Denial of service in OpenSSL and Oracle VM VirtualBox - CVE-2016-6303


Published: October 10, 2016 / Updated: January 5, 2017


Vulnerability identifier: #VU815
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2016-6303
CWE-ID: CWE-122
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: OpenSSL Software Foundation, Oracle
Affected software: OpenSSL, Oracle VM VirtualBox

Detailed vulnerability description

The vulnerability allows a remote unauthenticated attacker to cause a denial of service on the vulnerable system.
The weakness is an integer overflow in the MDC2_Update() function in 'crypto/mdc2/mdc2dgst.c'. When a very large amount of input data is passed to the function, the arithmetic in the input length check wraps around, so an oversized input is treated as one that fits in the small partial-block buffer. The resulting copy overruns the heap buffer (CWE-122) and crashes the affected service.
Successful exploitation results in a denial of service on the vulnerable system. Only applications that feed attacker-controlled data through the MDC2 digest are exposed, and triggering the wrap requires an input length close to the platform's size_t maximum, which is why the issue is rated Low.
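The following C program is an added illustration of the length-check wrap described above; it is not part of this advisory and not OpenSSL's own source. It models a partial-block check of the form `num + len < BLOCK` (which wraps for huge `len`) beside a check of the form `len < BLOCK - num` (which cannot wrap because `num` is between 1 and BLOCK-1 whenever the partial-block path is taken). The function names `partial_fits_vuln`, `partial_fits_fixed`, `partial_copy_len` and `would_overflow`, the 4-bytes-buffered state and the test lengths are all assumptions chosen for the demonstration; the copy length is computed without touching memory so the vulnerable variant can be exercised without crashing.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* MDC2 works on 8-byte blocks; the partial-block buffer holds at most 7 bytes. */
#define BLOCK ((size_t)8)

/*
 * Partial-block test in the style of the flawed length check (illustrative
 * reconstruction, not OpenSSL's code). `num` is how many bytes are already
 * buffered (1..BLOCK-1), `len` is the caller-supplied input length.
 * num + len wraps around when len is close to SIZE_MAX, so an enormous
 * input is mistaken for a small one that "fits" in the buffer.
 */
static int partial_fits_vuln(size_t num, size_t len)
{
    return num + len < BLOCK;
}

/* Hardened test: BLOCK - num is in 1..BLOCK-1, so the subtraction cannot wrap. */
static int partial_fits_fixed(size_t num, size_t len)
{
    return len < BLOCK - num;
}

/*
 * Number of bytes an Update routine would memcpy into data[num..] for this
 * call: all of `len` on the partial-block path, otherwise just enough to
 * complete the current block. Computed without copying anything so the
 * vulnerable variant can be exercised safely.
 */
static size_t partial_copy_len(size_t num, size_t len,
                               int (*fits)(size_t, size_t))
{
    return fits(num, len) ? len : BLOCK - num;
}

/* 1 if the copy computed above would run past the end of the BLOCK-byte buffer. */
static int would_overflow(size_t num, size_t len, int (*fits)(size_t, size_t))
{
    return partial_copy_len(num, len, fits) > BLOCK - num;
}

int main(void)
{
    /* Constructed inputs: 4 bytes already buffered, then a range of lengths,
     * the last one close to SIZE_MAX to make num + len wrap. */
    const size_t num = 4;
    const size_t lens[] = { 3, 4, 100, SIZE_MAX - 2 };
    size_t i;

    for (i = 0; i < sizeof lens / sizeof lens[0]; i++) {
        printf("num=%zu len=%zu  vuln: copy %zu bytes (%s)  fixed: copy %zu bytes (%s)\n",
               num, lens[i],
               partial_copy_len(num, lens[i], partial_fits_vuln),
               would_overflow(num, lens[i], partial_fits_vuln) ? "OVERFLOW" : "ok",
               partial_copy_len(num, lens[i], partial_fits_fixed),
               would_overflow(num, lens[i], partial_fits_fixed) ? "OVERFLOW" : "ok");
    }
    return 0;
}
```

With 4 bytes buffered and `len = SIZE_MAX - 2`, the wrapping check computes `4 + (SIZE_MAX - 2)`, which wraps to 1 and passes the `< 8` test, so the routine would copy nearly the whole address space into a 4-byte gap; the non-wrapping check sends the same input down the whole-block path and copies only the 4 bytes needed to complete the block. The general lesson is to compare a length against the remaining space (`len < space_left`) rather than adding it to the current offset.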


How to mitigate CVE-2016-6303

Update OpenSSL 1.0.2 to version 1.0.2i.
Update OpenSSL 1.0.1 to version 1.0.1u.
Oracle VM VirtualBox ships its own copy of OpenSSL, so apply the vendor update that includes the patched library rather than relying on the system OpenSSL package.


Sources