OpenSSL HollowByte Flaw Could Freeze Server Memory with 11-Byte TLS Requests
OpenSSL HollowByte Flaw Could Freeze Server Memory with 11-Byte TLS Requests — [https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhk66eU1Srifu4Rdpf7M
What’s new: A flaw in OpenSSL, named HollowByte, allows attackers to freeze server memory with 11-byte TLS requests. This issue affects versions prior to the June 9, 2023, releases (OpenSSL 4.0.1, 3.6.3, 3.5.7, 3.4.6, and 3.0.21). The flaw can lead to denial-of-service conditions as it causes memory to remain allocated even after the connection is dropped, potentially exhausting server resources.
Who’s affected
All OpenSSL servers running versions prior to the fixed releases are vulnerable, particularly those using glibc systems. The flaw can lead to significant memory fragmentation and exhaustion, impacting server performance and availability.
What to do
- Upgrade to OpenSSL versions 4.0.1, 3.6.3, 3.5.7, 3.4.6, or 3.0.21 released on June 9, 2023.
- Restart any services using the old OpenSSL version after upgrading.
- Check with your package maintainer to ensure the patch is applied if using a backported version.



