Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

redhat логотип

CVE-2016-0798

Опубликовано: 25 фев. 2016
Источник: redhat
CVSS2: 4.3

Описание

Memory leak in the SRP_VBASE_get_by_user implementation in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g allows remote attackers to cause a denial of service (memory consumption) by providing an invalid username in a connection attempt, related to apps/s_server.c and crypto/srp/srp_vfy.c.

A memory leak flaw was found in the way OpenSSL performed SRP user database look-ups using the SRP_VBASE_get_by_user() function. A remote attacker connecting to certain SRP servers with an invalid user name could leak approximately 300 bytes of the server's memory per connection.

Отчет

This issue does not affect the version of OpenSSL shipped with Red Hat Enterprise Linux 5, 6 and 7, since these packages are compiled without SRP support.

Затронутые пакеты

ПлатформаПакетСостояниеРекомендацияРелиз
Red Hat Enterprise Linux 5opensslNot affected
Red Hat Enterprise Linux 5openssl097aNot affected
Red Hat Enterprise Linux 6opensslNot affected
Red Hat Enterprise Linux 6openssl098eNot affected
Red Hat Enterprise Linux 7opensslNot affected
Red Hat Enterprise Linux 7openssl098eNot affected
Red Hat Enterprise Virtualization 3rhev-hypervisorNot affected
Red Hat JBoss Enterprise Web Server 2opensslNot affected
Red Hat JBoss Enterprise Web Server 3opensslNot affected

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Low
https://bugzilla.redhat.com/show_bug.cgi?id=1311876OpenSSL: Avoid memory leak in SRP

4.3 Medium

CVSS2

Связанные уязвимости

ubuntu логотип

CVE-2016-0798

CVSS3: 7.5
ubuntu
почти 10 лет назад

Memory leak in the SRP_VBASE_get_by_user implementation in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g allows remote attackers to cause a denial of service (memory consumption) by providing an invalid username in a connection attempt, related to apps/s_server.c and crypto/srp/srp_vfy.c.

nvd логотип

CVE-2016-0798

CVSS3: 7.5
nvd
почти 10 лет назад

Memory leak in the SRP_VBASE_get_by_user implementation in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g allows remote attackers to cause a denial of service (memory consumption) by providing an invalid username in a connection attempt, related to apps/s_server.c and crypto/srp/srp_vfy.c.

debian логотип

CVE-2016-0798

CVSS3: 7.5
debian
почти 10 лет назад

Memory leak in the SRP_VBASE_get_by_user implementation in OpenSSL 1.0 ...

github логотип

GHSA-8wvj-cwfq-pc44

CVSS3: 7.5
github
больше 3 лет назад

Memory leak in the SRP_VBASE_get_by_user implementation in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g allows remote attackers to cause a denial of service (memory consumption) by providing an invalid username in a connection attempt, related to apps/s_server.c and crypto/srp/srp_vfy.c.

fstec логотип

BDU:2016-00633

fstec
почти 10 лет назад

Уязвимость библиотеки OpenSSL, позволяющая нарушителю вызвать отказ в обслуживании

4.3 Medium

CVSS2