A flaw was found in the way OpenSSL processed ALERT packets during an SSL handshake. An attacker basically sends a large number of plaintext WARNING packets after CLIENTHELLO, which causes OpenSSL to go into an endless loop (while the attacker keeps on sending more alert packets), consequently taking 100% CPU. This may cause certain applications compiled against OpenSSL to hang and not be able to serve content to clients. This is especially true for servers which do not fork or allocate an extra thread for the processing of ClientHello, like nginx. This is fixed in the OpenSSL upstream commit: https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=af58be768ebb690f78530f796e92b8ae5c9a4401
CVE-2016-8610 was assigned to this issue.
The same issue may also affect GnuTLS servers. However, as GnuTLS delegates the burden of warning alerts to the application, there may be servers that are not vulnerable. I think the OpenSSL fix of adding a maximum number of received handshakes is reasonable, and there is already a similar one in GnuTLS. https://gitlab.com/gnutls/gnutls/commit/1ffb827e45721ef56982d0ffd5c5de52376c428e
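As an added illustration (not code from the OpenSSL or GnuTLS projects), a minimal model of the record-layer mitigation the two comments above describe: consecutive plaintext warning alerts received before the handshake completes are counted, and the connection is rejected once a cap is reached instead of looping indefinitely. The cap value, the state struct, and the constructed sample records are assumptions of this model.

```c
#include <stdint.h>
#include <stddef.h>

#define TLS_RT_ALERT         21
#define TLS_RT_HANDSHAKE     22
#define TLS_ALERT_WARNING    1
#define MAX_WARN_ALERT_COUNT 5   /* assumed cap for this model */

enum { ACCEPT = 0, REJECT_TOO_MANY_WARN_ALERTS = -1, REJECT_MALFORMED = -2 };

/* Minimal record-layer state: whether the handshake finished and how many
 * warning alerts arrived in a row while it was still in progress. */
struct rlayer { int handshake_done; unsigned int warn_alert_count; };

/* Feed one TLS record (5-byte header + body). Returns ACCEPT or a REJECT code.
 * Same shape as the upstream mitigation: count consecutive warning alerts and
 * abort once the cap is hit, so a flood cannot keep the server spinning. */
int process_record(struct rlayer *rl, const uint8_t *rec, size_t len)
{
    if (len < 5) return REJECT_MALFORMED;
    uint8_t type = rec[0];
    size_t body_len = ((size_t)rec[3] << 8) | rec[4];
    if (body_len != len - 5) return REJECT_MALFORMED;
    const uint8_t *body = rec + 5;

    if (type == TLS_RT_ALERT) {
        if (body_len != 2) return REJECT_MALFORMED;
        if (body[0] == TLS_ALERT_WARNING && !rl->handshake_done) {
            if (++rl->warn_alert_count >= MAX_WARN_ALERT_COUNT)
                return REJECT_TOO_MANY_WARN_ALERTS;
        }
        return ACCEPT; /* warning ignored; fatal alerts are out of scope here */
    }
    rl->warn_alert_count = 0; /* any non-alert record resets the counter */
    return ACCEPT;
}

/* Drive the model with a constructed stream: one placeholder handshake record
 * (not a real ClientHello) followed by n_alerts plaintext warning alerts.
 * Returns ACCEPT if every record was accepted, else the first rejection. */
int simulate_flood(unsigned int n_alerts)
{
    struct rlayer rl = {0, 0};
    const uint8_t client_hello[] = { TLS_RT_HANDSHAKE, 0x03, 0x03, 0x00, 0x04,
                                     0x01, 0x00, 0x00, 0x00 };
    const uint8_t warn_alert[]   = { TLS_RT_ALERT, 0x03, 0x03, 0x00, 0x02,
                                     TLS_ALERT_WARNING, 0x00 };
    int r = process_record(&rl, client_hello, sizeof client_hello);
    for (unsigned int i = 0; i < n_alerts && r == ACCEPT; i++)
        r = process_record(&rl, warn_alert, sizeof warn_alert);
    return r;
}
```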
Statement: This flaw affects applications that are compiled against OpenSSL or GnuTLS and do not allocate an extra thread for processing ClientHello messages. Nginx is affected by this issue; Apache httpd is not affected by this issue. This issue has been rated as having a security impact of Moderate. It requires an attacker to send a very large amount of SSL ALERT messages to the host network connection. This issue can also be mitigated by configuring firewalls to limit the number of connections per IP address, or by using deep packet inspection to reject this type of alert packet. A future update may address this issue.
Public via: http://seclists.org/oss-sec/2016/q4/224
Notes:
1. All nginx versions with SSL support compiled in and OpenSSL 1.0.1*, <=1.0.2i, <=1.1.0a are affected.
2. To produce a complete single nginx worker lockup, an attacker should be able to provide a rather big flow of SSL ALERT messages comparable to the host network connection bandwidth, which is often difficult to achieve.
3. This type of attack can be controlled by various means on the network layer, for example by configuring firewalls to limit the number of connections per IP address, using deep packet inspection to reject this type of alert packet, etc.
External Reference: http://security.360.cn/cve/CVE-2016-8610
Created gnutls tracking bugs for this issue: Affects: fedora-all [bug 1388728]
Created openssl101e tracking bugs for this issue: Affects: epel-5 [bug 1388727]
Created openssl tracking bugs for this issue: Affects: fedora-all [bug 1388725]
Created mingw-openssl tracking bugs for this issue: Affects: fedora-all [bug 1388726]
This issue has been addressed in the following products: Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7 Via RHSA-2017:0286 https://rhn.redhat.com/errata/RHSA-2017-0286.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2017:0574 https://rhn.redhat.com/errata/RHSA-2017-0574.html
Acknowledgments: Name: Shi Lei (Gear Team of Qihoo 360 Inc.)
This issue has been addressed in the following products: Red Hat JBoss Core Services Via RHSA-2017:1415 https://access.redhat.com/errata/RHSA-2017:1415
This issue has been addressed in the following products: JBoss Core Services on RHEL 6 Via RHSA-2017:1414 https://access.redhat.com/errata/RHSA-2017:1414
This issue has been addressed in the following products: JBoss Core Services on RHEL 7 Via RHSA-2017:1413 https://access.redhat.com/errata/RHSA-2017:1413
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform Via RHSA-2017:1659 https://access.redhat.com/errata/RHSA-2017:1659
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7, Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Via RHSA-2017:1658 https://access.redhat.com/errata/RHSA-2017:1658
This issue has been addressed in the following products: Red Hat JBoss Enterprise Web Server 2 Via RHSA-2017:2494 https://access.redhat.com/errata/RHSA-2017:2494
This issue has been addressed in the following products: Red Hat JBoss Enterprise Web Server 2 for RHEL 6, Red Hat JBoss Enterprise Web Server 2 for RHEL 7 Via RHSA-2017:2493 https://access.redhat.com/errata/RHSA-2017:2493