Vulnerability Note VU#386964
OpenSSL SSLv2 client code fails to properly check for NULL
A flaw in the OpenSSL library could allow a remote attacker to cause a denial of service on an affected application.
The OpenSSL toolkit implements the Secure Sockets Layer (SSL versions 2 and 3) and Transport Layer Security (TLS version 1) protocols as well as a general purpose cryptographic library. A missing check for NULL exists in the SSLv2 client get_server_hello() function. As a result, an affected client application using OpenSSL to create an SSLv2 connection to a malicious server could be caused to crash.
A remote attacker could cause an affected client application to crash, creating a denial of service.
Upgrade or apply a patch from the vendor
Patches have been released to address this issue. Please see the Systems Affected section of this document for more information.
Systems Affected (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|Debian GNU/Linux||Affected||15 Sep 2006||02 Oct 2006|
|F5 Networks, Inc.||Affected||15 Sep 2006||21 Sep 2006|
|FreeBSD, Inc.||Affected||15 Sep 2006||28 Sep 2006|
|OpenPKG||Affected||-||02 Oct 2006|
|OpenSSL||Affected||06 Sep 2006||28 Sep 2006|
|Oracle Corporation||Affected||-||17 Jan 2007|
|Red Hat, Inc.||Affected||15 Sep 2006||02 Oct 2006|
|rPath||Affected||-||02 Oct 2006|
|Slackware Linux Inc.||Affected||15 Sep 2006||02 Oct 2006|
|SUSE Linux||Affected||15 Sep 2006||02 Oct 2006|
|Trustix Secure Linux||Affected||15 Sep 2006||02 Oct 2006|
|Ubuntu||Affected||15 Sep 2006||28 Sep 2006|
|Force10 Networks, Inc.||Not Affected||15 Sep 2006||22 Jul 2011|
|Fujitsu||Not Affected||15 Sep 2006||29 Sep 2006|
|Global Technology Associates||Not Affected||15 Sep 2006||18 Sep 2006|
CVSS Metrics (Learn More)
Thanks to Tavis Ormandy and Will Drewry of the Google Security Team for reporting this vulnerability.
This document was written by Chad R Dougherty.
- CVE IDs: CVE-2006-4343
- Date Public: 28 Sep 2006
- Date First Published: 28 Sep 2006
- Date Last Updated: 22 Jul 2011
- Severity Metric: 0.32
- Document Revision: 30
If you have feedback, comments, or additional information about this vulnerability, please send us email.