Heap overflow in openssl (Alpine package)



Risk Low
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2016-2105
CWE-ID CWE-20
Exploitation vector Network
Public exploit N/A
Vulnerable software
 openssl (Alpine package)
Operating systems & Components / Operating system package or component

Vendor Alpine Linux Development Team

Security Bulletin

This security bulletin contains one low risk vulnerability.

1) Heap overflow

EUVDB-ID: #VU640

Risk: Low

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2016-2105

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote user to cause heap overflow on the target system.

The weakness is caused by insufficient input validation. By sending a great deal of input data attackers are able to cause overflow of the EVP_EncodeUpdate() function used for binary data encoding.

Successful exploitation of the vulnerability may result in heap overflow on the vulnerable system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

openssl (Alpine package): 1.0.1c-r0 - 1.0.2h-r2

CPE2.3 External links

https://git.alpinelinux.org/aports/commit/?id=033f9730873ed7526ced21e72ba16a2937bab220
https://git.alpinelinux.org/aports/commit/?id=c5a3b0b6d1ecd85d52e16f330be9478aca853348
https://git.alpinelinux.org/aports/commit/?id=346532027d2b8b8d5cac13a2b7d86820dfaf34b7
https://git.alpinelinux.org/aports/commit/?id=6ea715958d6486933e7cc3ca163e3d0691c9629d
https://git.alpinelinux.org/aports/commit/?id=70b8770d37d514044077c7258c0e6e81aeeee5fe
https://git.alpinelinux.org/aports/commit/?id=7b3b75b5c977b3a6fa91c6a48349d55fc7e31663


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###