Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact
5
CVSSv2

CVE-2016-2105

Published: 05/05/2016 Updated: 07/11/2023
CVSS v2 Base Score: 5 | Impact Score: 2.9 | Exploitability Score: 10
CVSS v3 Base Score: 7.5 | Impact Score: 3.6 | Exploitability Score: 3.9
VMScore: 445
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P
Subscribe to Enterprise Linux Desktop

Vulnerability Summary

Integer overflow in the EVP_EncodeUpdate function in crypto/evp/encode.c in OpenSSL prior to 1.0.1t and 1.0.2 prior to 1.0.2h allows remote malicious users to cause a denial of service (heap memory corruption) via a large amount of binary data.

Vulnerability Trend

Vulnerable Product Search on Vulmon Subscribe to Product

redhat enterprise linux desktop 6.0

redhat enterprise linux server 6.0

redhat enterprise linux workstation 6.0

redhat enterprise linux hpc node 6

opensuse leap 42.1

opensuse opensuse 13.2

oracle mysql

redhat enterprise linux desktop 7.0

redhat enterprise linux server aus 7.2

redhat enterprise linux workstation 7.0

redhat enterprise linux server 7.0

redhat enterprise linux hpc node 7.0

redhat enterprise linux server eus 7.2

redhat enterprise linux hpc node eus 7.2

apple mac os x 10.11.5

openssl openssl 1.0.1m

openssl openssl 1.0.2a

openssl openssl 1.0.1j

openssl openssl 1.0.1

openssl openssl 1.0.1h

openssl openssl 1.0.2e

openssl openssl 1.0.1r

openssl openssl 1.0.2b

openssl openssl 1.0.1c

openssl openssl 1.0.1g

openssl openssl 1.0.2g

openssl openssl 1.0.1a

openssl openssl 1.0.1d

openssl openssl 1.0.2c

openssl openssl 1.0.2

openssl openssl 1.0.1p

openssl openssl 1.0.1k

openssl openssl 1.0.1b

openssl openssl 1.0.1n

openssl openssl 1.0.1q

openssl openssl 1.0.1e

openssl openssl 1.0.1l

openssl openssl 1.0.1f

openssl openssl 1.0.1s

openssl openssl 1.0.1o

openssl openssl 1.0.2f

openssl openssl 1.0.1i

openssl openssl 1.0.2d

debian debian linux 8.0

canonical ubuntu linux 12.04

canonical ubuntu linux 16.04

canonical ubuntu linux 15.10

canonical ubuntu linux 14.04

nodejs node.js

nodejs node.js 6.0.0

Vendor Advisories

Red Hat: Important: openssl security update
Synopsis Important: openssl security update Type/Severity Security Advisory: Important Topic An update for openssl is now available for Red Hat Enterprise Linux 67 Extended Update SupportRed Hat Product Security has rated this update as having a security impact of Important A Common Vulnerability Scoring ...
Red Hat: Important: Red Hat JBoss Core Services Apache HTTP 2.4.23 Release
Synopsis Important: Red Hat JBoss Core Services Apache HTTP 2423 Release Type/Severity Security Advisory: Important Topic Red Hat JBoss Core Services httpd 2423 is now available from the Red Hat Customer Portal for Solaris and Microsoft Windows systemsRed Hat Product Security has rated this release as ...
Ubuntu Security Notice: openssl vulnerabilities
Several security issues were fixed in OpenSSL ...
Debian Security Advisories: DSA-3566-1 openssl -- security update
Several vulnerabilities were discovered in OpenSSL, a Secure Socket Layer toolkit CVE-2016-2105 Guido Vranken discovered that an overflow can occur in the function EVP_EncodeUpdate(), used for Base64 encoding, if an attacker can supply a large amount of data This could lead to a heap corruption CVE-2016-2106 Guido Vranken discov ...
Amazon Linux AMI: ALAS-2016-695
A vulnerability was discovered that allows a man-in-the-middle attacker to use a padding oracle attack to decrypt traffic on a connection using an AES CBC cipher with a server supporting AES-NI (CVE-2016-2107, Important) It was discovered that the ASN1 parser can misinterpret a large universal tag as a negative value If an application deserializ ...
Red Hat: CVE-2016-2105
An integer overflow flaw, leading to a buffer overflow, was found in the way the EVP_EncodeUpdate() function of OpenSSL parsed very large amounts of input data A remote attacker could use this flaw to crash an application using OpenSSL or, possibly, execute arbitrary code with the permissions of the user running that application ...
Tenable Security Advisories: [R5] OpenSSL '20160503' Advisory Affects Tenable Products
Nessus and SecurityCenter are potentially impacted by several vulnerabilities in OpenSSL that were recently disclosed and fixed Note that due to the time involved in doing a full analysis of each issue, Tenable has opted to upgrade the included version of OpenSSL as a precaution, and to save time The issues include: CVE-2016-2107 - OpenSSL AES-N ...
Tenable Security Advisories: [R7] LCE 4.8.1 Fixes Multiple Vulnerabilities
The Log Correlation Engine (LCE) is potentially impacted by several vulnerabilities in OpenSSL (20160503), libpcre / PCRE, Libxml2, Handlebars, libcurl, and jQuery that were recently disclosed and fixed Note that due to the time involved in doing a full analysis of each issue, Tenable has opted to upgrade the included versions of each library as a ...
Tenable Security Advisories: [R3] PVS 5.1.0 Fixes Multiple Third-party Library Vulnerabilities
Tenable's Passive Vulnerability Scanner (PVS) uses third-party libraries to provide certain standardized functionality Two of these libraries were found to contain vulnerabilities and were fixed upstream Those fixes have been integrated despite there being no known exploitation scenarios related to PVS OpenSSL ASN1 Encoder Negative Zero Value ...

