#VU646 Denial of service

Published: 2016-09-23

Vulnerability identifier: #VU646

Vulnerability risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2016-6304


Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Server applications / Encryption software

Vendor: OpenSSL Software Foundation

The vulnerability allows a remote authenticated user to cause denail of service on the target system.
The weakness exists due to resource error. By repeated request renegotiation and sending specially crafted OCSP Status Request extension attackers can cause excessive memory spending on the target system.
Successful exploitation of the vulnerability leads to denial of service on the vulnerable system.

Update 1.0.1 to 1.0.1u.
Update 1.0.2 to 1.0.2i.
Update 1.1.0 to 1.1.0a.

Vulnerable software versions



External links

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability