Bug 1330101 (CVE-2016-2109)
| Summary: | CVE-2016-2109 openssl: ASN.1 BIO handling of large amounts of data | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Martin Prpič <mprpic> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | low | Docs Contact: | |
| Priority: | low | | |
| Version: | unspecified | CC: | akjain, anemec, bbaranow, bmaxwell, cdewolf, chazlett, csutherl, dandread, darran.lofthouse, dknox, dosoudil, erik-fedora, fnasser, gzaronik, hkario, huwang, jaeshin, jason.greene, jawilson, jboss-set, jclere, jdoyle, ktietz, lgao, marcandre.lureau, mbabacek, mturk, myarboro, pgier, psakar, pslavice, redhat-bugzilla, rjones, rnetuka, rsvoboda, ryan.parman, sardella, slawomir, tmraz, twalsh, vtunka, weli, yozone |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| See Also: | https://issues.redhat.com/browse/JBCS-88 | | |
| Whiteboard: | | | |
| Fixed In Version: | openssl 1.0.1t, openssl 1.0.2h | Doc Type: | Bug Fix |
| Doc Text: | A denial of service flaw was found in the way OpenSSL parsed certain ASN.1-encoded data from BIO (OpenSSL's I/O abstraction) inputs. An application using OpenSSL that accepts untrusted ASN.1 BIO input could be forced to allocate an excessive amount of data. | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | 2017-02-22 12:29:31 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1330103, 1330104, 1330105, 1331569, 1331570, 1331865, 1331866, 1332974, 1337161, 1337162, 1366994 | | |
| Bug Blocks: | 1330106, 1395463 | | |
Description
Martin Prpič
2016-04-25 12:12:52 UTC
Created openssl101e tracking bugs for this issue: Affects: epel-5 [bug 1330105]

Created openssl tracking bugs for this issue: Affects: fedora-all [bug 1330103]

Created mingw-openssl tracking bugs for this issue: Affects: fedora-all [bug 1330104]

Upstream test case: https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=9f13d4dd5ec420fb2fa0a7b94a6d66bb2700a492

External References: https://openssl.org/news/secadv/20160503.txt

Details from the upstream advisory:

ASN.1 BIO excessive memory allocation (CVE-2016-2109)
=====================================================

Severity: Low

When ASN.1 data is read from a BIO using functions such as d2i_CMS_bio() a short invalid encoding can cause allocation of large amounts of memory potentially consuming excessive resources or exhausting memory.

Any application parsing untrusted data through d2i BIO functions is affected. The memory based functions such as d2i_X509() are *not* affected. Since the memory based functions are used by the TLS library, TLS applications are not affected.

OpenSSL 1.0.2 users should upgrade to 1.0.2h
OpenSSL 1.0.1 users should upgrade to 1.0.1t

This issue was reported to OpenSSL on 4th April 2016 by Brian Carpenter. The fix was developed by Stephen Henson of the OpenSSL development team.

This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2016:0722 https://rhn.redhat.com/errata/RHSA-2016-0722.html

This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2016:0996 https://rhn.redhat.com/errata/RHSA-2016-0996.html

openssl101e-1.0.1e-8.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.

This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 6.4.10 Via RHSA-2016:2056 https://rhn.redhat.com/errata/RHSA-2016-2056.html

This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Via RHSA-2016:2054 https://rhn.redhat.com/errata/RHSA-2016-2054.html

This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Via RHSA-2016:2055 https://rhn.redhat.com/errata/RHSA-2016-2055.html

This issue has been addressed in the following products: Red Hat Enterprise Linux 6.7 Extended Update Support Via RHSA-2016:2073 https://rhn.redhat.com/errata/RHSA-2016-2073.html

This issue has been addressed in the following products: Via RHSA-2016:2957 https://rhn.redhat.com/errata/RHSA-2016-2957.html
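The advisory above attributes the flaw to a short invalid encoding whose declared length drives a large allocation on the BIO read path. As an added example (not from the bug report, Red Hat, or OpenSSL), the following Python check is the kind of pre-validation an application can run on untrusted DER before handing it to any parser: it decodes only the outer tag/length header and rejects input whose declared length is not backed by the bytes actually present or exceeds a caller-chosen cap. The function names, the 1 MiB default cap and the sample byte strings are all assumptions constructed for this example.

```python
"""Bounded sanity check on the outer DER length of untrusted ASN.1 input.

Added example, not OpenSSL code: a "short invalid encoding" whose length
octets promise far more data than is present is rejected here, so it never
reaches a parser that would size an allocation from the declared length.
"""
from typing import Tuple


class DerHeaderError(ValueError):
    """Outer tag/length header is malformed, truncated, or oversized."""


def parse_outer_header(data: bytes, max_len: int = 1 << 20) -> Tuple[int, int, int]:
    """Return (tag, declared_length, header_size) for a definite-length DER TLV.

    Rejects truncated headers, indefinite length (0x80, not valid DER),
    non-minimal long-form lengths, lengths above max_len (assumed 1 MiB cap),
    and lengths larger than the number of bytes that actually follow.
    """
    if len(data) < 2:
        raise DerHeaderError("truncated header")
    tag = data[0]
    if tag & 0x1F == 0x1F:
        raise DerHeaderError("multi-byte tags are out of scope for this check")
    first = data[1]
    if first < 0x80:                      # short form: length fits in 7 bits
        length, hdr = first, 2
    elif first == 0x80:
        raise DerHeaderError("indefinite length is not DER")
    else:                                 # long form: low 7 bits = octet count
        n = first & 0x7F
        if n > 4:                         # anything wider cannot fit under the cap
            raise DerHeaderError(f"length field uses {n} octets; refusing")
        if len(data) < 2 + n:
            raise DerHeaderError("truncated long-form length")
        lb = data[2:2 + n]
        if lb[0] == 0 or (n == 1 and lb[0] < 0x80):
            raise DerHeaderError("non-minimal length encoding")
        length, hdr = int.from_bytes(lb, "big"), 2 + n
    if length > max_len:
        raise DerHeaderError(f"declared length {length} exceeds cap {max_len}")
    if length > len(data) - hdr:
        raise DerHeaderError(f"declared {length} bytes but only {len(data) - hdr} follow")
    return tag, length, hdr


def is_safe_to_parse(data: bytes, max_len: int = 1 << 20) -> bool:
    """True when the outer header is well-formed and fully backed by data."""
    try:
        parse_outer_header(data, max_len)
        return True
    except DerHeaderError:
        return False


# Constructed samples: SEQUENCE { INTEGER 5 }, and a 6-byte input whose
# long-form length claims about 2 GiB of content that is not present.
GOOD = bytes.fromhex("3003020105")
OVERSIZED = bytes.fromhex("30847fffffff")
```

This only guards the outermost element; nested lengths are left to the real parser, which is why the byte cap matters as a second line of defence.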