Bug 1384743 (CVE-2016-8610)
| Summary: | CVE-2016-8610 SSL/TLS: Malformed plain-text ALERT packets could cause remote DoS | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Huzaifa S. Sidhpurwala <huzaifas> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | bbaranow, bmaxwell, carnil, cdewolf, cperry, csutherl, dandread, darran.lofthouse, dosoudil, dueno, erik-fedora, gzaronik, hkario, jawilson, jclere, kdudka, ktietz, lgao, marcandre.lureau, mbabacek, msugaya, mturk, myarboro, nmavrogi, pgier, psakar, pslavice, redhat-bugzilla, rjones, rnetuka, rsvoboda, sardella, security-response-team, slawomir, tmraz, twalsh, vtunka, weli, yozone |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: |
A denial of service flaw was found in the way the TLS/SSL protocol defined processing of ALERT packets during a connection handshake. A remote attacker could use this flaw to make a TLS/SSL server consume an excessive amount of CPU and fail to accept connections from other clients.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2019-06-08 03:00:03 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1388725, 1388726, 1388727, 1388728, 1388729, 1388730, 1392663, 1392664, 1392708, 1418964, 1418965, 1418966 | ||
| Bug Blocks: | 1384749, 1386080, 1446026, 1457678, 1461790, 1479475 | ||
|
Description
Huzaifa S. Sidhpurwala
2016-10-14 03:49:42 UTC
CVE-2016-8610 was assigned to this issue. The same issue may also affect gnutls servers. However, as gnutls delegates the burden of warning alerts to the application, there may be servers not vulnerable. I think the openssl fix of adding a maximum number of received handshakes is reasonable and there is already a similar at gnutls. https://gitlab.com/gnutls/gnutls/commit/1ffb827e45721ef56982d0ffd5c5de52376c428e Statement: This flaw affects applications that are compiled against OpenSSL or GnuTLS and do not allocate an extra thread for processing ClientHello messages. Nginx is affected by this issue; Apache httpd is not affected by this issue. This issue has been rated as having a security impact of Moderate. It requires an attacker to send a very large amount of SSL ALERT messages to the host network connection. This issue can also be mitigated by configuring firewalls to limit the number of connections per IP address, or use deep packet inspection to reject these type of alert packets. A future update may address this issue. Public via: http://seclists.org/oss-sec/2016/q4/224 Notes: 1. All nginx versions with SSL support compiled in and openssl 1.0.1*, <=1.0.2i, <=1.1.0a are affected. 2. To provide a complete single nginx worker lockup an attacker should be able to provide a rather big SSL ALERT messages flow comparable to the host network connection bandwidth, which is often difficult to achieve. 3. This type of attack can be controlled by various means on the network layer for example by configuring firewalls to limit number of connections per ip address, use deep packet inspection to reject these type of alert packets etc. External Reference: http://security.360.cn/cve/CVE-2016-8610 Created gnutls tracking bugs for this issue: Affects: fedora-all [bug 1388728] Created openssl101e tracking bugs for this issue: Affects: epel-5 [bug 1388727] Created openssl tracking bugs for this issue: Affects: fedora-all [bug 1388725] Created mingw-openssl tracking bugs for this issue: Affects: fedora-all [bug 1388726] This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 Via RHSA-2017:0286 https://rhn.redhat.com/errata/RHSA-2017-0286.html This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2017:0574 https://rhn.redhat.com/errata/RHSA-2017-0574.html Acknowledgments: Name: Shi Lei (Gear Team of Qihoo 360 Inc.) This issue has been addressed in the following products: Red Hat JBoss Core Services Via RHSA-2017:1415 https://access.redhat.com/errata/RHSA-2017:1415 This issue has been addressed in the following products: JBoss Core Services on RHEL 6 Via RHSA-2017:1414 https://access.redhat.com/errata/RHSA-2017:1414 This issue has been addressed in the following products: JBoss Core Services on RHEL 7 Via RHSA-2017:1413 https://access.redhat.com/errata/RHSA-2017:1413 This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform Via RHSA-2017:1659 https://access.redhat.com/errata/RHSA-2017:1659 This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Via RHSA-2017:1658 https://access.redhat.com/errata/RHSA-2017:1658 This issue has been addressed in the following products: Red Hat JBoss Enterprise Web Server 2 Via RHSA-2017:2494 https://access.redhat.com/errata/RHSA-2017:2494 This issue has been addressed in the following products: Red Hat JBoss Enterprise Web Server 2 for RHEL 6 Red Hat JBoss Enterprise Web Server 2 for RHEL 7 Via RHSA-2017:2493 https://access.redhat.com/errata/RHSA-2017:2493 |