CVSS2
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS
Percentile: 99.7%

On May 3, 2016, the OpenSSL Software Foundation released a security advisory that included six vulnerabilities. Of the six vulnerabilities disclosed, four may cause memory corruption or excessive memory usage, one could allow a padding oracle attack to decrypt traffic when the connection uses an AES CBC cipher and the server supports AES-NI, and one is specific to a product performing an operation with Extended Binary Coded Decimal Interchange Code (EBCDIC) encoding.
**1.** OpenSSL Untrusted ASN.1 Structures Out-of-Bounds Write Vulnerability. A vulnerability in the ASN.1 encoder in OpenSSL could allow an unauthenticated, remote attacker to execute arbitrary code or cause a denial of service (DoS) condition. (Vulnerability ID: HWPSIRT-2016-05002)
This vulnerability has been assigned a Common Vulnerabilities and Exposures (CVE) ID: CVE-2016-2108.
**2.** OpenSSL AES CBC Cipher Man-in-the-Middle Vulnerability. A vulnerability in OpenSSL could allow an unauthenticated, remote attacker to decrypt and access sensitive information. (Vulnerability ID: HWPSIRT-2016-05261)
This vulnerability has been assigned a Common Vulnerabilities and Exposures (CVE) ID: CVE-2016-2107.
**3.** OpenSSL EVP_EncryptUpdate Function Overflow Heap Corruption Vulnerability. A vulnerability in OpenSSL could allow an unauthenticated, remote attacker to execute arbitrary code or cause a denial of service (DoS) condition on a targeted system. (Vulnerability ID: HWPSIRT-2016-05262)
This vulnerability has been assigned a Common Vulnerabilities and Exposures (CVE) ID: CVE-2016-2106.
**4.** OpenSSL EVP_EncodeUpdate Function Overflow Vulnerability. A vulnerability in the EVP_EncodeUpdate() function in OpenSSL could allow an unauthenticated, remote attacker to execute arbitrary code or cause a denial of service (DoS) condition. (Vulnerability ID: HWPSIRT-2016-05263)
This vulnerability has been assigned a Common Vulnerabilities and Exposures (CVE) ID: CVE-2016-2105.
**5.** OpenSSL d2i_CMS_bio Function Denial of Service Vulnerability. A vulnerability in OpenSSL could allow a local attacker to cause a denial of service (DoS) condition on a targeted system. (Vulnerability ID: HWPSIRT-2016-05264)
This vulnerability has been assigned a Common Vulnerabilities and Exposures (CVE) ID: CVE-2016-2109.
**6.** OpenSSL ASN.1 Strings X509_NAME_oneline Function Overread Vulnerability. A vulnerability in OpenSSL could allow an unauthenticated, remote attacker to gain access to sensitive information on a targeted system. (Vulnerability ID: HWPSIRT-2016-05265)
This vulnerability has been assigned a Common Vulnerabilities and Exposures (CVE) ID: CVE-2016-2176.
Huawei has released software updates to fix this vulnerability. This advisory is available at the following link:
http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20160706-01-openssl-en