Excessive memory allocation in OpenSSL



Published: 2016-05-05 | Updated: 2017-01-13
Risk Low
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2016-2109
CWE-ID CWE-119
CWE-20
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe 		OpenSSL
Server applications / Encryption software

Oracle Solaris
Operating systems & Components / Operating system

Oracle Linux
Operating systems & Components / Operating system

macOS
Operating systems & Components / Operating system

Oracle Access Manager
Server applications / Directory software, identity management

Oracle Exalogic Infrastructure
Server applications / Remote management servers, RDP, SSH

Oracle Enterprise Manager Ops Center
Server applications / Remote management servers, RDP, SSH

PeopleSoft Enterprise PeopleTools
Client/Desktop applications / Office applications

Oracle VM VirtualBox
Server applications / Virtualization software

Oracle E-Business Suite
Web applications / E-Commerce systems

Oracle Commerce Guided Search
Web applications / E-Commerce systems

Oracle Agile Engineering Data Management
Other software / Other software solutions

Oracle Life Sciences Data Hub
Other software / Other software solutions

Oracle VM Server for x86
Server applications / Other server solutions

Vendor OpenSSL Software Foundation
Oracle
Apple Inc.

Security Bulletin

This security bulletin contains one low risk vulnerability.

1) Excessive memory allocation

EUVDB-ID: #VU641

Risk: Low

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2016-2109

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote user to cause excessive memory allocation on the target system.

The weakness exists during reading ASN.1 data by d2i_CMS_bio() function. A short invalid encoding leads to distribution of large amounts of memory for excessive resources or exhausting memory.

Successful exploitation of the vulnerability may result in excessive memory allocation.

Mitigation

Update 1.0.1 to 1.01t.
Update 1.0.2. to 1.0.2h.

Vulnerable software versions

OpenSSL: 1.0.1 - 1.0.2

Oracle Solaris: 10 - 11.3

Oracle Access Manager: 10.1.4.2 - 11.1.1.7

Oracle Exalogic Infrastructure: 1.0 - 2.0

PeopleSoft Enterprise PeopleTools: 8.53 - 8.55

Oracle VM VirtualBox: 5.0.20

Oracle Enterprise Manager Ops Center: 12.1.4 - 12.3.2

Oracle E-Business Suite: 12.1.3

Oracle Agile Engineering Data Management: 6.1.3.0 - 6.2.0.0

Oracle Commerce Guided Search: 6.2.2 - 6.5.2

Oracle Life Sciences Data Hub: 2.1

Oracle VM Server for x86: 3.2

Oracle Linux: 5 - 7

macOS: 10.11 - 10.11.5

External links

http://www.openssl.org/news/secadv/20160503.txt
http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html
http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html
http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html
http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html
http://www.oracle.com/technetwork/topics/security/linuxbulletinjul2016-3090544.html
http://support.apple.com/cs-cz/HT206903


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###