PT-2016-1334 · Openssl+7 · Openssl+7

Emilia Kã¤Sper

·

Publicado

2016-03-01

·

Atualizado

2024-06-15

·

CVE-2016-0798

CVSS v2.0

7.8

Alta

VetorAV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions OpenSSL versions 1.0.1 through 1.0.1s OpenSSL versions 1.0.2 through 1.0.2g
Description The issue is related to errors in resource management in the SRP VBASE get by user function implementation in OpenSSL. It allows a remote attacker to cause a denial of service (memory consumption) by providing an invalid username in a connection attempt. This can lead to a memory leak, potentially causing the service to become unresponsive. Additionally, there is a mention of a side-channel attack that could lead to the recovery of RSA keys, but details are not provided.
Recommendations For OpenSSL versions 1.0.1 through 1.0.1s, update to version 1.0.1s or later to resolve the issue. For OpenSSL versions 1.0.2 through 1.0.2g, update to version 1.0.2g or later to resolve the issue. As a temporary workaround, consider restricting access to the SRP VBASE get by user function to minimize the risk of exploitation.

Correção

DoS

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-399

Identificadores relacionados

ALT-PU-2016-1184
BDU:2016-00633
CVE-2016-0798
DSA-3500-1
MGASA-2016-0093
OPENSUSE-SU-2016_0627-1
OPENSUSE-SU-2016_0628-1
OPENSUSE-SU-2024:10271-1
OPENSUSE-SU-2024:10529-1
OPENSUSE-SU-2024:11127-1
SUSE-FU-2022:0445-1
SUSE-SU-2016:0617-1
SUSE-SU-2016:0620-1
SUSE-SU-2016:0621-1
SUSE-SU-2016:0748-1
SUSE-SU-2016:0786-1
USN-2914-1

Produtos afetados

Alt Linux
Cisco Nexus
Freebsd
Ibm Aix
Junos
Openssl
Suse
Ubuntu