{"id": "KLA10888", "bulletinFamily": "info", "title": "\r KLA10888Multiple vulnerabilities in Oracle VM VirtualBox ", "description": "### *CVSS*:\n7.8\n\n### *Detect date*:\n10/19/2016\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple serious vulnerabilities have been found in Oracle VM VirtualBox. Malicious users can exploit these vulnerabilities to cause denial of service, affect integrity or obtain sensitive information. These vulnerabilities can be executed remotely and related to Core, OpenSSL and VRDE.\n\n### *Affected products*:\nOracle VM VirtualBox versions earlier than 5.0.28 \nOracle VM VirtualBox 5.1 versions earlier than 5.1.8\n\n### *Solution*:\nUpdate to the latest version \n[Oracle VM VirtualBox download page](<https://www.virtualbox.org/wiki/Downloads>)\n\n### *Original advisories*:\n[Oracle bulletin](<http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html#AppendixOVIR>) \n\n\n### *Impacts*:\nOSI \n\n### *Related products*:\n[Oracle VirtualBox](<https://threats.kaspersky.com/en/product/Oracle-VirtualBox/>)\n\n### *CVE-IDS*:\n[CVE-2016-5605](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5605>) \n[CVE-2016-5501](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5501>) \n[CVE-2016-5610](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5610>) \n[CVE-2016-5538](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5538>) \n[CVE-2016-5608](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5608>) \n[CVE-2016-5611](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5611>) \n[CVE-2016-5613](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5613>) \n[CVE-2016-6304](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6304>)", "published": "2016-10-19T00:00:00", "modified": "2018-11-15T00:00:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "https://threats.kaspersky.com/en/vulnerability/KLA10888", "reporter": "Kaspersky Lab", "references": [], "cvelist": ["CVE-2016-5611", "CVE-2016-5608", "CVE-2016-5610", "CVE-2016-6304", "CVE-2016-5605", "CVE-2016-5538", "CVE-2016-5613", "CVE-2016-5501"], "type": "kaspersky", "lastseen": "2018-11-16T08:22:55", "history": [{"bulletin": {"bulletinFamily": "info", "cvelist": ["CVE-2016-5611", "CVE-2016-5608", "CVE-2016-5610", "CVE-2016-6304", "CVE-2016-5605", "CVE-2016-5538", "CVE-2016-5613", "CVE-2016-5501"], "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "description": "### *CVSS*:\n7.8\n\n### *Detect date*:\n10/19/2016\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple serious vulnerabilities have been found in Oracle VM VirtualBox. Malicious users can exploit these vulnerabilities to cause denial of service, affect integrity or obtain sensitive information. These vulnerabilities can be executed remotely and related to Core, OpenSSL and VRDE.\n\n### *Affected products*:\nOracle VM VirtualBox versions earlier than 5.0.28 \nOracle VM VirtualBox 5.1 versions earlier than 5.1.8\n\n### *Solution*:\nUpdate to the latest version \n[Oracle VM VirtualBox download page](<https://www.virtualbox.org/wiki/Downloads>)\n\n### *Original advisories*:\n[Oracle bulletin](<http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html#AppendixOVIR>) \n\n\n### *Impacts*:\nOSI \n\n### *Related products*:\n[Oracle VirtualBox](<https://threats.kaspersky.com/en/product/Oracle-VirtualBox/>)\n\n### *CVE-IDS*:\n[CVE-2016-5605](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5605>) \n[CVE-2016-5501](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5501>) \n[CVE-2016-5610](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5610>) \n[CVE-2016-5538](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5538>) \n[CVE-2016-5608](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5608>) \n[CVE-2016-5611](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5611>) \n[CVE-2016-5613](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5613>) \n[CVE-2016-6304](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6304>)", "edition": 14, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}}, "hash": "1941ee2a42b5ecae994964572eed320b107e97ddbbf3ea2a4b94e225e620a8f7", "hashmap": [{"hash": "7f86b488cde79959076c92cafc9748f6", "key": "modified"}, {"hash": "ed3111898fb94205e2b64cefef5a2081", "key": "cvss"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "04e046712c1b52712f7a7ed82498f22c", "key": "cvelist"}, {"hash": "caf9b6b99962bf5c2264824231d7a40c", "key": "bulletinFamily"}, {"hash": "c66430bd0c8689a06d21da9689458836", "key": "description"}, {"hash": "1c5f25be316d43f9aaa0e7a4f1809d08", "key": "href"}, {"hash": "d85eb9a86b89fb1c1dcf7dbb6a9f02d1", "key": "type"}, {"hash": "1473cc95d97afe32f88497f5af8e9307", "key": "published"}, {"hash": "be9ec55550d2e9f1827933b580aea00d", "key": "title"}, {"hash": "c7d33ff7b19a6a933a6f8c682a1e11aa", "key": "reporter"}], "history": [], "href": "https://threats.kaspersky.com/en/vulnerability/KLA10888", "id": "KLA10888", "lastseen": "2018-09-13T06:47:40", "modified": "2018-09-10T00:00:00", "objectVersion": "1.3", "published": "2016-10-19T00:00:00", "references": [], "reporter": "Kaspersky Lab", "title": "\r KLA10888Multiple vulnerabilities in Oracle VM VirtualBox ", "type": "kaspersky", "viewCount": 15}, "differentElements": ["modified"], "edition": 14, "lastseen": "2018-09-13T06:47:40"}, {"bulletin": {"bulletinFamily": "info", "cvelist": ["CVE-2016-5611", "CVE-2016-5608", "CVE-2016-5610", "CVE-2016-6304", "CVE-2016-5605", "CVE-2016-5538", "CVE-2016-5613", "CVE-2016-5501"], "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "description": "### *CVSS*:\n7.8\n\n### *Detect date*:\n10/19/2016\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple serious vulnerabilities have been found in Oracle VM VirtualBox. Malicious users can exploit these vulnerabilities to cause denial of service, affect integrity or obtain sensitive information. These vulnerabilities can be executed remotely and related to Core, OpenSSL and VRDE.\n\n### *Affected products*:\nOracle VM VirtualBox versions earlier than 5.0.28 \nOracle VM VirtualBox 5.1 versions earlier than 5.1.8\n\n### *Solution*:\nUpdate to the latest version \n[Oracle VM VirtualBox download page](<https://www.virtualbox.org/wiki/Downloads>)\n\n### *Original advisories*:\n[Oracle bulletin](<http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html#AppendixOVIR>) \n\n\n### *Impacts*:\nOSI \n\n### *Related products*:\n[Oracle VirtualBox](<https://threats.kaspersky.com/en/product/Oracle-VirtualBox/>)\n\n### *CVE-IDS*:\n[CVE-2016-5605](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5605>) \n[CVE-2016-5501](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5501>) \n[CVE-2016-5610](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5610>) \n[CVE-2016-5538](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5538>) \n[CVE-2016-5608](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5608>) \n[CVE-2016-5611](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5611>) \n[CVE-2016-5613](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5613>) \n[CVE-2016-6304](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6304>)", "edition": 12, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}}, "hash": "bd9ec020625ba8b76f2c355fc7a19884d36009e10e7cba168990992484f0c9c1", "hashmap": [{"hash": "ed3111898fb94205e2b64cefef5a2081", "key": "cvss"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "04e046712c1b52712f7a7ed82498f22c", "key": "cvelist"}, {"hash": "caf9b6b99962bf5c2264824231d7a40c", "key": "bulletinFamily"}, {"hash": "c66430bd0c8689a06d21da9689458836", "key": "description"}, {"hash": "1c5f25be316d43f9aaa0e7a4f1809d08", "key": "href"}, {"hash": "d85eb9a86b89fb1c1dcf7dbb6a9f02d1", "key": "type"}, {"hash": "1473cc95d97afe32f88497f5af8e9307", "key": "published"}, {"hash": "464857d7b87b7b905e79b99c78b7d97a", "key": "modified"}, {"hash": "be9ec55550d2e9f1827933b580aea00d", "key": "title"}, {"hash": "c7d33ff7b19a6a933a6f8c682a1e11aa", "key": "reporter"}], "history": [], "href": "https://threats.kaspersky.com/en/vulnerability/KLA10888", "id": "KLA10888", "lastseen": "2018-08-31T02:40:21", "modified": "2018-08-17T00:00:00", "objectVersion": "1.3", "published": "2016-10-19T00:00:00", "references": [], "reporter": "Kaspersky Lab", "title": "\r KLA10888Multiple vulnerabilities in Oracle VM VirtualBox ", "type": "kaspersky", "viewCount": 14}, "differentElements": ["modified"], "edition": 12, "lastseen": "2018-08-31T02:40:21"}, {"bulletin": {"bulletinFamily": "info", "cvelist": ["CVE-2016-5611", "CVE-2016-5608", "CVE-2016-5610", "CVE-2016-6304", "CVE-2016-5605", "CVE-2016-5538", "CVE-2016-5613", "CVE-2016-5501"], "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "description": "### *CVSS*:\n7.8\n\n### *Detect date*:\n10/19/2016\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple serious vulnerabilities have been found in Oracle VM VirtualBox. Malicious users can exploit these vulnerabilities to cause denial of service, affect integrity or obtain sensitive information. These vulnerabilities can be executed remotely and related to Core, OpenSSL and VRDE.