Nortel Response to 2 Potential DoS Vulnerabilities in OpenSSL
| Description: |
Two vulnerabilities have been reported in OpenSSL, which can be exploited by malicious people to cause a DoS (Denial of Service). Some Nortel products contain this software as a component and thus are potentially affected by the vulnerabilities addressed. This bulletin provides a multi-product consolidated response for the Nortel products which are potentially affected. This bulletin addresses the following potential vulnerabilities: 1) CVE-2008-0891 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0891) Double free vulnerability in OpenSSL 0.9.8f and 0.9.8g, when the TLS server name extensions are enabled, allows remote attackers to cause a denial of service (crash) via a crafted packet. NOTE: some of these details are obtained from third party information. 2) CVE-2008-1672 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1672) OpenSSL 0.9.8f and 0.9.8g allows remote attackers to cause a denial of service (crash) via a TLS handshake that omits the Server Key Exchange message and uses "particular cipher suites." Before taking any action please ensure that you are viewing the latest official version of this security advisory by referencing http://www.nortel.com/securityadvisories |
| Type: |
Security Advisories |
| Number: |
2008008922, Rev 2 |
| Status: |
Retired |
| Date: |
2008-08-06 |
