CVE-2008-1678Missing Release of Memory after Effective Lifetime in Openssl

CWE-399CWE-401Missing Release of Memory after Effective Lifetime14 documents8 sources
Severity
5.0MEDIUMNVD
EPSS
9.0%
top 7.39%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
4
OpensslDebian Apache2Debian Openssl+1 more
Timeline
PublishedJul 10
Latest updateDec 29

Description

Memory leak in the zlib_stateful_init function in crypto/comp/c_zlib.c in libssl in OpenSSL 0.9.8f through 0.9.8h allows remote attackers to cause a denial of service (memory consumption) via multiple calls, as demonstrated by initial SSL client handshakes to the Apache HTTP Server mod_ssl that specify a compression algorithm.

CVSS vector

AV:N/AC:L/C:N/I:N/A:PExploitability: 10.0 | Impact: 2.9

Affected Packages5 packages

debiandebian/apache2< apache2 2.2.8-4 (bookworm)
debiandebian/openssl< openssl 0.9.8k-8 (bookworm)
Debianopenssl/openssl< 0.9.8k-8+3
NVDopenssl/openssl0.9.8l+48
NVDredhat/openssl0.9.6-15, 0.9.6b-3, 0.9.7a-2+2

🔴Vulnerability Details

4
GHSA
GHSA-cg3r-vf2p-3f9h: Memory leak in the zlib_stateful_finish function in crypto/comp/c_zlib2022-05-02
GHSA
GHSA-xwx3-pfr8-5rp4: Memory leak in the zlib_stateful_init function in crypto/comp/c_zlib2022-05-01
OSV
CVE-2009-4355: Memory leak in the zlib_stateful_finish function in crypto/comp/c_zlib2010-01-14
OSV
CVE-2008-1678: Memory leak in the zlib_stateful_init function in crypto/comp/c_zlib2008-07-10

📋Vendor Advisories

5
Red Hat
openssl significant memory leak in certain SSLv3 requests (DoS)2010-01-13
Ubuntu
Apache vulnerabilities2009-03-10
Debian
CVE-2009-4355: openssl - Memory leak in the zlib_stateful_finish function in crypto/comp/c_zlib.c in Open...2009
Red Hat
httpd: mod_ssl per-connection memory leak for connections with zlib compression2008-04-30
Debian
CVE-2008-1678: apache2 - Memory leak in the zlib_stateful_init function in crypto/comp/c_zlib.c in libssl...2008

📄Research Papers

1
arXiv
One Bad Apple Spoils the Barrel: Understanding the Security Risks Introduced by Third-Party Components in IoT Firmware2022-12-29

💬Community

2
Bugzilla
CVE-2009-4355 openssl significant memory leak in certain SSLv3 requests (DoS)2009-12-11
Bugzilla
CVE-2008-1678 httpd: mod_ssl per-connection memory leak for connections with zlib compression2008-05-19