ICS Advisories

Siemens SCALANCE X-200RNA Switch Devices

Exploits

Exploit DB: Orion Elite Hidden IP Browser Pro 7.9 OpenSSL / Tor / Man-In-The-Middle
Orion Elite Hidden IP Browser Pro versions 10 through 79 have insecure versions of Tor and OpenSSL included and also suffer from man-in-the-middle vulnerabilities ...

Github Repositories

https://github.com/securityrouter/changelog

Security router changelog

The securityrouterorg project is a network operating system and software distribution based on OpenBSD which is developed and maintained by Halon Security New systems are deployed by downloading a software image The easiest way to update existing systems is to perform an automatic update from within the product's administration New major versions can contain configurat

Recent Articles

Yay! It's International Patch Your Scary OpenSSL Bugs Day!
The Register • Iain Thomson in San Francisco • 03 May 2016

Two innocent programming blunders breed high-risk flaw

Six security patches – two of them high severity – have been released today for OpenSSL 1.0.1 and 1.0.2. Last week, the open-source crypto-library project warned that a bunch of fixes were incoming, and true enough, Tuesday’s updates address serious flaws that should be installed as soon as possible. CVE-2016-2108 is a curious beast; a hybrid of two low-risk bugs that can be fused into a serious problem. The first is a seemingly innocuous issue with the ASN.1 parser whereby if a zero is re...

Read more...

References

CWE-190https://www.openssl.org/news/secadv/20160503.txthttps://kc.mcafee.com/corporate/index?page=content&id=SB10160http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00019.htmlhttp://rhn.redhat.com/errata/RHSA-2016-0722.htmlhttp://rhn.redhat.com/errata/RHSA-2016-0996.htmlhttp://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.htmlhttp://lists.apple.com/archives/security-announce/2016/Jul/msg00000.htmlhttps://support.apple.com/HT206903http://www.securityfocus.com/bid/91787http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.htmlhttp://www.oracle.com/technetwork/topics/security/linuxbulletinjul2016-3090544.htmlhttp://rhn.redhat.com/errata/RHSA-2016-1650.htmlhttp://rhn.redhat.com/errata/RHSA-2016-1648.htmlhttp://rhn.redhat.com/errata/RHSA-2016-1649.htmlhttp://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.htmlhttp://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.htmlhttp://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.htmlhttps://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05320149http://www.securityfocus.com/bid/89757http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00016.htmlhttp://lists.opensuse.org/opensuse-security-announce/2016-05/msg00014.htmlhttp://lists.fedoraproject.org/pipermail/package-announce/2016-May/184605.htmlhttp://lists.opensuse.org/opensuse-security-announce/2016-05/msg00018.htmlhttps://www.freebsd.org/security/advisories/FreeBSD-SA-16:17.openssl.aschttp://lists.opensuse.org/opensuse-security-announce/2016-05/msg00010.htmlhttp://lists.fedoraproject.org/pipermail/package-announce/2016-May/183457.htmlhttp://www.ubuntu.com/usn/USN-2959-1http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00036.htmlhttp://lists.opensuse.org/opensuse-security-announce/2016-05/msg00015.htmlhttp://lists.opensuse.org/opensuse-security-announce/2016-05/msg00017.htmlhttp://lists.opensuse.org/opensuse-security-announce/2016-05/msg00001.htmlhttp://lists.opensuse.org/opensuse-security-announce/2016-05/msg00013.htmlhttp://www.slackware.com/security/viewer.php?l=slackware-security&y=2016&m=slackware-security.542103http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00019.htmlhttp://lists.opensuse.org/opensuse-security-announce/2016-05/msg00055.htmlhttp://www.securitytracker.com/id/1035721http://www.debian.org/security/2016/dsa-3566http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00030.htmlhttp://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160504-opensslhttp://lists.opensuse.org/opensuse-security-announce/2016-05/msg00011.htmlhttp://lists.opensuse.org/opensuse-security-announce/2016-05/msg00008.htmlhttp://lists.fedoraproject.org/pipermail/package-announce/2016-May/183607.htmlhttp://lists.opensuse.org/opensuse-security-announce/2016-05/msg00029.htmlhttps://bto.bluecoat.com/security-advisory/sa123http://packetstormsecurity.com/files/136912/Slackware-Security-Advisory-openssl-Updates.htmlhttps://security.gentoo.org/glsa/201612-16http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10759https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05390722https://www.tenable.com/security/tns-2016-18https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03756en_ushttps://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03765en_ushttp://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.htmlhttps://security.netapp.com/advisory/ntap-20160504-0001/https://source.android.com/security/bulletin/pixel/2017-11-01http://rhn.redhat.com/errata/RHSA-2016-2957.htmlhttp://rhn.redhat.com/errata/RHSA-2016-2073.htmlhttp://rhn.redhat.com/errata/RHSA-2016-2056.htmlhttp://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.htmlhttp://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.htmlhttps://cert-portal.siemens.com/productcert/pdf/ssa-412672.pdfhttps://git.openssl.org/?p=openssl.git%3Ba=commit%3Bh=5b814481f3573fa9677f3a31ee51322e2a22ee6ahttps://access.redhat.com/errata/RHSA-2016:2073https://usn.ubuntu.com/2959-1/https://nvd.nist.govhttps://www.cisa.gov/uscert/ics/advisories/icsa-22-349-21
CVSSv2
CVSSv2
CVSSv3
VMScore
Recommendations:
CVE-2024-27977IMAPlocal usersCVE-2024-32038CVE-2023-49963CVE-2023-22869CVE-2024-31497localCVE-2024-2961
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook