PT-2016-1843 · Openssl+9 · Openssl+12
David Benjamin
+2
·
Publicado
2016-05-03
·
Atualizado
2025-09-25
·
CVE-2016-2108
CVSS v3.1
10
Crítica
| Vetor | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
OpenSSL versions prior to 1.0.1o
OpenSSL versions prior to 1.0.2c
Description
The issue is caused by a buffer overflow in the ASN.1 implementation, allowing remote attackers to execute arbitrary code or cause a denial of service via a crafted ANY field in serialized data. This can lead to memory corruption. The vulnerability is related to the misinterpretation of large universal tags as negative zero values in ANY structures.
Recommendations
For versions prior to 1.0.1o, update to version 1.0.1o or later.
For versions prior to 1.0.2c, update to version 1.0.2c or later.
As a temporary workaround, consider restricting the use of the
d2i ASN1 TYPE function until a patch is available.
Avoid deserializing untrusted ASN.1 structures containing an ANY field to minimize the risk of exploitation.Exploit
Correção
RCE
DoS
Buffer Overflow
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Enumeração de Fraquezas
Identificadores relacionados
Produtos afetados
Alt Linux
Centos
Cisco Asa
Cisco Ios Xr
Cisco Nexus
Cisco Wls
Huawei Vrp
Ibm Aix
Junos
Openssl
Red Hat
Suse
Ubuntu