HollowByte DDoS flaw bloats OpenSSL server memory with 11-byte payload

HollowByte DDoS flaw bloats OpenSSL server memory with 11-byte payload
OpenSSL has silently fixed HollowByte, an unauthenticated denial-of-service flaw that can be triggered with only an 11-byte malicious payload and can leave servers memory-bloated until restart. Okta’s Red Team warns that organizations using OpenSSL in products like NGINX, Apache, Node.js, Python, Ruby, PHP, MySQL, and PostgreSQL should upgrade immediately to the patched releases. #OpenSSL #HollowByte #NGINX #Apache #Nodejs #Python #Ruby #PHP #MySQL #PostgreSQL

Keypoints

  • HollowByte lets unauthenticated attackers trigger a DoS on OpenSSL servers.
  • The attack can be launched with just 11 bytes of malicious data.
  • Vulnerable OpenSSL versions allocate memory before validating the TLS payload size.
  • Repeated connections can fragment heap memory and permanently bloat server RSS.
  • OpenSSL 4.0.1 and backported releases 3.6.3, 3.5.7, 3.4.6, and 3.0.21 fix the issue.

Read More: https://www.bleepingcomputer.com/news/security/hollowbyte-ddos-flaw-bloats-openssl-server-memory-with-11-byte-payload/