[Forgot Password]
Login  Register Subscribe

24003

 
 

131573

 
 

108741

 
 

909

 
 

85475

 
 

134

Paid content will be excluded from the download.


Download | Alert*
OVAL

ALAS-2016-695 ---- openssl

ID: oval:org.secpod.oval:def:1600397Date: (C)2016-05-19   (M)2018-05-06
Class: PATCHFamily: unix




A vulnerability was discovered that allows a man-in-the-middle attacker to use a padding oracle attack to decrypt traffic on a connection using an AES CBC cipher with a server supporting AES-NI. It was discovered that the ASN.1 parser can misinterpret a large universal tag as a negative value. If an application deserializes and later reserializes untrusted ASN.1 structures containing an ANY field, an attacker may be able to trigger an out-of-bounds write, which can cause potentially exploitable memory corruption. An overflow bug was discovered in the EVP_EncodeUpdate function. An attacker could supply very large amounts of input data to overflow a length check, resulting in heap corruption. An overflow bug was discovered in the EVP_EncryptUpdate function. An attacker could supply very large amounts of input data to overflow a length check, resulting in heap corruption. An issue was discovered in the BIO functions, such as d2i_CMS_bio, where a short invalid encoding in ASN.1 data can cause allocation of large amounts of memory, potentially resulting in a denial of service

Platform:
Amazon Linux AMI
Product:
openssl
Reference:
ALAS-2016-695
CVE-2016-2105
CVE-2016-2107
CVE-2016-2106
CVE-2016-2109
CVE-2016-2108
CVE    5
CVE-2016-2106
CVE-2016-2107
CVE-2016-2108
CVE-2016-2109
...
CPE    2
cpe:/o:amazon:linux
cpe:/a:openssl:openssl

© SecPod Technologies