\n\n### *Affected products*:\nOracle VM VirtualBox versions earlier than 5.0.28 \nOracle VM VirtualBox 5.1 versions earlier than 5.1.8\n\n### *Solution*:\nUpdate to the latest version \n[Oracle VM VirtualBox download page](<https://www.virtualbox.org/wiki/Downloads>)\n\n### *Original advisories*:\n[Oracle bulletin](<http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html#AppendixOVIR>) \n\n\n### *Impacts*:\nOSI \n\n### *Related products*:\n[Oracle VirtualBox](<https://threats.kaspersky.com/en/product/Oracle-VirtualBox/>)\n\n### *CVE-IDS*:\n[CVE-2016-5605](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5605>) \n[CVE-2016-5501](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5501>) \n[CVE-2016-5610](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5610>) \n[CVE-2016-5538](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5538>) \n[CVE-2016-5608](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5608>) \n[CVE-2016-5611](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5611>) \n[CVE-2016-5613](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5613>) \n[CVE-2016-6304](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6304>)", "edition": 17, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}}, "hash": "ba61abbb8573ff5e2f9e543421bafad2bec956b0b68cb37460dd135082fe16fd", "hashmap": [{"hash": "ed3111898fb94205e2b64cefef5a2081", "key": "cvss"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "8be90a922e3fddc17514b9fd17f39e9b", "key": "modified"}, {"hash": "04e046712c1b52712f7a7ed82498f22c", "key": "cvelist"}, {"hash": "caf9b6b99962bf5c2264824231d7a40c", "key": "bulletinFamily"}, {"hash": "c66430bd0c8689a06d21da9689458836", "key": "description"}, {"hash": "1c5f25be316d43f9aaa0e7a4f1809d08", "key": "href"}, {"hash": "d85eb9a86b89fb1c1dcf7dbb6a9f02d1", "key": "type"}, {"hash": "1473cc95d97afe32f88497f5af8e9307", "key": "published"}, {"hash": "be9ec55550d2e9f1827933b580aea00d", "key": "title"}, {"hash": "c7d33ff7b19a6a933a6f8c682a1e11aa", "key": "reporter"}], "history": [], "href": "https://threats.kaspersky.com/en/vulnerability/KLA10888", "id": "KLA10888", "lastseen": "2018-10-12T12:03:49", "modified": "2018-10-12T00:00:00", "objectVersion": "1.3", "published": "2016-10-19T00:00:00", "references": [], "reporter": "Kaspersky Lab", "title": "\r KLA10888Multiple vulnerabilities in Oracle VM VirtualBox ", "type": "kaspersky", "viewCount": 18}, "differentElements": ["modified"], "edition": 17, "lastseen": "2018-10-12T12:03:49"}, {"bulletin": {"bulletinFamily": "info", "cvelist": ["CVE-2016-5611", "CVE-2016-5608", "CVE-2016-5610", "CVE-2016-6304", "CVE-2016-5605", "CVE-2016-5538", "CVE-2016-5613", "CVE-2016-5501"], "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "description": "### *CVSS*:\n7.8\n\n### *Detect date*:\n10/19/2016\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple serious vulnerabilities have been found in Oracle VM VirtualBox. Malicious users can exploit these vulnerabilities to cause denial of service, affect integrity or obtain sensitive information. These vulnerabilities can be executed remotely and related to Core, OpenSSL and VRDE.\n\n### *Affected products*:\nOracle VM VirtualBox versions earlier than 5.0.28 \nOracle VM VirtualBox 5.1 versions earlier than 5.1.8\n\n### *Solution*:\nUpdate to the latest version \n[Oracle VM VirtualBox download page](<https://www.virtualbox.org/wiki/Downloads>)\n\n### *Original advisories*:\n[Oracle bulletin](<http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html#AppendixOVIR>) \n\n\n### *Impacts*:\nOSI \n\n### *Related products*:\n[Oracle VirtualBox](<https://threats.kaspersky.com/en/product/Oracle-VirtualBox/>)\n\n### *CVE-IDS*:\n[CVE-2016-5605](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5605>) \n[CVE-2016-5501](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5501>) \n[CVE-2016-5610](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5610>) \n[CVE-2016-5538](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5538>) \n[CVE-2016-5608](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5608>) \n[CVE-2016-5611](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5611>) \n[CVE-2016-5613](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5613>) \n[CVE-2016-6304](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6304>)", "edition": 23, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}}, "hash": "2cf9aa9b273ceffcf1a783ce960e63085cf54475255227fba3e6cd7f5a9f9613", "hashmap": [{"hash": "ed3111898fb94205e2b64cefef5a2081", "key": "cvss"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "04e046712c1b52712f7a7ed82498f22c", "key": "cvelist"}, {"hash": "caf9b6b99962bf5c2264824231d7a40c", "key": "bulletinFamily"}, {"hash": "c66430bd0c8689a06d21da9689458836", "key": "description"}, {"hash": "1c5f25be316d43f9aaa0e7a4f1809d08", "key": "href"}, {"hash": "d85eb9a86b89fb1c1dcf7dbb6a9f02d1", "key": "type"}, {"hash": "b1b97b93dd9db2b9d4b1c813cb8e2856", "key": "modified"}, {"hash": "1473cc95d97afe32f88497f5af8e9307", "key": "published"}, {"hash": "be9ec55550d2e9f1827933b580aea00d", "key": "title"}, {"hash": "c7d33ff7b19a6a933a6f8c682a1e11aa", "key": "reporter"}], "history": [], "href": "https://threats.kaspersky.com/en/vulnerability/KLA10888", "id": "KLA10888", "lastseen": "2018-11-14T14:42:24", "modified": "2018-11-06T00:00:00", "objectVersion": "1.3", "published": "2016-10-19T00:00:00", "references": [], "reporter": "Kaspersky Lab", "title": "\r KLA10888Multiple vulnerabilities in Oracle VM VirtualBox ", "type": "kaspersky", "viewCount": 20}, "differentElements": ["modified"], "edition": 23, "lastseen": "2018-11-14T14:42:24"}, {"bulletin": {"bulletinFamily": "info", "cvelist": ["CVE-2016-5611", "CVE-2016-5608", "CVE-2016-5610", "CVE-2016-6304", "CVE-2016-5605", "CVE-2016-5538", "CVE-2016-5613", "CVE-2016-5501"], "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "description": "### *CVSS*:\n7.8\n\n### *Detect date*:\n10/19/2016\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple serious vulnerabilities have been found in Oracle VM VirtualBox. Malicious users can exploit these vulnerabilities to cause denial of service, affect integrity or obtain sensitive information. These vulnerabilities can be executed remotely and related to Core, OpenSSL and VRDE.