// For flags

CVE-2008-1678

httpd: mod_ssl per-connection memory leak for connections with zlib compression

Severity Score

7.5
*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

2
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

Memory leak in the zlib_stateful_init function in crypto/comp/c_zlib.c in libssl in OpenSSL 0.9.8f through 0.9.8h allows remote attackers to cause a denial of service (memory consumption) via multiple calls, as demonstrated by initial SSL client handshakes to the Apache HTTP Server mod_ssl that specify a compression algorithm.

Fuga de memoria en la Función zlib_stateful_init en crypto/comp/c_zlib.c en libssl en OpenSSL v0.9.8f a la 0.9.8h, permite a atacantes remotos causar una denegación de servicio (consumo de memoria) a través de múltiples llamadas, como se ha demostrado mediante una negociación cliente SSL inicial al servidor HTTP Apache (mod_ssl) que especifica un algoritmo de compresión.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High
Attack Vector
Network
Attack Complexity
Low
Authentication
None
Confidentiality
None
Integrity
None
Availability
Partial
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2008-04-03 CVE Reserved
  • 2008-07-10 CVE Published
  • 2024-08-07 CVE Updated
  • 2024-08-07 First Exploit
  • 2025-03-30 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-399: Resource Management Errors
  • CWE-401: Missing Release of Memory after Effective Lifetime
CAPEC
References (33)
URL Tag Source
http://bugs.gentoo.org/show_bug.cgi?id=222643 X_refsource_confirm
http://secunia.com/advisories/31416 Third Party Advisory
http://secunia.com/advisories/32222 Third Party Advisory
http://secunia.com/advisories/34219 Third Party Advisory
http://secunia.com/advisories/35264 Third Party Advisory
http://secunia.com/advisories/38761 Third Party Advisory
http://secunia.com/advisories/42724 Third Party Advisory
http://secunia.com/advisories/42733 Third Party Advisory
http://secunia.com/advisories/44183 Third Party Advisory
http://securityreason.com/securityalert/3981 Third Party Advisory
http://support.apple.com/kb/HT3216 X_refsource_confirm
http://svn.apache.org/viewvc?view=rev&revision=654119 X_refsource_confirm
http://www.securityfocus.com/bid/31681 Vdb Entry
http://www.securityfocus.com/bid/31692 Vdb Entry
http://www.vupen.com/english/advisories/2008/2780 Vdb Entry
https://bugs.edge.launchpad.net/bugs/186339 X_refsource_confirm
https://exchange.xforce.ibmcloud.com/vulnerabilities/43948 Vdb Entry
https://issues.apache.org/bugzilla/show_bug.cgi?id=44975 X_refsource_confirm
https://kb.bluecoat.com/index?page=content&id=SA50 X_refsource_confirm
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9754 Signature
URL Date SRC
http://marc.info/?l=openssl-dev&m=121060672602371&w=2 2024-08-07
https://bugs.edge.launchpad.net/bugs/224945 2024-08-07
URL Date SRC
URL Date SRC
http://lists.apple.com/archives/security-announce/2008/Oct/msg00001.html 2023-02-13
http://lists.opensuse.org/opensuse-security-announce/2008-11/msg00000.html 2023-02-13
http://secunia.com/advisories/31026 2023-02-13
http://security.gentoo.org/glsa/glsa-200807-06.xml 2023-02-13
http://slackware.com/security/viewer.php?l=slackware-security&y=2010&m=slackware-security.663049 2023-02-13
http://www.mandriva.com/security/advisories?name=MDVSA-2009:124 2023-02-13
http://www.redhat.com/support/errata/RHSA-2009-1075.html 2023-02-13
http://www.ubuntu.com/usn/USN-731-1 2023-02-13
https://bugzilla.redhat.com/show_bug.cgi?id=447268 2009-05-27
https://www.redhat.com/archives/fedora-package-announce/2008-August/msg00055.html 2023-02-13
https://access.redhat.com/security/cve/CVE-2008-1678 2009-05-27
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Openssl
Search vendor "Openssl"
 Openssl
Search vendor "Openssl" for product "Openssl"
 0.9.8f
Search vendor "Openssl" for product "Openssl" and version "0.9.8f"
-
Affected
Openssl
Search vendor "Openssl"
 Openssl
Search vendor "Openssl" for product "Openssl"
 0.9.8g
Search vendor "Openssl" for product "Openssl" and version "0.9.8g"
-
Affected
Openssl
Search vendor "Openssl"
 Openssl
Search vendor "Openssl" for product "Openssl"
 0.9.8h
Search vendor "Openssl" for product "Openssl" and version "0.9.8h"
-
Affected