Out-of-bounds memory read in openssl (Alpine package)
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2016-2180 |
| CWE-ID | CWE-125 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
openssl (Alpine package) Operating systems & Components / Operating system package or component |
| Vendor | Alpine Linux Development Team |
Security Bulletin
This security bulletin contains one low risk vulnerability.
1) Out-of-bounds read
EUVDB-ID: #VU308
Risk: Medium
CVSSv3.1: 3 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:U/RL:W/RC:C]
CVE-ID: CVE-2016-2180
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary condition within the TS_OBJ_print_bio() function in crypto/ts/ts_lib.c in the X.509 Public Key Infrastructure Time-Stamp Protocol (TSP) implementation in OpenSSL. A remote attacker can perform a denial of service (DoS) attack via a crafted time-stamp file that is mishandled by the "openssl ts" command.
MitigationInstall update from vendor's website.
Vulnerable software versionsopenssl (Alpine package): 1.0.1t-r1
External linkshttp://git.alpinelinux.org/aports/commit/?id=a879e6eaf315a19b45fd424f12f9bf072b168946
http://git.alpinelinux.org/aports/commit/?id=be71850614d4346dc7cd2243591ca908f4475a1d
http://git.alpinelinux.org/aports/commit/?id=8746cdf19bfe0283af734bf672d1c69b6e4d93b3
http://git.alpinelinux.org/aports/commit/?id=b4ea58d763919cb6dec1f4fb4a0bb51378861172
http://git.alpinelinux.org/aports/commit/?id=ecfc04f3961ec4ffa2c972bd72253ba1a03a3c1e
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
