The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of Novell Open Enterprise Server: denial of service via HTTPSTK

Synthesis of the vulnerability 

An attacker can generate several SSL errors in HTTPSTK of Novell Open Enterprise Server, in order to trigger a denial of service.
Vulnerable products: OES.
Severity of this weakness: 2/4.
Creation date: 04/12/2013.
References of this bulletin: 7014063, CVE-2013-3707, VIGILANCE-VUL-13866.

Description of the vulnerability 

The HTTPSTK service listens on port 8009/tcp.

However, when an SSL session ends with an error, the HTTPSTK service does not call the SSL_free() and SSL_shutdown() functions. The TCP socket thus stays in the CLOSE_WAIT state.

An attacker can therefore generate several SSL errors in HTTPSTK of Novell Open Enterprise Server, in order to trigger a denial of service.
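
To check a host for the symptom described above, the following added example (not part of the original bulletin or of any Novell tooling) counts sockets on port 8009/tcp that sit in CLOSE_WAIT, grouped by remote address, from text in the Linux /proc/net/tcp layout. The sample table, the function names and the alert threshold are assumptions made for illustration, and IPv4 on a little-endian host is assumed.

```python
import socket
from collections import Counter

HTTPSTK_PORT = 8009  # port named in the bulletin
CLOSE_WAIT = 0x08    # state code in the "st" column of /proc/net/tcp

# Constructed sample in /proc/net/tcp layout (documentation addresses, not a capture).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:1F49 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1
   1: 0100000A:1F49 0A0200C0:C350 08 00000000:00000001 00:00000000 00000000     0        0 1002 1
   2: 0100000A:1F49 0A0200C0:C351 08 00000000:00000001 00:00000000 00000000     0        0 1003 1
   3: 0100000A:1F49 0A0200C0:C352 08 00000000:00000001 00:00000000 00000000     0        0 1004 1
   4: 0100000A:1F49 0B0200C0:D000 08 00000000:00000001 00:00000000 00000000     0        0 1005 1
   5: 0100000A:1F49 0B0200C0:D001 01 00000000:00000000 00:00000000 00000000     0        0 1006 1
   6: 0100000A:01BB 076433C6:E000 08 00000000:00000001 00:00000000 00000000     0        0 1007 1
"""

def _decode_v4(hex_addr):
    """Decode 'AABBCCDD:PPPP' (IPv4, little-endian host assumed) to (ip, port)."""
    ip_hex, port_hex = hex_addr.split(":")
    return socket.inet_ntoa(bytes.fromhex(ip_hex)[::-1]), int(port_hex, 16)

def close_wait_by_peer(table, port=HTTPSTK_PORT):
    """Count CLOSE_WAIT sockets whose local port is `port`, keyed by remote IP."""
    counts = Counter()
    for line in table.splitlines()[1:]:       # skip the column header
        fields = line.split()
        if len(fields) < 4:                   # blank or truncated row
            continue
        _, local_port = _decode_v4(fields[1])
        if local_port == port and int(fields[3], 16) == CLOSE_WAIT:
            counts[_decode_v4(fields[2])[0]] += 1
    return counts

def leak_suspected(table, threshold, port=HTTPSTK_PORT):
    """True when the total CLOSE_WAIT count on `port` reaches `threshold` (site-chosen)."""
    return sum(close_wait_by_peer(table, port).values()) >= threshold

if __name__ == "__main__":
    for peer, n in close_wait_by_peer(SAMPLE).most_common():
        print(f"{peer}: {n} socket(s) in CLOSE_WAIT on port {HTTPSTK_PORT}")
```

On a live system, pass the contents of /proc/net/tcp instead of SAMPLE; a count that keeps growing between runs indicates sockets the service never closed.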

This weakness note impacts software or systems such as OES.

Our Vigil@nce team determined that the severity of this threat note is medium.

The trust level is "confirmed by a trusted third party", with an origin of document.

An attacker with an expert ability can exploit this computer weakness.

Solutions for this threat 

Novell Open Enterprise Server: new novell-nrm packages.
New packages are available:
  novell-nrm-2.0.2-297.305.302.3