Denial of service in Oracle products - CVE-2016-6306
Published: October 10, 2016 / Updated: April 26, 2017
Vulnerability identifier: #VU816
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2016-6306
CWE-ID: CWE-125
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: OpenSSL Software Foundation
Oracle
Oracle
Affected software:
OpenSSL
Oracle Solaris
Oracle Linux
Oracle VM VirtualBox
Oracle VM Server for x86
OpenSSL
Oracle Solaris
Oracle Linux
Oracle VM VirtualBox
Oracle VM Server for x86
Detailed vulnerability description
The vulnerability allows a remote unauthenticated user to cause DoS conditions on the target system.
The weakess exists due insufficient length validation of certain TLS/SSL protocol handshake messages. By causing out-of-bounds read error attackers can trigger the affected service deny.
Successful exploitation of the vulnerability will result in denial of service on the vulnerable system.
The weakess exists due insufficient length validation of certain TLS/SSL protocol handshake messages. By causing out-of-bounds read error attackers can trigger the affected service deny.
Successful exploitation of the vulnerability will result in denial of service on the vulnerable system.
How to mitigate CVE-2016-6306
Update 1.0.1 to version 1.0.1i.
Update 1.0.2 to version 1.0.2u.
Update 1.0.2 to version 1.0.2u.
Sources
- https://www.openssl.org/news/secadv/20160922.txt
- http://www.oracle.com/technetwork/topics/security/bulletinjul2016-3090568.html
- http://www.oracle.com/technetwork/topics/security/bulletinoct2016-3090566.html
- http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
- http://www.oracle.com/technetwork/topics/security/ovmbulletinoct2016-3090547.html
- http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.html