| Summary: | Lacking a check for the return value of SSL_renegotiate() | | |
|---|---|---|---|
| Product: | Apache httpd-2 | Reporter: | UVScan <daniel.zhao1002> |
| Component: | mod_ssl | Assignee: | Apache HTTPD Bugs Mailing List <bugs> |
| Status: | RESOLVED FIXED | | |
| Severity: | critical | Keywords: | PatchAvailable |
| Priority: | P2 | | |
| Version: | 2.5-HEAD | | |
| Target Milestone: | --- | | |
| Hardware: | PC | | |
| OS: | Mac OS X 10.1 | | |

Description
UVScan
2022-08-17 06:19:31 UTC
If httpd does not check the return value of SSL_renegotiate(), it could cause a DoS attack. Since the SSL renegotiation process needs many computing resources and the current httpd does not break the renegotiation process when the return value is 0 (for error), we can initiate many renegotiation requests to exhaust the resources of devices or services, causing a DoS attack.