OpenSSL HollowByte Flaw Could Freeze Server Memory with 11-Byte TLS Requests
Overview
A recently discovered vulnerability in OpenSSL, dubbed the HollowByte flaw, can cause unpatched servers to reserve up to 131 KB of memory for a tiny 11-byte TLS request that never arrives. This issue can lead to a denial-of-service condition, where the server's memory is tied up until the process is restarted. The problem was identified by Okta's Red Team, which reported it without a CVE or formal advisory. OpenSSL issued a fix for this vulnerability in June, but the lack of documentation means many users may remain unaware of the risk. As a result, organizations running affected OpenSSL versions should ensure they apply the update to avoid potential service disruptions.
Key Takeaways
- Affected Systems: OpenSSL servers, particularly on glibc systems
- Action Required: Apply the OpenSSL patch released in June 2023 to mitigate the vulnerability.
- Timeline: Disclosed on June 2023
Original Article Summary
Eleven bytes will make an unpatched OpenSSL server set aside up to 131 KB of memory for a message that never arrives. On the glibc systems Okta tested, that memory is gone until the process restarts. OpenSSL shipped the HollowByte fix in June with no CVE, no advisory, and no changelog entry pointing at it. Okta's Red Team, which reported the denial-of-service bug and named it, published the
Impact
OpenSSL servers, particularly on glibc systems
Exploitation Status
No active exploitation has been reported at this time. However, organizations should still apply patches promptly as proof-of-concept code may exist.
Timeline
Disclosed on June 2023
Remediation
Apply the OpenSSL patch released in June 2023 to mitigate the vulnerability.
Additional Information
This threat intelligence is aggregated from trusted cybersecurity sources. For the most up-to-date information, technical details, and official vendor guidance, please refer to the original article linked below.
Related Topics: This incident relates to CVE, Vulnerability, Update, and 1 more.