Bug 1369504 (CVE-2016-2179)
| Summary: | CVE-2016-2179 openssl: DTLS memory exhaustion DoS when messages are not removed from fragment buffer | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Adam Mariš <amaris> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | apmukher, bbaranow, bmaxwell, cdewolf, chazlett, csutherl, dandread, darran.lofthouse, dimitris, dosoudil, erik-fedora, fgavrilo, gzaronik, jaeshin, jawilson, jclere, jondruse, jshepherd, ktietz, lgao, marcandre.lureau, mbabacek, mturk, myarboro, pgier, pjurak, ppalaga, psakar, pslavice, redhat-bugzilla, rjones, rnetuka, rstancel, rsvoboda, sardella, slawomir, tmraz, twalsh, vtunka, weli, yozone |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | openssl 1.0.1u, openssl 1.0.2i | Doc Type: | If docs needed, set a value |
| Doc Text: |
It was discovered that the Datagram TLS (DTLS) implementation could fail to release memory in certain cases. A malicious DTLS client could cause a DTLS server using OpenSSL to consume an excessive amount of memory and, possibly, exit unexpectedly after exhausting all available memory.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2019-06-08 02:57:47 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1369505, 1369506, 1369507, 1377623, 1377624, 1377625, 1377626, 1381811, 1381812 | ||
| Bug Blocks: | 1367347 | ||
|
Description
Adam Mariš
2016-08-23 15:11:29 UTC
Created openssl101e tracking bugs for this issue: Affects: epel-5 [bug 1369507] Created openssl tracking bugs for this issue: Affects: fedora-all [bug 1369505] Created mingw-openssl tracking bugs for this issue: Affects: fedora-all [bug 1369506] Another related flaw, with no CVE though: https://github.com/openssl/openssl/commit/cfd40fd39e69f5e3c654ae8fbf9acb1d2a051144 Covered now by OpenSSL upstream security advisory and fixed in versions 1.0.1u and 1.0.2i. DTLS buffered message DoS (CVE-2016-2179) ========================================= Severity: Low In a DTLS connection where handshake messages are delivered out-of-order those messages that OpenSSL is not yet ready to process will be buffered for later use. Under certain circumstances, a flaw in the logic means that those messages do not get removed from the buffer even though the handshake has been completed. An attacker could force up to approx. 15 messages to remain in the buffer when they are no longer required. These messages will be cleared when the DTLS connection is closed. The default maximum size for a message is 100k. Therefore the attacker could force an additional 1500k to be consumed per connection. By opening many simulataneous connections an attacker could cause a DoS attack through memory exhaustion. OpenSSL 1.0.2 DTLS users should upgrade to 1.0.2i OpenSSL 1.0.1 DTLS users should upgrade to 1.0.1u This issue was reported to OpenSSL on 22nd June 2016 by Quan Luo. The fix was developed by Matt Caswell of the OpenSSL development team. External References: https://www.openssl.org/news/secadv/20160922.txt This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 Via RHSA-2016:1940 https://rhn.redhat.com/errata/RHSA-2016-1940.html |