// For flags

CVE-2016-6304

openssl: OCSP Status Request extension unbounded memory growth

Severity Score

7.5
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

1
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

Multiple memory leaks in t1_lib.c in OpenSSL before 1.0.1u, 1.0.2 before 1.0.2i, and 1.1.0 before 1.1.0a allow remote attackers to cause a denial of service (memory consumption) via large OCSP Status Request extensions.

Múltiples fugas de memoria en t1_lib.c en OpenSSL en versiones anteriores a 1.0.1u, 1.0.2 en versiones anteriores a 1.0.2i y 1.1.0 en versiones anteriores a 1.1.0a permiten a atacantes remotos provocar una denegación de servicio (consumo de memoria) a través de grandes extensiones OCSP Status Request

A memory leak flaw was found in the way OpenSSL handled TLS status request extension data during session renegotiation. A remote attacker could cause a TLS server using OpenSSL to consume an excessive amount of memory and, possibly, exit unexpectedly after exhausting all available memory, if it enabled OCSP stapling support.

USN-3087-1 fixed vulnerabilities in OpenSSL. The fix for CVE-2016-2182 was incomplete and caused a regression when parsing certificates. This update fixes the problem. Shi Lei discovered that OpenSSL incorrectly handled the OCSP Status Request extension. A remote attacker could possibly use this issue to cause memory consumption, resulting in a denial of service. Guido Vranken discovered that OpenSSL used undefined behaviour when performing pointer arithmetic. A remote attacker could possibly use this issue to cause OpenSSL to crash, resulting in a denial of service. This issue has only been addressed in Ubuntu 16.04 LTS in this update. CAsar Pereida, Billy Brumley, and Yuval Yarom discovered that OpenSSL did not properly use constant-time operations when performing DSA signing. A remote attacker could possibly use this issue to perform a cache-timing attack and recover private DSA keys. Quan Luo discovered that OpenSSL did not properly restrict the lifetime of queue entries in the DTLS implementation. A remote attacker could possibly use this issue to consume memory, resulting in a denial of service. Shi Lei discovered that OpenSSL incorrectly handled memory in the TS_OBJ_print_bio function. A remote attacker could possibly use this issue to cause a denial of service. It was discovered that the OpenSSL incorrectly handled the DTLS anti-replay feature. A remote attacker could possibly use this issue to cause a denial of service. Various other issues were also addressed.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High
Attack Vector
Network
Attack Complexity
Low
Authentication
None
Confidentiality
None
Integrity
None
Availability
Complete
Attack Vector
Network
Attack Complexity
Low
Authentication
None
Confidentiality
None
Integrity
None
Availability
Partial
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2016-07-26 CVE Reserved
  • 2016-09-22 CVE Published
  • 2016-10-11 First Exploit
  • 2024-08-06 CVE Updated
  • 2025-05-04 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-400: Uncontrolled Resource Consumption
  • CWE-401: Missing Release of Memory after Effective Lifetime
CAPEC
References (65)
URL Tag Source
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10759 Third Party Advisory
http://packetstormsecurity.com/files/139091/OpenSSL-x509-Parsing-Double-Free-Invalid-Free.html Third Party Advisory
http://seclists.org/fulldisclosure/2016/Dec/47 Mailing List
http://seclists.org/fulldisclosure/2016/Oct/62 Mailing List
http://seclists.org/fulldisclosure/2017/Jul/31 Mailing List
http://www-01.ibm.com/support/docview.wss?uid=swg21995039 Third Party Advisory
http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20170322-01-openssl-en Third Party Advisory
http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.html Third Party Advisory
