Orange Business Services
Vigil@nce
we track for your security since 1999
Vigil@nce team describes computer vulnerabilities impacting your systems, and offers solutions to correct them.

vulnerability bulletin CVE-2009-4355

OpenSSL: memory leak of CRYPTO_cleanup_all_ex_data

Synthesis of the vulnerability

An attacker can generate a memory leak in some applications using the OpenSSL CRYPTO_cleanup_all_ex_data() function.
Severity: 2/4.
Creation date: 13/01/2010.

Description of the vulnerability

The OpenSSL CRYPTO_cleanup_all_ex_data() function frees data that is no longer used. However, in OpenSSL versions later than 0.9.8f, this function does not free the COMP_CTX structure related to zlib compression, which creates a memory leak.

Applications using the OpenSSL CRYPTO_cleanup_all_ex_data() function are thus impacted by a denial of service.

In 2008, the Apache httpd mod_ssl module used this function, and was thus impacted by a denial of service (VIGILANCE-VUL-7969). This vulnerability was corrected by modifying mod_ssl, instead of correcting the root of the problem (OpenSSL).

The PHP module with Curl also uses this function, and is thus impacted by a denial of service. In 2010, developers decided not to correct PHP/Curl, but to correct the root of the problem (OpenSSL).
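The leak pattern the bulletin describes, a library-wide cleanup routine that releases most state but forgets one lazily created sub-structure, is modelled below in C. This is an added illustration and not OpenSSL code: the types `lib_state_t` and `comp_ctx_t`, the functions `cleanup_all_ex_data_buggy()`, `cleanup_all_ex_data_fixed()` and `leaked_blocks_after()`, and the live-block counter are all invented stand-ins for the real COMP_CTX bookkeeping. The counter does what a practitioner would otherwise do with Valgrind or a leak sanitizer against the real library: run a number of init/cleanup cycles and confirm that the number of live heap blocks returns to zero. An application that calls the buggy cleanup repeatedly (for example once per connection) grows by a fixed amount each cycle, which is the denial of service described above.

```c
/* Model of the cleanup bug described in the bulletin (added example,
 * not OpenSSL code; all names are invented stand-ins). */
#include <stdlib.h>

/* Counter of live heap blocks, so a check can prove whether a cleanup leaks. */
static long live_blocks = 0;

static void *tracked_alloc(size_t n) {
    void *p = calloc(1, n);
    if (p) live_blocks++;
    return p;
}

static void tracked_free(void *p) {
    if (p) { live_blocks--; free(p); }
}

/* Stand-in for a zlib COMP_CTX: a state block plus an internal buffer. */
typedef struct {
    unsigned char *buf;
    size_t buf_len;
} comp_ctx_t;

/* Stand-in for the library-wide state the cleanup routine owns. */
typedef struct {
    void *ex_data;       /* application extra data */
    comp_ctx_t *comp;    /* compression context, created when compression is enabled */
} lib_state_t;

static comp_ctx_t *comp_ctx_new(size_t buf_len) {
    comp_ctx_t *c = tracked_alloc(sizeof *c);
    if (!c) return NULL;
    c->buf = tracked_alloc(buf_len);
    if (!c->buf) { tracked_free(c); return NULL; }
    c->buf_len = buf_len;
    return c;
}

static void comp_ctx_free(comp_ctx_t *c) {
    if (!c) return;
    tracked_free(c->buf);
    tracked_free(c);
}

/* One library initialisation: extra data plus a compression context. */
static lib_state_t *lib_init(void) {
    lib_state_t *s = tracked_alloc(sizeof *s);
    if (!s) return NULL;
    s->ex_data = tracked_alloc(64);
    s->comp = comp_ctx_new(4096);
    return s;
}

/* Buggy cleanup: frees the extra data and the state block, but never the
 * compression context, so two heap blocks escape on every call. */
static void cleanup_all_ex_data_buggy(lib_state_t *s) {
    if (!s) return;
    tracked_free(s->ex_data);
    tracked_free(s);            /* s->comp and s->comp->buf are leaked here */
}

/* Fixed cleanup: also releases the compression context. */
static void cleanup_all_ex_data_fixed(lib_state_t *s) {
    if (!s) return;
    tracked_free(s->ex_data);
    comp_ctx_free(s->comp);
    tracked_free(s);
}

/* Run `cycles` init/cleanup rounds and return how many heap blocks are still
 * live afterwards: 0 means the cleanup is complete, >0 means it leaks. */
long leaked_blocks_after(int cycles, int use_fixed) {
    live_blocks = 0;
    for (int i = 0; i < cycles; i++) {
        lib_state_t *s = lib_init();
        if (use_fixed) cleanup_all_ex_data_fixed(s);
        else           cleanup_all_ex_data_buggy(s);
    }
    return live_blocks;
}

int main(void) {
    /* Each buggy cycle leaks two blocks (the context and its buffer);
     * the fixed cleanup leaves nothing behind. */
    long leaked = leaked_blocks_after(100, 0);
    long fixed  = leaked_blocks_after(100, 1);
    return (leaked == 200 && fixed == 0) ? 0 : 1;
}
```

The check generalises to any cleanup routine: if the live-block count after N cycles grows linearly in N, some allocation owned by the state is not being released, and the slope tells you how many blocks per cycle are missing.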


Characteristics

Title: OpenSSL: memory leak of CRYPTO_cleanup_all_ex_data.
Keywords: 2008 2010 Apache COMP_CTX CRYPTO_cleanup_all_ex_data Curl OpenSSL PHP leak memory mod_ssl.
Identifiers: c02079216, CVE-2009-4355, DSA-1970-1, FEDORA-2010-5357, HPSBUX02517, MDVSA-2010:022, RHSA-2010:0054-01, SSA:2010-060-02, SSRT100058, TLSA-2010-4, VIGILANCE-VUL-9348, VMSA-2010-0009, VMSA-2010-0009.1.
Pointed by: VIGILANCE-VUL-7969.

Information sources

Publications and announcements
Source example: [SECURITY] memory leak DoS in php module for httpd with SSLv3 requests CVE-2009-4355

Solutions for this vulnerability

Patch or workaround

Computer vulnerabilities tracking service

The Vigil@nce computer vulnerability tracking service alerts your teams of vulnerabilities or threats impacting your information system.
The Vigil@nce vulnerability database contains several thousand vulnerabilities.
This bulletin is published by the Vigil@nce team, which tracks computer vulnerabilities impacting systems and applications.
France Télécom Copyright 1999-2010 Vigil@nce. Vigil@nce is a service from Orange Business Services. Site map. Legal notice. Version française