Kenny Root

**Name of the Vulnerable Software and Affected Versions** Conscrypt in Android versions 4.x through 4.4.3 Conscrypt in Android versions 5.0.x through 5.0.1 Conscrypt in Android versions 5.1.x through 5.1.0 Conscrypt in Android versions 6.x before 2016-08-05 **Description** The issue is related to the Conscrypt component in the Android operating system and involves improper identification of session reuse. This can be exploited by a remote attacker to execute arbitrary code. **Recommendations** For Android versions 4.x through 4.4.3, update to version 4.4.4 or later. For Android versions 5.0.x through 5.0.1, update to version 5.0.2 or later. For Android versions 5.1.x through 5.1.0, update to version 5.1.1 or later. For Android versions 6.x before 2016-08-05, update to a version released after 2016-08-05.

**Name of the Vulnerable Software and Affected Versions** Conscrypt in Android versions prior to 2016-05-01 **Description** The issue is related to the mishandling of updates of the Additional Authenticated Data (AAD) array in the OpenSSLCipher.java component of Conscrypt. This allows attackers to spoof message authentication. The vulnerability is also described as being related to insufficient access control, which can be exploited by a remote attacker to substitute authentication messages. **Recommendations** For Conscrypt in Android versions prior to 2016-05-01, update the Conscrypt component to a version released after 2016-05-01 to resolve the issue. As a temporary workaround, consider restricting access to the OpenSSLCipher.java component until a patch is available.