PT-2016-3419 · Openssl+12 · Openssl+16
Guido Vranken
·
Published
2016-06-19
·
Updated
2025-09-29
·
CVE-2016-2177
CVSS v2.0
10
Critical
| Vector | AV:N/AC:L/Au:N/C:C/I:C/A:C |
Name of the Vulnerable Software and Affected Versions
OpenSSL versions 1.0.0 through 1.0.2h
OpenSSL (affected versions not specified)
Description
The issue is caused by an integer overflow, which might allow remote attackers to cause a denial of service or possibly have unspecified other impact by leveraging unexpected malloc behavior. This is related to incorrect pointer arithmetic for heap-buffer boundary checks in files such as s3 srvr.c, ssl sess.c, and t1 lib.c. The vulnerability could also be exploited to cause the application to crash by attempting to use CRLs due to a missing CRL sanity check.
Recommendations
For OpenSSL versions 1.0.0 through 1.0.2h, update to a version later than 1.0.2h to resolve the issue.
At the moment, there is no information about a newer version that contains a fix for this vulnerability for other affected versions.
Exploit
Fix
DoS
Integer Overflow
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Alt Linux
Centos
Cisco Asa
Cisco Ios Xe
Cisco Ios Xr
Cisco Nexus
Cisco Wls
Fortios
Freebsd
Huawei Vrp
Ibm Aix
Junos
Nessus
Openssl
Red Hat
Suse
Ubuntu