Software Engineering Institute

OpenSSL implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols and includes a general purpose cryptographic library. SSL and TLS are commonly used to provide authentication, encryption, integrity, and non-repudiation services to network applications such as HTTP, IMAP, POP3, LDAP, and others.

According to RFC2712, TLS allows clients and servers to negotiate cipher suites to meet specific security and administrative policies. In order to provide Kerberos-based authentication, TLS supports the Kerberos cipher suites.

Versions 0.9.7a, 0.9.7b, and 0.9.7c of OpenSSL contain a vulnerability in code that processes SSL/TLS handshakes using Kerberos cipher suites. This vulnerability can be exploited by a remote attacker using a specially crafted SSL/TLS handshake to a server configured to use the Kerberos cipher suites. When the server attempts to process this request, OpenSSL could crash. OpenSSL 0.9.6 is not affected.

Further information is available in an advisory from OpenSSL and NISCC/224012/OpenSSL/2.

A remote, unauthenticated attacker could cause a denial of service in an application that uses OpenSSL with Kerberos cipher suites.

Upgrade or Patch
Upgrade to OpenSSL 0.9.7d. Alternatively, upgrade or apply a patch as specified by your vendor. Note that it is necessary to recompile any applications that are statically linked to OpenSSL libraries.