Denial of service in OpenSSL



Published: 2016-09-26 | Updated: 2017-01-05
Risk Low
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2016-6308
CWE-ID CWE-400
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe
OpenSSL
Server applications / Encryption software

Oracle VM VirtualBox
Server applications / Virtualization software

Vendor OpenSSL Software Foundation
Oracle

Security Bulletin

This security bulletin contains one low risk vulnerability.

1) Denial of service

EUVDB-ID: #VU818

Risk: Low

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2016-6308

CWE-ID: CWE-400 - Resource exhaustion

Exploit availability: No

Description

The vulnerability allows a remote unauthenticated user to cause DoS conditions on the target system.
The weakness is due to insufficient validation of input length. By sending messages with excessive length attackers can cause resource exhaustion that leads to denial of service.
Successful exploitation of the vulnerability will allow a malicious user to trigger the vulnerable service to deny.

Mitigation

Update 1.1.0 to version 1.1.0a.

Vulnerable software versions

OpenSSL: 1.1.0

Oracle VM VirtualBox: 5.0.27 - 5.1.7

External links

http://www.openssl.org/news/secadv/20160922.txt
http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###