Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBMA4A418292F5C5C8C80C46DB9A7FF897A7DB5320DB9C8485519CA65DBA2E6C7C7
HistoryJun 16, 2018 - 9:49 p.m.

Security Bulletin: Vulnerabilities in OpenSSL affect IBM Security Network Controller (CVE-2016-6304, CVE-2016-6303, CVE-2016-6308, CVE-2016-2181, CVE-2016-6309, CVE-2016-7052 )

2018-06-1621:49:05
www.ibm.com
11

EPSS

0.911

Percentile

98.9%

JSON

Summary

OpenSSL vulnerabilities were disclosed on September 22 and 26, 2016 by the OpenSSL Project. OpenSSL is used by IBM Security Network Controller. IBM Security Network Controller has addressed the applicable CVEs.

Vulnerability Details

CVEID: CVE-2016-6304**
DESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by multiple memory leaks in t1_lib.c during session renegotiation. By sending an overly large OCSP Status Request extension, a remote attacker could exploit this vulnerability to consume all available memory resources.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/117110 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2016-6303**
DESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by an integer overflow in the MDC2_Update function. By using unknown attack vectors, a remote attacker could exploit this vulnerability to trigger an out-of-bounds write and cause the application to crash.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/117023 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2016-6308**
DESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by a memory allocation error in dtls1_preprocess_fragment() prior to the excessive message length check. By initiating multiple connection attempts, a remote authenticated attacker could send an overly large DTLS message to exhaust all available memory resources.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/117114 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2016-2181**
DESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by an error in the DTLS replay protection implementation. By sending a specially crafted sequence number, a remote attacker could exploit this vulnerability to cause valid packets to be dropped.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/116344 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2016-6309**
DESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by a use-after-free when handling message sizes. By sending an overly large message, a remote attacker could exploit this vulnerability to possibly execute arbitrary code on the system or cause the application to crash.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/117148 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2016-7052**
DESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by a missing CRL sanity check. By attempting to use CRLs, a remote attacker could exploit this vulnerability to cause the application to crash.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/117149 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Affected Products and Versions

IBM Security Network Controller 1.0.X

Remediation/Fixes

Product

| VRMF| Remediation/First Fix
β€”|β€”|β€”
IBM Security Network Controller| 1.0.X| Proventia NSC update 15 (fw 1.0.4100) ** IBM Security Network Controller**| 1.0.X| Proventia NSC update 15 (fw 1.0.4100M)

For IBM Security Network Controller products at Firmware versions 1.X, IBM recommends upgrading to 1.0.4100M/1.0.4100 depending on current firmware installed. Update 1.0.4100M and 1.0.4100 are the supported firmware release of the product.

