CVE-2004-0112

Name of the Vulnerable Software and Affected Versions OpenSSL versions 0.9.7a through 0.9.7c

Description The issue is related to the SSL/TLS handshaking code in OpenSSL, which does not properly check the length of Kerberos tickets during a handshake when using Kerberos ciphersuites. This allows remote attackers to cause a denial of service (crash) via a crafted SSL/TLS handshake that causes an out-of-bounds read. The exploitation of this issue can lead to a disruption of confidentiality, integrity, and availability of protected information and can be performed remotely.

Recommendations For OpenSSL versions 0.9.7a through 0.9.7c, consider disabling the use of Kerberos ciphersuites as a temporary workaround until a patch is available. Restrict access to the SSL/TLS handshake procedure to minimize the risk of exploitation. Avoid using the Kerberos tickets in the affected SSL/TLS handshake until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.