CVE-2016-0797: Integer Overflow
First published: Thu Feb 25 2016(Updated: )
As per Upstream advisory: In the BN_hex2bn function the number of hex digits is calculated using an int value |i|. Later |bn_expand| is called with a value of |i * 4|. For large values of |i| this can result in |bn_expand| not allocating any memory because |i * 4| is negative. This can leave the internal BIGNUM data field as NULL leading to a subsequent NULL ptr deref. For very large values of |i|, the calculation |i * 4| could be a positive value smaller than |i|. In this case memory is allocated to the internal BIGNUM data field, but it is insufficiently sized leading to heap corruption. A similar issue exists in BN_dec2bn. This could have security consequences if BN_hex2bn/BN_dec2bn is ever called by user applications with very large untrusted hex/dec data. This is anticipated to be a rare occurrence. All OpenSSL internal usage of these functions use data that is not expected to be untrusted, e.g. config file data or application command line arguments. If user developed applications generate config file data based on untrusted data then it is possible that this could also lead to security consequences. This is also anticipated to be rare. This issue affects OpenSSL versions 1.0.2 and 1.0.1. OpenSSL 1.0.2 users should upgrade to 1.0.2g OpenSSL 1.0.1 users should upgrade to 1.0.1s This issue was reported to OpenSSL on February 19th 2016 by Guido Vranken. The fix was developed by Matt Caswell of the OpenSSL development team.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/openssl | <1.0.1 | 1.0.1 |
| redhat/openssl | <1.0.2 | 1.0.2 |
| OpenSSL libcrypto | =1.0.1 | |
| OpenSSL libcrypto | =1.0.1-beta1 | |
| OpenSSL libcrypto | =1.0.1-beta2 | |
| OpenSSL libcrypto | =1.0.1-beta3 | |
| OpenSSL libcrypto | =1.0.1a | |
| OpenSSL libcrypto | =1.0.1b | |
| OpenSSL libcrypto | =1.0.1c | |
| OpenSSL libcrypto | =1.0.1d | |
| OpenSSL libcrypto | =1.0.1e | |
| OpenSSL libcrypto | =1.0.1f | |
| OpenSSL libcrypto | =1.0.1g | |
| OpenSSL libcrypto | =1.0.1h | |
| OpenSSL libcrypto | =1.0.1i | |
| OpenSSL libcrypto | =1.0.1j | |
| OpenSSL libcrypto | =1.0.1k | |
| OpenSSL libcrypto | =1.0.1l | |
| OpenSSL libcrypto | =1.0.1m | |
| OpenSSL libcrypto | =1.0.1n | |
| OpenSSL libcrypto | =1.0.1o | |
| OpenSSL libcrypto | =1.0.1p | |
| OpenSSL libcrypto | =1.0.1q | |
| OpenSSL libcrypto | =1.0.1r | |
| OpenSSL libcrypto | =1.0.2 | |
| OpenSSL libcrypto | =1.0.2-beta1 | |
| OpenSSL libcrypto | =1.0.2-beta2 | |
| OpenSSL libcrypto | =1.0.2-beta3 | |
| OpenSSL libcrypto | =1.0.2a | |
| OpenSSL libcrypto | =1.0.2b | |
| OpenSSL libcrypto | =1.0.2c | |
| OpenSSL libcrypto | =1.0.2d | |
| OpenSSL libcrypto | =1.0.2e | |
| OpenSSL libcrypto | =1.0.2f | |
| Node.js | >=4.0.0<4.1.2 | |
| Node.js | >=4.2.0<4.3.2 | |
| Node.js | >=5.0.0<5.7.1 | |
| Ubuntu | =12.04 | |
| Ubuntu | =14.04 | |
| Ubuntu | =15.10 | |
| Debian | =7.0 | |
| Debian | =8.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://git.openssl.org/?p=openssl.git;a=commitdiff;h=99ba9fd02fd481eb971023a3a0a251a37eb87e4c
- https://www.openssl.org/news/secadv/20160301.txt
- https://rhn.redhat.com/errata/RHSA-2016-0302.html
- https://rhn.redhat.com/errata/RHSA-2016-0301.html
- https://rhn.redhat.com/errata/RHSA-2016-0379.html
- https://rhn.redhat.com/errata/RHSA-2016-2957.html
- https://bugzilla.redhat.com/show_bug.cgi?id=1311880
- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10759
- http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00001.html
- http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00002.html
- http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00003.html
- http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00004.html
- http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00005.html
- http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00006.html
- http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00007.html
- http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00009.html
- http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00010.html
- http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00011.html
- http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00012.html
- http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00017.html
- http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00025.html
- http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00038.html
