[Forgot Password]
Login  Register Subscribe

23631

 
 

115084

 
 

97147

 
 

909

 
 

78730

 
 

109

Paid content will be excluded from the download.


Download | Alert*
OVAL

ALAS-2016-695 ---- openssl

ID: oval:org.secpod.oval:def:1600397Date: (C)2016-05-19   (M)2017-11-10
Class: PATCHFamily: unix




A vulnerability was discovered that allows a man-in-the-middle attacker to use a padding oracle attack to decrypt traffic on a connection using an AES CBC cipher with a server supporting AES-NI. It was discovered that the ASN.1 parser can misinterpret a large universal tag as a negative value. If an application deserializes and later reserializes untrusted ASN.1 structures containing an ANY field, an attacker may be able to trigger an out-of-bounds write, which can cause potentially exploitable memory corruption. An overflow bug was discovered in the EVP_EncodeUpdate function. An attacker could supply very large amounts of input data to overflow a length check, resulting in heap corruption. An overflow bug was discovered in the EVP_EncryptUpdate function. An attacker could supply very large amounts of input data to overflow a length check, resulting in heap corruption. An issue was discovered in the BIO functions, such as d2i_CMS_bio, where a short invalid encoding in ASN.1 data can cause allocation of large amounts of memory, potentially resulting in a denial of service

Platform:
Amazon Linux AMI
Product:
openssl
Reference:
ALAS-2016-695
CVE-2016-2105
CVE-2016-2107
CVE-2016-2106
CVE-2016-2109
CVE-2016-2108
CVE    5
CVE-2016-2106
CVE-2016-2107
CVE-2016-2108
CVE-2016-2109
...
CPE    45
cpe:/o:amazon:linux
cpe:/a:openssl:openssl:1.0.2a
cpe:/a:openssl:openssl:1.0.2
cpe:/o:google:android:4.3.1
...

© 2013 SecPod Technologies