\n\n### *Affected products*:\nOracle VM VirtualBox versions earlier than 5.0.28 \nOracle VM VirtualBox 5.1 versions earlier than 5.1.8\n\n### *Solution*:\nUpdate to the latest version \n[Oracle VM VirtualBox download page](<https://www.virtualbox.org/wiki/Downloads>)\n\n### *Original advisories*:\n[Oracle bulletin](<http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html#AppendixOVIR>) \n\n\n### *Impacts*:\nOSI \n\n### *Related products*:\n[Oracle VirtualBox](<https://threats.kaspersky.com/en/product/Oracle-VirtualBox-2/>)\n\n### *CVE-IDS*:\n[CVE-2016-5613](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5613>) \n[CVE-2016-5611](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5611>) \n[CVE-2016-5608](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5608>) \n[CVE-2016-5538](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5538>) \n[CVE-2016-5610](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5610>) \n[CVE-2016-5501](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5501>) \n[CVE-2016-5605](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5605>) \n[CVE-2016-6304](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6304>)", "edition": 6, "enchantments": {"score": {"modified": "2018-01-22T17:22:46", "value": 6.5}}, "hash": "831c5673ea379b05dbe4ed8a07603d51d987300430256116742b7fc463b34b66", "hashmap": [{"hash": "ed3111898fb94205e2b64cefef5a2081", "key": "cvss"}, {"hash": "f73537294a413783ee6a88308a25e8c1", "key": "title"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "04e046712c1b52712f7a7ed82498f22c", "key": "cvelist"}, {"hash": "caf9b6b99962bf5c2264824231d7a40c", "key": "bulletinFamily"}, {"hash": "1d731490b777bc15c5d9375993128995", "key": "modified"}, {"hash": "1c5f25be316d43f9aaa0e7a4f1809d08", "key": "href"}, {"hash": "d85eb9a86b89fb1c1dcf7dbb6a9f02d1", "key": "type"}, {"hash": "1473cc95d97afe32f88497f5af8e9307", "key": "published"}, {"hash": "8cbac3b9969bcf6c6747a5ab07d21d5a", "key": "description"}, {"hash": "c7d33ff7b19a6a933a6f8c682a1e11aa", "key": "reporter"}], "history": [], "href": "https://threats.kaspersky.com/en/vulnerability/KLA10888", "id": "KLA10888", "lastseen": "2018-01-22T17:22:46", "modified": "2016-10-26T00:00:00", "objectVersion": "1.3", "published": "2016-10-19T00:00:00", "references": [], "reporter": "Kaspersky Lab", "title": "\r KLA10888\nMultiple vulnerabilities in Oracle VM VirtualBox\t\t\t ", "type": "kaspersky", "viewCount": 5}, "differentElements": ["title"], "edition": 6, "lastseen": "2018-01-22T17:22:46"}, {"bulletin": {"bulletinFamily": "info", "cvelist": ["CVE-2016-5611", "CVE-2016-5608", "CVE-2016-5610", "CVE-2016-6304", "CVE-2016-5605", "CVE-2016-5538", "CVE-2016-5613", "CVE-2016-5501"], "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "description": "### *CVSS*:\n7.8\n\n### *Detect date*:\n10/19/2016\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple serious vulnerabilities have been found in Oracle VM VirtualBox. Malicious users can exploit these vulnerabilities to cause denial of service, affect integrity or obtain sensitive information. These vulnerabilities can be executed remotely and related to Core, OpenSSL and VRDE.\n\n### *Affected products*:\nOracle VM VirtualBox versions earlier than 5.0.28 \nOracle VM VirtualBox 5.1 versions earlier than 5.1.8\n\n### *Solution*:\nUpdate to the latest version \n[Oracle VM VirtualBox download page](<https://www.virtualbox.org/wiki/Downloads>)\n\n### *Original advisories*:\n[Oracle bulletin](<http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html#AppendixOVIR>) \n\n\n### *Impacts*:\nOSI \n\n### *Related products*:\n[Oracle VirtualBox](<https://threats.kaspersky.com/en/product/Oracle-VirtualBox/>)\n\n### *CVE-IDS*:\n[CVE-2016-5613](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5613>) \n[CVE-2016-5611](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5611>) \n[CVE-2016-5608](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5608>) \n[CVE-2016-5538](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5538>) \n[CVE-2016-5610](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5610>) \n[CVE-2016-5501](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5501>) \n[CVE-2016-5605](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5605>) \n[CVE-2016-6304](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6304>)", "edition": 8, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}}, "hash": "f28f67bebf5e49d4921b156f6e87fe19f09499ab5b80a22eb632b18d9c709e8e", "hashmap": [{"hash": "5794ba7fe261eb70f198fc55c62ba08b", "key": "description"}, {"hash": "df2e24c1f618fcff69ba2210c61e5e60", "key": "title"}, {"hash": "ed3111898fb94205e2b64cefef5a2081", "key": "cvss"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "04e046712c1b52712f7a7ed82498f22c", "key": "cvelist"}, {"hash": "caf9b6b99962bf5c2264824231d7a40c", "key": "bulletinFamily"}, {"hash": "1d731490b777bc15c5d9375993128995", "key": "modified"}, {"hash": "1c5f25be316d43f9aaa0e7a4f1809d08", "key": "href"}, {"hash": "d85eb9a86b89fb1c1dcf7dbb6a9f02d1", "key": "type"}, {"hash": "1473cc95d97afe32f88497f5af8e9307", "key": "published"}, {"hash": "c7d33ff7b19a6a933a6f8c682a1e11aa", "key": "reporter"}], "history": [], "href": "https://threats.kaspersky.com/en/vulnerability/KLA10888", "id": "KLA10888", "lastseen": "2018-03-30T14:11:55", "modified": "2016-10-26T00:00:00", "objectVersion": "1.3", "published": "2016-10-19T00:00:00", "references": [], "reporter": "Kaspersky Lab", "title": "\r KLA10888Multiple vulnerabilities in Oracle VM VirtualBox\t\t\t ", "type": "kaspersky", "viewCount": 7}, "differentElements": ["modified", "title"], "edition": 8, "lastseen": "2018-03-30T14:11:55"}, {"bulletin": {"bulletinFamily": "info", "cvelist": ["CVE-2016-5611", "CVE-2016-5608", "CVE-2016-5610", "CVE-2016-6304", "CVE-2016-5605", "CVE-2016-5538", "CVE-2016-5613", "CVE-2016-5501"], "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "description": "### *CVSS*:\n7.8\n\n### *Detect date*:\n10/19/2016\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple serious vulnerabilities have been found in Oracle VM VirtualBox. Malicious users can exploit these vulnerabilities to cause denial of service, affect integrity or obtain sensitive information. These vulnerabilities can be executed remotely and related to Core, OpenSSL and VRDE.\n\n### *Affected products*:\nOracle VM VirtualBox versions earlier than 5.0.28 \nOracle VM VirtualBox 5.1 versions earlier than 5.1.8\n\n### *Solution*:\nUpdate to the latest version \n[Oracle VM VirtualBox download page](<https://www.virtualbox.org/wiki/Downloads>)\n\n### *Original advisories*:\n[Oracle bulletin](<http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html#AppendixOVIR>) \n\n\n### *Impacts*:\nOSI \n\n### *Related products*:\n[Oracle VirtualBox](<https://threats.kaspersky.com/en/product/Oracle-VirtualBox/>)\n\n### *CVE-IDS*:\n[CVE-2016-5605](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5605>) \n[CVE-2016-5501](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5501>) \n[CVE-2016-5610](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5610>) \n[CVE-2016-5538](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5538>) \n[CVE-2016-5608](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5608>) \n[CVE-2016-5611](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5611>) \n[CVE-2016-5613](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5613>) \n[CVE-2016-6304](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6304>)", "edition": 20, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}}, "hash": "9093b93e65571746fd2f7bb1cd2ba62ad8a3d4a9d1a62045fe5c4c9955fafa3f", "hashmap": [{"hash": "ed3111898fb94205e2b64cefef5a2081", "key": "cvss"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "04e046712c1b52712f7a7ed82498f22c", "key": "cvelist"}, {"hash": "caf9b6b99962bf5c2264824231d7a40c", "key": "bulletinFamily"}, {"hash": "c45965f448762320ac763ead6d918fd2", "key": "modified"}, {"hash": "c66430bd0c8689a06d21da9689458836", "key": "description"}, {"hash": "1c5f25be316d43f9aaa0e7a4f1809d08", "key": "href"}, {"hash": "d85eb9a86b89fb1c1dcf7dbb6a9f02d1", "key": "type"}, {"hash": "1473cc95d97afe32f88497f5af8e9307", "key": "published"}, {"hash": "be9ec55550d2e9f1827933b580aea00d", "key": "title"}, {"hash": "c7d33ff7b19a6a933a6f8c682a1e11aa", "key": "reporter"}], "history": [], "href": "https://threats.kaspersky.com/en/vulnerability/KLA10888", "id": "KLA10888", "lastseen": "2018-11-06T14:33:52", "modified": "2018-10-29T00:00:00", "objectVersion": "1.3", "published": "2016-10-19T00:00:00", "references": [], "reporter": "Kaspersky Lab", "title": "\r KLA10888Multiple vulnerabilities in Oracle VM VirtualBox ", "type": "kaspersky", "viewCount": 20}, "differentElements": ["modified"], "edition": 20, "lastseen": "2018-11-06T14:33:52"}, {"bulletin": {"bulletinFamily": "info", "cvelist": ["CVE-2016-5611", "CVE-2016-5608", "CVE-2016-5610", "CVE-2016-6304", "CVE-2016-5605", "CVE-2016-5538", "CVE-2016-5613", "CVE-2016-5501"], "cvss": {"score": 6.