Workarounds and Mitigations

None

Related

ibm 40
nessus 27
freebsd 2
symantec 1
openvas 21
cisco 1
huawei 1
altlinux 9
f5 11
malwarebytes 1
redhatcve 5
openssl 5
checkpoint_advisories 2
nvd 6
prion 6
ubuntucve 6
cvelist 6
arista 1
debiancve 6
cve 6
alpinelinux 4
archlinux 2
freebsd_advisory 2
slackware 2
osv 4
aix 1
zdt 1
fortinet 1
veracode 4
hackerone 3
redhat 1
fedora 3
mageia 2
cloudfoundry 1
suse 4
ubuntu 1
ibm
ibm
Security Bulletin: Vulnerabilities in OpenSSL affect IBM Security Network Active Bypass (CVE-2016-6304, CVE-2016-6303, CVE-2016-2181, CVE-2016-6309, CVE-2016-7052 )
2018-06-16 21:49:05
Security Bulletin: Multiple Security Vulnerabilities in OpenSSL affect IBM Spectrum Control (formerly Tivoli Storage Productivity Center)
2022-02-22 19:27:34
Security Bulletin: Vulnerabilities in OpenSSL affect IBM Service Delivery Manager
2018-06-17 22:33:19
nessus
nessus
FreeBSD : OpenSSL -- multiple vulnerabilities (91a337d8-83ed-11e6-bf52-b499baebfeaf)
2016-09-27 00:00:00
Tenable Nessus 6.x < 6.9 Multiple Vulnerabilities (TNS-2016-16) (SWEET32)
2017-02-15 00:00:00
Oracle Enterprise Manager Grid Control Multiple Vulnerabilities (April 2017 CPU) (SWEET32)
2017-04-21 00:00:00
freebsd
freebsd
OpenSSL -- multiple vulnerabilities
2016-09-26 00:00:00
OpenSSL -- multiple vulnerabilities
2016-09-22 00:00:00
symantec
symantec
SA132 : OpenSSL Vulnerabilities 22-Sep-2016 and 26-Sep-2016
2016-10-06 08:00:00
openvas
openvas
Juniper Networks Junos OS Multiple OpenSSL Vulnerabilities
2016-10-14 00:00:00
Huawei Data Communication: Sixteen OpenSSL Vulnerabilities on Some Huawei products (huawei-sa-20170322-01-openssl)
2020-06-05 00:00:00
OpenSSL 1.1.0a Use-After-Free Fix Vulnerability - Windows
2016-09-26 00:00:00
cisco
cisco
Multiple Vulnerabilities in OpenSSL Affecting Cisco Products: September 2016
2016-09-27 22:40:00
huawei
huawei
Security Advisory - Sixteen OpenSSL Vulnerabilities on Some Huawei products
2017-03-22 00:00:00
altlinux
altlinux
Security fix for the ALT Linux 9 package openssl1.1 version 1.0.2j-alt1
2016-09-26 00:00:00
Security fix for the ALT Linux 8 package openssl10 version 1.0.2j-alt1
2016-09-26 00:00:00
Security fix for the ALT Linux 10 package openssl1.1 version 1.0.2j-alt1
2016-09-26 00:00:00
f5
f5
SOL42219132 - OpenSSL vulnerability CVE-2016-6309
2016-10-10 00:00:00
K42219132 : OpenSSL vulnerability CVE-2016-6309
2016-10-10 00:00:00
K39272405 : OpenSSL vulnerability CVE-2016-7052
2016-10-10 00:00:00
malwarebytes
malwarebytes
Critical OpenSSL fix due Nov 1β€”what you need to know
2022-10-27 15:00:00
redhatcve
redhatcve
CVE-2016-6308
2016-09-22 15:47:44
CVE-2016-6309
2016-09-26 10:42:01
CVE-2016-7052
2016-09-26 11:17:23
openssl
openssl
Vulnerability in OpenSSL - Excessive allocation of memory in dtls1_preprocess_fragment()
2016-09-21 00:00:00
Vulnerability in OpenSSL - Missing CRL sanity check
2016-09-26 00:00:00
Vulnerability in OpenSSL - OOB write in MDC2_Update()
2016-08-24 00:00:00
checkpoint_advisories
checkpoint_advisories
OpenSSL tls_get_message_body Function init_msg Structure Use After Free (CVE-2016-6309)
2016-12-06 00:00:00
OpenSSL OCSP Extension Unbounded Memory Denial of Service (CVE-2016-6304)
2016-09-22 00:00:00
nvd
nvd
CVE-2016-6308
2016-09-26 19:59:05
CVE-2016-6309
2016-09-26 19:59:06
CVE-2016-7052
2016-09-26 19:59:07
