OpenSSL has silently fixed HollowByte, an unauthenticated denial-of-service flaw that can be triggered with only an 11-byte malicious payload and can leave servers memory-bloated until restart. Okta’s Red Team warns that organizations using OpenSSL in products like NGINX, Apache, Node.js, Python, Ruby, PHP, MySQL, and PostgreSQL should upgrade immediately to the patched releases. #OpenSSL #HollowByte #NGINX #Apache #Nodejs #Python #Ruby #PHP #MySQL #PostgreSQL
Keypoints
- HollowByte lets unauthenticated attackers trigger a DoS on OpenSSL servers.
- The attack can be launched with just 11 bytes of malicious data.
- Vulnerable OpenSSL versions allocate memory before validating the TLS payload size.
- Repeated connections can fragment heap memory and permanently bloat server RSS.
- OpenSSL 4.0.1 and backported releases 3.6.3, 3.5.7, 3.4.6, and 3.0.21 fix the issue.