OpenSSL CVE-2015-0290 Request Smuggling Vulnerability

Description

Severity: Moderate

OpenSSL 1.0.2 introduced the "multiblock" performance improvement. This feature only applies on 64 bit x86 architecture platforms that support AES NI instructions. A defect in the implementation of "multiblock" can cause OpenSSL's internal write buffer to become incorrectly set to NULL when using non-blocking IO. Typically, when the user application is using a socket BIO for writing, this will only result in a failed connection. However if some other BIO is used then it is likely that a segmentation fault will be triggered, thus enabling a potential DoS attack.

This issue affects OpenSSL version: 1.0.2

OpenSSL 1.0.2 users should upgrade to 1.0.2a.

This issue was reported to OpenSSL on 13th February 2015 by Daniel Danner and Rainer Mueller. The fix was developed by Matt Caswell of the OpenSSL development team.
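The conditions above (release 1.0.2 exactly, 64-bit x86, AES-NI present) can be turned into a host triage check. The following is an added example, not code from the advisory or from OpenSSL. The function names, result labels, sample banners and the "review" rule for tagged builds are assumptions made for illustration.

```python
import re

AFFECTED_RELEASE = "1.0.2"  # per the advisory; 1.0.2a carries the fix

# "OpenSSL 1.0.2a 19 Mar 2015" -> release "1.0.2", letter "a", no tag
_BANNER = re.compile(r"^OpenSSL\s+(\d+\.\d+\.\d+)([a-z]*)(-[\w.]+)?\b")

def parse_banner(banner):
    """Split an `openssl version` banner into (release, patch letter, tag)."""
    m = _BANNER.match(banner.strip())
    if not m:
        raise ValueError(f"unrecognised OpenSSL banner: {banner!r}")
    return m.group(1), m.group(2), m.group(3) or ""

def cpu_flags_from_cpuinfo(text):
    """Return the flag set of the first CPU listed in Linux /proc/cpuinfo text."""
    for line in text.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "flags":
            return set(value.split())
    return set()

def triage(banner, machine, cpu_flags):
    """Classify a host against the conditions stated in the advisory."""
    release, letter, tag = parse_banner(banner)
    # A prefix match on "1.0.2" would wrongly flag the fixed 1.0.2a, so the
    # patch letter is compared separately from the numeric release.
    if release != AFFECTED_RELEASE or letter:
        return "not-affected"
    if tag:
        # Assumption: pre-release or vendor-tagged builds are not covered by
        # the advisory text, so they are queued for manual review.
        return "review"
    # "multiblock" only applies on 64-bit x86 with AES-NI (Linux flag "aes").
    if machine.lower() not in ("x86_64", "amd64") or "aes" not in cpu_flags:
        return "not-exposed"
    return "affected"

# Constructed sample inputs (not taken from the advisory).
SAMPLE_CPUINFO = "processor\t: 0\nflags\t\t: fpu sse2 aes avx\n"
SAMPLE_BANNERS = ["OpenSSL 1.0.2 22 Jan 2015", "OpenSSL 1.0.2a 19 Mar 2015",
                  "OpenSSL 1.0.2-beta3 24 Sep 2014", "OpenSSL 1.0.1k 8 Jan 2015"]

if __name__ == "__main__":
    flags = cpu_flags_from_cpuinfo(SAMPLE_CPUINFO)
    for banner in SAMPLE_BANNERS:
        print(f"{banner:35} {triage(banner, 'x86_64', flags)}")
```

A "not-exposed" host still carries the affected release and should be upgraded to 1.0.2a as the advisory states; the label only records that the multiblock conditions are not met on that hardware.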

Affected Applications

OpenSSL

CVE References

CVE-2015-0290