CVE-2016-6304

high-risk
Published 2016-09-26

Multiple memory leaks in t1_lib.c in OpenSSL before 1.0.1u, 1.0.2 before 1.0.2i, and 1.1.0 before 1.1.0a allow remote attackers to cause a denial of service (memory consumption) via large OCSP Status Request extensions.

Do I need to act?

!
18.0% chance of exploitation in next 30 days
EPSS score — higher than 82% of all CVEs
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
7
CVSS 7.5/10 High
NETWORK / LOW complexity

Affected Products (20)

Affected Vendors

Novell Nodejs Openssl

References (124)

Third Party Advisory http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10759
Mailing List http://lists.opensuse.org/opensuse-security-announce/2016-09/msg00022.html
Mailing List http://lists.opensuse.org/opensuse-security-announce/2016-09/msg00023.html
Mailing List http://lists.opensuse.org/opensuse-security-announce/2016-09/msg00024.html
Mailing List http://lists.opensuse.org/opensuse-security-announce/2016-09/msg00031.html
Mailing List http://lists.opensuse.org/opensuse-security-announce/2016-10/msg00005.html
Mailing List http://lists.opensuse.org/opensuse-security-announce/2016-10/msg00011.html
Mailing List http://lists.opensuse.org/opensuse-security-announce/2016-10/msg00012.html
Mailing List http://lists.opensuse.org/opensuse-security-announce/2016-10/msg00013.html
Mailing List http://lists.opensuse.org/opensuse-security-announce/2016-10/msg00021.html
Mailing List http://lists.opensuse.org/opensuse-security-announce/2016-10/msg00029.html
Mailing List http://lists.opensuse.org/opensuse-security-announce/2016-11/msg00021.html
Mailing List http://lists.opensuse.org/opensuse-security-announce/2016-11/msg00027.html
Mailing List http://lists.opensuse.org/opensuse-security-announce/2017-10/msg00010.html
Mailing List http://lists.opensuse.org/opensuse-security-announce/2017-10/msg00011.html
Mailing List http://lists.opensuse.org/opensuse-security-announce/2018-02/msg00032.html
Third Party Advisory http://packetstormsecurity.com/files/139091/OpenSSL-x509-Parsing-Double-Free-Inv...
Third Party Advisory http://rhn.redhat.com/errata/RHSA-2016-1940.html
Third Party Advisory http://rhn.redhat.com/errata/RHSA-2016-2802.html
Third Party Advisory http://rhn.redhat.com/errata/RHSA-2017-1415.html
and 104 more references
63
/ 100
high-risk
Severity 26/34 · High
Exploitability 13/34 · Low
Exposure 24/34 · High