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "description": "### *CVSS*:\n6.5\n\n### *Detect date*:\n10/18/2016\n\n### *Severity*:\nHigh\n\n### *Description*:\nMultiple serious vulnerabilities have been found in Oracle VM VirtualBox. Malicious users can exploit these vulnerabilities to cause denial of service, affect integrity or obtain sensitive information. These vulnerabilities can be executed remotely and related to Core, OpenSSL and VRDE.\n\n### *Affected products*:\nOracle VM VirtualBox versions earlier than 5.0.28 \nOracle VM VirtualBox 5.1 versions earlier than 5.1.8\n\n### *Solution*:\nUpdate to the latest version \n[Oracle VM VirtualBox download page](<https://www.virtualbox.org/wiki/Downloads>)\n\n### *Original advisories*:\n[Oracle bulletin](<http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html#AppendixOVIR>) \n\n\n### *Impacts*:\nOSI \n\n### *Related products*:\n[Oracle VirtualBox](<https://threats.kaspersky.com/en/product/Oracle-VirtualBox-2/>)\n\n### *CVE-IDS*:\n[CVE-2016-5613](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5613>) \n[CVE-2016-5611](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5611>) \n[CVE-2016-5608](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5608>) \n[CVE-2016-5538](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5538>) \n[CVE-2016-5610](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5610>) \n[CVE-2016-5501](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5501>) \n[CVE-2016-5605](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5605>) \n[CVE-2016-6304](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6304>)", "edition": 4, "enchantments": {"score": {"modified": "2017-12-19T15:09:49", "value": 6.5}}, "hash": "a2fa2582266355d820984e76e907822a6f67ae2235f52d7a871e29d08e016b33", "hashmap": [{"hash": "f73537294a413783ee6a88308a25e8c1", "key": "title"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "04e046712c1b52712f7a7ed82498f22c", "key": "cvelist"}, {"hash": "caf9b6b99962bf5c2264824231d7a40c", "key": "bulletinFamily"}, {"hash": "b4d3fb3bf91408daca0ee87023f21135", "key": "description"}, {"hash": "1d731490b777bc15c5d9375993128995", "key": "modified"}, {"hash": "1c5f25be316d43f9aaa0e7a4f1809d08", "key": "href"}, {"hash": "d85eb9a86b89fb1c1dcf7dbb6a9f02d1", "key": "type"}, {"hash": "0416e7762cb900088c87342ca21f0680", "key": "published"}, {"hash": "c61ef83b4939578e95c273912ebf5e5b", "key": "cvss"}, {"hash": "c7d33ff7b19a6a933a6f8c682a1e11aa", "key": "reporter"}], "history": [], "href": "https://threats.kaspersky.com/en/vulnerability/KLA10888", "id": "KLA10888", "lastseen": "2017-12-19T15:09:49", "modified": "2016-10-26T00:00:00", "objectVersion": "1.3", "published": "2016-10-18T00:00:00", "references": [], "reporter": "Kaspersky Lab", "title": "\r KLA10888\nMultiple vulnerabilities in Oracle VM VirtualBox\t\t\t ", "type": "kaspersky", "viewCount": 3}, "differentElements": ["cvss", "description"], "edition": 4, "lastseen": "2017-12-19T15:09:49"}, {"bulletin": {"bulletinFamily": "info", "cvelist": ["CVE-2016-5611", "CVE-2016-5608", "CVE-2016-5610", "CVE-2016-6304", "CVE-2016-5605", "CVE-2016-5538", "CVE-2016-5613", "CVE-2016-5501"], "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "description": "### *CVSS*:\n7.8\n\n### *Detect date*:\n10/19/2016\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple serious vulnerabilities have been found in Oracle VM VirtualBox. Malicious users can exploit these vulnerabilities to cause denial of service, affect integrity or obtain sensitive information. These vulnerabilities can be executed remotely and related to Core, OpenSSL and VRDE.\n\n### *Affected products*:\nOracle VM VirtualBox versions earlier than 5.0.28 \nOracle VM VirtualBox 5.1 versions earlier than 5.1.8\n\n### *Solution*:\nUpdate to the latest version \n[Oracle VM VirtualBox download page](<https://www.virtualbox.org/wiki/Downloads>)\n\n### *Original advisories*:\n[Oracle bulletin](<http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html#AppendixOVIR>) \n\n\n### *Impacts*:\nOSI \n\n### *Related products*:\n[Oracle VirtualBox](<https://threats.kaspersky.com/en/product/Oracle-VirtualBox/>)\n\n### *CVE-IDS*:\n[CVE-2016-5605](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5605>) \n[CVE-2016-5501](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5501>) \n[CVE-2016-5610](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5610>) \n[CVE-2016-5538](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5538>) \n[CVE-2016-5608](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5608>) \n[CVE-2016-5611](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5611>) \n[CVE-2016-5613](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5613>) \n[CVE-2016-6304](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6304>)", "edition": 15, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}}, "hash": "7872e3f6f2d9161896f749e16566f3aeaa79226008096150d7f21524e2d92849", "hashmap": [{"hash": "ed3111898fb94205e2b64cefef5a2081", "key": "cvss"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "04e046712c1b52712f7a7ed82498f22c", "key": "cvelist"}, {"hash": "caf9b6b99962bf5c2264824231d7a40c", "key": "bulletinFamily"}, {"hash": "c66430bd0c8689a06d21da9689458836", "key": "description"}, {"hash": "1c5f25be316d43f9aaa0e7a4f1809d08", "key": "href"}, {"hash": "f88d50f5167050f5b3367c6d99617b00", "key": "modified"}, {"hash": "d85eb9a86b89fb1c1dcf7dbb6a9f02d1", "key": "type"}, {"hash": "1473cc95d97afe32f88497f5af8e9307", "key": "published"}, {"hash": "be9ec55550d2e9f1827933b580aea00d", "key": "title"}, {"hash": "c7d33ff7b19a6a933a6f8c682a1e11aa", "key": "reporter"}], "history": [], "href": "https://threats.kaspersky.com/en/vulnerability/KLA10888", "id": "KLA10888", "lastseen": "2018-09-26T09:49:01", "modified": "2018-09-12T00:00:00", "objectVersion": "1.3", "published": "2016-10-19T00:00:00", "references": [], "reporter": "Kaspersky Lab", "title": "\r KLA10888Multiple vulnerabilities in Oracle VM VirtualBox ", "type": "kaspersky", "viewCount": 15}, "differentElements": ["modified"], "edition": 15, "lastseen": "2018-09-26T09:49:01"}, {"bulletin": {"bulletinFamily": "info", "cvelist": ["CVE-2016-5611", "CVE-2016-5608", "CVE-2016-5610", "CVE-2016-6304", "CVE-2016-5605", "CVE-2016-5538", "CVE-2016-5613", "CVE-2016-5501"], "cvss": {"score": 6.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "description": "### *CVSS*:\n6.5\n\n### *Detect date*:\n10/18/2016\n\n### *Severity*:\nHigh\n\n### *Description*:\nMultiple serious vulnerabilities have been found in Oracle VM VirtualBox. Malicious users can exploit these vulnerabilities to cause denial of service, affect integrity or obtain sensitive information. These vulnerabilities can be executed remotely and related to Core, OpenSSL and VRDE.