Bug 1377594 (CVE-2016-6306) - CVE-2016-6306 openssl: certificate message OOB reads
Summary: CVE-2016-6306 openssl: certificate message OOB reads
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2016-6306
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1377623 1377624 1377625 1377626 1378408 1378409 1378410 1378411 1381817 1381818
Blocks: 1367347
TreeView+ depends on / blocked
 
Reported: 2016-09-20 07:51 UTC by Tomas Hoger
Modified: 2021-02-17 03:19 UTC (History)
37 users (show)

Fixed In Version: openssl 1.0.1u, openssl 1.0.2i
Doc Type: If docs needed, set a value
Doc Text:
Multiple out of bounds read flaws were found in the way OpenSSL handled certain TLS/SSL protocol handshake messages. A remote attacker could possibly use these flaws to crash a TLS/SSL server or client using OpenSSL.
Clone Of:
Environment:
Last Closed: 2019-06-08 02:58:53 UTC
Embargoed:

Attachments (Terms of Use)
OpenSSL upstream fix (2.95 KB, patch)
2016-09-20 08:01 UTC, Tomas Hoger 		no flags Details | Diff
Show Obsolete (1) View All


Links
System ID Private Priority Status Summary Last Updated
Red Hat Knowledge Base (Solution) 2662211 0 None None None 2016-09-28 00:44:04 UTC
Red Hat Product Errata RHSA-2016:1940 0 normal SHIPPED_LIVE Important: openssl security update 2016-09-27 17:46:00 UTC
Red Hat Product Errata RHSA-2018:2185 0 None None None 2018-07-12 16:16:50 UTC
Red Hat Product Errata RHSA-2018:2186 0 None None None 2018-07-12 16:14:45 UTC
Red Hat Product Errata RHSA-2018:2187 0 None None None 2018-07-12 16:05:12 UTC

Description Tomas Hoger 2016-09-20 07:51:51 UTC 
Quoting form the draft of the OpenSSL upstream advisory:

Certificate message OOB reads (CVE-2016-6306)
=============================================

Severity: Low

In OpenSSL 1.0.2 and earlier some missing message length checks can result in
OOB reads of up to 2 bytes beyond an allocated buffer. There is a theoretical
DoS risk but this has not been observed in practice on common platforms.

The messages affected are client certificate, client certificate request and
server certificate. As a result the attack can only be performed against
a client or a server which enables client authentication.

OpenSSL 1.1.0 is not affected.

OpenSSL 1.0.2 users should upgrade to 1.0.2i
OpenSSL 1.0.1 users should upgrade to 1.0.1u

This issue was reported to OpenSSL on 22nd August 2016 by Shi Lei (Gear Team,
Qihoo 360 Inc.). The fix was developed by Stephen Henson of the OpenSSL
development team.
Comment 1 Tomas Hoger 2016-09-20 07:51:57 UTC 
Acknowledgments:

Name: the OpenSSL project
Upstream: Shi Lei (Gear Team of Qihoo 360 Inc.)
Comment 2 Tomas Hoger 2016-09-20 08:01:52 UTC 
Created attachment 1202764 [details]
OpenSSL upstream fix
Comment 4 Tomas Hoger 2016-09-21 18:31:41 UTC 
Upstream commit:

https://git.openssl.org/?p=openssl.git;a=commitdiff;h=52e623c4cb06fffa9d5e75c60b34b4bc130b12e9
Comment 5 Tomas Hoger 2016-09-21 21:41:13 UTC 
Additional follow-up patch to avoid protection against similar short over reads:

https://git.openssl.org/?p=openssl.git;a=commitdiff;h=bb1a4866034255749ac578adb06a76335fc117b1

Similar change was part of the patch attached in comment 2, but was extended to cover both TLS/SSL and DTLS.
Comment 6 Tomas Hoger 2016-09-22 10:58:53 UTC 
Public now via upstream advisory.

External Reference:

https://www.openssl.org/news/secadv/20160922.txt
Comment 7 Tomas Hoger 2016-09-22 11:03:34 UTC 
Created openssl101e tracking bugs for this issue:

Affects: epel-5 [bug 1378409]
Comment 8 Tomas Hoger 2016-09-22 11:03:41 UTC 
Created openssl tracking bugs for this issue:

Affects: fedora-all [bug 1378408]
Comment 9 Tomas Hoger 2016-09-22 11:03:47 UTC 
Created mingw-openssl tracking bugs for this issue:

Affects: fedora-all [bug 1378410]
Affects: epel-7 [bug 1378411]
Comment 10 errata-xmlrpc 2016-09-27 13:55:18 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 7

Via RHSA-2016:1940 https://rhn.redhat.com/errata/RHSA-2016-1940.html
Comment 13 errata-xmlrpc 2018-07-12 16:04:56 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Core Services

Via RHSA-2018:2187 https://access.redhat.com/errata/RHSA-2018:2187
Comment 14 errata-xmlrpc 2018-07-12 16:14:35 UTC 
This issue has been addressed in the following products:

  JBoss Core Services on RHEL 6

Via RHSA-2018:2186 https://access.redhat.com/errata/RHSA-2018:2186
Comment 15 errata-xmlrpc 2018-07-12 16:16:38 UTC 
This issue has been addressed in the following products:

  JBoss Core Services on RHEL 7

Via RHSA-2018:2185 https://access.redhat.com/errata/RHSA-2018:2185
Note You need to log in before you can comment on or make changes to this bug.