Updated: 2024-11-30 02:33:09.416219
Description:
During key agreement in a TLS handshake using a DH(E)-based ciphersuite, a malicious server can send a very large prime value to the client. This causes the client to spend an unreasonably long time generating a key for this prime, so the client hangs until key generation has finished. This could be exploited in a denial-of-service attack. Fixed in OpenSSL 1.1.0i-dev (Affected 1.1.0-1.1.0h). Fixed in OpenSSL 1.0.2p-dev (Affected 1.0.2-1.0.2o).
Links | NIST | CIRCL | RHEL | Ubuntu |
CVSS version | Severity | Score |
---|---|---|
CVSS Version 2.x | MEDIUM | 5 |
CVSS Version 3.x | HIGH | 7.5 |
OS name | Project name | Version | Score | Severity | Status | Errata | Last updated | Statement |
---|---|---|---|---|---|---|---|---|
CentOS 6 ELS | openssl | 1.0.1e | 7.5 | HIGH | Released | CLSA-2021:1632262317 | 2022-05-05 12:01:44 | |
CloudLinux 6 ELS | openssl | 1.0.1e | 7.5 | HIGH | Released | | 2021-12-09 07:57:06 | |
Oracle Linux 6 ELS | openssl | 1.0.1e | 7.5 | HIGH | Not Vulnerable | CLSA-2021:1634922881 | 2021-12-09 07:57:06 | |
Ubuntu 16.04 ELS | openssl | 1.0.2g-1 | 7.5 | HIGH | Not Vulnerable | | 2021-12-09 07:57:06 | |