CVE-2016-2109

Public on 2016-05-03

Modified on 2016-05-03

Description

A denial of service flaw was found in the way OpenSSL parsed certain ASN.1-encoded data from BIO (OpenSSL's I/O abstraction) inputs. An application using OpenSSL that accepts untrusted ASN.1 BIO input could be forced to allocate an excessive amount of data.

Severity

Low

CVSS v3 Base Score

4.0

See breakdown

Affected Packages

Platform	Package	Release Date	Advisory	Status
Amazon Linux 1	openssl	2016-05-03	ALAS-2016-695	Fixed

CVSS Scores

	Score Type	Score	Vector
Amazon Linux	CVSSv2	1.9	AV:L/AC:M/Au:N/C:N/I:N/A:P
Amazon Linux	CVSSv3	4.0	CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
NVD	CVSSv3	7.5	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
NVD	CVSSv2	7.8	AV:N/AC:L/Au:N/C:N/I:N/A:C

References

Red Hat: CVE-2016-2109 Mitre: CVE-2016-2109