Published: Tuesday, July 25th, 2017
Last Update: Tuesday, July 25th, 2017
A Denial-of-Service (DoS) flaw was found in the way the TLS/SSL protocol defined processing of ALERT packets during a connection handshake. A remote attacker could use this flaw to make a TLS/SSL server consume an excessive amount of CPU and fail to accept connections from other clients. Accordingly, the following vulnerabilities are addressed in this document that may affect the TLS/SSL data-plane of ACOS devices.
SSL/TLS: Malformed plain-text ALERT packets could cause remote DoS [1, 2, 3]
The table below indicates releases of ACOS exposed to these vulnerabilities and ACOS releases that address these issues or are otherwise unaffected by them.
Customers using affected ACOS releases can overcome vulnerability exposures by updating to the indicated resolved release. If the table does not list a corresponding resolved or unaffected release, then no ACOS release update is currently available.
| Affected Releases          | Releases Resolved or Unaffected             |
|----------------------------|---------------------------------------------|
| 4.1.0 – 4.1.0-P7           | 2.7.1-GR1-P3, 2.7.2-P10, 4.1.0-P8, 4.1.1-P1 |
| 2.7.2 – 2.7.2-P9           |                                             |
| 2.7.1-GR1 – 2.7.1-GR1-P2   |                                             |
| 2.6.1-GR1 – 2.6.1-GR1-P16  |                                             |
Workarounds and Mitigations
Exposure to this vulnerability can be mitigated by configuring firewalls to limit the number of connections per IP address, or by using deep packet inspection to reject this type of alert packet.
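As an added illustration of the deep-packet-inspection mitigation above (example code written for this page, not A10 or ACOS code), the scanner below walks the TLS record layer of a captured client-to-server stream and counts ALERT records that arrive before ChangeCipherSpec, i.e. in plain text during the handshake. The record-type values are the standard TLS ones; the rejection threshold and the sample streams are constructed assumptions.

```python
import struct

# Standard TLS record-layer content types.
CT_CHANGE_CIPHER_SPEC = 20
CT_ALERT = 21
CT_HANDSHAKE = 22


def parse_records(data: bytes):
    """Yield (content_type, version, payload) for each complete TLS record."""
    off = 0
    while off + 5 <= len(data):
        ctype, ver, length = struct.unpack("!BHH", data[off:off + 5])
        end = off + 5 + length
        if end > len(data):
            break  # truncated trailing record: stop rather than misparse
        yield ctype, ver, data[off + 5:end]
        off = end


def count_plaintext_alerts(data: bytes) -> dict:
    """Count ALERT records seen before ChangeCipherSpec (unencrypted).

    Warning-level alerts are the interesting ones: a fatal alert ends the
    connection, a warning lets the handshake keep consuming server CPU.
    """
    summary = {"records": 0, "plaintext_alerts": 0, "warning_alerts": 0, "malformed": 0}
    encrypted = False
    for ctype, _ver, payload in parse_records(data):
        summary["records"] += 1
        if ctype == CT_CHANGE_CIPHER_SPEC:
            encrypted = True
        elif ctype == CT_ALERT and not encrypted:
            summary["plaintext_alerts"] += 1
            if len(payload) != 2:
                summary["malformed"] += 1  # alert body must be exactly level + description
            elif payload[0] == 1:
                summary["warning_alerts"] += 1
    return summary


def should_reject(data: bytes, max_plaintext_alerts: int = 4) -> bool:
    """DPI-style decision; the threshold is an assumed tuning value."""
    s = count_plaintext_alerts(data)
    return s["malformed"] > 0 or s["plaintext_alerts"] > max_plaintext_alerts


# Constructed samples: a ClientHello stub, then a burst of warning/close_notify
# alerts (SUSPECT); and a normal handshake where the alert follows ChangeCipherSpec.
HELLO = bytes.fromhex("16030300080100000403030000")
SUSPECT_STREAM = HELLO + bytes.fromhex("15030300020100") * 6
BENIGN_STREAM = HELLO + bytes.fromhex("140303000101") + bytes.fromhex("15030300020100")
MALFORMED_STREAM = HELLO + bytes.fromhex("150303000101")
```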