\n\n### *Affected products*:\nOracle VM VirtualBox versions earlier than 5.0.28 \nOracle VM VirtualBox 5.1 versions earlier than 5.1.8\n\n### *Solution*:\nUpdate to the latest version \n[Oracle VM VirtualBox download page](<https://www.virtualbox.org/wiki/Downloads>)\n\n### *Original advisories*:\n[Oracle bulletin](<http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html#AppendixOVIR>) \n\n\n### *Impacts*:\nOSI \n\n### *Related products*:\n[Oracle VirtualBox](<https://threats.kaspersky.com/en/product/Oracle-VirtualBox-2/>)\n\n### *CVE-IDS*:\n[CVE-2016-5613](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5613>) \n[CVE-2016-5611](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5611>) \n[CVE-2016-5608](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5608>) \n[CVE-2016-5538](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5538>) \n[CVE-2016-5610](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5610>) \n[CVE-2016-5501](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5501>) \n[CVE-2016-5605](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5605>) \n[CVE-2016-6304](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6304>)", "edition": 1, "enchantments": {}, "hash": "ffa298c5075294479e7327f330cea951c4593b70b2314e2bf313c7261654f954", "hashmap": [{"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "04e046712c1b52712f7a7ed82498f22c", "key": "cvelist"}, {"hash": "caf9b6b99962bf5c2264824231d7a40c", "key": "bulletinFamily"}, {"hash": "b4d3fb3bf91408daca0ee87023f21135", "key": "description"}, {"hash": "1d731490b777bc15c5d9375993128995", "key": "modified"}, {"hash": "1c5f25be316d43f9aaa0e7a4f1809d08", "key": "href"}, {"hash": "d85eb9a86b89fb1c1dcf7dbb6a9f02d1", "key": "type"}, {"hash": "0416e7762cb900088c87342ca21f0680", "key": "published"}, {"hash": "6e795eb1423802a45adc4878866deaa0", "key": "title"}, {"hash": "c61ef83b4939578e95c273912ebf5e5b", "key": "cvss"}, {"hash": "c7d33ff7b19a6a933a6f8c682a1e11aa", "key": "reporter"}], "history": [], "href": "https://threats.kaspersky.com/en/vulnerability/KLA10888", "id": "KLA10888", "lastseen": "2017-05-01T09:33:16", "modified": "2016-10-26T00:00:00", "objectVersion": "1.2", "published": "2016-10-18T00:00:00", "references": [], "reporter": "Kaspersky Lab", "title": "\r KLA10888\nMultiple vulnerabilities in Oracle VM VirtualBox\t\t\t ", "type": "kaspersky", "viewCount": 2}, "differentElements": ["title"], "edition": 1, "lastseen": "2017-05-01T09:33:16"}, {"bulletin": {"bulletinFamily": "info", "cvelist": ["CVE-2016-5611", "CVE-2016-5608", "CVE-2016-5610", "CVE-2016-6304", "CVE-2016-5605", "CVE-2016-5538", "CVE-2016-5613", "CVE-2016-5501"], "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "description": "### *CVSS*:\n7.8\n\n### *Detect date*:\n10/18/2016\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple serious vulnerabilities have been found in Oracle VM VirtualBox. Malicious users can exploit these vulnerabilities to cause denial of service, affect integrity or obtain sensitive information. These vulnerabilities can be executed remotely and related to Core, OpenSSL and VRDE.\n\n### *Affected products*:\nOracle VM VirtualBox versions earlier than 5.0.28 \nOracle VM VirtualBox 5.1 versions earlier than 5.1.8\n\n### *Solution*:\nUpdate to the latest version \n[Oracle VM VirtualBox download page](<https://www.virtualbox.org/wiki/Downloads>)\n\n### *Original advisories*:\n[Oracle bulletin](<http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html#AppendixOVIR>) \n\n\n### *Impacts*:\nOSI \n\n### *Related products*:\n[Oracle VirtualBox](<https://threats.kaspersky.com/en/product/Oracle-VirtualBox-2/>)\n\n### *CVE-IDS*:\n[CVE-2016-5613](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5613>) \n[CVE-2016-5611](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5611>) \n[CVE-2016-5608](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5608>) \n[CVE-2016-5538](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5538>) \n[CVE-2016-5610](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5610>) \n[CVE-2016-5501](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5501>) \n[CVE-2016-5605](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5605>) \n[CVE-2016-6304](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6304>)", "edition": 5, "enchantments": {"score": {"modified": "2017-12-26T14:36:44", "value": 6.5}}, "hash": "9406c08d0c5db647ed680fb1000bdddae82afab7361ed127f250afda046dece7", "hashmap": [{"hash": "ed3111898fb94205e2b64cefef5a2081", "key": "cvss"}, {"hash": "f73537294a413783ee6a88308a25e8c1", "key": "title"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "04e046712c1b52712f7a7ed82498f22c", "key": "cvelist"}, {"hash": "caf9b6b99962bf5c2264824231d7a40c", "key": "bulletinFamily"}, {"hash": "1d731490b777bc15c5d9375993128995", "key": "modified"}, {"hash": "1c5f25be316d43f9aaa0e7a4f1809d08", "key": "href"}, {"hash": "d85eb9a86b89fb1c1dcf7dbb6a9f02d1", "key": "type"}, {"hash": "0416e7762cb900088c87342ca21f0680", "key": "published"}, {"hash": "144800bd639d217c03ac382921d31538", "key": "description"}, {"hash": "c7d33ff7b19a6a933a6f8c682a1e11aa", "key": "reporter"}], "history": [], "href": "https://threats.kaspersky.com/en/vulnerability/KLA10888", "id": "KLA10888", "lastseen": "2017-12-26T14:36:44", "modified": "2016-10-26T00:00:00", "objectVersion": "1.3", "published": "2016-10-18T00:00:00", "references": [], "reporter": "Kaspersky Lab", "title": "\r KLA10888\nMultiple vulnerabilities in Oracle VM VirtualBox\t\t\t ", "type": "kaspersky", "viewCount": 3}, "differentElements": ["description", "published"], "edition": 5, "lastseen": "2017-12-26T14:36:44"}, {"bulletin": {"bulletinFamily": "info", "cvelist": ["CVE-2016-5611", "CVE-2016-5608", "CVE-2016-5610", "CVE-2016-6304", "CVE-2016-5605", "CVE-2016-5538", "CVE-2016-5613", "CVE-2016-5501"], "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "description": "### *CVSS*:\n7.8\n\n### *Detect date*:\n10/19/2016\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple serious vulnerabilities have been found in Oracle VM VirtualBox. Malicious users can exploit these vulnerabilities to cause denial of service, affect integrity or obtain sensitive information. These vulnerabilities can be executed remotely and related to Core, OpenSSL and VRDE.\n\n### *Affected products*:\nOracle VM VirtualBox versions earlier than 5.0.28 \nOracle VM VirtualBox 5.1 versions earlier than 5.1.8\n\n### *Solution*:\nUpdate to the latest version \n[Oracle VM VirtualBox download page](<https://www.virtualbox.org/wiki/Downloads>)\n\n### *Original advisories*:\n[Oracle bulletin](<http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html#AppendixOVIR>) \n\n\n### *Impacts*:\nOSI \n\n### *Related products*:\n[Oracle VirtualBox](<https://threats.kaspersky.com/en/product/Oracle-VirtualBox/>)\n\n### *CVE-IDS*:\n[CVE-2016-5605](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5605>) \n[CVE-2016-5501](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5501>) \n[CVE-2016-5610](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5610>) \n[CVE-2016-5538](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5538>) \n[CVE-2016-5608](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5608>) \n[CVE-2016-5611](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5611>) \n[CVE-2016-5613](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5613>) \n[CVE-2016-6304](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6304>)", "edition": 18, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}}, "hash": "6b1ef2fa538b536176d58d45fbc5caf157cf351bba75784d5ef131ce2e318c90", "hashmap": [{"hash": "ed3111898fb94205e2b64cefef5a2081", "key": "cvss"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "04e046712c1b52712f7a7ed82498f22c", "key": "cvelist"}, {"hash": "caf9b6b99962bf5c2264824231d7a40c", "key": "bulletinFamily"}, {"hash": "c66430bd0c8689a06d21da9689458836", "key": "description"}, {"hash": "1c5f25be316d43f9aaa0e7a4f1809d08", "key": "href"}, {"hash": "99cf33fdc76c271eacfb873ef259f621", "key": "modified"}, {"hash": "d85eb9a86b89fb1c1dcf7dbb6a9f02d1", "key": "type"}, {"hash": "1473cc95d97afe32f88497f5af8e9307", "key": "published"}, {"hash": "be9ec55550d2e9f1827933b580aea00d", "key": "title"}, {"hash": "c7d33ff7b19a6a933a6f8c682a1e11aa", "key": "reporter"}], "history": [], "href": "https://threats.kaspersky.com/en/vulnerability/KLA10888", "id": "KLA10888", "lastseen": "2018-10-18T16:04:10", "modified": "2018-10-16T00:00:00", "objectVersion": "1.3", "published": "2016-10-19T00:00:00", "references": [], "reporter": "Kaspersky Lab", "title": "\r KLA10888Multiple vulnerabilities in Oracle VM VirtualBox ", "type": "kaspersky", "viewCount": 19}, "differentElements": ["modified"], "edition": 18, "lastseen": "2018-10-18T16:04:10"}, {"bulletin": {"bulletinFamily": "info", "cvelist": ["CVE-2016-5611", "CVE-2016-5608", "CVE-2016-5610", "CVE-2016-6304", "CVE-2016-5605", "CVE-2016-5538", "CVE-2016-5613", "CVE-2016-5501"], "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "description": "### *Detect date*:\n10/19/2016\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple serious vulnerabilities have been found in Oracle VM VirtualBox. Malicious users can exploit these vulnerabilities to cause denial of service, affect integrity or obtain sensitive information. These vulnerabilities can be executed remotely and related to Core, OpenSSL and VRDE.