#VU819 Denial of service in OpenSSL - CVE-2016-6304


Vulnerability identifier: #VU819

Vulnerability risk: Low

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2016-6304

CWE-ID: CWE-400

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
OpenSSL
Server applications / Encryption software

Vendor: OpenSSL Software Foundation

Description
The vulnerability allows a remote unauthenticated user to cause DoS conditions on the target system.
The weakness is due to insufficient validation of input length. By sending messages with excessive length attackers can cause resource exhaustion that leads to denial of service
Successful exploitation of the vulnerability allows a malicious user to trigger the vulnerable service to deny.

Mitigation
Update 1.1.0 to version 1.1.0a.
Update 1.0.2 to version 1.0.2i.
Update 1.0.1 to version 1.0.1u.

Vulnerable software versions

OpenSSL: 1.0.1, 1.0.2, 1.1.0

External links
https://www.openssl.org/news/secadv/20160922.txt

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Gentoo update for OpenSSL
Red Hat Enterprise Linux 6 update for openssl
Fedora EPEL 5 update for openssl101e
Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7 update for openssl
Fedora 25 update for openssl
Fedora 23 update for openssl
Fedora 24 update for openssl
Arch Linux update for lib32-openssl
Arch Linux update for openssl
Slackware Linux update for openssl