Bug 1152961 (CVE-2014-3567) - CVE-2014-3567 openssl: Invalid TLS/SSL session tickets could cause memory leak leading to server crash
Summary: CVE-2014-3567 openssl: Invalid TLS/SSL session tickets could cause memory lea...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2014-3567
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1152854 1152855 1152856 1152857 1154551
Blocks: 1152790 1155552
TreeView+ depends on / blocked
 
Reported: 2014-10-15 09:35 UTC by Huzaifa S. Sidhpurwala
Modified: 2021-10-20 10:46 UTC (History)
50 users (show)

Fixed In Version: openssl 0.9.8zc, openssl 1.0.0o, openssl 1.0.1j
Doc Type: Bug Fix
Doc Text:
A memory leak flaw was found in the way an OpenSSL handled failed session ticket integrity checks. A remote attacker could exhaust all available memory of an SSL/TLS or DTLS server by sending a large number of invalid session tickets to that server.
Clone Of:
Environment:
Last Closed: 2021-10-20 10:46:35 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2014:1652 0 normal SHIPPED_LIVE Important: openssl security update 2014-10-16 18:59:13 UTC
Red Hat Product Errata RHSA-2014:1692 0 normal SHIPPED_LIVE Important: openssl security update 2014-10-22 21:15:52 UTC
Red Hat Product Errata RHSA-2015:0126 0 normal SHIPPED_LIVE Critical: rhev-hypervisor6 security update 2015-02-04 22:52:31 UTC

Description Huzaifa S. Sidhpurwala 2014-10-15 09:35:43 UTC 
OpenSSL upstream reported the following security flaw:

When an OpenSSL SSL/TLS/DTLS server receives a session ticket the integrity of that ticket is first verified. In the event of a session ticket integrity check failing, OpenSSL will fail to free memory causing a memory leak. By sending a large number of invalid session tickets an attacker could exploit this issue in a Denial Of Service attack.

OpenSSL 1.0.1 users should upgrade to 1.0.1j.
OpenSSL 1.0.0 users should upgrade to 1.0.0o.
OpenSSL 0.9.8 users should upgrade to 0.9.8zc.

This issue was reported to OpenSSL on 8th October 2014.

The fix was developed by Stephen Henson of the OpenSSL core team.

External Reference:

https://www.openssl.org/news/secadv_20141015.txt
Comment 2 Huzaifa S. Sidhpurwala 2014-10-15 14:07:03 UTC 
Upstream patch:

OpenSSL-1.0.1:
https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=7fd4ce6a997be5f5c9e744ac527725c2850de203

OpenSSL-0.9.8:
https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=2ed80d14d7159de7b52c7720128459e8c24a94d5
Comment 3 Huzaifa S. Sidhpurwala 2014-10-15 14:24:25 UTC 
Statement:

This issue does not affect the version of openssl shipped with Red Hat Enterprise Linux 5; Red Hat JBoss Enterprise Application Server 5 and 6; and Red Hat JBoss Enterprise Web Server 1 and 2 because openssl-0.9.8e does not include support for session tickets.
Comment 5 Martin Prpič 2014-10-15 16:30:24 UTC 
IssueDescription:

A memory leak flaw was found in the way an OpenSSL handled failed session ticket integrity checks. A remote attacker could exhaust all available memory of an SSL/TLS or DTLS server by sending a large number of invalid session tickets to that server.
Comment 6 Tomas Hoger 2014-10-15 19:45:21 UTC 
Fixed upstream in OpenSSL versions 0.9.8zc, 1.0.0o and 1.0.1j:

https://www.openssl.org/news/secadv_20141015.txt
Comment 15 errata-xmlrpc 2014-10-16 15:00:09 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 7

Via RHSA-2014:1652 https://rhn.redhat.com/errata/RHSA-2014-1652.html
Comment 18 errata-xmlrpc 2014-10-22 17:16:54 UTC 
This issue has been addressed in the following products:

  Red Hat Storage 2.1

Via RHSA-2014:1692 https://rhn.redhat.com/errata/RHSA-2014-1692.html
Comment 19 errata-xmlrpc 2015-02-04 17:53:07 UTC 
This issue has been addressed in the following products:

  RHEV-H and Agents for RHEL-6

Via RHSA-2015:0126 https://rhn.redhat.com/errata/RHSA-2015-0126.html
Note You need to log in before you can comment on or make changes to this bug.