SB2016092205 - Amazon Linux AMI update for openssl
Published: September 22, 2016 Updated: October 6, 2022
Security Bulletin ID
SB2016092205
Severity
Low
Patch available
YES
Number of vulnerabilities
2
Exploitation vector
Remote access
Highest impact
Denial of service
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 2 secuirty vulnerabilities.
1) Resource exhaustion (CVE-ID: CVE-2016-6304)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper resource management in OCSP stapling implementation in OpenSSL. A remote attacker can multiple requests with a large OCSP Status Request extension and consume all available memory on the system.
2) Denial of service (CVE-ID: CVE-2016-6305)
The vulnerability allows a remote authenticated user to trigger denial of service on the target system.The weakness exists due to state error. By sendidng specially crafted files attackers can cause a flaw in SSL_peek() that may lead to the affected service hanging.
Successful exploitation of the vulnerability results in denial of service on the vulnerable system.
Remediation
Install update from vendor's website.