undefined SSL/TLS alert messages

Severity: Unknown

Affected Package: openssl

Summary: Excessive CPU consumption from undefined SSL/TLS alert messages

Description

Due to improper handling of alert packets (the 'SSL Death Alert' issue), OpenSSL would consume an excessive amount of CPU processing undefined/warning alert messages. A remote attacker could send crafted plaintext ALERT packets to drive a TLS/SSL server to full CPU usage, causing denial of service. Patched in the 0.8.4 release.

Affected Versions

openssl

Recommendations

No specific recommendations provided.

References

Additional Information

Aliases: CVE-2016-8610

Published: November 05, 2016
Last Modified: November 05, 2016