\n\n### *Affected products*:\nOracle VM VirtualBox versions earlier than 5.0.28 \nOracle VM VirtualBox 5.1 versions earlier than 5.1.8\n\n### *Solution*:\nUpdate to the latest version \n[Oracle VM VirtualBox download page](<https://www.virtualbox.org/wiki/Downloads>)\n\n### *Original advisories*:\n[Oracle bulletin](<http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html#AppendixOVIR>) \n\n\n### *Impacts*:\nOSI \n\n### *Related products*:\n[Oracle VirtualBox](<https://threats.kaspersky.com/en/product/Oracle-VirtualBox/>)\n\n### *CVE-IDS*:\n[CVE-2016-5605](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5605>) \n[CVE-2016-5501](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5501>) \n[CVE-2016-5610](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5610>) \n[CVE-2016-5538](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5538>) \n[CVE-2016-5608](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5608>) \n[CVE-2016-5611](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5611>) \n[CVE-2016-5613](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5613>) \n[CVE-2016-6304](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6304>)", "edition": 22, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}}, "hash": "6509e587bd001136315d6e51a08d0d2e1ad456a4b9912ba5dcc1c6236d6591e7", "hashmap": [{"hash": "ed3111898fb94205e2b64cefef5a2081", "key": "cvss"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "04e046712c1b52712f7a7ed82498f22c", "key": "cvelist"}, {"hash": "caf9b6b99962bf5c2264824231d7a40c", "key": "bulletinFamily"}, {"hash": "df9924d329e61639b23ceae50bf09fef", "key": "description"}, {"hash": "1c5f25be316d43f9aaa0e7a4f1809d08", "key": "href"}, {"hash": "d85eb9a86b89fb1c1dcf7dbb6a9f02d1", "key": "type"}, {"hash": "b1b97b93dd9db2b9d4b1c813cb8e2856", "key": "modified"}, {"hash": "1473cc95d97afe32f88497f5af8e9307", "key": "published"}, {"hash": "be9ec55550d2e9f1827933b580aea00d", "key": "title"}, {"hash": "c7d33ff7b19a6a933a6f8c682a1e11aa", "key": "reporter"}], "history": [], "href": "https://threats.kaspersky.com/en/vulnerability/KLA10888", "id": "KLA10888", "lastseen": "2018-11-13T22:17:53", "modified": "2018-11-06T00:00:00", "objectVersion": "1.3", "published": "2016-10-19T00:00:00", "references": [], "reporter": "Kaspersky Lab", "title": "\r KLA10888Multiple vulnerabilities in Oracle VM VirtualBox ", "type": "kaspersky", "viewCount": 20}, "differentElements": ["description"], "edition": 22, "lastseen": "2018-11-13T22:17:53"}, {"bulletin": {"bulletinFamily": "info", "cvelist": ["CVE-2016-5611", "CVE-2016-5608", "CVE-2016-5610", "CVE-2016-6304", "CVE-2016-5605", "CVE-2016-5538", "CVE-2016-5613", "CVE-2016-5501"], "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "description": "### *CVSS*:\n7.8\n\n### *Detect date*:\n10/19/2016\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple serious vulnerabilities have been found in Oracle VM VirtualBox. Malicious users can exploit these vulnerabilities to cause denial of service, affect integrity or obtain sensitive information. These vulnerabilities can be executed remotely and related to Core, OpenSSL and VRDE.\n\n### *Affected products*:\nOracle VM VirtualBox versions earlier than 5.0.28 \nOracle VM VirtualBox 5.1 versions earlier than 5.1.8\n\n### *Solution*:\nUpdate to the latest version \n[Oracle VM VirtualBox download page](<https://www.virtualbox.org/wiki/Downloads>)\n\n### *Original advisories*:\n[Oracle bulletin](<http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html#AppendixOVIR>) \n\n\n### *Impacts*:\nOSI \n\n### *Related products*:\n[Oracle VirtualBox](<https://threats.kaspersky.com/en/product/Oracle-VirtualBox/>)\n\n### *CVE-IDS*:\n[CVE-2016-5605](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5605>) \n[CVE-2016-5501](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5501>) \n[CVE-2016-5610](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5610>) \n[CVE-2016-5538](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5538>) \n[CVE-2016-5608](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5608>) \n[CVE-2016-5611](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5611>) \n[CVE-2016-5613](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5613>) \n[CVE-2016-6304](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6304>)", "edition": 19, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}}, "hash": "bd7e8f058ad0ba5b9bf53cca4c33f74e71684f9da468fb69cabe74bc55ae7894", "hashmap": [{"hash": "ed3111898fb94205e2b64cefef5a2081", "key": "cvss"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "04e046712c1b52712f7a7ed82498f22c", "key": "cvelist"}, {"hash": "caf9b6b99962bf5c2264824231d7a40c", "key": "bulletinFamily"}, {"hash": "c66430bd0c8689a06d21da9689458836", "key": "description"}, {"hash": "1c5f25be316d43f9aaa0e7a4f1809d08", "key": "href"}, {"hash": "8417130e0d445fc9335d4108d7416ee8", "key": "modified"}, {"hash": "d85eb9a86b89fb1c1dcf7dbb6a9f02d1", "key": "type"}, {"hash": "1473cc95d97afe32f88497f5af8e9307", "key": "published"}, {"hash": "be9ec55550d2e9f1827933b580aea00d", "key": "title"}, {"hash": "c7d33ff7b19a6a933a6f8c682a1e11aa", "key": "reporter"}], "history": [], "href": "https://threats.kaspersky.com/en/vulnerability/KLA10888", "id": "KLA10888", "lastseen": "2018-10-31T00:07:22", "modified": "2018-10-18T00:00:00", "objectVersion": "1.3", "published": "2016-10-19T00:00:00", "references": [], "reporter": "Kaspersky Lab", "title": "\r KLA10888Multiple vulnerabilities in Oracle VM VirtualBox ", "type": "kaspersky", "viewCount": 20}, "differentElements": ["modified"], "edition": 19, "lastseen": "2018-10-31T00:07:22"}, {"bulletin": {"bulletinFamily": "info", "cvelist": ["CVE-2016-5611", "CVE-2016-5608", "CVE-2016-5610", "CVE-2016-6304", "CVE-2016-5605", "CVE-2016-5538", "CVE-2016-5613", "CVE-2016-5501"], "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "description": "### *CVSS*:\n7.8\n\n### *Detect date*:\n10/19/2016\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple serious vulnerabilities have been found in Oracle VM VirtualBox. Malicious users can exploit these vulnerabilities to cause denial of service, affect integrity or obtain sensitive information. These vulnerabilities can be executed remotely and related to Core, OpenSSL and VRDE.\n\n### *Affected products*:\nOracle VM VirtualBox versions earlier than 5.0.28 \nOracle VM VirtualBox 5.1 versions earlier than 5.1.8\n\n### *Solution*:\nUpdate to the latest version \n[Oracle VM VirtualBox download page](<https://www.virtualbox.org/wiki/Downloads>)\n\n### *Original advisories*:\n[Oracle bulletin](<http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html#AppendixOVIR>) \n\n\n### *Impacts*:\nOSI \n\n### *Related products*:\n[Oracle VirtualBox](<https://threats.kaspersky.com/en/product/Oracle-VirtualBox-2/>)\n\n### *CVE-IDS*:\n[CVE-2016-5613](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5613>) \n[CVE-2016-5611](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5611>) \n[CVE-2016-5608](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5608>) \n[CVE-2016-5538](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5538>) \n[CVE-2016-5610](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5610>) \n[CVE-2016-5501](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5501>) \n[CVE-2016-5605](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5605>) \n[CVE-2016-6304](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6304>)", "edition": 7, "enchantments": {"score": {"modified": "2018-02-19T21:28:11", "value": 