OpenSSL HollowByte Flaw Puts Servers at Risk of Memory Exhaustion
OpenSSL servers are vulnerable to a denial-of-service attack that can cause memory exhaustion with a malicious 11-byte TLS request payload. Apply the latest patch and monitor server memory usage.

OpenSSL servers are vulnerable to a denial-of-service attack that can cause memory exhaustion with a malicious 11-byte TLS request payload, dubbed HollowByte.
Understanding the HollowByte Flaw
The HollowByte flaw allows an unauthenticated attacker to trigger a denial-of-service condition on OpenSSL servers by sending a specially crafted 11-byte payload. This payload causes the server to allocate up to 131 KB of memory, which can lead to memory exhaustion and potentially cause the server to become unresponsive.
Technical Details
The HollowByte flaw is related to the way OpenSSL handles TLS requests. When an attacker sends an 11-byte payload, the server sets aside a large amount of memory to process the request, even though the request is never actually processed. This can cause the server to run out of memory, leading to a denial-of-service condition.
Who Is Affected
Any organization using OpenSSL servers is potentially affected by the HollowByte flaw. This includes a wide range of industries, such as finance, healthcare, and e-commerce.
What the Sceptics Say
Some experts argue that the HollowByte flaw is not a significant concern, as it has already been patched by OpenSSL. However, others point out that many organizations may not have applied the patch, and that the flaw could still be exploited by attackers.
How to Defend
- Apply the latest OpenSSL patch to prevent exploitation of the HollowByte flaw.
- Monitor server memory usage to detect potential denial-of-service attacks.
- Implement rate limiting and IP blocking to prevent attackers from sending multiple malicious requests.
Key Takeaways
- Security Teams: Apply the latest OpenSSL patch and monitor server memory usage to prevent exploitation of the HollowByte flaw.
- CISOs: Ensure that all OpenSSL servers are patched and that incident response plans are in place in case of a denial-of-service attack.
- Developers: Use secure coding practices to prevent similar vulnerabilities in custom applications.
- End Users: Be aware of the potential for denial-of-service attacks and report any suspicious activity to the relevant authorities.
Related Security Coverage
Sources
- The Hacker News: OpenSSL HollowByte Flaw Could Freeze Server Memory with 11-Byte TLS Requests
- BleepingComputer: HollowByte DDoS flaw bloats OpenSSL server memory with 11-byte payload
- Security Affairs: OpenSSL Fixes HollowByte Memory Exhaustion Bug
- GBHackers: OpenSSL DoS Vulnerability Lets Remote Attackers Exhaust Server Memory With an 11-Byte Payload
This article is published by AnalyticsGlobe for informational purposes only. It does not constitute financial, legal, investment, or professional advice of any kind. Always conduct your own research and consult qualified professionals before making any decisions.
James Whitfield
Published under the research and editorial standards of AnalyticsGlobe. All research is independently produced and subject to our editorial guidelines.