OpenSSL Memory corruption in the ASN.1 encoder (CVE-2016-2108)
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 10 | (AV:N/AC:L/Au:N/C:C/I:C/A:C) | May 04, 2016 | May 04, 2016 | January 08, 2018 |
Description
The ASN.1 implementation in OpenSSL before 1.0.1o and 1.0.2 before 1.0.2c allows remote attackers to execute arbitrary code or cause a denial of service (buffer underflow and memory corruption) via an ANY field in crafted serialized data, aka the "negative zero" issue.
Scan For This Vulnerability
Use our top-rated tool to discover, prioritize, and remediate your vulnerabilities
References
- APPLE-APPLE-SA-2016-07-18-1
- BID-89752
- BID-91787
- CVE-2016-2108
- DEBIAN-DSA-3566
- DISA_SEVERITY-Category I
- IAVM-2016-A-0230
- REDHAT-RHSA-2016:0722
- REDHAT-RHSA-2016:0996
- REDHAT-RHSA-2016:1137
- REDHAT-RHSA-2016:2056
- REDHAT-RHSA-2016:2073
- REDHAT-RHSA-2016:2957
- REDHAT-RHSA-2017:0193
- REDHAT-RHSA-2017:0194
- URL: https://www.openssl.org/news/secadv/20160503.txt
Solution
http-openssl-1_0_1-upgrade-1_0_1_oRelated Vulnerabilities
- Gentoo Linux: CVE-2015-7183: Mozilla Products: Multiple vulnerabilities
- Ubuntu: (Multiple Advisories) (CVE-2016-3606): OpenJDK 6 vulnerabilities
- Java CPU July 2016 Java SE, Java SE Embedded Libraries vulnerability (CVE-2016-3598)
- Red Hat: CVE-2016-2108: Important: openssl security update ((Multiple Advisories))
- HP-UX: CVE-2015-1793: OpenSSL Vulnerability (Alternative Chain Certificate Forgery)
- Ubuntu: USN-2959-1 (CVE-2016-2105): OpenSSL vulnerabilities
- Oracle Linux: (CVE-2016-3587) ELSA-2016-1458: java-1.8.0-openjdk security update
- Red Hat: CVE-2016-3521: Important: mariadb security update (RHSA-2016:1602)
- CentOS: (CVE-2016-3521) CESA-2016:1602: mariadb
- SUSE: CVE-2016-1978: SUSE Linux Security Advisory
- OS X update for Admin Framework (CVE-2015-4000)
- Amazon Linux AMI: CVE-2016-5440: Security patch for mysql55 ((Multiple Advisories))
- MFSA2015-70 SeaMonkey: NSS accepts export-length DHE keys with regular DHE cipher suites (CVE-2015-4000)
- Ubuntu: USN-2883-1 (CVE-2016-0701): OpenSSL vulnerability
- OS X update for apache (CVE-2015-1790)
- F5 Networks: K16864 (CVE-2015-2808): SSL/TLS RC4 vulnerability CVE-2015-2808
- Palo Alto Networks (Multiple Advisories) (CVE-2015-1792): OpenSSL Vulnerabilities
- Gentoo Linux: CVE-2015-3237: cURL: Multiple vulnerabilities
- SUSE: CVE-2015-5600: SUSE Linux Security Advisory
- Gentoo Linux: CVE-2016-1978: Mozilla Products: Multiple vulnerabilities
- HP Systems Insight Manager - HPSBMU03394 (CVE-2015-1791): Linux and Windows, Multiple Vulnerabilities
- CentOS: (CVE-2016-0800) (Multiple Advisories): openssl098e
- SUSE: CVE-2016-3458: SUSE Linux Security Advisory
- Debian: CVE-2016-3521: mariadb-10.0 -- security update
- RHSA-2016:0996: openssl security update
- F5 Networks: K25075696 (CVE-2016-3500): Oracle Java vulnerability CVE-2016-3500
