Bleepingcomputer
HollowByte Vulnerability in OpenSSL Allows DoS with 11-Byte Payload
Ask AI about this cluster
Analyzing cluster data...
Referenced clusters:
Something went wrong. Please try again.
Cluster AI
Ask questions about this threat cluster with AI-powered analysis.
Get Researcher $29.99/moArticle Content
The HollowByte vulnerability in OpenSSL enables unauthenticated attackers to trigger a denial-of-service (DoS) condition using a malicious payload of just 11 bytes. Discovered by Okta's Red Team, this flaw exploits how OpenSSL handles memory allocation during the TLS handshake. Vulnerable versions allocate memory based on the declared size in the handshake header before validating the actual data. This can lead to significant memory exhaustion, as the server may reserve large memory chunks for unfulfilled connections. The issue affects widely used software that relies on OpenSSL, including web servers like NGINX and Apache, as well as various language runtimes and databases. The OpenSSL team has released a fix, silently included in version 4.0.1 and backported to older versions. Organizations are advised to update to the patched versions to mitigate the risk. Although DoS vulnerabilities are typically less severe than those allowing data theft, they can still cause operational disruptions.
Key Points: • HollowByte allows DoS attacks on OpenSSL servers with an 11-byte payload. • The vulnerability affects multiple software projects, including NGINX and Apache. • OpenSSL has released a fix, and organizations should prioritize updating their systems.