OpenSSL versions 1.1.0 to 1.1.0h and 1.0.2 to 1.0.2o allow malicious servers to send very large primes to a client during DH(E) based TLS handshakes. This will cause the client to spend an unreasonably long period of time generating a key for this prime resulting in a hang until the client has finished. This could be exploited in a Denial Of Service attack. External Reference: https://www.openssl.org/news/secadv/20180612.txt Upstream Patches: https://github.com/openssl/openssl/commit/ea7abeeabf92b7aca160bdd0208636d4da69f4f4 https://github.com/openssl/openssl/commit/3984ef0b72831da8b3ece4745cac4f8575b19098
Created mingw-openssl tracking bugs for this issue: Affects: fedora-all [bug 1591102] Created openssl tracking bugs for this issue: Affects: fedora-all [bug 1591101]
Analysis: This is essentially a client crash. When a client complied with openssl connects to a malicious server, the server can send a very large prime in a DHKE handshake. This will cause the client to spend an unreasonably long period of time generating a key for this prime resulting in a hang until the client has finished. This could be exploited in a Denial Of Service attack. This flaw cannot be used to attack the openssl server.
This issue has been addressed in the following products: Red Hat OpenShift Application Runtimes Node.js 8 Via RHSA-2018:2552 https://access.redhat.com/errata/RHSA-2018:2552
This issue has been addressed in the following products: Red Hat OpenShift Application Runtimes Node.js 10 Via RHSA-2018:2553 https://access.redhat.com/errata/RHSA-2018:2553
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2018:3221 https://access.redhat.com/errata/RHSA-2018:3221
This vulnerability is out of security support scope for the following product: * Red Hat Enterprise Application Platform 5 Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
This issue has been addressed in the following products: JBoss Core Services Apache HTTP Server 2.4.29 SP2 Via RHSA-2019:1296 https://access.redhat.com/errata/RHSA-2019:1296
This issue has been addressed in the following products: JBoss Core Services on RHEL 7 JBoss Core Services on RHEL 6 Via RHSA-2019:1297 https://access.redhat.com/errata/RHSA-2019:1297
This issue has been addressed in the following products: JBoss Core Services Apache HTTP Server 2.4.29 SP2 Via RHSA-2019:1543 https://access.redhat.com/errata/RHSA-2019:1543