Missing CRL sanity check in OpenSSL and Oracle VM VirtualBox - CVE-2016-7052
Published: September 26, 2016 / Updated: January 5, 2017
Vulnerability identifier: #VU660
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2016-7052
CWE-ID: CWE-476
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: OpenSSL Software Foundation
Oracle
Oracle
Affected software:
OpenSSL
Oracle VM VirtualBox
OpenSSL
Oracle VM VirtualBox
Detailed vulnerability description
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to incorrect implementation of CRL sanity check in version 1.0.2i. Any attempt to use CRLs results in null pointe exception and crashes the process.
How to mitigate CVE-2016-7052
Update to version 1.0.2j.