CVE-2016-8610
critical-risk
Published 2017-11-13
A denial of service flaw was found in OpenSSL 0.9.8, 1.0.1, 1.0.2 through 1.0.2h, and 1.1.0 in the way the TLS/SSL protocol defined processing of ALERT packets during a connection handshake. A remote attacker could use this flaw to make a TLS/SSL server consume an excessive amount of CPU and fail to accept connections from other clients.
Do I need to act?
71.1% chance of exploitation in next 30 days
EPSS score — higher than 29% of all CVEs
Not on CISA KEV list
No confirmed active exploitation reported to CISA
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
CVSS 7.5/10 · High · NETWORK / LOW complexity
Affected Products (20)
References (56)
Third Party Advisory
http://rhn.redhat.com/errata/RHSA-2017-0286.html
Third Party Advisory
http://rhn.redhat.com/errata/RHSA-2017-0574.html
Third Party Advisory
http://rhn.redhat.com/errata/RHSA-2017-1415.html
Third Party Advisory
http://rhn.redhat.com/errata/RHSA-2017-1659.html
Mailing List
http://seclists.org/oss-sec/2016/q4/224
Third Party Advisory
http://www.securityfocus.com/bid/93841
Third Party Advisory
http://www.securitytracker.com/id/1037084
Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:1413
Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:1414
Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:1658
Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:1801
Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:1802
Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:2493
Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:2494
Issue Tracking
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8610
Third Party Advisory
https://security.360.cn/cve/CVE-2016-8610/
Third Party Advisory
https://security.FreeBSD.org/advisories/FreeBSD-SA-16:35.openssl.asc
Third Party Advisory
https://security.netapp.com/advisory/ntap-20171130-0001/
Third Party Advisory
https://security.paloaltonetworks.com/CVE-2016-8610
and 36 more references
73 / 100 · critical-risk
Severity
26/34 · High
Exploitability
19/34 · Moderate
Exposure
28/34 · Critical