Uninitialized Pointer Dereference in OpenSSL

Status: UNKNOWN / No patch available (2837 days since disclosure)

Threat Intelligence

Low Risk
🔍 Detection Tools: None available in major open-source tools
⚔️ Exploit Availability: No public exploits found


What is it?

OpenSSL is a widely used cryptographic library. This vulnerability is an uninitialized pointer dereference: an attacker can crash a process that uses the OpenSSL library by sending it a specially crafted packet of data. The immediate impact is denial of service (DoS); depending on what the uninitialized pointer refers to, it could potentially also allow an attacker to execute arbitrary code on the system.

Am I affected?

You're affected if you use OpenSSL version 1.0.2k-fossil-softened, 1.1.1d, or 3.0.2. To check which protocol the remote server negotiates, run (note the correct option name is -tls1_2, with an underscore):

openssl s_client -connect www.example.com:443 -tls1_2 2>&1 | grep 'SSLv3 method'

or, discarding stderr:

openssl s_client -connect www.example.com:443 -tls1_2 2>/dev/null

Version info not stated in advisory.

Affected Packages

maven: org.openssl:openssl

Affected Products

OpenSSL Project / OpenSSL

How to fix

- Upgrade to OpenSSL 1.1.1l or later.
- For immediate mitigation, disable SSLv3 by setting the SSL_OP_NO_SSLv3 option (via SSL_CTX_set_options) when initializing OpenSSL.