CVE-2016-6309

Published: 26/09/2016 Updated: 12/07/2018
CVSS v2 Base Score: 10 | Impact Score: 10 | Exploitability Score: 10
CVSS v3 Base Score: 9.8 | Impact Score: 5.9 | Exploitability Score: 3.9
VMScore: 891
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Vulnerability Summary

statem/statem.c in OpenSSL 1.1.0a does not consider memory-block movement after a realloc call, which allows remote malicious users to cause a denial of service (use-after-free) or possibly execute arbitrary code via a crafted TLS session.

Affected Products

Vendor    Product    Versions
Openssl   Openssl    1.1.0a

Vendor Advisories

statem/statem.c in OpenSSL 1.1.0a does not consider memory-block movement after a realloc call, which allows remote attackers to cause a denial of service (use-after-free) or possibly execute arbitrary code via a crafted TLS session ...
The patch applied to address CVE-2016-6307 resulted in an issue where if a message larger than approx 16k is received then the underlying buffer to store the incoming message is reallocated and moved. Unfortunately a dangling pointer to the old location is left which results in an attempt to write to the previously freed location. This is likely to ...
Oracle Critical Patch Update Advisory - January 2017. Description: A Critical Patch Update (CPU) is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisory. Th ...
Nessus is potentially impacted by several vulnerabilities in OpenSSL (20160926) that were recently disclosed and fixed. Note that due to the time involved in doing a full analysis of each issue, Tenable has opted to upgrade the included version of OpenSSL as a precaution, and to save time. These vulnerabilities may impact Nessus and include: CVE-2 ...
Security Advisory ID: SYMSA1382. Initial Publication Date: 6 Oct 2016. Advisory Status: Open. Advisory Severity: High. CVSS Base Score: CVSS v2: 10.0. Legacy ID: SA132 ...
Oracle Critical Patch Update Advisory - October 2016. Description: A Critical Patch Update (CPU) is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previou ...
On September 22, 2016, the OpenSSL Software Foundation released an advisory that describes 14 vulnerabilities. Of these 14 vulnerabilities, the OpenSSL Software Foundation classifies one as “Critical Severity,” one as “Moderate Severity,” and the other 12 as “Low Severity.” Subsequently, on September 26, the OpenSSL Software Foundatio ...
Oracle Critical Patch Update Advisory - July 2017. Description: A Critical Patch Update (CPU) is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous C ...
Tenable's Passive Vulnerability Scanner (PVS) uses third-party libraries to provide certain standardized functionality. Four of these libraries were found to contain vulnerabilities and were fixed upstream. Those fixes have been integrated despite there being no known exploitation scenarios related to PVS. OpenSSL ssl/statem/statem.c read_state_ma ...
Oracle Critical Patch Update Advisory - April 2018. Description: A Critical Patch Update is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous ...
Oracle Critical Patch Update Advisory - April 2017. Description: A Critical Patch Update (CPU) is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisory. Thus ...
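The realloc hazard the OpenSSL advisory above describes (and that The Register quotes again further down) is shown here as an added example; it is not OpenSSL's code. It is a hypothetical C model of a handshake-message buffer that is grown once the incoming body exceeds the initial ~16k capacity, with the vulnerable pattern (a cached body pointer kept across the grow) beside the fix (the pointer re-derived after every call that may reallocate). The names `struct conn`, `init_msg`, `init_num`, `grow`, `checked_write` and `run_message` are this example's own assumptions. The `grow` helper deliberately allocates a fresh block and frees the old one so the move is deterministic, and `checked_write` refuses a destination outside the live buffer rather than performing the use-after-free write, which is what an ASan build would flag.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model (not OpenSSL's code) of the hazard in the advisory:
 * a growable handshake-message buffer plus a cached pointer into it. */
#define HDR_LEN     4            /* handshake header: type(1) + length(3) */
#define INITIAL_CAP (16 * 1024)  /* bodies larger than this force a grow */

struct conn {
    unsigned char *data;      /* message buffer: header followed by body */
    size_t cap;               /* bytes allocated for data */
    unsigned char *init_msg;  /* cached pointer to the body inside data */
    size_t init_num;          /* body bytes received so far */
};

int conn_init(struct conn *c)
{
    memset(c, 0, sizeof *c);
    if ((c->data = malloc(INITIAL_CAP)) == NULL)
        return 0;
    c->cap = INITIAL_CAP;
    c->init_msg = c->data + HDR_LEN;  /* valid only for this block */
    return 1;
}

/* Grow to at least `need` bytes. Always allocates a fresh block and frees the
 * old one so the move is deterministic (a plain realloc may or may not move). */
static int grow(struct conn *c, size_t need)
{
    unsigned char *p;
    if (need <= c->cap)
        return 1;
    if ((p = malloc(need)) == NULL)
        return 0;
    memcpy(p, c->data, HDR_LEN + c->init_num);
    free(c->data);  /* from here on, any old pointer into c->data dangles */
    c->data = p;
    c->cap = need;
    return 1;
}

/* Stand-in for an ASan report: refuse a write whose destination is not
 * inside the live buffer instead of corrupting freed memory. */
static int checked_write(const struct conn *c, unsigned char *dst,
                         const unsigned char *src, size_t n)
{
    uintptr_t lo = (uintptr_t)c->data, hi = lo + c->cap, d = (uintptr_t)dst;
    if (d < lo || d + n > hi)
        return 0;  /* dangling (use-after-free) or out of bounds */
    memcpy(dst, src, n);
    return 1;
}

/* Vulnerable pattern: init_msg cached before grow() is reused after it. */
int recv_body_vulnerable(struct conn *c, const unsigned char *frag, size_t n)
{
    if (!grow(c, HDR_LEN + c->init_num + n))
        return 0;
    /* BUG: for bodies > ~16k, init_msg points into the block grow() freed. */
    if (!checked_write(c, c->init_msg + c->init_num, frag, n))
        return 0;
    c->init_num += n;
    return 1;
}

/* Fixed pattern: re-derive every pointer into the buffer after any call
 * that may reallocate it, and only then use it. */
int recv_body_fixed(struct conn *c, const unsigned char *frag, size_t n)
{
    if (!grow(c, HDR_LEN + c->init_num + n))
        return 0;
    c->init_msg = c->data + HDR_LEN;  /* FIX: refresh after (re)allocation */
    if (!checked_write(c, c->init_msg + c->init_num, frag, n))
        return 0;
    c->init_num += n;
    return 1;
}

/* Feed one constructed body of `body_len` 0x41 bytes (not a real handshake)
 * through a handler; returns 1 only if every byte landed in the live buffer. */
int run_message(int (*handler)(struct conn *, const unsigned char *, size_t),
                size_t body_len)
{
    struct conn c;
    unsigned char *body = malloc(body_len);
    int ok = 0;
    if (body == NULL)
        return 0;
    memset(body, 0x41, body_len);
    if (conn_init(&c)) {
        ok = handler(&c, body, body_len) && c.init_num == body_len
             && memcmp(c.data + HDR_LEN, body, body_len) == 0;
        free(c.data);
    }
    free(body);
    return ok;
}

int main(void)
{
    printf("vulnerable, 1k body:  %d\n", run_message(recv_body_vulnerable, 1024));
    printf("vulnerable, 20k body: %d\n", run_message(recv_body_vulnerable, 20 * 1024));
    printf("fixed, 20k body:      %d\n", run_message(recv_body_fixed, 20 * 1024));
    return 0;
}
```

With a body that fits in the initial block the vulnerable handler behaves normally, which is why the bug only surfaces on messages above roughly 16k; the fix is a single pointer refresh placed after the call that can reallocate.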

Github Repositories

articles: Personal blog. My day job is malware analysis and time is limited, so this records hobby research. Fuzzing series: building a fuzzer on protobuf (libpng); notes from learning OpenSSL fuzzing. Pwn: a DynELF leak function causing stack imbalance; Linux x64 pwn study. Malware analysis: handling static configuration decryption in a nasty obfuscation case. Vulnerability analysis: in-depth analysis of a tcpdump 451 crash; CoolPlayer

honggfuzz: A security oriented, feedback-driven, evolutionary, easy-to-use fuzzer with interesting analysis options. See USAGE for more data on the usage. It's multi-threaded and multi-process: no need to run multiple copies of your fuzzer, as honggfuzz can unlock potential of all your available CPU cores. The file corpus is shared between threads (and fuzzed i

honggfuzz: A security oriented, feedback-driven, evolutionary, easy-to-use fuzzer with interesting analysis options. See USAGE for the description of command-line options. It's multi-process and multi-threaded: no need to run multiple copies of your fuzzer, as honggfuzz can unlock potential of all your available CPU cores with a single supervising process. The

Recent Articles

Patch AGAIN: OpenSSL security fixes now need their own security fixes
The Register • Team Register • 26 Sep 2016

Recursion (n): See recursion

Sysadmins and devs, fresh from a weekend spoiled by last week's OpenSSL emergency patch, have another emergency patch to install.
One of last week's fixes, for CVE-2016-6307, created CVE-2016-6309, a dangling pointer security vulnerability.
As the fresh advisory states: “The patch applied to address CVE-2016-6307 resulted in an issue where if a message larger than approx 16k is received, then the underlying buffer to store the incoming message is reallocated and moved.
“Unf...