5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
0.598 Medium
EPSS
Percentile
97.8%
DISPUTED OpenSSL before 0.9.8l, and 0.9.8m through 1.x, does not
properly restrict client-initiated renegotiation within the SSL and TLS
protocols, which might make it easier for remote attackers to cause a
denial of service (CPU consumption) by performing many renegotiations
within a single connection, a different vulnerability than CVE-2011-5094.
NOTE: it can also be argued that it is the responsibility of server
deployments, not a security library, to prevent or limit renegotiation when
it is inappropriate within a specific environment.
Author | Note |
---|---|
jdstrand | Protocol issue. Nothing to be done at this time. Marking low because while renegotiation makes the DoS faster, standard DoS methods still apply for SSL servers that need to setup the SSL connection. per Redhat, should not affect httpd/mod_ssl |
mdeslaur | this CVE is specific to openssl, nss is in CVE-2011-5094 we’re not going to fix this, since it’s disputed |
orchilles.com/2011/03/ssl-renegotiation-dos.html
vincent.bernat.im/en/blog/2011-ssl-dos-mitigation.html
www.educatedguesswork.org/2011/10/ssltls_and_computational_dos.html
www.ietf.org/mail-archive/web/tls/current/msg07553.html
www.nessus.org/plugins/index.php?view=single&id=53491
launchpad.net/bugs/cve/CVE-2011-1473
nvd.nist.gov/vuln/detail/CVE-2011-1473
security-tracker.debian.org/tracker/CVE-2011-1473
www.cve.org/CVERecord?id=CVE-2011-1473