4.0, "vector": "AV:N/AC:L/Au:S/C:N/I:P/A:N/"}}, "hash": "f1b13aab5083020405da2310a0ac0d005de128d6640dd4238c6f54f71f86eb2d", "hashmap": [{"hash": "df2e24c1f618fcff69ba2210c61e5e60", "key": "title"}, {"hash": "ed3111898fb94205e2b64cefef5a2081", "key": "cvss"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "04e046712c1b52712f7a7ed82498f22c", "key": "cvelist"}, {"hash": "caf9b6b99962bf5c2264824231d7a40c", "key": "bulletinFamily"}, {"hash": "1d731490b777bc15c5d9375993128995", "key": "modified"}, {"hash": "1c5f25be316d43f9aaa0e7a4f1809d08", "key": "href"}, {"hash": "d85eb9a86b89fb1c1dcf7dbb6a9f02d1", "key": "type"}, {"hash": "1473cc95d97afe32f88497f5af8e9307", "key": "published"}, {"hash": "8cbac3b9969bcf6c6747a5ab07d21d5a", "key": "description"}, {"hash": "c7d33ff7b19a6a933a6f8c682a1e11aa", "key": "reporter"}], "history": [], "href": "https://threats.kaspersky.com/en/vulnerability/KLA10888", "id": "KLA10888", "lastseen": "2018-02-19T21:28:11", "modified": "2016-10-26T00:00:00", "objectVersion": "1.3", "published": "2016-10-19T00:00:00", "references": [], "reporter": "Kaspersky Lab", "title": "\r KLA10888Multiple vulnerabilities in Oracle VM VirtualBox\t\t\t ", "type": "kaspersky", "viewCount": 5}, "differentElements": ["description"], "edition": 7, "lastseen": "2018-02-19T21:28:11"}, {"bulletin": {"bulletinFamily": "info", "cvelist": ["CVE-2016-5611", "CVE-2016-5608", "CVE-2016-5610", "CVE-2016-6304", "CVE-2016-5605", "CVE-2016-5538", "CVE-2016-5613", "CVE-2016-5501"], "cvss": {"score": 6.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "description": "### *CVSS*:\n6.5\n\n### *Detect date*:\n10/18/2016\n\n### *Severity*:\nHigh\n\n### *Description*:\nMultiple serious vulnerabilities have been found in Oracle VM VirtualBox. Malicious users can exploit these vulnerabilities to cause denial of service, affect integrity or obtain sensitive information. These vulnerabilities can be executed remotely and related to Core, OpenSSL and VRDE.\n\n### *Affected products*:\nOracle VM VirtualBox versions earlier than 5.0.28 \nOracle VM VirtualBox 5.1 versions earlier than 5.1.8\n\n### *Solution*:\nUpdate to the latest version \n[Oracle VM VirtualBox download page](<https://www.virtualbox.org/wiki/Downloads>)\n\n### *Original advisories*:\n[Oracle bulletin](<http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html#AppendixOVIR>) \n\n\n### *Impacts*:\nOSI \n\n### *Related products*:\n[Oracle VirtualBox](<https://threats.kaspersky.com/en/product/Oracle-VirtualBox-2/>)\n\n### *CVE-IDS*:\n[CVE-2016-5613](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5613>) \n[CVE-2016-5611](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5611>) \n[CVE-2016-5608](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5608>) \n[CVE-2016-5538](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5538>) \n[CVE-2016-5610](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5610>) \n[CVE-2016-5501](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5501>) \n[CVE-2016-5605](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5605>) \n[CVE-2016-6304](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6304>)", "edition": 2, "enchantments": {}, "hash": "bdbac08ebf317fd679205a2df817820664523b65cdb4ee465f93c6a572257e9d", "hashmap": [{"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "8ebc64676c4898ca5e75dacd5156e183", "key": "title"}, {"hash": "04e046712c1b52712f7a7ed82498f22c", "key": "cvelist"}, {"hash": "caf9b6b99962bf5c2264824231d7a40c", "key": "bulletinFamily"}, {"hash": "b4d3fb3bf91408daca0ee87023f21135", "key": "description"}, {"hash": "1d731490b777bc15c5d9375993128995", "key": "modified"}, {"hash": "1c5f25be316d43f9aaa0e7a4f1809d08", "key": "href"}, {"hash": "d85eb9a86b89fb1c1dcf7dbb6a9f02d1", "key": "type"}, {"hash": "0416e7762cb900088c87342ca21f0680", "key": "published"}, {"hash": "c61ef83b4939578e95c273912ebf5e5b", "key": "cvss"}, {"hash": "c7d33ff7b19a6a933a6f8c682a1e11aa", "key": "reporter"}], "history": [], "href": "https://threats.kaspersky.com/en/vulnerability/KLA10888", "id": "KLA10888", "lastseen": "2017-10-17T15:13:49", "modified": "2016-10-26T00:00:00", "objectVersion": "1.3", "published": "2016-10-18T00:00:00", "references": [], "reporter": "Kaspersky Lab", "title": "\r KLA10888\n Multiple vulnerabilities in Oracle VM VirtualBox \n ", "type": "kaspersky", "viewCount": 2}, "differentElements": ["title"], "edition": 2, "lastseen": "2017-10-17T15:13:49"}, {"bulletin": {"bulletinFamily": "info", "cvelist": ["CVE-2016-5611", "CVE-2016-5608", "CVE-2016-5610", "CVE-2016-6304", "CVE-2016-5605", "CVE-2016-5538", "CVE-2016-5613", "CVE-2016-5501"], "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "description": "### *CVSS*:\n7.8\n\n### *Detect date*:\n10/19/2016\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple serious vulnerabilities have been found in Oracle VM VirtualBox. Malicious users can exploit these vulnerabilities to cause denial of service, affect integrity or obtain sensitive information. These vulnerabilities can be executed remotely and related to Core, OpenSSL and VRDE.\n\n### *Affected products*:\nOracle VM VirtualBox versions earlier than 5.0.28 \nOracle VM VirtualBox 5.1 versions earlier than 5.1.8\n\n### *Solution*:\nUpdate to the latest version \n[Oracle VM VirtualBox download page](<https://www.virtualbox.org/wiki/Downloads>)\n\n### *Original advisories*:\n[Oracle bulletin](<http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html#AppendixOVIR>) \n\n\n### *Impacts*:\nOSI \n\n### *Related products*:\n[Oracle VirtualBox](<https://threats.kaspersky.com/en/product/Oracle-VirtualBox/>)\n\n### *CVE-IDS*:\n[CVE-2016-5605](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5605>) \n[CVE-2016-5501](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5501>) \n[CVE-2016-5610](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5610>) \n[CVE-2016-5538](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5538>) \n[CVE-2016-5608](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5608>) \n[CVE-2016-5611](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5611>) \n[CVE-2016-5613](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5613>) \n[CVE-2016-6304](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6304>)", "edition": 10, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}}, "hash": "bd9ec020625ba8b76f2c355fc7a19884d36009e10e7cba168990992484f0c9c1", "hashmap": [{"hash": "ed3111898fb94205e2b64cefef5a2081", "key": "cvss"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "04e046712c1b52712f7a7ed82498f22c", "key": "cvelist"}, {"hash": "caf9b6b99962bf5c2264824231d7a40c", "key": "bulletinFamily"}, {"hash": "c66430bd0c8689a06d21da9689458836", "key": "description"}, {"hash": "1c5f25be316d43f9aaa0e7a4f1809d08", "key": "href"}, {"hash": "d85eb9a86b89fb1c1dcf7dbb6a9f02d1", "key": "type"}, {"hash": "1473cc95d97afe32f88497f5af8e9307", "key": "published"}, {"hash": "464857d7b87b7b905e79b99c78b7d97a", "key": "modified"}, {"hash": "be9ec55550d2e9f1827933b580aea00d", "key": "title"}, {"hash": "c7d33ff7b19a6a933a6f8c682a1e11aa", "key": "reporter"}], "history": [], "href": "https://threats.kaspersky.com/en/vulnerability/KLA10888", "id": "KLA10888", "lastseen": "2018-08-27T12:38:48", "modified": "2018-08-17T00:00:00", "objectVersion": "1.3", "published": "2016-10-19T00:00:00", "references": [], "reporter": "Kaspersky Lab", "title": "\r KLA10888Multiple vulnerabilities in Oracle VM VirtualBox ", "type": "kaspersky", "viewCount": 14}, "differentElements": ["cvss"], "edition": 10, "lastseen": "2018-08-27T12:38:48"}, {"bulletin": {"bulletinFamily": "info", "cvelist": ["CVE-2016-5611", "CVE-2016-5608", "CVE-2016-5610", "CVE-2016-6304", "CVE-2016-5605", "CVE-2016-5538", "CVE-2016-5613", "CVE-2016-5501"], "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "description": "### *CVSS*:\n7.8\n\n### *Detect date*:\n10/19/2016\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple serious vulnerabilities have been found in Oracle VM VirtualBox. Malicious users can exploit these vulnerabilities to cause denial of service, affect integrity or obtain sensitive information. These vulnerabilities can be executed remotely and related to Core, OpenSSL and VRDE.