Main Vulnerability Database Vulnerabilities #VU5893

NULL pointer dereference in OpenSSL - CVE-2016-7053

Published: February 23, 2017

Vulnerability identifier: #VU5893

CSH Severity: Medium

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2016-7053

CWE-ID: CWE-476

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: OpenSSL Software Foundation

Affected software:
OpenSSL

Detailed vulnerability description

The vulnerability allows a remote attacker to perform denial of service (DoS) attack.

The vulnerability exists due to NULL pointer dereference error when parsing ASN.1 CHOICE type within CMS structures in OpenSSL. A remote attacker can send a specially crafted request to vulnerable service and initiate the NULL value being passed to the structure callback if an attempt is made to free certain invalid encodings.

Successful exploitation may result in denial of service (DoS) attack.

How to mitigate CVE-2016-7053

OpenSSL 1.1.0 users should upgrade to 1.1.0c

This issue does not affect OpenSSL versions prior to 1.1.0

Sources

https://www.openssl.org/news/secadv/20161110.txt

NULL pointer dereference in OpenSSL - CVE-2016-7053

Detailed vulnerability description

How to mitigate CVE-2016-7053

Sources

Please verify you're human