Metric | Value |
---|---|
CVSS2 score | 5 Medium |
Access Vector | NETWORK |
Access Complexity | LOW |
Authentication | NONE |
Confidentiality Impact | NONE |
Integrity Impact | NONE |
Availability Impact | PARTIAL |
CVSS2 vector | AV:N/AC:L/Au:N/C:N/I:N/A:P |
EPSS | 0.713 High |
EPSS Percentile | 98.0% |

DISPUTED OpenSSL before 0.9.8l, and 0.9.8m through 1.x, does not
properly restrict client-initiated renegotiation within the SSL and TLS
protocols, which might make it easier for remote attackers to cause a
denial of service (CPU consumption) by performing many renegotiations
within a single connection, a different vulnerability than CVE-2011-5094.
NOTE: it can also be argued that it is the responsibility of server
deployments, not a security library, to prevent or limit renegotiation when
it is inappropriate within a specific environment.
Author | Note |
---|---|
jdstrand | Protocol issue. Nothing to be done at this time. Marking low because while renegotiation makes the DoS faster, standard DoS methods still apply for SSL servers that need to set up the SSL connection. per Red Hat, should not affect httpd/mod_ssl |
mdeslaur | this CVE is specific to openssl, nss is in CVE-2011-5094; we’re not going to fix this, since it’s disputed |
orchilles.com/2011/03/ssl-renegotiation-dos.html
vincent.bernat.im/en/blog/2011-ssl-dos-mitigation.html
www.educatedguesswork.org/2011/10/ssltls_and_computational_dos.html
www.ietf.org/mail-archive/web/tls/current/msg07553.html
www.nessus.org/plugins/index.php?view=single&id=53491
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1473
launchpad.net/bugs/cve/CVE-2011-1473
nvd.nist.gov/vuln/detail/CVE-2011-1473
security-tracker.debian.org/tracker/CVE-2011-1473