http://www.oracle.com/technetwork/topics/security/ovmbulletinoct2016-3090547.html Third Party Advisory
http://www.securityfocus.com/bid/93150 Third Party Advisory
http://www.securitytracker.com/id/1036878 Third Party Advisory
http://www.securitytracker.com/id/1037640 Third Party Advisory
http://www.splunk.com/view/SP-CAAAPSV Third Party Advisory
http://www.splunk.com/view/SP-CAAAPUE Third Party Advisory
https://bto.bluecoat.com/security-advisory/sa132 Third Party Advisory
https://cert-portal.siemens.com/productcert/pdf/ssa-412672.pdf
https://git.openssl.org/?p=openssl.git%3Ba=commit%3Bh=2c0d295e26306e15a92eb23a84a1802005c1c137
https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA40312 Third Party Advisory
https://kc.mcafee.com/corporate/index?page=content&id=SB10171 Third Party Advisory
https://kc.mcafee.com/corporate/index?page=content&id=SB10215 Third Party Advisory
https://nodejs.org/en/blog/vulnerability/september-2016-security-releases Third Party Advisory
https://www.arista.com/en/support/advisories-notices/security-advisories/1749-security-advisory-24 Third Party Advisory
https://www.tenable.com/security/tns-2016-16 Third Party Advisory
https://www.tenable.com/security/tns-2016-20 Third Party Advisory
https://www.tenable.com/security/tns-2016-21 Third Party Advisory
URL Date SRC
https://packetstorm.news/files/id/139091 2016-10-11
URL Date SRC
http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html 2023-11-07
http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html 2023-11-07
http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html 2023-11-07
http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html 2023-11-07
http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html 2023-11-07
URL Date SRC
http://lists.opensuse.org/opensuse-security-announce/2016-09/msg00022.html 2023-11-07
http://lists.opensuse.org/opensuse-security-announce/2016-09/msg00023.html 2023-11-07
http://lists.opensuse.org/opensuse-security-announce/2016-09/msg00024.html 2023-11-07
http://lists.opensuse.org/opensuse-security-announce/2016-09/msg00031.html 2023-11-07
http://lists.opensuse.org/opensuse-security-announce/2016-10/msg00005.html 2023-11-07
http://lists.opensuse.org/opensuse-security-announce/2016-10/msg00011.html 2023-11-07
http://lists.opensuse.org/opensuse-security-announce/2016-10/msg00012.html 2023-11-07
http://lists.opensuse.org/opensuse-security-announce/2016-10/msg00013.html 2023-11-07
http://lists.opensuse.org/opensuse-security-announce/2016-10/msg00021.html 2023-11-07
http://lists.opensuse.org/opensuse-security-announce/2016-10/msg00029.html 2023-11-07
http://lists.opensuse.org/opensuse-security-announce/2016-11/msg00021.html 2023-11-07
http://lists.opensuse.org/opensuse-security-announce/2016-11/msg00027.html 2023-11-07
http://lists.opensuse.org/opensuse-security-announce/2017-10/msg00010.html 2023-11-07
http://lists.opensuse.org/opensuse-security-announce/2017-10/msg00011.html 2023-11-07
http://lists.opensuse.org/opensuse-security-announce/2018-02/msg00032.html 2023-11-07
http://rhn.redhat.com/errata/RHSA-2016-1940.html 2023-11-07
http://rhn.redhat.com/errata/RHSA-2016-2802.html 2023-11-07
http://rhn.redhat.com/errata/RHSA-2017-1415.html 2023-11-07
http://rhn.redhat.com/errata/RHSA-2017-1659.html 2023-11-07
http://www.debian.org/security/2016/dsa-3673 2023-11-07
http://www.ubuntu.com/usn/USN-3087-1 2023-11-07
http://www.ubuntu.com/usn/USN-3087-2 2023-11-07
https://access.redhat.com/errata/RHSA-2017:1413 2023-11-07
https://access.redhat.com/errata/RHSA-2017:1414 2023-11-07
https://access.redhat.com/errata/RHSA-2017:1658 2023-11-07
https://access.redhat.com/errata/RHSA-2017:1801 2023-11-07
https://access.redhat.com/errata/RHSA-2017:1802 2023-11-07
https://access.redhat.com/errata/RHSA-2017:2493 2023-11-07
