Excessive memory allocation in Apple Inc. products - CVE-2016-2109
Published: September 23, 2016 / Updated: January 13, 2017
Vulnerability identifier: #VU641
CSH Severity: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2016-2109
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
OpenSSL
Oracle Solaris
Oracle Linux
macOS
Oracle Access Manager
Oracle Exalogic Infrastructure
Oracle Enterprise Manager Ops Center
PeopleSoft Enterprise PeopleTools
Oracle VM VirtualBox
Oracle E-Business Suite
Oracle Commerce Guided Search
Oracle Agile Engineering Data Management
Oracle Life Sciences Data Hub
Oracle VM Server for x86
Software vendor:
OpenSSL Software Foundation
Oracle
Apple Inc.
Description
The vulnerability allows a remote user to cause excessive memory allocation on the target system.
The weakness exists in the way ASN.1 data is read from a BIO by functions such as d2i_CMS_bio(). A short, invalid encoding whose length header declares a very large object can cause the reader to allocate large amounts of memory before any of that data has arrived, potentially consuming excessive resources or exhausting memory. Any application that parses untrusted data through the d2i BIO functions is affected; the memory-based functions such as d2i_X509() are not affected, and because the TLS library uses the memory-based functions, TLS applications are not affected.
Successful exploitation of the vulnerability results in a denial of service through memory exhaustion.
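The allocation pattern the description refers to, shown as an added illustration (this is not OpenSSL's code): a toy DER tag/length reader contrasts a naive streaming parser, which requests whatever the length header declares, with a bounded one that grows its buffer only as bytes actually arrive and refuses absurd declared sizes. The CHUNK size, the MAX_OBJECT_BYTES ceiling and the three sample inputs are assumptions constructed for this example.

```c
/* Added example (not OpenSSL's code): a toy DER tag/length reader that
 * contrasts a naive streaming parser, which allocates whatever the length
 * header declares, with a bounded one that only grows as bytes arrive.
 * CHUNK, MAX_OBJECT_BYTES and the samples are assumptions for this example. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CHUNK            8                     /* bytes pulled per BIO read (tiny, for tracing) */
#define MAX_OBJECT_BYTES (16u * 1024u * 1024u) /* hard ceiling for one object (assumed policy) */

/* Constructed samples, not taken from any real capture. */
const uint8_t SAMPLE_BOMB[]   = {0x30, 0x84, 0x7F, 0xFF, 0xFF, 0xFF}; /* SEQUENCE, declared length 0x7FFFFFFF, 6 bytes present */
const uint8_t SAMPLE_SMALL[]  = {0x30, 0x03, 0x02, 0x01, 0x05};       /* SEQUENCE { INTEGER 5 } */
const uint8_t SAMPLE_OCTETS[] = {0x04, 0x14,                          /* OCTET STRING, 20 content bytes */
    'A','B','C','D','E','F','G','H','I','J','K','L','M','N','O','P','Q','R','S','T'};

/* Parse a one-octet tag plus a definite-form length.
 * Returns 1 and fills *hlen/*clen on success, 0 if more bytes are needed,
 * -1 if the header is malformed (indefinite length, non-minimal or oversized). */
int der_header(const uint8_t *buf, size_t len, size_t *hlen, size_t *clen)
{
    if (len < 2) return 0;
    uint8_t b = buf[1];
    if (b < 0x80) { *hlen = 2; *clen = b; return 1; }   /* short form */
    size_t n = b & 0x7f;
    if (n == 0 || n > sizeof(size_t)) return -1;        /* indefinite form / too wide for size_t */
    if (2 + n > len) return 0;                          /* length octets not all here yet */
    if (buf[2] == 0) return -1;                         /* DER forbids leading zero length octets */
    size_t v = 0;
    for (size_t i = 0; i < n; i++) v = (v << 8) | buf[2 + i];
    if (v < 0x80) return -1;                            /* DER forbids long form for values < 128 */
    *hlen = 2 + n; *clen = v;
    return 1;
}

/* Naive reader: trusts the header and requests hlen+clen bytes up front.
 * Returns the size it would hand to malloc() (0 if the header is bad or incomplete).
 * For SAMPLE_BOMB that is about 2 GiB for a 6-byte input: the advisory's failure mode. */
size_t naive_alloc_request(const uint8_t *buf, size_t len)
{
    size_t hlen, clen;
    if (der_header(buf, len, &hlen, &clen) != 1) return 0;
    if (clen > SIZE_MAX - hlen) return 0;
    return hlen + clen;
}

/* Bounded reader: emulates pulling CHUNK bytes at a time from a BIO, growing the
 * buffer only for data that has actually arrived and refusing declared sizes above
 * MAX_OBJECT_BYTES before any large allocation happens. Returns bytes consumed when
 * the object is complete, or 0 on rejection or premature end of stream. On success
 * *out owns the buffer; *cap always reports the largest buffer allocated. */
size_t bounded_read(const uint8_t *stream, size_t avail, uint8_t **out, size_t *cap)
{
    uint8_t *buf = NULL;
    size_t have = 0, pos = 0, need = 0;
    *out = NULL; *cap = 0;
    for (;;) {
        size_t n = avail - pos;
        if (n > CHUNK) n = CHUNK;
        if (n == 0) { free(buf); return 0; }            /* stream ended before the object did */
        uint8_t *nb = realloc(buf, *cap + CHUNK);
        if (!nb) { free(buf); return 0; }
        buf = nb; *cap += CHUNK;
        memcpy(buf + have, stream + pos, n);
        have += n; pos += n;
        if (need == 0) {
            size_t hlen, clen;
            int r = der_header(buf, have, &hlen, &clen);
            if (r < 0) { free(buf); return 0; }
            if (r == 0) continue;                       /* header still incomplete */
            if (clen > MAX_OBJECT_BYTES - hlen) { free(buf); return 0; } /* reject, nothing big allocated */
            need = hlen + clen;
        }
        if (have >= need) { *out = buf; return need; }
    }
}

int main(void)
{
    uint8_t *obj; size_t cap, used;
    printf("naive request for 6-byte bomb: %zu bytes\n", naive_alloc_request(SAMPLE_BOMB, sizeof SAMPLE_BOMB));
    used = bounded_read(SAMPLE_BOMB, sizeof SAMPLE_BOMB, &obj, &cap);
    printf("bounded read of bomb: consumed %zu, peak buffer %zu\n", used, cap);
    free(obj);
    used = bounded_read(SAMPLE_OCTETS, sizeof SAMPLE_OCTETS, &obj, &cap);
    printf("bounded read of 22-byte object: consumed %zu, peak buffer %zu\n", used, cap);
    free(obj);
    return 0;
}
```

The bounded reader pays for its safety with one extra realloc per chunk, which is why a real implementation uses chunks in the kilobyte range rather than 8 bytes; the ceiling check is what prevents a 6-byte input from ever turning into a multi-gigabyte request.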
Remediation
OpenSSL 1.0.1 users should update to 1.0.1t.
OpenSSL 1.0.2 users should update to 1.0.2h.
For the Oracle and Apple products listed above, apply the fixes referenced in the vendor bulletins linked below.
External links
- https://www.openssl.org/news/secadv/20160503.txt
- http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html
- http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html
- http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
- http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html
- http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html
- http://www.oracle.com/technetwork/topics/security/linuxbulletinjul2016-3090544.html
- https://support.apple.com/cs-cz/HT206903