A flaw has been disclosed in the OpenSSL API function X509_issuer_and_serial_hash() that may cause applications using it to crash, a potential denial of service (DoS) for their users.
The flaw lies in how a hash is computed from the Issuer and Serial Number fields of an X.509 certificate: malformed input can make the OpenSSL call fail and return a NULL value. In turn, this can crash the application calling the function.
The trigger is a maliciously crafted X.509 certificate whose Issuer and Serial Number fields are specially constructed to provoke this behavior.
Note that OpenSSL itself never calls this function; only third-party applications that use it are at risk.
You can find the CVE submission here:
It affects multiple applications, including Tenable.sc 5.13.0 to 5.17.0, NetApp 5, and others.
The affected versions are OpenSSL 1.1.1i and below. If you are running any version in the 1.1.1 to 1.1.1i range, you should upgrade to 1.1.1j.
OpenSSL 1.0.2 is no longer supported by the OpenSSL team, but our Extended Lifecycle Support team has prepared an updated OpenSSL 1.0.2 package for our users, so if your application relies on it, it will be safe.
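As an added example (not from the advisory or from CloudLinux), a small POSIX shell check that classifies the banner printed by `openssl version` against the version ranges stated above; the labels AFFECTED, EOL, FIXED and UNKNOWN are my own naming.

```shell
#!/bin/sh
# Added example, not part of the original advisory: classify an `openssl version`
# banner against the ranges given above. Output is one of:
#   AFFECTED - 1.1.1 through 1.1.1i: upgrade to 1.1.1j
#   EOL      - 1.0.2 branch: not fixed upstream, needs a vendor/ELS backport
#   FIXED    - 1.1.1j or later in the 1.1.1 branch
#   UNKNOWN  - anything else (other branches, LibreSSL, unparsable banner)
classify_openssl() {
    # $1 is the banner text, e.g. "OpenSSL 1.1.1i  8 Dec 2020"
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9.]*[a-z]*\).*/\1/p')
    case "$ver" in
        1.0.2*)                    echo EOL ;;
        1.1.1|1.1.1[abcdefghi])    echo AFFECTED ;;   # 1.1.1 .. 1.1.1i
        1.1.1[jklmnopqrstuvwxyz])  echo FIXED ;;      # 1.1.1j and later
        *)                         echo UNKNOWN ;;
    esac
}

# When run directly, check the locally installed binary (empty banner if absent).
classify_openssl "$(openssl version 2>/dev/null || true)"
```

The banner does not reflect distribution backports, so a vendor package that reports 1.1.1i may already carry the fix; confirm with the distribution's changelog before acting on an AFFECTED result.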
The Extended Lifecycle Support service removes the pressure to either upgrade servers immediately or leave them vulnerable to future exploits. It makes it possible to keep running a retired operating system on any server for 4 more years past the EOL date. With end-of-life extended support, administrators can protect critical servers from potential vulnerabilities while preparing a migration plan for future upgrades.
CloudLinux offers continuing updates and support for end-of-life Linux distributions such as CentOS 6, Oracle Linux 6 and Ubuntu 16.04 LTS. There is no need to change anything on your servers: a single command that adds a new repository file is all that is needed. After the repository is added, CloudLinux continues to provide updates and security patches until June 2024. Learn more about the Extended Lifecycle Support service at https://elsportal.com/