PT-2016-3309 · Openssl+10 · Openssl+12
Guido Vranken
·
Published
2016-05-03
·
Updated
2024-06-15
·
CVE-2016-2106
CVSS v2.0
7.8
High
| Vector | AV:N/AC:L/Au:N/C:N/I:N/A:C |
Name of the Vulnerable Software and Affected Versions
OpenSSL versions prior to 1.0.1t
OpenSSL versions prior to 1.0.2h
Description
The issue is related to an integer overflow in the EVP EncryptUpdate function, which can cause a denial of service due to heap memory corruption. This can be exploited by remote attackers by sending a large amount of data. The vulnerability is also associated with a lack of protection for service data in the AES-NI implementation, potentially allowing unauthorized access to confidential data. Additionally, it is described as a heap-based buffer overflow due to improper bounds checking, which could allow remote attackers to execute arbitrary code or cause the application to crash.
Recommendations
For OpenSSL versions prior to 1.0.1t, update to version 1.0.1t or later to resolve the issue.
For OpenSSL versions prior to 1.0.2h, update to version 1.0.2h or later to resolve the issue.
As a temporary workaround, consider restricting the amount of data that can be sent to the EVP EncryptUpdate function to prevent heap memory corruption.
Exploit
Fix
DoS
Information Disclosure
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Alt Linux
Centos
Cisco Ios Xr
Cisco Nexus
Cisco Wls
Freebsd
Huawei Vrp
Ibm Aix
Junos
Openssl
Red Hat
Suse
Ubuntu