阿里云漏洞库

Issue summary: Some non-default TLS server configurations can cause unbounded

memory growth when processing TLSv1.3 sessions

Impact summary: An attacker may exploit certain server configurations to trigger

unbounded memory growth that would lead to a Denial of Service

This problem can occur in TLSv1.3 if the non-default SSL_OP_NO_TICKET option is

being used (but not if early_data support is also configured and the default

anti-replay protection is in use). In this case, under certain conditions, the

session cache can get into an incorrect state and it will fail to flush properly

as it fills. The session cache will continue to grow in an unbounded manner. A

malicious client could deliberately create the scenario for this failure to

force a Denial of Service. It may also happen by accident in normal operation.

This issue only affects TLS servers supporting TLSv1.3. It does not affect TLS

clients.

The FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue. OpenSSL

1.0.2 is also not affected by this issue.

建议您更新当前系统或软件至最新版，完成漏洞的修复。

参考链接
http://www.openwall.com/lists/oss-security/2024/04/08/5
https://github.com/openssl/openssl/commit/7e4d731b1c07201ad9374c1cd9ac5263bdf35bce
https://github.com/openssl/openssl/commit/b52867a9f618bb955bed2a3ce3db4d4f97ed8e5d
https://github.com/openssl/openssl/commit/e9d7083e241670332e0443da0f0d4ffb52829f08
https://github.openssl.org/openssl/extended-releases/commit/5f8d25770ae6437db...
https://security.netapp.com/advisory/ntap-20240503-0013/
https://www.openssl.org/news/secadv/20240408.txt

CWE-ID	漏洞类型