Denial of service in OpenSSL - CVE-2016-6305


Published: October 10, 2016 / Updated: April 17, 2018


Vulnerability identifier: #VU820
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2016-6305
CWE-ID: CWE-120
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: OpenSSL Software Foundation
Affected software:
OpenSSL

Detailed vulnerability description

The vulnerability allows a remote, unauthenticated attacker to cause a denial of service (DoS) on the vulnerable system.
The weakness is due to a flaw in SSL/TLS protocol handling during a call to SSL_peek(). By sending an empty record, an attacker can cause the affected service to hang.
Successful exploitation of the vulnerability results in a denial of service on the vulnerable system.

How to mitigate CVE-2016-6305

Update OpenSSL 1.1.0 to version 1.1.0a.
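As an added example (not part of this advisory or of the OpenSSL project), the following script checks whether a host's OpenSSL build falls in the affected range stated above: the 1.1.0 release without a patch letter is affected, 1.1.0a carries the fix. OpenSSL's letter-suffix versioning does not sort as a plain string, so the parser ranks the suffix explicitly. The sample banners in the test are constructed; the function names are my own.

```python
import re
import subprocess

# Versions as stated in the advisory: 1.1.0 is affected, 1.1.0a is the fixed release.
AFFECTED_BASE = (1, 1, 0)
FIXED_LETTER = "a"

# Matches the leading part of `openssl version` output, e.g. "OpenSSL 1.1.0a  22 Sep 2016".
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def letter_rank(letters):
    """Rank an OpenSSL patch-letter suffix: '' -> 0, 'a' -> 1, 'b' -> 2, ..., 'z' -> 26, 'za' -> 677.

    Any suffix with more letters ranks above any shorter one, which matches how
    OpenSSL ordered releases in the 1.0.x/1.1.0 letter scheme.
    """
    rank = 0
    for ch in letters:
        rank = rank * 26 + (ord(ch) - ord("a") + 1)
    return rank


def parse_openssl_version(banner):
    """Parse an `openssl version` banner into ((major, minor, fix), letter_rank).

    Raises ValueError when the text does not look like an OpenSSL version banner.
    """
    m = _VERSION_RE.search(banner)
    if not m:
        raise ValueError("not an OpenSSL version banner: %r" % banner)
    base = tuple(int(x) for x in m.group(1, 2, 3))
    return base, letter_rank(m.group(4))


def is_affected_by_cve_2016_6305(banner):
    """True when the banner is the 1.1.0 line below the 1.1.0a fix release."""
    base, rank = parse_openssl_version(banner)
    return base == AFFECTED_BASE and rank < letter_rank(FIXED_LETTER)


def local_openssl_banner():
    """Run `openssl version` on this host; returns the banner, or None if no binary is found."""
    try:
        result = subprocess.run(["openssl", "version"], capture_output=True, text=True, check=True)
    except (OSError, subprocess.CalledProcessError):
        return None
    return result.stdout


if __name__ == "__main__":
    banner = local_openssl_banner()
    if banner is None:
        print("openssl binary not found on PATH")
    elif is_affected_by_cve_2016_6305(banner):
        print(banner.strip() + " -> affected by CVE-2016-6305, update to 1.1.0a or later")
    else:
        print(banner.strip() + " -> not in the affected range for CVE-2016-6305")
```

The banner check is a first pass only: distribution packages frequently backport security fixes without changing the upstream version string, so a host reporting "OpenSSL 1.1.0" may already carry the fix; confirm against the vendor's package changelog before treating it as vulnerable.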

Sources