OpenSSL X509_NAME_oneline Function Denial of Service Vulnerability (CVE-2016-2176)
Release date:
Updated on:
Affected Systems:
OpenSSL Project OpenSSL 1.0.2
OpenSSL Project OpenSSL 1.0.1
Unaffected system:
OpenSSL Project OpenSSL 1.0.2h
OpenSSL Project OpenSSL 1.0.1t
Description:
CVE (CAN) ID: CVE-2016-2176
OpenSSL is an open-source implementation of the SSL/TLS protocols and the cryptography behind them. It is widely used in network applications.
In the affected versions, the X509_NAME_oneline function in crypto/x509/x509_obj.c contains a buffer over-read that is reachable only on EBCDIC platforms (builds with CHARSET_EBCDIC defined). An ASN.1 string longer than 1024 bytes is translated into a fixed 1024-byte stack buffer, but the loop that formats the name still runs for the full original length, so arbitrary stack data is copied into the returned string. A remote attacker who supplies such a string in a certificate subject or issuer name can therefore read process stack memory or crash the application. The OpenSSL advisory rates the issue Low severity; builds for ASCII platforms are not affected.
Source: Guido Vranken
Link: https://www.openssl.org/news/secadv/20160503.txt
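The following C program is an added illustration, not OpenSSL's code. It models the bug pattern the advisory describes: a character-set translation copies at most 1024 bytes into a fixed stack buffer, while the loop that formats the name still iterates over the original length. The model is instrumented so it stops at the buffer boundary and reports how many stack bytes the original loop would have read, instead of performing the undefined out-of-bounds read. The 1024-byte staging size matches the advisory's threshold; the function names, the plain-copy stand-in for the translation step, the escaping rule and the sample input are assumptions made for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Fixed stack staging buffer, sized to the advisory's 1024-byte threshold. */
#define STAGING_SIZE 1024

/* Stand-in for the ASCII-to-EBCDIC translation step (assumed: a plain copy). */
static void translate(unsigned char *dst, const unsigned char *src, size_t n)
{
    memcpy(dst, src, n);
}

/* What one run of the model did. */
struct oneline_result {
    size_t consumed;  /* bytes actually read from the staging buffer */
    size_t overread;  /* bytes the loop would have read past the staging buffer */
};

/* Append one byte to the output as X509_NAME_oneline-style text: printable
 * ASCII verbatim, anything else as \xHH. Never writes past outsz. */
static void emit(unsigned char c, char *out, size_t outsz, size_t *o)
{
    char tmp[5];
    size_t n;
    if (c >= 0x20 && c < 0x7f) {
        tmp[0] = (char)c;
        n = 1;
    } else {
        n = (size_t)snprintf(tmp, sizeof tmp, "\\x%02X", c);
    }
    if (*o + n < outsz) {
        memcpy(out + *o, tmp, n);
        *o += n;
    }
}

/* Vulnerable pattern: the COPY into the staging buffer is clamped, but the
 * formatting LOOP still runs for the original length. For num > STAGING_SIZE
 * it would read (num - STAGING_SIZE) bytes of stack past the buffer and copy
 * them into the caller-visible output. Instrumented: stops at the boundary and
 * records the would-be over-read instead of triggering undefined behaviour. */
struct oneline_result oneline_unclamped(const unsigned char *in, size_t num,
                                        char *out, size_t outsz)
{
    unsigned char staging[STAGING_SIZE];
    struct oneline_result r = {0, 0};
    size_t copy = num > sizeof staging ? sizeof staging : num;
    size_t i, o = 0;

    translate(staging, in, copy);          /* clamped ... */
    for (i = 0; i < num; i++) {            /* ... but iterated unclamped */
        if (i >= sizeof staging) {
            r.overread = num - i;          /* stack bytes the real loop reads */
            break;
        }
        emit(staging[i], out, outsz, &o);
        r.consumed++;
    }
    if (outsz)
        out[o] = '\0';
    return r;
}

/* Fixed pattern: clamp the length ONCE, before both the copy and the loop,
 * so the two can never disagree. Long input is truncated, not leaked. */
struct oneline_result oneline_clamped(const unsigned char *in, size_t num,
                                      char *out, size_t outsz)
{
    unsigned char staging[STAGING_SIZE];
    struct oneline_result r = {0, 0};
    size_t i, o = 0;

    if (num > sizeof staging)
        num = sizeof staging;
    translate(staging, in, num);
    for (i = 0; i < num; i++) {
        emit(staging[i], out, outsz, &o);
        r.consumed++;
    }
    if (outsz)
        out[o] = '\0';
    return r;
}

int main(void)
{
    /* Constructed input: a 1500-byte ASN.1 string value, well over the threshold. */
    static unsigned char name[1500];
    static char out[8192];
    struct oneline_result r;

    memset(name, 'A', sizeof name);
    r = oneline_unclamped(name, sizeof name, out, sizeof out);
    printf("unclamped: consumed=%zu would-overread=%zu stack bytes\n", r.consumed, r.overread);
    r = oneline_clamped(name, sizeof name, out, sizeof out);
    printf("clamped:   consumed=%zu overread=%zu output=%zu chars\n", r.consumed, r.overread, strlen(out));
    return 0;
}
```

With the 1500-byte input, the unclamped variant reports 476 bytes of stack it would have read and formatted into the returned string, which is exactly the information leak the advisory describes; the clamped variant returns 1024 characters and reads nothing beyond the buffer. The general lesson is that a bound applied to the copy must be the same bound the consumer of the copied data uses.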
Suggestion:
Vendor patch:
OpenSSL Project
---------------
The OpenSSL Project has released a security advisory (20160503) and corresponding fixed releases:
Upgrade OpenSSL 1.0.2 to 1.0.2h
Upgrade OpenSSL 1.0.1 to 1.0.1t
20160503: OpenSSL Security Advisory [3rd May 2016]
Link: https://www.openssl.org/news/secadv/20160503.txt
For more information about OpenSSL, see the following links:
Use OpenSSL command line to build CA and Certificate
Install OpenSSL in Ubuntu
Providing FTP with SSL/TLS authentication and secure data transfer using OpenSSL
Use OpenSSL to generate certificates in Linux
Use OpenSSL to sign multi-domain certificates
Add a custom encryption algorithm to OpenSSL