OpenSSL HollowByte: 11 bytes can pin server memory and trigger DoS

Colleagues, I’d like to flag a cyber security and TLS issue: OpenSSL has disclosed HollowByte.
Key takeaways:
• As little as 11 bytes in a TLS request can force a server to allocate up to 131 KB of memory.
• On glibc-based systems, this memory may not be released until the process is restarted.
• A fix is already available in releases 4.0.1, 3.6.3, 3.5.7, 3.4.6 and 3.0.21, released on 9 June.
• There is still no CVE, advisory, or changelog note.
Why it matters: standard connection controls may not be enough, so updating and restarting now is critical.
Have you checked which OpenSSL versions are deployed across your infrastructure?
#cybersecurity #OpenSSL #TLS #Vulnerability


Latest comments
No comments yet.