CVE-2016-2108

Impact:
Important
Public Date:
2016-05-03
IAVA:
2016-A-0230
CWE:
CWE-787
Bugzilla:
1331402: CVE-2016-2108 openssl: Memory corruption in the ASN.1 encoder
A flaw was found in the way OpenSSL encoded certain ASN.1 data structures. An attacker could use this flaw to create a specially crafted certificate which, when verified or re-encoded by OpenSSL, could cause it to crash, or execute arbitrary code using the permissions of the user running an application compiled against the OpenSSL library.

Find out more about CVE-2016-2108 from the MITRE CVE dictionary dictionary and NIST NVD.

CVSS v2 metrics

Base Score 5.1
Base Metrics AV:N/AC:H/Au:N/C:P/I:P/A:P
Access Vector Network
Access Complexity High
Authentication None
Confidentiality Impact Partial
Integrity Impact Partial
Availability Impact Partial

CVSS v3 metrics

CVSS3 Base Score 5.6
CVSS3 Base Metrics CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
Attack Vector Network
Attack Complexity High
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality Low
Integrity Impact Low
Availability Impact Low

Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).

Red Hat Security Errata

Platform Errata Release Date
Red Hat JBoss Enterprise Application Platform 6.4 RHSA-2016:2056 2016-10-12
Red Hat JBoss Core Services on RHEL 7 Server RHSA-2017:0194 2017-01-25
Red Hat Enterprise Linux Extended Update Support 6.7 (openssl) RHSA-2016:2073 2016-10-18
Red Hat Enterprise Linux 5 (openssl) RHSA-2016:1137 2016-05-31
Red Hat Enterprise Linux 6 (openssl) RHSA-2016:0996 2016-05-10
Red Hat JBoss Core Services 1 RHSA-2016:2957 2016-12-15
Red Hat Enterprise Linux 7 (openssl) RHSA-2016:0722 2016-05-09
Red Hat JBoss Core Services on RHEL 6 Server RHSA-2017:0193 2017-01-25

Affected Packages State

Platform Package State
Red Hat JBoss Web Server 3.0 openssl Fix deferred
Red Hat JBoss EWS 2 openssl Not affected
Red Hat JBoss EAP 5 openssl Not affected
Red Hat Enterprise Linux 7 openssl098e Will not fix
Red Hat Enterprise Linux 6 openssl098e Will not fix
Red Hat Enterprise Linux 5 openssl097a Will not fix
Red Hat Enterprise Linux 4 openssl Will not fix
Red Hat Enterprise Linux 4 openssl096b Will not fix

Acknowledgements

Red Hat would like to thank the OpenSSL project for reporting this issue. Upstream acknowledges Huzaifa Sidhpurwala (Red Hat), Hanno Böck, and David Benjamin (Google) as the original reporters.

External References

Last Modified
Close

Welcome! Check out the Getting Started with Red Hat page for quick tours and guides for common tasks.