CVE-2016-6304

CWE-401 — Memory Leak CWE-119 — Buffer Overflow CWE-310 CWE-635 CWE-400 — Uncontrolled Resource Consumption18 documents12 sources

Severity

7.5HIGH

EPSS

18.0%

top 4.83%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Nodejs Node.js Novell Suse Linux Enterprise Module FOR WEB Scripting Openssl Openssl

Timeline

PublishedSep 26

Latest updateMay 13

Description

Multiple memory leaks in t1_lib.c in OpenSSL before 1.0.1u, 1.0.2 before 1.0.2i, and 1.1.0 before 1.1.0a allow remote attackers to cause a denial of service (memory consumption) via large OCSP Status Request extensions.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages5 packages

▶Debianopenssl< 1.0.2i-1+3

▶Ubuntuopenssl< 1.0.1f-1ubuntu2.20+3

▶NVDopenssl/openssl30 versions+29

▶NVDnodejs/node.js0.10.0 — 0.10.47+3

▶NVDnovell/suse_linux_enterprise_module12.0

Patches

Patch: www.oracle.com ↗Patch: www.oracle.com ↗Patch: www.oracle.com ↗

🔴Vulnerability Details

GHSA

GHSA-7c6f-r892-6p89: Multiple memory leaks in t1_lib↗2022-05-13

▶

CVEList

CVE-2016-6304: Multiple memory leaks in t1_lib↗2016-09-26

▶

OSV

CVE-2016-6304: Multiple memory leaks in t1_lib↗2016-09-26

▶

OSV

openssl regression↗2016-09-23

▶

OSV

openssl vulnerabilities↗2016-09-22

▶

📋Vendor Advisories

Apple

CVE-2016-6304: macOS Sierra 10.12.2, Security Update 2016-003 El Capitan, and Security Update 2016-007 Yosemite↗2016-12-13

▶

Cisco

Multiple Vulnerabilities in OpenSSL Affecting Cisco Products: September 2016↗2016-09-27

▶

BSD

FreeBSD-SA-16:26.openssl: Multiple OpenSSL vulnerabilities↗2016-09-23

▶

Red Hat

openssl: OCSP Status Request extension unbounded memory growth↗2016-09-22

▶

Ubuntu

OpenSSL vulnerabilities↗2016-09-22

▶

💬Community

HackerOne

OCSP Status Request extension unbounded memory growth (CVE-2016-6304)↗2017-04-12

▶

Bugzilla

CVE-2016-6304 CVE-2016-6306 openssl: various flaws [fedora-all]↗2016-09-22

▶

Bugzilla

CVE-2016-6304 CVE-2016-6306 openssl101e: various flaws [epel-5]↗2016-09-22

▶

Bugzilla

CVE-2016-6304 CVE-2016-6306 mingw-openssl: various flaws [fedora-all]↗2016-09-22

▶

Bugzilla

CVE-2016-6304 CVE-2016-6306 mingw-openssl: various flaws [epel-7]↗2016-09-22

▶