CVE-2016-8212

Severity Score

7.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

An issue was discovered in EMC RSA BSAFE Crypto-J versions prior to 6.2.2. There is an Improper OCSP Validation Vulnerability. OCSP responses have two time values: thisUpdate and nextUpdate. These specify a validity period; however, both values are optional. Crypto-J treats the lack of a nextUpdate as indicating that the OCSP response is valid indefinitely instead of restricting its validity for a brief period surrounding the thisUpdate time. This vulnerability is similar to the issue described in CVE-2015-4748.

Se descubrió un problema en las versiones de EMC RSA BSAFE Crypto-J anteriores a 6.2.2. Hay una Vulnerabilidad de validación OCSP incorrecta. Las respuestas OCSP tienen dos valores de tiempo: thisUpdate y nextUpdate. Éstos especifican un período de validez; Sin embargo, ambos valores son opcionales. Crypto-J trata la falta de un nextUpdate como indicando que la respuesta OCSP es válida indefinidamente en lugar de restringir su validez durante un breve período que rodea el tiempo thisUpdate. Esta vulnerabilidad es similar al problema descrito en CVE-2015-4748.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

Partial

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2016-09-13 CVE Reserved
2017-01-28 CVE Published
2023-03-07 EPSS Updated
2024-08-06 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-404: Improper Resource Shutdown or Release

CAPEC

References (3)

URL	Tag	Source
http://www.securityfocus.com/archive/1/540066/30/0/threaded	Mailing List
http://www.securityfocus.com/bid/95831	Third Party Advisory
http://www.securitytracker.com/id/1037732	Third Party Advisory

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Dell Search vendor "Dell"		Bsafe Crypto-j Search vendor "Dell" for product "Bsafe Crypto-j"				< 6.2.2 Search vendor "Dell" for product "Bsafe Crypto-j" and version " < 6.2.2"		-		Affected