CVE-2018-0732. Client DoS due to large DH parameter.

Brocade Fabric OS

21249

13 September 2022

13 September 2022

Closed

Medium

Base Score: 7.5 HIGH - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

N/A

CVE-2018-0732

Summary

Security Advisory ID: BSA-2022-627

Component: OpenSSL

Revision: 1.0

During key agreement in a TLS handshake using a DH(E)-based ciphersuite, a malicious server can send a very large prime value to the client. This causes the client to spend an unreasonably long time generating a key for this prime, resulting in a hang until the client has finished. This could be exploited in a denial-of-service attack. Fixed in OpenSSL 1.1.0i-dev (affected: 1.1.0-1.1.0h). Fixed in OpenSSL 1.0.2p-dev (affected: 1.0.2-1.0.2o).
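The size check that defends a client against the oversized prime described above, as an added example that is not taken from this advisory or from OpenSSL's code: it parses the TLS ServerDHParams structure and rejects the modulus before any key generation. The 10000-bit cap, the function names and the sample inputs are assumptions made for this illustration.

```python
import struct

MAX_DH_MODULUS_BITS = 10000  # assumed policy cap for this example

class DHParamError(ValueError):
    """Server-supplied DH parameters are malformed or exceed policy."""

def read_opaque16(buf: bytes, off: int):
    """Read one TLS opaque<1..2^16-1> vector: 2-byte length, then the body."""
    if off + 2 > len(buf):
        raise DHParamError("truncated length field")
    (n,) = struct.unpack_from("!H", buf, off)
    body = buf[off + 2:off + 2 + n]
    if n == 0 or len(body) != n:
        raise DHParamError("bad vector length")
    return body, off + 2 + n

def check_server_dh_params(params: bytes, max_bits: int = MAX_DH_MODULUS_BITS):
    """Parse ServerDHParams (dh_p, dh_g, dh_Ys); enforce the cap before key generation."""
    p_raw, off = read_opaque16(params, 0)
    p = int.from_bytes(p_raw, "big")
    if p.bit_length() > max_bits:  # reject before any modular exponentiation
        raise DHParamError(f"modulus is {p.bit_length()} bits, cap is {max_bits}")
    g_raw, off = read_opaque16(params, off)
    ys_raw, off = read_opaque16(params, off)  # bytes after dh_Ys are not parsed here
    g, ys = int.from_bytes(g_raw, "big"), int.from_bytes(ys_raw, "big")
    if p % 2 == 0 or not (1 < g < p - 1) or not (1 < ys < p - 1):
        raise DHParamError("parameter out of range for this modulus")
    return p, g, ys

def dh_params_acceptable(params: bytes) -> bool:
    try:
        check_server_dh_params(params)
        return True
    except DHParamError:
        return False

def encode_params(p: int, g: int, ys: int) -> bytes:
    """Build a constructed ServerDHParams blob for the demo (not a real capture)."""
    def vec(x):
        raw = x.to_bytes((x.bit_length() + 7) // 8, "big")
        return struct.pack("!H", len(raw)) + raw
    return vec(p) + vec(g) + vec(ys)

# Constructed inputs: the numbers only have the right size, they are not real primes.
NORMAL = encode_params((1 << 2047) | 1, 2, 4)
OVERSIZED = encode_params((1 << 524279) | 1, 2, 4)  # 65535-byte dh_p, the wire maximum
if __name__ == "__main__":
    print(dh_params_acceptable(NORMAL), dh_params_acceptable(OVERSIZED))
```

The wire format alone allows a dh_p of up to 65535 bytes, so the cap has to be applied by the client before it computes anything with the modulus.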

Affected Products

  • Brocade Fabric OS versions before v9.0.0, v7.4.2j, v8.2.3c

Product under investigation

  • Brocade Active Support Connectivity Gateway (ASC-G)

Products Confirmed Not Vulnerable

  • Brocade Fabric OS versions after v9.0.0, v8.2.3c, v7.4.2j

No other Brocade Fibre Channel products from Broadcom are known to be affected by this vulnerability.

Solution

Security update provided in Brocade Fabric OS: v8.2.3c, v8.2.0_CBN5, v7.4.2j, and all later versions.

Revision History

Version    Change                 Date
1.0        Initial Publication    Sept 13, 2022