Robert Åšwiä™Cki

**Name of the Vulnerable Software and Affected Versions** OpenSSL versions 1.1.0 through 1.1.0b **Description** The issue is related to the implementation of the CHACHA20-POLY1305 algorithm in OpenSSL, specifically with the handling of corrupted payloads in TLS connections that use *-CHACHA20-POLY1305 ciphersuites. This can lead to a denial of service (DoS) attack, causing OpenSSL to crash. The problem is not considered exploitable beyond a DoS. **Recommendations** For OpenSSL versions 1.1.0 through 1.1.0b, update to version 1.1.0c or later to resolve the issue. At the moment, there is no information about additional mitigation measures for this specific vulnerability.

**Name of the Vulnerable Software and Affected Versions** OpenSSL version 1.1.0a **Description** The issue is related to the use of memory after it has been freed in the statem/statem.c component of the OpenSSL library. This can be exploited by a remote attacker to gain unauthorized access to confidential data, cause a denial of service, or impact data integrity through a specially crafted TLS session. The problem arises because the statem/statem.c file in OpenSSL 1.1.0a does not account for memory block movement after a realloc call, allowing remote attackers to cause a denial of service or possibly execute arbitrary code. **Recommendations** For OpenSSL version 1.1.0a, consider updating to a newer version that addresses this issue, as using memory after it has been freed can lead to significant security risks. As a temporary workaround, consider restricting the use of TLS sessions to minimize the risk of exploitation.