On 28/09/2023 11:23, Manish Patidar wrote:
Thanks, Mark, for your reply.
We have extended support for this version.
To access extended support for advice on this please raise an issue via
your organisation's login to github.openssl.org.
Matt
Is there any way to avoid this vulnerability?
On Tue, Sep 26, 2023 at 10:38 PM Mark Hack <markhack@xxxxxxxxxxxx> wrote:
The MITRE CVE dictionary describes this issue as:
** DISPUTED ** OpenSSL before 0.9.8l, and 0.9.8m through 1.x, does
not properly restrict client-initiated renegotiation within the SSL
and TLS protocols, which might make it easier for remote attackers
to cause a denial of service (CPU consumption) by performing many
renegotiations within a single connection, a different vulnerability
than CVE-2011-5094. NOTE: it can also be argued that it is the
responsibility of server deployments, not a security library, to
prevent or limit renegotiation when it is inappropriate within a
specific environment.
Besides this being a questionable CVE, the version you are using
went EOS a long time ago unless you have an extended contract.
Regards
Mark Hack
On 9/26/23 11:56, Manish Patidar wrote:
Hi
Our product is using OpenSSL 1.0.2, and one of the vulnerability
scan tools reported vulnerability CVE-2011-1473.
Vulnerability description:
OpenSSL doesn't properly restrict client-initiated renegotiation
within the SSL and TLS protocols, which might make it easier for
remote attackers to cause a denial of service (CPU consumption) by
performing many renegotiations within a single connection.
The only solution available for this vulnerability is to disable
renegotiation using the SSL_OP_NO_RENEGOTIATION option. But this
option is not available in OpenSSL 1.0.2.
Any suggestions on how to fix this vulnerability in OpenSSL 1.0.2?
Regards
Manish
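As an added example (not code from this thread, nor OpenSSL's own): since 1.0.2 has no SSL_OP_NO_RENEGOTIATION, the deployment-side mitigation the MITRE note alludes to is to detect renegotiation from the SSL info callback and drop the connection once a policy limit is hit. The guard below does that with an operator-chosen limit; all names are hypothetical, the policy logic is plain C, and the OpenSSL wiring sits behind an opt-in macro so it only builds when the 1.0.2 headers and libssl are present.

```c
/* Added example, not from the thread: a per-connection guard against
 * client-initiated renegotiation for OpenSSL 1.0.2, which lacks
 * SSL_OP_NO_RENEGOTIATION. The policy is plain C so it builds anywhere;
 * the OpenSSL wiring compiles only with -DRENEG_GUARD_WITH_OPENSSL -lssl. */
#include <string.h>

#ifdef RENEG_GUARD_WITH_OPENSSL
#include <openssl/ssl.h>
#else
#define SSL_CB_HANDSHAKE_START 0x10   /* same values as OpenSSL's ssl.h */
#define SSL_CB_HANDSHAKE_DONE  0x20
#endif

struct reneg_guard {
    int handshakes_done; /* completed handshakes on this connection */
    int renegs_seen;     /* handshakes started after the first completed */
    int max_renegs;      /* policy: how many renegotiations to tolerate */
    int must_close;      /* set once the policy is exceeded */
};

void reneg_guard_init(struct reneg_guard *g, int max_renegs) {
    memset(g, 0, sizeof *g);
    g->max_renegs = max_renegs;
}

/* Feed the `where` bitmask from an SSL info callback.
 * Returns 1 when the connection should be dropped, else 0. */
int reneg_guard_on_event(struct reneg_guard *g, int where) {
    if (where & SSL_CB_HANDSHAKE_DONE) {
        g->handshakes_done++;
    } else if ((where & SSL_CB_HANDSHAKE_START) && g->handshakes_done > 0) {
        /* A handshake starting after one has completed is a renegotiation. */
        if (++g->renegs_seen > g->max_renegs)
            g->must_close = 1;
    }
    return g->must_close;
}

#ifdef RENEG_GUARD_WITH_OPENSSL
/* Wiring (hypothetical names): at startup take an ex_data slot with
 *   reneg_idx = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL);
 *   SSL_CTX_set_info_callback(ctx, reneg_info_cb);
 * per connection attach a guard with SSL_set_ex_data(ssl, reneg_idx, g),
 * and after every SSL_read/SSL_write check g->must_close and close the
 * socket: the info callback cannot abort the handshake by itself. */
static int reneg_idx = -1;
static void reneg_info_cb(const SSL *ssl, int where, int ret) {
    struct reneg_guard *g = SSL_get_ex_data(ssl, reneg_idx);
    (void)ret;
    if (g) reneg_guard_on_event(g, where);
}
#endif
```

A limit of 0 matches what SSL_OP_NO_RENEGOTIATION later provides (no renegotiation at all); a small positive limit tolerates legitimate uses such as a mid-connection client-certificate request while still bounding the CPU an abusive peer can force.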