Bug 1330101 (CVE-2016-2109) - CVE-2016-2109 openssl: ASN.1 BIO handling of large amounts of data
Summary: CVE-2016-2109 openssl: ASN.1 BIO handling of large amounts of data
Status: CLOSED ERRATA
Alias: CVE-2016-2109
Product: Security Response
Classification: Other
Component: vulnerability   
(Show other bugs)
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=low,public=20160423,reported=2...
Keywords: Security
Depends On: 1330103 1330104 1330105 1331569 1331570 1331865 1331866 1332974 1337161 1337162 1366994
Blocks: 1330106 1395463
TreeView+ depends on / blocked
 
Reported: 2016-04-25 12:12 UTC by Martin Prpič
Modified: 2017-02-22 12:29 UTC (History)
43 users (show)

Fixed In Version: openssl 1.0.1t, openssl 1.0.2h
Doc Type: Bug Fix
Doc Text:
A denial of service flaw was found in the way OpenSSL parsed certain ASN.1-encoded data from BIO (OpenSSL's I/O abstraction) inputs. An application using OpenSSL that accepts untrusted ASN.1 BIO input could be forced to allocate an excessive amount of data.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-02-22 12:29:31 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2016:0722 normal SHIPPED_LIVE Important: openssl security update 2016-05-09 13:28:24 UTC
Red Hat Product Errata RHSA-2016:0996 normal SHIPPED_LIVE Important: openssl security update 2016-05-10 08:18:56 UTC
Red Hat Product Errata RHSA-2016:2056 normal SHIPPED_LIVE Important: Red Hat JBoss Enterprise Application Platform 6.4.10 update 2016-10-12 20:57:34 UTC
Red Hat Product Errata RHSA-2016:2073 normal SHIPPED_LIVE Important: openssl security update 2016-10-18 11:08:06 UTC
Red Hat Product Errata RHSA-2016:2957 normal SHIPPED_LIVE Important: Red Hat JBoss Core Services Apache HTTP 2.4.23 Release 2016-12-16 03:11:19 UTC
Red Hat Knowledge Base (Solution) 2298211 None None None 2016-05-05 23:21 UTC

Description Martin Prpič 2016-04-25 12:12:52 UTC 
An input validation flaw was found in the way OpenSSL parsed certain ASN.1-encoded data from BIO (OpenSSL's I/O abstraction) inputs. An application using OpenSSL that accepts untrusted ASN.1 BIO input could be forced to allocate an excessive amount of data, potentially resulting in a denial of service.

Upstream commit:

https://git.openssl.org/?p=openssl.git;a=commitdiff;h=c62981390d6cf9e3d612c489b8b77c2913b25807
Comment 1 Martin Prpič 2016-04-25 12:14:19 UTC 
Created openssl101e tracking bugs for this issue:

Affects: epel-5 [bug 1330105]
Comment 2 Martin Prpič 2016-04-25 12:14:31 UTC 
Created openssl tracking bugs for this issue:

Affects: fedora-all [bug 1330103]
Comment 3 Martin Prpič 2016-04-25 12:14:43 UTC 
Created mingw-openssl tracking bugs for this issue:

Affects: fedora-all [bug 1330104]
Comment 7 Martin Prpič 2016-05-03 14:18:27 UTC 
External References:

https://openssl.org/news/secadv/20160503.txt
Comment 9 Tomas Hoger 2016-05-04 13:33:22 UTC 
Details from the upstream advisory:

ASN.1 BIO excessive memory allocation (CVE-2016-2109)
=====================================================

Severity: Low

When ASN.1 data is read from a BIO using functions such as d2i_CMS_bio()
a short invalid encoding can casuse allocation of large amounts of memory
potentially consuming excessive resources or exhausting memory.

Any application parsing untrusted data through d2i BIO functions is affected.
The memory based functions such as d2i_X509() are *not* affected. Since the
memory based functions are used by the TLS library, TLS applications are not
affected.

OpenSSL 1.0.2 users should upgrade to 1.0.2h
OpenSSL 1.0.1 users should upgrade to 1.0.1t

This issue was reported to OpenSSL on 4th April 2016 by Brian Carpenter.
The fix was developed by Stephen Henson of the OpenSSL development team.
Comment 10 errata-xmlrpc 2016-05-09 09:28:56 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:0722 https://rhn.redhat.com/errata/RHSA-2016-0722.html
Comment 11 errata-xmlrpc 2016-05-10 04:20:34 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2016:0996 https://rhn.redhat.com/errata/RHSA-2016-0996.html
Comment 15 Fedora Update System 2016-05-27 23:17:13 UTC 
openssl101e-1.0.1e-8.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.
Comment 19 errata-xmlrpc 2016-10-12 17:00:20 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4.10

Via RHSA-2016:2056 https://rhn.redhat.com/errata/RHSA-2016-2056.html
Comment 20 errata-xmlrpc 2016-10-12 17:08:47 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7

Via RHSA-2016:2054 https://rhn.redhat.com/errata/RHSA-2016-2054.html
Comment 21 errata-xmlrpc 2016-10-12 17:19:34 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6

Via RHSA-2016:2055 https://rhn.redhat.com/errata/RHSA-2016-2055.html
Comment 24 errata-xmlrpc 2016-10-18 07:08:52 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.7 Extended Update Support

Via RHSA-2016:2073 https://rhn.redhat.com/errata/RHSA-2016-2073.html
Comment 26 errata-xmlrpc 2016-12-15 22:16:58 UTC 
This issue has been addressed in the following products:



Via RHSA-2016:2957 https://rhn.redhat.com/errata/RHSA-2016-2957.html
Note You need to log in before you can comment on or make changes to this bug.