#VU660 Missing CRL sanity check in OpenSSL and Oracle VM VirtualBox - CVE-2016-7052
Published: September 26, 2016 / Updated: January 5, 2017
Vulnerability identifier: #VU660
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2016-7052
CWE-ID: CWE-476
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
OpenSSL
Oracle VM VirtualBox
OpenSSL
Oracle VM VirtualBox
Software vendor:
OpenSSL Software Foundation
Oracle
OpenSSL Software Foundation
Oracle
Description
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to incorrect implementation of CRL sanity check in version 1.0.2i. Any attempt to use CRLs results in null pointe exception and crashes the process.
Remediation
Update to version 1.0.2j.