Bug 1377594 (CVE-2016-6306) - CVE-2016-6306 openssl: certificate message OOB reads
Summary: CVE-2016-6306 openssl: certificate message OOB reads
Alias: CVE-2016-6306
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1377623 1377624 1377625 1377626 1378408 1378409 1378410 1378411 1381817 1381818
Blocks: 1367347
TreeView+ depends on / blocked
Reported: 2016-09-20 07:51 UTC by Tomas Hoger
Modified: 2019-12-16 06:49 UTC (History)
37 users (show)

Fixed In Version: openssl 1.0.1u, openssl 1.0.2i
Doc Type: If docs needed, set a value
Doc Text:
Multiple out of bounds read flaws were found in the way OpenSSL handled certain TLS/SSL protocol handshake messages. A remote attacker could possibly use these flaws to crash a TLS/SSL server or client using OpenSSL.
Clone Of:
Last Closed: 2019-06-08 02:58:53 UTC

Attachments (Terms of Use)
OpenSSL upstream fix (2.95 KB, patch)
2016-09-20 08:01 UTC, Tomas Hoger
no flags Details | Diff

System ID Priority Status Summary Last Updated
Red Hat Knowledge Base (Solution) 2662211 None None None 2016-09-28 00:44:04 UTC
Red Hat Product Errata RHSA-2016:1940 normal SHIPPED_LIVE Important: openssl security update 2016-09-27 17:46:00 UTC
Red Hat Product Errata RHSA-2018:2185 None None None 2018-07-12 16:16:50 UTC
Red Hat Product Errata RHSA-2018:2186 None None None 2018-07-12 16:14:45 UTC
Red Hat Product Errata RHSA-2018:2187 None None None 2018-07-12 16:05:12 UTC

Description Tomas Hoger 2016-09-20 07:51:51 UTC
Quoting form the draft of the OpenSSL upstream advisory:

Certificate message OOB reads (CVE-2016-6306)

Severity: Low

In OpenSSL 1.0.2 and earlier some missing message length checks can result in
OOB reads of up to 2 bytes beyond an allocated buffer. There is a theoretical
DoS risk but this has not been observed in practice on common platforms.

The messages affected are client certificate, client certificate request and
server certificate. As a result the attack can only be performed against
a client or a server which enables client authentication.

OpenSSL 1.1.0 is not affected.

OpenSSL 1.0.2 users should upgrade to 1.0.2i
OpenSSL 1.0.1 users should upgrade to 1.0.1u

This issue was reported to OpenSSL on 22nd August 2016 by Shi Lei (Gear Team,
Qihoo 360 Inc.). The fix was developed by Stephen Henson of the OpenSSL
development team.

Comment 1 Tomas Hoger 2016-09-20 07:51:57 UTC

Name: the OpenSSL project
Upstream: Shi Lei (Gear Team of Qihoo 360 Inc.)

Comment 2 Tomas Hoger 2016-09-20 08:01:52 UTC
Created attachment 1202764 [details]
OpenSSL upstream fix

Comment 5 Tomas Hoger 2016-09-21 21:41:13 UTC
Additional follow-up patch to avoid protection against similar short over reads:


Similar change was part of the patch attached in comment 2, but was extended to cover both TLS/SSL and DTLS.

Comment 6 Tomas Hoger 2016-09-22 10:58:53 UTC
Public now via upstream advisory.

External Reference:


Comment 7 Tomas Hoger 2016-09-22 11:03:34 UTC
Created openssl101e tracking bugs for this issue:

Affects: epel-5 [bug 1378409]

Comment 8 Tomas Hoger 2016-09-22 11:03:41 UTC
Created openssl tracking bugs for this issue:

Affects: fedora-all [bug 1378408]

Comment 9 Tomas Hoger 2016-09-22 11:03:47 UTC
Created mingw-openssl tracking bugs for this issue:

Affects: fedora-all [bug 1378410]
Affects: epel-7 [bug 1378411]

Comment 10 errata-xmlrpc 2016-09-27 13:55:18 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 7

Via RHSA-2016:1940 https://rhn.redhat.com/errata/RHSA-2016-1940.html

Comment 13 errata-xmlrpc 2018-07-12 16:04:56 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Core Services

Via RHSA-2018:2187 https://access.redhat.com/errata/RHSA-2018:2187

Comment 14 errata-xmlrpc 2018-07-12 16:14:35 UTC
This issue has been addressed in the following products:

  JBoss Core Services on RHEL 6

Via RHSA-2018:2186 https://access.redhat.com/errata/RHSA-2018:2186

Comment 15 errata-xmlrpc 2018-07-12 16:16:38 UTC
This issue has been addressed in the following products:

  JBoss Core Services on RHEL 7

Via RHSA-2018:2185 https://access.redhat.com/errata/RHSA-2018:2185

Note You need to log in before you can comment on or make changes to this bug.