Security Bulletin
This security bulletin contains one low risk vulnerability.
EUVDB-ID: #VU641
Risk: Low
CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2016-2109
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote user to cause excessive memory allocation on the target system.
The weakness exists during reading ASN.1 data by d2i_CMS_bio() function. A short invalid encoding leads to distribution of large amounts of memory for excessive resources or exhausting memory.
Successful exploitation of the vulnerability may result in excessive memory allocation.
Update 1.0.1 to 1.01t.
Update 1.0.2. to 1.0.2h.
OpenSSL: 1.0.1 - 1.0.2
Oracle Solaris: 10 - 11.3
Oracle Access Manager: 10.1.4.2 - 11.1.1.7
Oracle Exalogic Infrastructure: 1.0 - 2.0
PeopleSoft Enterprise PeopleTools: 8.53 - 8.55
Oracle VM VirtualBox: 5.0.20
Oracle Enterprise Manager Ops Center: 12.1.4 - 12.3.2
Oracle E-Business Suite: 12.1.3
Oracle Agile Engineering Data Management: 6.1.3.0 - 6.2.0.0
Oracle Commerce Guided Search: 6.2.2 - 6.5.2
Oracle Life Sciences Data Hub: 2.1
Oracle VM Server for x86: 3.2
Oracle Linux: 5 - 7
macOS: 10.11 - 10.11.5
External linkshttp://www.openssl.org/news/secadv/20160503.txt
http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html
http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html
http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html
http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html
http://www.oracle.com/technetwork/topics/security/linuxbulletinjul2016-3090544.html
http://support.apple.com/cs-cz/HT206903
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.