The SSL Visibility appliance may, under certain circumstances, generate invalid TCP reset (RST) packets to remote SSL servers when terminating an intercepted SSL connection. Some SSL servers may ignore the invalid RST packet received and keep the TCP connection open. A malicious SSL client, under certain circumstances, can exploit this vulnerability to cause TCP connection pool exhaustion at the SSL server, resulting in denial of service. The SSL Visibility appliance is not impacted because it correctly releases its TCP connection state.
CVE | Affected Version(s) | Remediation
---|---|---
All CVEs | 4.0 and later | Not vulnerable
All CVEs | 3.12 | Not vulnerable, fixed in 3.12.1.1.
All CVEs | 3.11 | Upgrade to 3.11.3.1.
All CVEs | 3.10 | Upgrade to 3.10.4.1.
All CVEs | 3.9 | Upgrade to later release with fixes.
All CVEs | 3.8.4FC | Upgrade to later release with fixes.
Severity / CVSSv2 | Medium / 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
References | SecurityFocus: BID 97525 / NVD: CVE-2016-10259
Impact | Denial of service
Description | SSLV may, under certain circumstances, generate invalid TCP RST packets when terminating an intercepted SSL connection. Some SSL servers may fail to validate the invalid TCP RST packet, ignore it, and keep the TCP connection open. A malicious SSL client, under certain circumstances, can exploit this vulnerability to create a large number of open TCP connections on the SSL server and cause denial of service through TCP connection pool exhaustion. The SSL Visibility appliance is not impacted because it correctly releases its TCP connection state.
Thanks to the NTT-ME Corporation Security Team for reporting the vulnerability via JPCERT/CC.
JPCERT/CC JVN#91438377 - <https://jvn.jp/en/jp/JVN91438377/>
2018-02-23 SA status moved to Final.
2018-02-22 A fix for SSLV 3.10 is available in 3.10.4.1.
2017-11-15 SSLV 3.12 is not vulnerable because a fix is available in 3.12.1.1.
2017-08-02 SSLV 4.1 is not vulnerable.
2017-05-24 Added reference to JPCERT/CC JVN#91438377.
2017-04-07 Initial public release.
CPE | Name | Operator | Version |
---|---|---|---|
ssl visibility (sslv) | eq | 4 | |
ssl visibility (sslv) | eq | 3 | |
ssl visibility (sslv) | eq | 3 | |
ssl visibility (sslv) | eq | 3 | |
ssl visibility (sslv) | eq | 3 | |
ssl visibility (sslv) | eq | 3 |