https://access.redhat.com/errata/RHSA-2017:2494 2023-11-07
https://security.FreeBSD.org/advisories/FreeBSD-SA-16:26.openssl.asc 2023-11-07
https://security.gentoo.org/glsa/201612-16 2023-11-07
https://www.openssl.org/news/secadv/20160922.txt 2023-11-07
https://access.redhat.com/security/cve/CVE-2016-6304 2017-08-21
https://bugzilla.redhat.com/show_bug.cgi?id=1377600 2017-08-21
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Openssl
Search vendor "Openssl"
 Openssl
Search vendor "Openssl" for product "Openssl"
 1.0.2
Search vendor "Openssl" for product "Openssl" and version "1.0.2"
-
Affected
Openssl
Search vendor "Openssl"
 Openssl
Search vendor "Openssl" for product "Openssl"
 1.0.2
Search vendor "Openssl" for product "Openssl" and version "1.0.2"
beta1
Affected
Openssl
Search vendor "Openssl"
 Openssl
Search vendor "Openssl" for product "Openssl"
 1.0.2
Search vendor "Openssl" for product "Openssl" and version "1.0.2"
beta2
Affected
Openssl
Search vendor "Openssl"
 Openssl
Search vendor "Openssl" for product "Openssl"
 1.0.2
Search vendor "Openssl" for product "Openssl" and version "1.0.2"
beta3
Affected
Openssl
Search vendor "Openssl"
 Openssl
Search vendor "Openssl" for product "Openssl"
 1.0.2a
Search vendor "Openssl" for product "Openssl" and version "1.0.2a"
-
Affected
Openssl
Search vendor "Openssl"
 Openssl
Search vendor "Openssl" for product "Openssl"
 1.0.2b
Search vendor "Openssl" for product "Openssl" and version "1.0.2b"
-
Affected
Openssl
Search vendor "Openssl"
 Openssl
Search vendor "Openssl" for product "Openssl"
 1.0.2c
Search vendor "Openssl" for product "Openssl" and version "1.0.2c"
-
Affected
Openssl
Search vendor "Openssl"
 Openssl
Search vendor "Openssl" for product "Openssl"
 1.0.2d
Search vendor "Openssl" for product "Openssl" and version "1.0.2d"
-
Affected
Openssl
Search vendor "Openssl"
 Openssl
Search vendor "Openssl" for product "Openssl"
 1.0.2e
Search vendor "Openssl" for product "Openssl" and version "1.0.2e"
-
Affected
Openssl
Search vendor "Openssl"
 Openssl
Search vendor "Openssl" for product "Openssl"
 1.0.2f
Search vendor "Openssl" for product "Openssl" and version "1.0.2f"
-
Affected
Openssl
Search vendor "Openssl"
 Openssl
Search vendor "Openssl" for product "Openssl"
 1.0.2h
Search vendor "Openssl" for product "Openssl" and version "1.0.2h"
-
Affected
Openssl
Search vendor "Openssl"
 Openssl
Search vendor "Openssl" for product "Openssl"
 1.1.0
Search vendor "Openssl" for product "Openssl" and version "1.1.0"
-
Affected
Openssl
Search vendor "Openssl"
 Openssl
Search vendor "Openssl" for product "Openssl"
 1.0.1
Search vendor "Openssl" for product "Openssl" and version "1.0.1"
-
Affected
Openssl
Search vendor "Openssl"
 Openssl
Search vendor "Openssl" for product "Openssl"
 1.0.1
Search vendor "Openssl" for product "Openssl" and version "1.0.1"
beta1
Affected
Openssl
Search vendor "Openssl"
 Openssl
Search vendor "Openssl" for product "Openssl"
 1.0.1
Search vendor "Openssl" for product "Openssl" and version "1.0.1"
beta2
Affected
Openssl
Search vendor "Openssl"
 Openssl
Search vendor "Openssl" for product "Openssl"
 1.0.1
Search vendor "Openssl" for product "Openssl" and version "1.0.1"
beta3
Affected
Openssl
Search vendor "Openssl"
 Openssl
Search vendor "Openssl" for product "Openssl"
 1.0.1a
Search vendor "Openssl" for product "Openssl" and version "1.0.1a"
-
Affected
Openssl
Search vendor "Openssl"
 Openssl
Search vendor "Openssl" for product "Openssl"
 1.0.1b
Search vendor "Openssl" for product "Openssl" and version "1.0.1b"
-
Affected
Openssl
Search vendor "Openssl"
 Openssl
Search vendor "Openssl" for product "Openssl"
 1.0.1c
Search vendor "Openssl" for product "Openssl" and version "1.0.1c"
-
Affected
Openssl
Search vendor "Openssl"
 Openssl
Search vendor "Openssl" for product "Openssl"
 1.0.1d
Search vendor "Openssl" for product "Openssl" and version "1.0.1d"
