Risk | Low |
Patch available | YES |
Number of vulnerabilities | 2 |
CVE-ID | CVE-2016-6304 CVE-2016-6305 |
CWE-ID | CWE-400 CWE-120 |
Exploitation vector | Network |
Public exploit | N/A |
Vulnerable software Subscribe |
OpenSSL Server applications / Encryption software |
Vendor | OpenSSL Software Foundation |
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
EUVDB-ID: #VU819
Risk: Low
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2016-6304
CWE-ID:
CWE-400 - Resource exhaustion
Exploit availability: No
DescriptionThe vulnerability allows a remote unauthenticated user to cause DoS conditions on the target system.
The weakness is due to insufficient validation of input length. By sending messages with excessive length attackers can cause resource exhaustion that leads to denial of service
Successful exploitation of the vulnerability allows a malicious user to trigger the vulnerable service to deny.
Update 1.1.0 to version 1.1.0a.
Update 1.0.2 to version 1.0.2i.
Update 1.0.1 to version 1.0.1u.
OpenSSL: 1.0.1 - 1.1.0
External linkshttp://www.openssl.org/news/secadv/20160922.txt
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU820
Risk: Low
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2016-6305
CWE-ID:
CWE-120 - Buffer overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote unauthenticated user to cause DoS conditions on the vulnerable system.
The weakness is due to flaw in handling of SSL/TLS protocol during a call to SSL_peek(). By sending an empty record attackers can trigger the affected service hang or deny.
Successful exploitation of the vulnerability will result in denial of service on the vulnerable system.
Update 1.1.0 to version 1.1.0a.
OpenSSL: 1.1.0
External linkshttp://www.openssl.org/news/secadv/20160922.txt
http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.