漏洞类别:General remote services
漏洞等级: 
漏洞信息
The OpenSSL Project is an Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS) protocols as well as a general purpose cryptography library.
OpenSSL contains the following vulnerabilities:
- TLS connections using *-CHACHA20-POLY1305 ciphersuites are susceptible to a DoS attack by corrupting larger payloads.
- Applications parsing invalid CMS structures can crash with a NULL pointer dereference. This is caused by a bug in the handling of the ASN.1 CHOICE type in OpenSSL.
- There is a carry propagating bug in the Broadwell-specific Montgomery multiplication procedure that handles input lengths divisible by, but longer than 256 bits.
Affected Versions:
OpenSSL version prior to 1.1.0c
漏洞危害
Successful exploitation allows attacker to cause denial of service.
解决方案
OpenSSL version 1.1.0c have been released to address these issues. Refer to OpenSSL Advisory to obtain more information.
Patch:
Following are links for downloading patches to fix the vulnerabilities:
0day
文章评论