Excessive memory allocation in OpenSSL
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2016-2109 |
| CWE-ID | CWE-119 CWE-20 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
OpenSSL Server applications / Encryption software Oracle Solaris Operating systems & Components / Operating system Oracle Linux Operating systems & Components / Operating system macOS Operating systems & Components / Operating system Oracle Access Manager Server applications / Directory software, identity management Oracle Exalogic Infrastructure Server applications / Remote management servers, RDP, SSH Oracle Enterprise Manager Ops Center Server applications / Remote management servers, RDP, SSH PeopleSoft Enterprise PeopleTools Client/Desktop applications / Office applications Oracle VM VirtualBox Server applications / Virtualization software Oracle E-Business Suite Web applications / E-Commerce systems Oracle Commerce Guided Search Web applications / E-Commerce systems Oracle Agile Engineering Data Management Other software / Other software solutions Oracle Life Sciences Data Hub Other software / Other software solutions Oracle VM Server for x86 Server applications / Other server solutions |
| Vendor |
OpenSSL Software Foundation Oracle Apple Inc. |
Security Bulletin
This security bulletin contains one low risk vulnerability.
1) Excessive memory allocation
EUVDB-ID: #VU641
Risk: Low
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2016-2109
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote user to cause excessive memory allocation on the target system.
The weakness exists during reading ASN.1 data by d2i_CMS_bio() function. A short invalid encoding leads to distribution of large amounts of memory for excessive resources or exhausting memory.
Successful exploitation of the vulnerability may result in excessive memory allocation.
Update 1.0.1 to 1.01t.
Update 1.0.2. to 1.0.2h.
OpenSSL: 1.0.1 - 1.0.2
Oracle Solaris: 10 - 11.3
Oracle Access Manager: 10.1.4.2 - 11.1.1.7
Oracle Exalogic Infrastructure: 1.0 - 2.0
PeopleSoft Enterprise PeopleTools: 8.53 - 8.55
Oracle VM VirtualBox: 5.0.20
Oracle Enterprise Manager Ops Center: 12.1.4 - 12.3.2
Oracle E-Business Suite: 12.1.3
Oracle Agile Engineering Data Management: 6.1.3.0 - 6.2.0.0
Oracle Commerce Guided Search: 6.2.2 - 6.5.2
Oracle Life Sciences Data Hub: 2.1
Oracle VM Server for x86: 3.2
Oracle Linux: 5 - 7
macOS: 10.11 - 10.11.5
CPE2.3- cpe:2.3:a:openssl_software_foundation:openssl:1.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:openssl_software_foundation:openssl:1.0.2:*:*:*:*:*:*:*
- cpe:2.3:o:oracle:solaris:10:*:*:*:*:*:*:*
- cpe:2.3:o:oracle:solaris:11.3:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:oracle_access_manager:10.1.4.2:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:oracle_access_manager:10.1.4.3:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:oracle_access_manager:11.1.1.7:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:oracle_exalogic_infrastructure:1.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:oracle_exalogic_infrastructure:2.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.53:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:vm_virtualbox:5.0.20:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:oracle_enterprise_manager_ops_center:12.1.4:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:oracle_e-business_suite:12.1.3:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:oracle_agile_engineering_data_management:6.1.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:oracle_commerce_guided_search:6.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:oracle_life_sciences_data_hub:2.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:oracle_vm_server_for_x86:3.2:*:*:*:*:*:*:*
- cpe:2.3:o:oracle:oracle_linux:5:*:*:*:*:*:*:*
- cpe:2.3:o:apple:macos:10.11.5:*:*:*:*:*:*:*
https://www.openssl.org/news/secadv/20160503.txt
https://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html
https://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html
https://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
https://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html
https://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html
https://www.oracle.com/technetwork/topics/security/linuxbulletinjul2016-3090544.html
https://support.apple.com/cs-cz/HT206903
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
