Main Vulnerability Database Vulnerabilities #VU661

Use after free error in OpenSSL and Oracle VM VirtualBox - CVE-2016-6309

Published: September 26, 2016 / Updated: January 5, 2017

Vulnerability identifier: #VU661

CSH Severity: High

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber

CVE-ID: CVE-2016-6309

CWE-ID: CWE-416

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: OpenSSL Software Foundation
Oracle

Affected software:
OpenSSL
Oracle VM VirtualBox

Detailed vulnerability description

A remote attacker can execute arbitrary code on the target system.

The vulnerability exists due to incorrect implementation of patch for vulnerability CVE-2016-6307. A remote attacker can send a specially crafted message larger than 16 kilobytes and reallocated the buffer, intended to store the message, and then use the dangling pointer to control execution flaw.

Successful exploitation of this vulnerability may allow an attacker to execute arbitrary code on the target system.

How to mitigate CVE-2016-6309

Update to version 1.1.0b.

Sources

https://www.openssl.org/news/secadv/20160926.txt

Use after free error in OpenSSL and Oracle VM VirtualBox - CVE-2016-6309

Detailed vulnerability description

How to mitigate CVE-2016-6309

Sources

Please verify you're human