Bug 1367340 (CVE-2016-2182)
Summary: | CVE-2016-2182 openssl: Out-of-bounds write caused by unchecked errors in BN_bn2dec() | | |
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Adam Mariš <amaris> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | | |
Version: | unspecified | CC: | apmukher, bbaranow, bmaxwell, cdewolf, csutherl, dandread, darran.lofthouse, dosoudil, erik-fedora, gzaronik, jaeshin, jawilson, jclere, ktietz, lgao, marcandre.lureau, mbabacek, Michael, mturk, myarboro, pgier, psakar, pslavice, redhat-bugzilla, rjones, rnetuka, rsvoboda, sardella, slawomir, tmraz, twalsh, vtunka, weli, ykawada, yozone |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | | |
Hardware: | All | | |
OS: | Linux | | |
Whiteboard: | | | |
Fixed In Version: | openssl 1.0.1u, openssl 1.0.2i | Doc Type: | If docs needed, set a value |
Doc Text: | An out-of-bounds write flaw was discovered in the OpenSSL BN_bn2dec() function. An attacker able to make an application using OpenSSL process a large BIGNUM could cause the application to crash or, possibly, execute arbitrary code. | | |
Story Points: | --- | | |
Clone Of: | | Environment: | |
Last Closed: | 2019-06-08 02:57:28 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Bug Depends On: | 1367343, 1367344, 1367345, 1377623, 1377624, 1377625, 1377626, 1381805, 1381806 | | |
Bug Blocks: | 1367347 | | |
Description
Adam Mariš
2016-08-16 08:54:55 UTC
Created openssl101e tracking bugs for this issue:
Affects: epel-5 [bug 1367345]

Created openssl tracking bugs for this issue:
Affects: fedora-all [bug 1367343]

Created mingw-openssl tracking bugs for this issue:
Affects: fedora-all [bug 1367344]

Covered now by OpenSSL upstream security advisory and fixed in versions 1.0.1u and 1.0.2i.

OOB write in BN_bn2dec() (CVE-2016-2182)
========================================

Severity: Low

The function BN_bn2dec() does not check the return value of BN_div_word(). This can cause an OOB write if an application uses this function with an overly large BIGNUM. This could be a problem if an overly large certificate or CRL is printed out from an untrusted source. TLS is not affected because record limits will reject an oversized certificate before it is parsed.

OpenSSL 1.0.2 users should upgrade to 1.0.2i
OpenSSL 1.0.1 users should upgrade to 1.0.1u

This issue was reported to OpenSSL on 2nd August 2016 by Shi Lei (Gear Team, Qihoo 360 Inc.). The fix was developed by Stephen Henson of the OpenSSL development team.

External References:
https://www.openssl.org/news/secadv/20160922.txt

Why is this Severity: Low? The NIST NVD has it listed as High severity.
https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2016-2182&vector=(AV:N/AC:M/Au:N/C:N/I:N/A:P)

(In reply to Adam Mariš from comment #0)
> Upstream patch:
>
> https://git.openssl.org/?p=openssl.git;a=commit;h=07bed46f332fce8c1d157689a2cdf915a982ae34

This additional commit is also needed to correctly fix this issue:
https://git.openssl.org/?p=openssl.git;a=commitdiff;h=3612ff6fcec0e3d1f2a598135fe12177c0419582

This issue has been addressed in the following products:

Red Hat Enterprise Linux 6
Red Hat Enterprise Linux 7

Via RHSA-2016:1940 https://rhn.redhat.com/errata/RHSA-2016-1940.html

This issue has been addressed in the following products:

Red Hat JBoss Core Services

Via RHSA-2018:2187 https://access.redhat.com/errata/RHSA-2018:2187

This issue has been addressed in the following products:

JBoss Core Services on RHEL 6

Via RHSA-2018:2186 https://access.redhat.com/errata/RHSA-2018:2186

This issue has been addressed in the following products:

JBoss Core Services on RHEL 7

Via RHSA-2018:2185 https://access.redhat.com/errata/RHSA-2018:2185
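The advisory describes a conversion loop that keeps calling BN_div_word() without checking whether it failed. The following is an added example, not OpenSSL's code: a toy fixed-width bignum (bn_t, div_word and bn2dec are all constructed here, with a simplified error model) that keeps the same loop shape as BN_bn2dec(), with the return-value check in place and a comment on what goes wrong without it.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Toy fixed-width bignum (little-endian 32-bit limbs, 'top' limbs in use):
 * a simplified stand-in for OpenSSL's BIGNUM, not its real layout. */
#define MAX_LIMBS 4
#define DEC_CONV 1000000000u   /* 10^9, the largest power of ten in one limb */
#define DEC_NUM  9             /* decimal digits carried by one DEC_CONV chunk */
typedef struct { uint32_t d[MAX_LIMBS]; unsigned top; } bn_t;

/* Divide a by w in place; return the remainder, or (uint32_t)-1 on error as
 * BN_div_word() does (no real remainder can equal it: remainders are < w <= 10^9). */
static uint32_t div_word(bn_t *a, uint32_t w) {
    if (w == 0 || a->top > MAX_LIMBS) return (uint32_t)-1;  /* error: value the toy type cannot hold */
    uint64_t rem = 0;
    for (unsigned i = a->top; i-- > 0;) {
        uint64_t cur = (rem << 32) | a->d[i];
        a->d[i] = (uint32_t)(cur / w);
        rem = cur % w;
    }
    while (a->top > 0 && a->d[a->top - 1] == 0) a->top--;
    return (uint32_t)rem;
}

/* Decimal conversion shaped like BN_bn2dec(): a chunk buffer sized from the limb
 * count, filled by repeated div_word() calls. Returns a malloc'd string or NULL. */
static char *bn2dec(const bn_t *a) {
    bn_t t = *a;
    size_t nchunks = (size_t)MAX_LIMBS * 32 * 3 / DEC_NUM + 1, n = 0;
    uint32_t *chunks = calloc(nchunks, sizeof *chunks);
    char *out = calloc(nchunks * DEC_NUM + 1, 1);
    if (!chunks || !out) goto err;
    if (t.top == 0) { strcpy(out, "0"); free(chunks); return out; }
    while (t.top > 0) {
        if (n == nchunks) goto err;   /* independent bound on the chunk buffer */
        uint32_t r = div_word(&t, DEC_CONV);
        /* The return-value check the upstream fix adds. On failure t is left
         * unchanged, so an unchecked loop never terminates and keeps writing
         * chunks past the end of the buffer: the CVE-2016-2182 OOB write. */
        if (r == (uint32_t)-1) goto err;
        chunks[n++] = r;
    }
    char *p = out + sprintf(out, "%" PRIu32, chunks[n - 1]);   /* top chunk unpadded */
    for (size_t i = n - 1; i-- > 0;) p += sprintf(p, "%0*" PRIu32, DEC_NUM, chunks[i]);
    free(chunks);
    return out;
err:
    free(chunks); free(out); return NULL;
}
```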