- Alpine Linux: CVE-2016-2106: openssl Multiple vulnerabilities
- Java CPU July 2016 Java SE, Java SE Embedded Hotspot vulnerability (CVE-2016-3550)
- SUSE: CVE-2016-3501: SUSE Linux Security Advisory
- Oracle Solaris 11: CVE-2015-3236: Vulnerability in libcurl
- Amazon Linux AMI: CVE-2016-3459: Security patch for mysql56 (ALAS-2016-737)
- F5 Networks: K31026324 (CVE-2015-8104): Linux kernel vulnerabilities CVE-2015-2925, CVE-2015-5307, and CVE-2015-8104
- IBM AIX: java_april2015_advisory, rc4_advisory (CVE-2015-2808): Vulnerability in IBM Java SDK affects AIX
- Debian: CVE-2016-0797: openssl -- security update
- Oracle Solaris 11: CVE-2015-1788: Vulnerability in OpenSSL
- Debian: CVE-2015-7182: nss -- security update
- Huawei EulerOS: CVE-2016-4052: squid security update
- Huawei EulerOS: CVE-2016-3521: mariadb security update
- CentOS: (CVE-2016-3606) (Multiple Advisories): java-1.6.0-openjdk
- FreeBSD: FreeBSD -- Multiple OpenSSL vulnerabilities (FreeBSD-SA-16:12.openssl) (Multiple CVEs)
- Amazon Linux AMI: CVE-2016-0797: Security patch for openssl (ALAS-2016-661)
- Huawei EulerOS: CVE-2016-3610: java-1.7.0-openjdk security update
- MFSA2015-133 Firefox: NSS and NSPR memory corruption issues (CVE-2015-7182)
- Gentoo Linux: CVE-2015-0204: OpenSSL: Multiple vulnerabilities
- FreeBSD: node -- multiple vulnerabilities (Multiple CVEs)
- Apache HTTPD: mod_lua: Crash in websockets PING handling (CVE-2015-0228)
- Oracle Linux: (CVE-2016-2109) (Multiple Advisories): openssl security update
- Oracle Solaris 11: CVE-2016-5444: Vulnerability in MySQL
- Ubuntu: USN-3040-1 (CVE-2016-5437): MySQL vulnerabilities
- Amazon Linux AMI: CVE-2016-4051: Security patch for squid ((Multiple Advisories))
- Amazon Linux AMI: CVE-2016-4052: Security patch for squid (ALAS-2016-713)
- FreeBSD: openssl -- multiple vulnerabilities (FreeBSD-SA-15:26.openssl) (Multiple CVEs)
- FreeBSD: apache22 -- chunk header parsing defect (CVE-2015-3183)
- Ubuntu: USN-2830-1 (CVE-2015-3193): OpenSSL vulnerabilities
- Ubuntu: USN-2959-1 (CVE-2016-2106): OpenSSL vulnerabilities
- HP-UX: CVE-2015-1790: OpenSSL Vulnerability (PKCS7 crash with missing EnvelopedContent)
- Amazon Linux AMI: CVE-2016-3458: Security patch for java-1.6.0-openjdk ((Multiple Advisories))
- Oracle Linux: (CVE-2016-3550) (Multiple Advisories): java-1.6.0-openjdk security update
- Ubuntu: (Multiple Advisories) (CVE-2015-7181): Thunderbird vulnerabilities
- Gentoo Linux: CVE-2016-0799: OpenSSL: Multiple vulnerabilities
- SUSE: CVE-2016-3511: SUSE Linux Security Advisory
- Cisco SAN-OS: Multiple Vulnerabilities in OpenSSL (January 2016) Affecting Cisco Products (CVE-2016-0701)
- Oracle Solaris 11: CVE-2015-7183: Vulnerability in Firefox, Thunderbird
- SUSE: CVE-2015-0228: SUSE Linux Security Advisory
- SUSE: CVE-2015-7182: SUSE Linux Security Advisory
- Cisco ASA: CVE-2015-3194: Multiple Vulnerabilities in OpenSSL Affecting Cisco Products December 2015 (cisco-sa-20151204-openssl)
- HP-UX: CVE-2015-1791: OpenSSL Vulnerability (Race condition handling NewSessionTicket)
- IBM AIX: openssl_advisory20 (CVE-2016-2108): Vulnerabilities in OpenSSL affects AIX
- Gentoo Linux: CVE-2016-3598: Oracle JRE/JDK: Multiple vulnerabilities
- Oracle Solaris 11: CVE-2016-5469: Vulnerability in Kernel
- Apache Struts: CVE-2016-1182: XSS and denial of service
- F5 Networks: K16915 (CVE-2015-1792): OpenSSL vulnerability CVE-2015-1792
- SUSE: CVE-2016-0799: SUSE Linux Security Advisory
- Huawei EulerOS: CVE-2016-3452: mariadb security update
- Oracle Linux: (CVE-2016-3615) ELSA-2016-1602: mariadb security update
- Juniper Junos OS: 2015-05 Out of Cycle Security Bulletin: "Logjam" passive attack on sub-1024 DH groups, and active downgrade attack of TLS to DHE_EXPORT (JSA10681) (CVE-2015-4000)
- Red Hat: CVE-2016-2105: Important: openssl security update ((Multiple Advisories))
- F5 Networks: K16124 (CVE-2015-0206): OpenSSL vulnerability CVE-2015-0206
- Red Hat: CVE-2016-5440: Important: mariadb security update (RHSA-2016:1602)
- CentOS: (CVE-2016-4053) (Multiple Advisories): squid34
- Alpine Linux: CVE-2016-2105: openssl Multiple vulnerabilities
- OpenSSL PKCS7 crash with missing EnvelopedContent (CVE-2015-1790)
- MFSA2015-150 Thunderbird: MD5 signatures accepted within TLS 1.2 ServerKeyExchange in server signature (CVE-2015-7575)
- HP Systems Insight Manager - HPSBMU03394 (CVE-2015-1789): Linux and Windows, Multiple Vulnerabilities
- Red Hat: CVE-2016-2106: Important: openssl security update ((Multiple Advisories))
- Oracle MySQL Vulnerability: CVE-2016-3614
- Juniper Junos OS: 2018-04 Security Bulletin: OpenSSL Security Advisory [07 Dec 2017] (JSA10851) (multiple CVEs)
- Amazon Linux AMI: CVE-2016-3452: Security patch for mysql55 (ALAS-2016-738)
- Sun Patch: SunOS 5.10: OpenSSL 0.9.7 patch
- OS X update for OpenSSL (CVE-2015-1791)
- Gentoo Linux: CVE-2016-2108: OpenSSL: Multiple vulnerabilities
- Oracle Solaris 11: CVE-2016-5437: Vulnerability in MySQL
- Debian: CVE-2016-0798: openssl -- security update
- Oracle Linux: (CVE-2016-4052) (Multiple Advisories): squid security, bug fix, and enhancement update
- IBM WebSphere Application Server: CVE-2015-7575: IBM Multiple vulnerabilities in IBM® Java SDK affect WebSphere Application Server January 2016 CPU (CVE-2016-0475, CVE-2016-0466, CVE-2015-7575, CVE-2016-0448)
- CentOS: (CVE-2015-7575) (Multiple Advisories): java-1.7.0-openjdk
- Gentoo Linux: CVE-2016-3511: Oracle JRE/JDK: Multiple vulnerabilities
- HP-UX: CVE-2015-0204: Potential security vulnerabilities have been identified with HP-UX running OpenSSL. These vulnerabilities could be exploited remotely to create a remote Denial of Service (DoS) and other vulnerabilites.
- Oracle Solaris 11: CVE-2015-4000: Vulnerability in LFTP, OpenSSL, Thunderbird
- OS X update for LibreSSL (CVE-2016-2109)