The vulnerability affects OpenSSL’s BN_mod_sqrt() function, which can get stuck in an infinite loop if used when parsing specially crafted public certificates or private keys. Such a certificate or key contains invalid explicit curve parameters which cause the function to loop and stop working. Any process that parses an externally supplied certificate or key could be made to consume such a specially crafted malicious payload, and may thus be subject to a denial of service attack.
The vulnerability was discovered by Google’s security researcher Tavis Ormandy. He reported his findings to the OpenSSL team on February 24, 2022.
Loadbalancer.org customers using common configurations are not affected by this vulnerability. Customers with manually configured, custom client authentication deployments (rare) or using “re-encrypt to backend” to communicate with untrusted third-party servers (very rare) may be impacted.
Because of the low risk, we will not be issuing an immediate security update to the product. OpenSSL will be upgraded to 1.1.1n in our upcoming 8.6.3 release. If you are concerned or need a hotfix, don’t hesitate to contact support to discuss.