- http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00015.html
- http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00017.html
- http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00019.html
- http://marc.info/?l=bugtraq&m=145889460330120&w=2
- http://openssl.org/news/secadv/20160301.txt
- http://rhn.redhat.com/errata/RHSA-2016-2957.html
- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160302-openssl
- http://www.debian.org/security/2016/dsa-3500
- http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html
- http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html
- http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html
- http://www.oracle.com/technetwork/topics/security/bulletinjan2016-2867206.html
- http://www.oracle.com/technetwork/topics/security/linuxbulletinjan2016-2867209.html
- http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html
- http://www.securityfocus.com/bid/83763
- http://www.securityfocus.com/bid/91787
- http://www.securitytracker.com/id/1035133
- http://www.ubuntu.com/usn/USN-2914-1
- https://cert-portal.siemens.com/productcert/pdf/ssa-412672.pdf
- https://git.openssl.org/?p=openssl.git;a=commit;h=c175308407858afff3fc8c2e5e085d94d12edc7d
- https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03741en_us
- https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05052990
- https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05376917
- https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05390722
- https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA40168
- https://kc.mcafee.com/corporate/index?page=content&id=SB10156
- https://security.FreeBSD.org/advisories/FreeBSD-SA-16:12.openssl.asc
- https://security.gentoo.org/glsa/201603-15
- https://git.openssl.org/?p=openssl.git%3Ba=commit%3Bh=c175308407858afff3fc8c2e5e085d94d12edc7d
Frequently Asked Questions
What is the severity of CVE-2016-0797?
CVE-2016-0797 has been assigned a severity rating of high due to the potential for denial of service.
How do I fix CVE-2016-0797?
To fix CVE-2016-0797, upgrade your OpenSSL package to version 1.0.1t or 1.0.2d and later.
Which versions of OpenSSL are affected by CVE-2016-0797?
CVE-2016-0797 affects OpenSSL versions 1.0.1 through 1.0.1s and version 1.0.2 through 1.0.2c.
What is the impact of CVE-2016-0797?
The impact of CVE-2016-0797 is that it can lead to denial of service due to memory allocation issues.
Is there any workaround for CVE-2016-0797 if I cannot upgrade OpenSSL?
While the best practice is to upgrade, there are no effective workarounds recommended for CVE-2016-0797.
- collector/redhat-bugzilla
- alias/CVE-2016-0797
- agent/type
- agent/first-publish-date
- agent/remedy
- agent/weakness
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/last-modified-date
- agent/references
- agent/author
- agent/description
- agent/event
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- package-manager/redhat
- vendor/openssl
- canonical/openssl libcrypto
- version/openssl libcrypto/1.0.1
- version/openssl libcrypto/1.0.1-beta1
- version/openssl libcrypto/1.0.1-beta2
- version/openssl libcrypto/1.0.1-beta3
- version/openssl libcrypto/1.0.1a
- version/openssl libcrypto/1.0.1b
- version/openssl libcrypto/1.0.1c
- version/openssl libcrypto/1.0.1d
- version/openssl libcrypto/1.0.1e
- version/openssl libcrypto/1.0.1f
- version/openssl libcrypto/1.0.1g
- version/openssl libcrypto/1.0.1h
- version/openssl libcrypto/1.0.1i
- version/openssl libcrypto/1.0.1j
- version/openssl libcrypto/1.0.1k
- version/openssl libcrypto/1.0.1l
- version/openssl libcrypto/1.0.1m
- version/openssl libcrypto/1.0.1n
- version/openssl libcrypto/1.0.1o
- version/openssl libcrypto/1.0.1p
- version/openssl libcrypto/1.0.1q
- version/openssl libcrypto/1.0.1r
- version/openssl libcrypto/1.0.2
- version/openssl libcrypto/1.0.2-beta1
- version/openssl libcrypto/1.0.2-beta2
- version/openssl libcrypto/1.0.2-beta3
- version/openssl libcrypto/1.0.2a
- version/openssl libcrypto/1.0.2b
- version/openssl libcrypto/1.0.2c
- version/openssl libcrypto/1.0.2d
- version/openssl libcrypto/1.0.2e
- version/openssl libcrypto/1.0.2f
- vendor/nodejs
- canonical/node.js
- version/node.js/4.0.0
- version/node.js/4.2.0
- version/node.js/5.0.0
- vendor/canonical
- canonical/ubuntu
- version/ubuntu/12.04
- version/ubuntu/14.04
- version/ubuntu/15.10
- vendor/debian
- canonical/debian
- version/debian/7.0
- version/debian/8.0