-
Affected
Openssl
Search vendor "Openssl"
 Openssl
Search vendor "Openssl" for product "Openssl"
 1.0.1e
Search vendor "Openssl" for product "Openssl" and version "1.0.1e"
-
Affected
Openssl
Search vendor "Openssl"
 Openssl
Search vendor "Openssl" for product "Openssl"
 1.0.1f
Search vendor "Openssl" for product "Openssl" and version "1.0.1f"
-
Affected
Openssl
Search vendor "Openssl"
 Openssl
Search vendor "Openssl" for product "Openssl"
 1.0.1g
Search vendor "Openssl" for product "Openssl" and version "1.0.1g"
-
Affected
Openssl
Search vendor "Openssl"
 Openssl
Search vendor "Openssl" for product "Openssl"
 1.0.1h
Search vendor "Openssl" for product "Openssl" and version "1.0.1h"
-
Affected
Openssl
Search vendor "Openssl"
 Openssl
Search vendor "Openssl" for product "Openssl"
 1.0.1i
Search vendor "Openssl" for product "Openssl" and version "1.0.1i"
-
Affected
Openssl
Search vendor "Openssl"
 Openssl
Search vendor "Openssl" for product "Openssl"
 1.0.1j
Search vendor "Openssl" for product "Openssl" and version "1.0.1j"
-
Affected
Openssl
Search vendor "Openssl"
 Openssl
Search vendor "Openssl" for product "Openssl"
 1.0.1k
Search vendor "Openssl" for product "Openssl" and version "1.0.1k"
-
Affected
Openssl
Search vendor "Openssl"
 Openssl
Search vendor "Openssl" for product "Openssl"
 1.0.1l
Search vendor "Openssl" for product "Openssl" and version "1.0.1l"
-
Affected
Openssl
Search vendor "Openssl"
 Openssl
Search vendor "Openssl" for product "Openssl"
 1.0.1m
Search vendor "Openssl" for product "Openssl" and version "1.0.1m"
-
Affected
Openssl
Search vendor "Openssl"
 Openssl
Search vendor "Openssl" for product "Openssl"
 1.0.1n
Search vendor "Openssl" for product "Openssl" and version "1.0.1n"
-
Affected
Openssl
Search vendor "Openssl"
 Openssl
Search vendor "Openssl" for product "Openssl"
 1.0.1o
Search vendor "Openssl" for product "Openssl" and version "1.0.1o"
-
Affected
Openssl
Search vendor "Openssl"
 Openssl
Search vendor "Openssl" for product "Openssl"
 1.0.1p
Search vendor "Openssl" for product "Openssl" and version "1.0.1p"
-
Affected
Openssl
Search vendor "Openssl"
 Openssl
Search vendor "Openssl" for product "Openssl"
 1.0.1q
Search vendor "Openssl" for product "Openssl" and version "1.0.1q"
-
Affected
Openssl
Search vendor "Openssl"
 Openssl
Search vendor "Openssl" for product "Openssl"
 1.0.1r
Search vendor "Openssl" for product "Openssl" and version "1.0.1r"
-
Affected
Openssl
Search vendor "Openssl"
 Openssl
Search vendor "Openssl" for product "Openssl"
 1.0.1s
Search vendor "Openssl" for product "Openssl" and version "1.0.1s"
-
Affected
Openssl
Search vendor "Openssl"
 Openssl
Search vendor "Openssl" for product "Openssl"
 1.0.1t
Search vendor "Openssl" for product "Openssl" and version "1.0.1t"
-
Affected
Nodejs
Search vendor "Nodejs"
 Node.js
Search vendor "Nodejs" for product "Node.js"
 >= 0.10.0 < 0.10.47
Search vendor "Nodejs" for product "Node.js" and version " >= 0.10.0 < 0.10.47"
-
Affected
Nodejs
Search vendor "Nodejs"
 Node.js
Search vendor "Nodejs" for product "Node.js"
 >= 0.12.0 < 0.12.16
Search vendor "Nodejs" for product "Node.js" and version " >= 0.12.0 < 0.12.16"
-
Affected
Nodejs
Search vendor "Nodejs"
 Node.js
Search vendor "Nodejs" for product "Node.js"
 >= 4.0.0 < 4.6.0
Search vendor "Nodejs" for product "Node.js" and version " >= 4.0.0 < 4.6.0"
-
Affected
Nodejs
Search vendor "Nodejs"
 Node.js
Search vendor "Nodejs" for product "Node.js"
 >= 6.0.0 < 6.7.0
Search vendor "Nodejs" for product "Node.js" and version " >= 6.0.0 < 6.7.0"
-
Affected
Novell
Search vendor "Novell"
 Suse Linux Enterprise Module For Web Scripting
Search vendor "Novell" for product "Suse Linux Enterprise Module For Web Scripting"
 12.0
Search vendor "Novell" for product "Suse Linux Enterprise Module For Web Scripting" and version "12.0"
-
Affected