#VU641 Excessive memory allocation in Apple Inc. products - CVE-2016-2109


| Updated: 2017-01-13

Vulnerability identifier: #VU641

Vulnerability risk: Low

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2016-2109

CWE-ID: CWE-119

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
OpenSSL
Server applications / Encryption software
Oracle Solaris
Operating systems & Components / Operating system
Oracle Linux
Operating systems & Components / Operating system
macOS
Operating systems & Components / Operating system
Oracle Access Manager
Server applications / Directory software, identity management
Oracle Exalogic Infrastructure
Server applications / Remote management servers, RDP, SSH
Oracle Enterprise Manager Ops Center
Server applications / Remote management servers, RDP, SSH
PeopleSoft Enterprise PeopleTools
Client/Desktop applications / Office applications
Oracle VM VirtualBox
Server applications / Virtualization software
Oracle E-Business Suite
Web applications / E-Commerce systems
Oracle Commerce Guided Search
Web applications / E-Commerce systems
Oracle Agile Engineering Data Management
Other software / Other software solutions
Oracle Life Sciences Data Hub
Other software / Other software solutions
Oracle VM Server for x86
Server applications / Other server solutions

Vendor: OpenSSL Software Foundation
Oracle
Apple Inc.

Description
The vulnerability allows a remote user to cause excessive memory allocation on the target system.

The weakness exists during reading ASN.1 data by d2i_CMS_bio() function. A short invalid encoding leads to distribution of large amounts of memory for excessive resources or exhausting memory.

Successful exploitation of the vulnerability may result in excessive memory allocation.

Mitigation
Update 1.0.1 to 1.01t.
Update 1.0.2. to 1.0.2h.

Vulnerable software versions

OpenSSL: 1.0.1, 1.0.2

Oracle Solaris: 10 - 11.3

Oracle Access Manager: 10.1.4.2 - 11.1.1.7

Oracle Exalogic Infrastructure: 1.0 - 2.0

PeopleSoft Enterprise PeopleTools: 8.53 - 8.55

Oracle VM VirtualBox: 5.0.20

Oracle Enterprise Manager Ops Center: 12.1.4 - 12.3.2

Oracle E-Business Suite: 12.1.3

Oracle Agile Engineering Data Management: 6.1.3.0 - 6.2.0.0

Oracle Commerce Guided Search: 6.2.2 - 6.5.2

Oracle Life Sciences Data Hub: 2.1

Oracle VM Server for x86: 3.2

Oracle Linux: 5 - 7

macOS: 10.11 - 10.11.5

External links
https://www.openssl.org/news/secadv/20160503.txt
https://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html
https://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html
https://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
https://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html
https://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html
https://www.oracle.com/technetwork/topics/security/linuxbulletinjul2016-3090544.html
https://support.apple.com/cs-cz/HT206903

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Multiple vulnerabilities in Dell Networker
Multiple vulnerabilities in IBM Integrated Management Module II
Multiple vulnerabilities in Multiple N series Products
Excessive memory allocation in openssl (Alpine package)
SUSE Linux update for openssl
SUSE Linux update for openssl
OpenSUSE Linux update for compat-openssl098
OpenSUSE Linux update for openssl
OpenSUSE Linux update for libopenssl0_9_8
Excessive memory allocation in OpenSSL