#VU5893 NULL pointer dereference in OpenSSL - CVE-2016-7053

Published: February 23, 2017


Vulnerability identifier: #VU5893
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2016-7053
CWE-ID: CWE-476
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: OpenSSL
Software vendor: OpenSSL Software Foundation

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference when parsing an ASN.1 CHOICE type within CMS structures in OpenSSL. A remote attacker can send a specially crafted request to the vulnerable service; when OpenSSL attempts to free certain invalid encodings, a NULL value is passed to the structure callback.

Successful exploitation may result in a denial of service (DoS) attack.


Remediation

OpenSSL 1.1.0 users should upgrade to 1.1.0c.

This issue does not affect OpenSSL versions prior to 1.1.0.
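To turn the remediation statement into an inventory check, the following added example (not part of this advisory or of OpenSSL) parses `openssl version` banners and flags only the range the advisory describes as affected: the 1.1.0 series below 1.1.0c. The function names and the sample banners are assumptions constructed for illustration.

```python
import re
import subprocess
from typing import Optional, Tuple

# Version tuple: (major, minor, fix, patch-letter). OpenSSL 1.x releases use a
# trailing letter for patch releases, e.g. "1.1.0b"; the first release has none.
Version = Tuple[int, int, int, str]

# Bounds taken from the advisory: affected from 1.1.0 (inclusive) up to 1.1.0c (exclusive).
FIRST_AFFECTED: Version = (1, 1, 0, "")
FIXED_IN: Version = (1, 1, 0, "c")

_VERSION_RE = re.compile(r"\bOpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(banner: str) -> Optional[Version]:
    """Parse a banner such as 'OpenSSL 1.1.0b  26 Sep 2016' into (1, 1, 0, 'b').

    Returns None for anything that is not an OpenSSL banner (e.g. LibreSSL).
    """
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, fix, patch = m.groups()
    return (int(major), int(minor), int(fix), patch)


def _sort_key(v: Version):
    # Compare the patch letter by (length, text) so "" < "a" < ... < "z" < "za".
    major, minor, fix, patch = v
    return (major, minor, fix, len(patch), patch)


def is_affected_by_cve_2016_7053(v: Version) -> bool:
    """True only for the 1.1.0 series before 1.1.0c; 1.0.2 and earlier are not affected."""
    return _sort_key(FIRST_AFFECTED) <= _sort_key(v) < _sort_key(FIXED_IN)


def check_local_openssl() -> Optional[bool]:
    """Run `openssl version` on this host. None if the binary is missing or unparseable."""
    try:
        proc = subprocess.run(["openssl", "version"], capture_output=True, text=True, check=True)
    except (OSError, subprocess.CalledProcessError):
        return None
    v = parse_openssl_version(proc.stdout)
    return None if v is None else is_affected_by_cve_2016_7053(v)


if __name__ == "__main__":
    # Constructed sample banners, not real host output.
    for banner in ("OpenSSL 1.1.0b  26 Sep 2016", "OpenSSL 1.1.0c  10 Nov 2016", "OpenSSL 1.0.2k  26 Jan 2017"):
        v = parse_openssl_version(banner)
        print(banner, "->", "AFFECTED" if v and is_affected_by_cve_2016_7053(v) else "not affected")
```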


External links