#VU646 Denial of service


Published: 2016-09-23

Vulnerability identifier: #VU646

Vulnerability risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2016-6304

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
OpenSSL
Server applications / Encryption software

Vendor: OpenSSL Software Foundation

Description
The vulnerability allows a remote authenticated user to cause denail of service on the target system.
The weakness exists due to resource error. By repeated request renegotiation and sending specially crafted OCSP Status Request extension attackers can cause excessive memory spending on the target system.
Successful exploitation of the vulnerability leads to denial of service on the vulnerable system.

Mitigation
Update 1.0.1 to 1.0.1u.
Update 1.0.2 to 1.0.2i.
Update 1.1.0 to 1.1.0a.

Vulnerable software versions

:


CPE

External links
http://www.openssl.org/news/secadv/20160922.txt


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability