Oracle Linux: CVE-2016-6515: ELSA-2017-2029: openssh security, bug fix, and enhancement update (MODERATE)
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 8 | (AV:N/AC:L/Au:N/C:N/I:N/A:C) | Jul 21, 2016 | Aug 8, 2017 | Dec 3, 2025 |
Description
The auth_password function in auth-passwd.c in sshd in OpenSSH before 7.3 does not limit password lengths for password authentication, which allows remote attackers to cause a denial of service (crypt CPU consumption) via a long string.
It was found that OpenSSH did not limit password lengths for password authentication. A remote unauthenticated attacker could use this flaw to temporarily trigger high CPU consumption in sshd by sending long passwords.
Solutions
- oracle-linux-upgrade-openssh
- oracle-linux-upgrade-openssh-askpass
- oracle-linux-upgrade-openssh-cavs
- oracle-linux-upgrade-openssh-clients
- oracle-linux-upgrade-openssh-keycat
- oracle-linux-upgrade-openssh-ldap
- oracle-linux-upgrade-openssh-server
- oracle-linux-upgrade-openssh-server-sysvinit
- oracle-linux-upgrade-pam-ssh-agent-auth