Initial Publication Date: Advisory Status: Advisory Severity: CVSS Base Score:Legacy ID
7 Apr 2017 Closed Medium CVSS v2: 5.0 SA142
The SSL Visibility appliance may, under certain circumstances, generate invalid TCP reset (RST) packets to remote SSL servers when terminating an intercepted SSL connection. Some SSL servers may ignore the invalid RST packet received and keep the TCP connection open. A malicious SSL client, under certain circumstances, can exploit this vulnerability to cause TCP connection pool exhaustion at the SSL server, resulting in denial of service. The SSL Visibility appliance is not impacted because it correctly releases its TCP connection state.
SSLV may, under certain circumstances, generate invalid TCP RST packets when terminating an intercepted SSL connection. Some SSL servers may fail to validate the invalid TCP RST packet, ignore it, and keep the TCP connection open. A malicious SSL client, under certain circumstances, can exploit this vulnerability to create a large number of open TCP connections on the SSL server and cause denial of service through TCP connection pool exhaustion. The SSL Visibility appliance is not impacted because it correctly releases its TCP connection state.
Thanks to the NTT-ME Corporation Security Team for reporting the vulnerability via JPCERT/CC.
2018-02-23 SA status moved to Final.
2018-02-22 A fix for SSLV 3.10 is available in 188.8.131.52.
2017-11-15 SSLV 3.12 is not vulnerable because a fix is available in 184.108.40.206.
2017-08-02 SSLV 4.1 is not vulnerable.
2017-05-24 Added reference to JPCERT/CC JVN#91438377.
2017-04-07 initial public release
This is machine translated content
Login to Subscribe
Please login to set up your
Would you like to be subscribed to future notifications for this article?
For security reasons, your link to this document has expired. Please click on the attachment link to access this file.
The attachment that you are looking for no longer exists.
There has been an issue retrieving your attachment. Please try again.
Currently server is down.
Didn't find the article you were looking for? Try these resources.