#VU5892 Heap overflow in OpenSSL - CVE-2016-7054


Published: February 23, 2017 / Updated: September 14, 2018


Vulnerability identifier: #VU5892
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/U:Green
CVE-ID: CVE-2016-7054
CWE-ID: CWE-122
Exploitation vector: Remote access
Exploit availability: Public exploit is available
Vulnerable software: OpenSSL
Software vendor: OpenSSL Software Foundation

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary error when processing *-CHACHA20-POLY1305 TLS ciphersuites (ChaCha20/Poly1305) in OpenSSL. A remote attacker can send large payloads to the affected service, triggering a heap overflow.

Successful exploitation of the vulnerability may result in denial of service (DoS) conditions.
Remediation

OpenSSL 1.1.0 users should upgrade to 1.1.0c.

This issue does not affect OpenSSL versions prior to 1.1.0.
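The affected window stated above is narrow: only the 1.1.0 release line, from 1.1.0 up to but not including 1.1.0c. The following added example (not part of this advisory, and not OpenSSL project code) turns that statement into a triage helper that parses `openssl version` output and classifies each build. OpenSSL's 1.x numbering uses a lettered patch suffix (1.1.0, 1.1.0a, 1.1.0b, 1.1.0c, and after "z" two letters such as "za"), so the comparison key treats a longer suffix as a later release. The sample inventory lines are constructed for illustration.

```python
import re

# OpenSSL 1.x numbering: "1.1.0" is the base release, followed by lettered
# patch releases "1.1.0a", "1.1.0b", "1.1.0c", ... After "z" the suffix grows
# to two letters ("za", "zb"), so a longer suffix always means a later release.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")

# Fixed release per the advisory: 1.1.0c. Only the 1.1.0 line is affected.
FIXED_VERSION = "1.1.0c"


def parse_openssl_version(text):
    """Extract a comparable key from a bare version string or from the
    output of 'openssl version' (e.g. 'OpenSSL 1.1.0b  <build date>').

    The key is (major, minor, fix, suffix_length, suffix), so that
    '' < 'a' < 'b' < ... < 'z' < 'za' < 'zb' sorts correctly.
    """
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no OpenSSL version found in {text!r}")
    major, minor, fix, letters = m.groups()
    return (int(major), int(minor), int(fix), len(letters), letters)


def is_affected_by_cve_2016_7054(version_text):
    """True when the build falls in [1.1.0, 1.1.0c), the vulnerable window
    given in the advisory. Builds before 1.1.0, and 1.1.0c or later, are
    not affected."""
    key = parse_openssl_version(version_text)
    fixed = parse_openssl_version(FIXED_VERSION)
    # Same release line (1.1.0) and strictly older than the fixed build.
    return key[:3] == fixed[:3] and key < fixed


def triage(version_lines):
    """Classify a collection of 'openssl version' outputs (e.g. gathered
    from an asset inventory) into affected / not affected."""
    return {line: is_affected_by_cve_2016_7054(line) for line in version_lines}


if __name__ == "__main__":
    # Constructed sample inventory, not output from real hosts.
    sample = [
        "OpenSSL 1.0.2k",
        "OpenSSL 1.1.0",
        "OpenSSL 1.1.0b",
        "OpenSSL 1.1.0c",
        "OpenSSL 1.1.1",
    ]
    for line, affected in triage(sample).items():
        status = "AFFECTED    " if affected else "not affected"
        print(f"{status}  {line}")
```

Feeding the function the raw `openssl version` string works because the regex searches for the first dotted version inside the text and tolerates the trailing build date. Note that this checks the version string only; a distribution that backports the fix without changing the reported version would still be flagged, so treat a positive result as a prompt to confirm against the vendor's patch notes rather than as proof of exposure.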


External links