Detections
Analytics
OpenSSL 1.0.2 < 1.0.2j Multiple DoS
medium Nessus Network Monitor Plugin ID 9627
Synopsis
The remote web server is running an outdated instance of OpenSSL and that is affected by multiple Denial of Service (DoS) vulnerabilities.Description
According to its banner, the version of OpenSSL on the remote host is 1.0.2 prior to 1.0.2j and is affected by multiple DoS vulnerabilities :- A flaw exists in the CRL functionality that is triggered when handling a certificate revocation list (CRL). With a specially crafted CRL, a context-dependent attacker can cause the service to crash due to a NULL pointer being dereferenced. (CVE-2016-7052)
- A flaw exists that is triggered when handling many consecutive 'SSL3_AL_WARNING' undefined alerts. By continuously sending warning alerts, a remote attacker can cause a process linked against the library to exhaust available CPU resources and potentially stop responding. (CVE-2016-8610)
Solution
Upgrade OpenSSL to version 1.0.2j or higher.See Also
https://www.openssl.org/news/secadv/20160926.txt
https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=af58be768ebb690f78530f796e92b8ae5c9a4401
Plugin Details
Severity: Medium
ID: 9627
Family: Web Servers
Published: 10/6/2016
Updated: 3/6/2019
Nessus ID: 93786
Risk Information
VPR
Risk Factor: Medium
Score: 4.4
CVSS v2
Risk Factor: Medium
Base Score: 5
Temporal Score: 4.1
Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSS v3
Risk Factor: Medium
Base Score: 5.3
Temporal Score: 4.9
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C
Vulnerability Information
CPE: cpe:/a:openssl:openssl
Patch Publication Date: 9/26/2016
Vulnerability Publication Date: 9/26/2016
Reference Information
CVE: CVE-2016-7052, CVE-2016-8610