There is a vulnerability in some versions of the OpenSSL software that can enable an attacker to crash remote clients or servers using a specially constructed record.
The flaw gives an attacker the ability to use a single TLS record to take out remote machines that are running a vulnerable version of the OpenSSL software. The OpenSSL team has released a patch for the vulnerability, which affects versions 0.9.8f-0.9.8m.
In TLS connections, certain incorrectly formatted records can cause an OpenSSL
client or server to crash due to a read attempt at NULL.
Affected versions depend on the C compiler used with OpenSSL:
– If ‘short’ is a 16-bit integer, this issue applies only to OpenSSL 0.9.8m.
– Otherwise, this issue applies to OpenSSL 0.9.8f through 0.9.8m.
Users of the vulnerable versions should upgrade immediately.