PT-2016-3312 · OpenSSL +4

Alex Gaynor · Published 2016-09-22 · Updated 2022-12-13 · CVE-2016-6305

CVSS v2.0: 7.8 (High)

Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C

Name of the Vulnerable Software and Affected Versions

OpenSSL version 1.1.0 before 1.1.0a
OpenSSL versions 1.1.0 through 1.1.0 (excluding 1.1.0a and later)

Description

The issue is in the ssl3_read_bytes function in record/rec_layer_s3.c in OpenSSL. It allows remote attackers to cause a denial of service (infinite loop) by triggering a zero-length record in an SSL_peek call. This is due to insufficient input validation.

Recommendations

For OpenSSL version 1.1.0 before 1.1.0a, update to version 1.1.0a or later to resolve the issue.
As a temporary workaround, consider disabling the ssl3_read_bytes function until a patch is available.
Restrict access to the record/rec_layer_s3.c module to minimize the risk of exploitation.
Avoid using the SSL_peek call with zero-length records in the affected OpenSSL versions until the issue is resolved.

Exploit

Fix

DoS

RCE

Weakness Enumeration

Related Identifiers

BDU:2020-02965
CVE-2016-6305
MGASA-2016-0408

Affected Products

Cisco IOS XR
Huawei VRP
Junos
Nessus
OpenSSL