
CERT Coordination Center

OpenSSL Server Name extension Denial of Service

Vulnerability Note VU#661475

Original Release Date: 2008-05-30 | Last Revised: 2008-05-30


A vulnerability exists in OpenSSL that may allow a remote attacker to cause a denial of service.


OpenSSL contains a vulnerability in the way server name extension data is handled that may result in a denial of service. According to OpenSSL Security Advisory [28-May-2008]:

If OpenSSL has been compiled using the non-default TLS server name extensions, a remote attacker could send a carefully crafted packet to a server application using OpenSSL and cause it to crash.

The advisory identifies OpenSSL 0.9.8f and 0.9.8g as affected; the issue is fixed in 0.9.8h. Builds that were not configured with TLS server name extension support (the default configuration for these versions) do not contain the affected code.
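The attack surface described above is the extension_data of the server_name extension in a ClientHello: a 16-bit list length followed by entries of a one-byte name_type, a 16-bit name length, and the name bytes (RFC 4366). The following is an added example, not code from OpenSSL or from the advisory, and it does not reconstruct the specific defect; it shows what a defensive parser for this field checks before trusting any length, so that a crafted packet is rejected with an error rather than acted on. The 255-byte host name limit, the error codes, and the sample byte strings are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Upper bound on an accepted host name; 255 is the DNS name limit. This is an
 * assumption for the example, not a value taken from OpenSSL. */
#define SNI_MAX_HOST_NAME 255

enum sni_result {
    SNI_OK = 0,
    SNI_ERR_TRUNCATED,  /* a length field runs past the end of the data */
    SNI_ERR_TRAILING,   /* bytes left over after the declared list */
    SNI_ERR_EMPTY,      /* empty list, empty host_name, or no host_name entry */
    SNI_ERR_DUPLICATE,  /* more than one host_name entry (forbidden by RFC 4366) */
    SNI_ERR_TOO_LONG,   /* host_name longer than the limit or the caller's buffer */
    SNI_ERR_BAD_CHAR    /* host_name containing NUL or non-ASCII bytes */
};

static uint16_t read_u16(const uint8_t *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Parse server_name extension_data:
 *   uint16 list_len, then entries of { uint8 name_type; uint16 len; opaque name[len] }
 * Every length is compared against the bytes actually present before it is used.
 * On SNI_OK the host name is copied, NUL-terminated, into out. */
enum sni_result parse_server_name_ext(const uint8_t *data, size_t len,
                                      char *out, size_t out_size)
{
    size_t pos, end, list_len;
    int seen_host_name = 0;

    if (len < 2)
        return SNI_ERR_TRUNCATED;
    list_len = read_u16(data);
    pos = 2;
    if (list_len == 0)
        return SNI_ERR_EMPTY;
    if (list_len > len - pos)
        return SNI_ERR_TRUNCATED;
    if (list_len < len - pos)
        return SNI_ERR_TRAILING;
    end = pos + list_len;

    while (pos < end) {
        uint8_t name_type;
        size_t name_len, i;

        if (end - pos < 3)                  /* need name_type + 16-bit length */
            return SNI_ERR_TRUNCATED;
        name_type = data[pos];
        name_len = read_u16(data + pos + 1);
        pos += 3;
        if (name_len > end - pos)
            return SNI_ERR_TRUNCATED;

        if (name_type == 0) {               /* host_name */
            if (seen_host_name)
                return SNI_ERR_DUPLICATE;
            seen_host_name = 1;
            if (name_len == 0)
                return SNI_ERR_EMPTY;
            if (name_len > SNI_MAX_HOST_NAME || name_len >= out_size)
                return SNI_ERR_TOO_LONG;
            for (i = 0; i < name_len; i++)
                if (data[pos + i] == 0 || data[pos + i] >= 0x80)
                    return SNI_ERR_BAD_CHAR;
            memcpy(out, data + pos, name_len);
            out[name_len] = '\0';
        }
        /* Other name types are skipped; their length was still validated above. */
        pos += name_len;
    }
    return seen_host_name ? SNI_OK : SNI_ERR_EMPTY;
}

/* Constructed test vectors (not captured traffic). */
static const uint8_t SAMPLE_GOOD[] = {        /* one host_name entry: "example.com" */
    0x00, 0x0E, 0x00, 0x00, 0x0B, 'e', 'x', 'a', 'm', 'p', 'l', 'e', '.', 'c', 'o', 'm' };
static const uint8_t SAMPLE_SHORT_LIST[] = {  /* list_len says 14, only 6 bytes follow */
    0x00, 0x0E, 0x00, 0x00, 0x0B, 'e', 'x', 'a' };
static const uint8_t SAMPLE_SHORT_NAME[] = {  /* host_name length 255, 2 bytes present */
    0x00, 0x05, 0x00, 0x00, 0xFF, 'a', 'b' };
static const uint8_t SAMPLE_DUPLICATE[] = {   /* two host_name entries */
    0x00, 0x08, 0x00, 0x00, 0x01, 'a', 0x00, 0x00, 0x01, 'b' };
static const uint8_t SAMPLE_TRAILING[] = {    /* one stray byte after the list */
    0x00, 0x04, 0x00, 0x00, 0x01, 'a', 0xFF };

static char g_host[SNI_MAX_HOST_NAME + 1];

/* Parse into a fixed buffer; last_host_name() returns the most recent result. */
enum sni_result parse_sample(const uint8_t *data, size_t len)
{
    g_host[0] = '\0';
    return parse_server_name_ext(data, len, g_host, sizeof g_host);
}

const char *last_host_name(void) { return g_host; }

int main(void)
{
    printf("good:       %d (%s)\n", parse_sample(SAMPLE_GOOD, sizeof SAMPLE_GOOD), last_host_name());
    printf("short list: %d\n", parse_sample(SAMPLE_SHORT_LIST, sizeof SAMPLE_SHORT_LIST));
    printf("short name: %d\n", parse_sample(SAMPLE_SHORT_NAME, sizeof SAMPLE_SHORT_NAME));
    printf("duplicate:  %d\n", parse_sample(SAMPLE_DUPLICATE, sizeof SAMPLE_DUPLICATE));
    printf("trailing:   %d\n", parse_sample(SAMPLE_TRAILING, sizeof SAMPLE_TRAILING));
    return 0;
}
```

The point of the structure is that every length field is bounded by the enclosing length before any read or copy, the list must account for exactly the bytes present, and the RFC 4366 rule of at most one host_name entry is enforced, so a malformed extension ends in a decode error the caller can map to a TLS alert instead of in undefined behaviour.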


A remote, unauthenticated attacker may be able to crash a server application that uses OpenSSL, causing a denial of service.


Upgrade or Apply Patch
OpenSSL has issued an upgrade (0.9.8h) and a patch to address this issue. See OpenSSL Security Advisory [28-May-2008] for more information. OpenSSL is included in various Linux and UNIX distributions. Please consult the relevant documentation of your distribution to obtain the appropriate updates.

Vendor Information


OpenSSL: Affected

Updated:  May 30, 2008



Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.


Refer to OpenSSL Security Advisory [28-May-2008] for more information.


CVSS Metrics

Group Score Vector
Base 0 AV:--/AC:--/Au:--/C:--/I:--/A:--
Temporal 0 E:ND/RL:ND/RC:ND
Environmental 0 CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND



This issue was reported in OpenSSL Security Advisory [28-May-2008]. OpenSSL credits Codenomicon for reporting the issue.

This document was written by Chris Taschner.

Other Information

CVE IDs: CVE-2008-0891
Severity Metric: 14.88
Date Public: 2008-05-28
Date First Published: 2008-05-30
Date Last Updated: 2008-05-30 15:35 UTC
Document Revision: 9
