{
  "threat_severity" : "Important",
  "public_date" : "2016-11-15T00:00:00Z",
  "bugzilla" : {
    "description" : "hdf5: H5Z_NBIT heap buffer overflow",
    "id" : "1397704",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1397704"
  },
  "cvss" : {
    "cvss_base_score" : "6.8",
    "cvss_scoring_vector" : "AV:N/AC:M/Au:N/C:P/I:P/A:P",
    "status" : "draft"
  },
  "cvss3" : {
    "cvss3_base_score" : "8.6",
    "cvss3_scoring_vector" : "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
    "status" : "draft"
  },
  "cwe" : "CWE-122",
  "details" : [ "When decoding data from a dataset that was encoded with the H5Z_NBIT filter, the HDF5 1.8.16 library fails to ensure that the precision value is within the bounds of the element size, leading to a heap buffer overflow that can result in arbitrary code execution.", "Multiple heap overflows were found in HDF5. These issues could be used to gain code execution in any program that exposes the affected functions to untrusted input, for example by opening attacker-supplied HDF5 files. While HDF5 is shipped as a dependency, no Red Hat products are known to expose these issues in any supported use case at this time." ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux OpenStack Platform 7 (Kilo)",
    "fix_state" : "Will not fix",
    "package_name" : "hdf5",
    "cpe" : "cpe:/a:redhat:openstack:7",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat OpenShift Enterprise 2",
    "fix_state" : "Will not fix",
    "package_name" : "hdf5",
    "cpe" : "cpe:/a:redhat:openshift:2"
  }, {
    "product_name" : "Red Hat OpenStack Platform 10 (Newton)",
    "fix_state" : "Will not fix",
    "package_name" : "hdf5",
    "cpe" : "cpe:/a:redhat:openstack:10",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat OpenStack Platform 11 (Ocata)",
    "fix_state" : "Not affected",
    "package_name" : "hdf5",
    "cpe" : "cpe:/a:redhat:openstack:11",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat OpenStack Platform 8 (Liberty)",
    "fix_state" : "Will not fix",
    "package_name" : "hdf5",
    "cpe" : "cpe:/a:redhat:openstack:8",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat OpenStack Platform 9 (Mitaka)",
    "fix_state" : "Will not fix",
    "package_name" : "hdf5",
    "cpe" : "cpe:/a:redhat:openstack:9",
    "impact" : "low"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2016-4331\nhttps://nvd.nist.gov/vuln/detail/CVE-2016-4331\nhttp://www.talosintelligence.com/reports/TALOS-2016-0177/" ],
  "name" : "CVE-2016-4331",
  "csaw" : false
}