CVE-2016-2462

Name of the Vulnerable Software and Affected Versions Conscrypt in Android versions prior to 2016-05-01

Description The issue is related to the mishandling of updates of the Additional Authenticated Data (AAD) array in the OpenSSLCipher.java component of Conscrypt. This allows attackers to spoof message authentication. The vulnerability is also described as being related to insufficient access control, which can be exploited by a remote attacker to substitute authentication messages.

Recommendations For Conscrypt in Android versions prior to 2016-05-01, update the Conscrypt component to a version released after 2016-05-01 to resolve the issue. As a temporary workaround, consider restricting access to the OpenSSLCipher.java component until a patch is available.