CVE-2016-4008
First published: Thu May 05 2016(Updated: )
The _asn1_extract_der_octet function in lib/decoding.c in GNU Libtasn1 before 4.8, when used without the ASN1_DECODE_FLAG_STRICT_DER flag, allows remote attackers to cause a denial of service (infinite recursion) via a crafted certificate.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Ubuntu | =12.04 | |
| Ubuntu | =14.04 | |
| Ubuntu | =15.10 | |
| Ubuntu | =16.04 | |
| openSUSE | =13.2 | |
| Libtasn1 | <=4.7 | |
| Red Hat Fedora | =22 | |
| Red Hat Fedora | =23 | |
| Red Hat Fedora | =24 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://git.savannah.gnu.org/gitweb/?p=libtasn1.git;a=commit;h=a6e0a0b58f5cdaf4e9beca5bce69c09808cbb625
- http://git.savannah.gnu.org/gitweb/?p=libtasn1.git;a=commit;h=f435825c0f527a8e52e6ffbc3ad0bc60531d537e
- http://lists.fedoraproject.org/pipermail/package-announce/2016-April/182299.html
- http://lists.fedoraproject.org/pipermail/package-announce/2016-April/182907.html
- http://lists.fedoraproject.org/pipermail/package-announce/2016-April/183221.html
- http://lists.opensuse.org/opensuse-updates/2016-06/msg00047.html
- http://lists.opensuse.org/opensuse-updates/2016-06/msg00097.html
- http://www.debian.org/security/2016/dsa-3568
- http://www.openwall.com/lists/oss-security/2016/04/11/3
- http://www.ubuntu.com/usn/USN-2957-1
- http://www.ubuntu.com/usn/USN-2957-2
- https://lists.gnu.org/archive/html/help-libtasn1/2016-04/msg00009.html
- https://security.gentoo.org/glsa/201703-05
- http://git.savannah.gnu.org/gitweb/?p=libtasn1.git%3Ba=commit%3Bh=a6e0a0b58f5cdaf4e9beca5bce69c09808cbb625
- http://git.savannah.gnu.org/gitweb/?p=libtasn1.git%3Ba=commit%3Bh=f435825c0f527a8e52e6ffbc3ad0bc60531d537e
Frequently Asked Questions
What is the severity of CVE-2016-4008?
CVE-2016-4008 is categorized as a denial of service vulnerability.
How do I fix CVE-2016-4008?
To fix CVE-2016-4008, update the libtasn1 library to version 4.8 or later and ensure the ASN1_DECODE_FLAG_STRICT_DER flag is used.
Which software versions are affected by CVE-2016-4008?
CVE-2016-4008 affects various versions of GNU Libtasn1 prior to 4.8 and multiple versions of Ubuntu, Fedora, and openSUSE.
What type of attack is possible with CVE-2016-4008?
CVE-2016-4008 allows remote attackers to cause a denial of service through infinite recursion when processing crafted certificates.
Is there a patch available for CVE-2016-4008?
Yes, patches for CVE-2016-4008 are available in the updated versions of the affected software.
- agent/type
- agent/severity
- agent/weakness
- agent/author
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/references
- agent/last-modified-date
- agent/first-publish-date
- agent/event
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/canonical
- canonical/ubuntu
- version/ubuntu/12.04
- version/ubuntu/14.04
- version/ubuntu/15.10
- version/ubuntu/16.04
- vendor/opensuse
- canonical/opensuse
- version/opensuse/13.2
- vendor/gnu
- canonical/libtasn1
- version/libtasn1/4.7
- vendor/fedoraproject
- canonical/red hat fedora
- version/red hat fedora/22
- version/red hat fedora/23
- version/red hat fedora/24