prion
prion
Design/Logic Flaw
2016-09-26 19:59:00
Code injection
2016-09-26 19:59:00
Null pointer dereference
2016-09-26 19:59:00
ubuntucve
ubuntucve
CVE-2016-6308
2016-09-26 00:00:00
CVE-2016-6309
2016-09-26 00:00:00
CVE-2016-6304
2016-09-22 00:00:00
cvelist
cvelist
CVE-2016-6308
2016-09-26 00:00:00
CVE-2016-6309
2016-09-26 19:00:00
CVE-2016-7052
2016-09-26 19:00:00
arista
arista
Security Advisory 0024
2016-10-04 00:00:00
debiancve
debiancve
CVE-2016-6309
2016-09-26 19:59:06
CVE-2016-6308
2016-09-26 19:59:05
CVE-2016-7052
2016-09-26 19:59:07
cve
cve
CVE-2016-6309
2016-09-26 19:59:06
CVE-2016-6308
2016-09-26 19:59:05
CVE-2016-7052
2016-09-26 19:59:07
alpinelinux
alpinelinux
CVE-2016-7052
2016-09-26 19:59:07
CVE-2016-6303
2016-09-16 05:59:13
CVE-2016-6304
2016-09-26 19:59:00
archlinux
archlinux
[ASA-201609-30] openssl: denial of service
2016-09-28 00:00:00
[ASA-201609-28] lib32-openssl: denial of service
2016-09-27 00:00:00
freebsd_advisory
freebsd_advisory
FreeBSD-SA-16:27.openssl
2016-10-10 00:00:00
FreeBSD-SA-16:26.openssl
2016-09-23 00:00:00
slackware
slackware
[slackware-security] openssl
2016-09-26 18:59:48
[slackware-security] openssl
2016-09-22 18:53:12
osv
osv
CVE-2016-6303
2016-09-16 05:59:00
CVE-2016-2181
2016-09-16 05:59:00
CVE-2016-6304
2016-09-26 19:59:00
aix
aix
Vulnerabilities in OpenSSL affect AIX
2016-11-14 13:29:26
zdt
zdt
OpenSSL OCSP Status Request Extension Unbounded Memory Growth Vulnerability
2016-10-21 00:00:00
fortinet
fortinet
OpenSSL Security Advisory [22 Sept 2016]
2017-04-03 00:00:00
veracode
veracode
Denial Of Service (DoS) Via Integer Overflow
2017-01-26 02:40:18
Denial Of Service (DoS)
2017-01-26 01:52:41
Denial Of Service (DoS)
2017-01-26 06:11:40
hackerone
hackerone
Internet Bug Bounty: OCSP Status Request extension unbounded memory growth (CVE-2016-6304)
2017-03-29 01:24:57
Internet Bug Bounty: OOB write in MDC2_Update() (CVE-2016-6303)
2017-04-18 07:33:24
Internet Bug Bounty: Excessive allocation of memory in dtls1_preprocess_fragment() (CVE-2016-6308)
2017-04-18 07:42:44
redhat
redhat
(RHSA-2016:2802) Important: openssl security update
2016-11-17 12:52:35
fedora
fedora
[SECURITY] Fedora 25 Update: openssl-1.0.2j-1.fc25
2016-10-09 03:28:42
[SECURITY] Fedora 24 Update: openssl-1.0.2j-1.fc24
2016-09-28 01:57:16
[SECURITY] Fedora 23 Update: openssl-1.0.2j-1.fc23
2016-10-11 23:24:05
mageia
mageia
Updated virtualbox packages fixes security vulnerabilities
2016-12-06 00:49:27
Updated openssl packages fix security vulnerabilities
2016-10-12 01:12:20
cloudfoundry
cloudfoundry
USN-3087-2 OpenSSL Regression | Cloud Foundry
2016-09-28 00:00:00
suse
suse
Security update for compat-openssl098 (important)
2016-10-06 20:09:29
Security update for openssl (important)
2016-10-05 18:09:41
Security update for compat-openssl098 (important)
2016-10-14 15:09:07
ubuntu
ubuntu
OpenSSL regression
2016-09-23 00:00:00

EPSS

0.911

Percentile

98.9%

JSON
Related for A4A418292F5C5C8C80C46DB9A7FF897A7DB5320DB9C8485519CA65DBA2E6C7C7
ibm40nessus27freebsd2symantec1openvas21cisco1huawei1altlinux9f511malwarebytes1redhatcve5openssl5checkpoint_advisories2nvd6prion6ubuntucve6cvelist6arista1debiancve6cve6alpinelinux4archlinux2freebsd_advisory2slackware2osv4aix1zdt1fortinet1veracode4hackerone3redhat1fedora3mageia2cloudfoundry1suse4ubuntu1