Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

redhat логотип

CVE-2016-2108

Опубликовано: 03 мая 2016
Источник: redhat
CVSS3: 5.6
CVSS2: 5.1
EPSS Средний

Описание

The ASN.1 implementation in OpenSSL before 1.0.1o and 1.0.2 before 1.0.2c allows remote attackers to execute arbitrary code or cause a denial of service (buffer underflow and memory corruption) via an ANY field in crafted serialized data, aka the "negative zero" issue.

A flaw was found in the way OpenSSL encoded certain ASN.1 data structures. An attacker could use this flaw to create a specially crafted certificate which, when verified or re-encoded by OpenSSL, could cause it to crash, or execute arbitrary code using the permissions of the user running an application compiled against the OpenSSL library.

Затронутые пакеты

ПлатформаПакетСостояниеРекомендацияРелиз
Red Hat Enterprise Linux 4opensslWill not fix
Red Hat Enterprise Linux 4openssl096bWill not fix
Red Hat Enterprise Linux 5openssl097aWill not fix
Red Hat Enterprise Linux 6openssl098eWill not fix
Red Hat Enterprise Linux 7openssl098eWill not fix
Red Hat JBoss Enterprise Application Platform 5opensslNot affected
Red Hat JBoss Enterprise Web Server 2opensslNot affected
Red Hat JBoss Enterprise Web Server 3opensslFix deferred
JBoss Core Services on RHEL 6jbcs-httpd24-httpdFixedRHSA-2017:019325.01.2017
JBoss Core Services on RHEL 6jbcs-httpd24-mod_auth_kerbFixedRHSA-2017:019325.01.2017

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Important
Дефект:
CWE-787
https://bugzilla.redhat.com/show_bug.cgi?id=1331402openssl: Memory corruption in the ASN.1 encoder

EPSS

Процентиль: 98%
0.54206
Средний

5.6 Medium

CVSS3

5.1 Medium

CVSS2

Связанные уязвимости

ubuntu логотип

CVE-2016-2108

CVSS3: 9.8
ubuntu
около 9 лет назад

The ASN.1 implementation in OpenSSL before 1.0.1o and 1.0.2 before 1.0.2c allows remote attackers to execute arbitrary code or cause a denial of service (buffer underflow and memory corruption) via an ANY field in crafted serialized data, aka the "negative zero" issue.

nvd логотип

CVE-2016-2108

CVSS3: 9.8
nvd
около 9 лет назад

The ASN.1 implementation in OpenSSL before 1.0.1o and 1.0.2 before 1.0.2c allows remote attackers to execute arbitrary code or cause a denial of service (buffer underflow and memory corruption) via an ANY field in crafted serialized data, aka the "negative zero" issue.

debian логотип

CVE-2016-2108

CVSS3: 9.8
debian
около 9 лет назад

The ASN.1 implementation in OpenSSL before 1.0.1o and 1.0.2 before 1.0 ...

github логотип

GHSA-cf8v-cq93-65gh

CVSS3: 9.8
github
около 3 лет назад

The ASN.1 implementation in OpenSSL before 1.0.1o and 1.0.2 before 1.0.2c allows remote attackers to execute arbitrary code or cause a denial of service (buffer underflow and memory corruption) via an ANY field in crafted serialized data, aka the "negative zero" issue.

oracle-oval логотип

ELSA-2016-1137

oracle-oval
около 9 лет назад

ELSA-2016-1137: openssl security update (IMPORTANT)

EPSS

Процентиль: 98%
0.54206
Средний

5.6 Medium

CVSS3

5.1 Medium

CVSS2