\n\n### *Affected products*:\nOracle VM VirtualBox versions earlier than 5.0.28 \nOracle VM VirtualBox 5.1 versions earlier than 5.1.8\n\n### *Solution*:\nUpdate to the latest version \n[Oracle VM VirtualBox download page](<https://www.virtualbox.org/wiki/Downloads>)\n\n### *Original advisories*:\n[Oracle bulletin](<http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html#AppendixOVIR>) \n\n\n### *Impacts*:\nOSI \n\n### *Related products*:\n[Oracle VirtualBox](<https://threats.kaspersky.com/en/product/Oracle-VirtualBox/>)\n\n### *CVE-IDS*:\n[CVE-2016-5605](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5605>) \n[CVE-2016-5501](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5501>) \n[CVE-2016-5610](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5610>) \n[CVE-2016-5538](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5538>) \n[CVE-2016-5608](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5608>) \n[CVE-2016-5611](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5611>) \n[CVE-2016-5613](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5613>) \n[CVE-2016-6304](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6304>)", "edition": 16, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}}, "hash": "bcf46563e3ba5f3923c2f8f0d82a1da90180bf7f6e70821532ebd4e7dce90ce9", "hashmap": [{"hash": "ed3111898fb94205e2b64cefef5a2081", "key": "cvss"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "04e046712c1b52712f7a7ed82498f22c", "key": "cvelist"}, {"hash": "caf9b6b99962bf5c2264824231d7a40c", "key": "bulletinFamily"}, {"hash": "4f39b12f12b9cfc524b1a9ccce1883fb", "key": "modified"}, {"hash": "c66430bd0c8689a06d21da9689458836", "key": "description"}, {"hash": "1c5f25be316d43f9aaa0e7a4f1809d08", "key": "href"}, {"hash": "d85eb9a86b89fb1c1dcf7dbb6a9f02d1", "key": "type"}, {"hash": "1473cc95d97afe32f88497f5af8e9307", "key": "published"}, {"hash": "be9ec55550d2e9f1827933b580aea00d", "key": "title"}, {"hash": "c7d33ff7b19a6a933a6f8c682a1e11aa", "key": "reporter"}], "history": [], "href": "https://threats.kaspersky.com/en/vulnerability/KLA10888", "id": "KLA10888", "lastseen": "2018-09-27T11:50:41", "modified": "2018-09-26T00:00:00", "objectVersion": "1.3", "published": "2016-10-19T00:00:00", "references": [], "reporter": "Kaspersky Lab", "title": "\r KLA10888Multiple vulnerabilities in Oracle VM VirtualBox ", "type": "kaspersky", "viewCount": 17}, "differentElements": ["modified"], "edition": 16, "lastseen": "2018-09-27T11:50:41"}, {"bulletin": {"bulletinFamily": "info", "cvelist": ["CVE-2016-5611", "CVE-2016-5608", "CVE-2016-5610", "CVE-2016-6304", "CVE-2016-5605", "CVE-2016-5538", "CVE-2016-5613", "CVE-2016-5501"], "cvss": {"score": 0.0, "vector": "NONE"}, "description": "### *CVSS*:\n7.8\n\n### *Detect date*:\n10/19/2016\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple serious vulnerabilities have been found in Oracle VM VirtualBox. Malicious users can exploit these vulnerabilities to cause denial of service, affect integrity or obtain sensitive information. These vulnerabilities can be executed remotely and related to Core, OpenSSL and VRDE.\n\n### *Affected products*:\nOracle VM VirtualBox versions earlier than 5.0.28 \nOracle VM VirtualBox 5.1 versions earlier than 5.1.8\n\n### *Solution*:\nUpdate to the latest version \n[Oracle VM VirtualBox download page](<https://www.virtualbox.org/wiki/Downloads>)\n\n### *Original advisories*:\n[Oracle bulletin](<http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html#AppendixOVIR>) \n\n\n### *Impacts*:\nOSI \n\n### *Related products*:\n[Oracle VirtualBox](<https://threats.kaspersky.com/en/product/Oracle-VirtualBox/>)\n\n### *CVE-IDS*:\n[CVE-2016-5605](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5605>) \n[CVE-2016-5501](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5501>) \n[CVE-2016-5610](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5610>) \n[CVE-2016-5538](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5538>) \n[CVE-2016-5608](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5608>) \n[CVE-2016-5611](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5611>) \n[CVE-2016-5613](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5613>) \n[CVE-2016-6304](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6304>)", "edition": 11, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}}, "hash": "ac3a4b42341576813315365ba46af6eb74eb9ee11d4b68236ae8c3aefeebdca1", "hashmap": [{"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "04e046712c1b52712f7a7ed82498f22c", "key": "cvelist"}, {"hash": "caf9b6b99962bf5c2264824231d7a40c", "key": "bulletinFamily"}, {"hash": "c66430bd0c8689a06d21da9689458836", "key": "description"}, {"hash": "1c5f25be316d43f9aaa0e7a4f1809d08", "key": "href"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "d85eb9a86b89fb1c1dcf7dbb6a9f02d1", "key": "type"}, {"hash": "1473cc95d97afe32f88497f5af8e9307", "key": "published"}, {"hash": "464857d7b87b7b905e79b99c78b7d97a", "key": "modified"}, {"hash": "be9ec55550d2e9f1827933b580aea00d", "key": "title"}, {"hash": "c7d33ff7b19a6a933a6f8c682a1e11aa", "key": "reporter"}], "history": [], "href": "https://threats.kaspersky.com/en/vulnerability/KLA10888", "id": "KLA10888", "lastseen": "2018-08-30T20:38:16", "modified": "2018-08-17T00:00:00", "objectVersion": "1.3", "published": "2016-10-19T00:00:00", "references": [], "reporter": "Kaspersky Lab", "title": "\r KLA10888Multiple vulnerabilities in Oracle VM VirtualBox ", "type": "kaspersky", "viewCount": 14}, "differentElements": ["cvss"], "edition": 11, "lastseen": "2018-08-30T20:38:16"}, {"bulletin": {"bulletinFamily": "info", "cvelist": ["CVE-2016-5611", "CVE-2016-5608", "CVE-2016-5610", "CVE-2016-6304", "CVE-2016-5605", "CVE-2016-5538", "CVE-2016-5613", "CVE-2016-5501"], "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "description": "### *CVSS*:\n7.8\n\n### *Detect date*:\n10/19/2016\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple serious vulnerabilities have been found in Oracle VM VirtualBox. Malicious users can exploit these vulnerabilities to cause denial of service, affect integrity or obtain sensitive information. These vulnerabilities can be executed remotely and related to Core, OpenSSL and VRDE.\n\n### *Affected products*:\nOracle VM VirtualBox versions earlier than 5.0.28 \nOracle VM VirtualBox 5.1 versions earlier than 5.1.8\n\n### *Solution*:\nUpdate to the latest version \n[Oracle VM VirtualBox download page](<https://www.virtualbox.org/wiki/Downloads>)\n\n### *Original advisories*:\n[Oracle bulletin](<http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html#AppendixOVIR>) \n\n\n### *Impacts*:\nOSI \n\n### *Related products*:\n[Oracle VirtualBox](<https://threats.kaspersky.com/en/product/Oracle-VirtualBox/>)\n\n### *CVE-IDS*:\n[CVE-2016-5605](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5605>) \n[CVE-2016-5501](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5501>) \n[CVE-2016-5610](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5610>) \n[CVE-2016-5538](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5538>) \n[CVE-2016-5608](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5608>) \n[CVE-2016-5611](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5611>) \n[CVE-2016-5613](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5613>) \n[CVE-2016-6304](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6304>)", "edition": 21, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}}, "hash": "2cf9aa9b273ceffcf1a783ce960e63085cf54475255227fba3e6cd7f5a9f9613", "hashmap": [{"hash": "ed3111898fb94205e2b64cefef5a2081", "key": "cvss"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "04e046712c1b52712f7a7ed82498f22c", "key": "cvelist"}, {"hash": "caf9b6b99962bf5c2264824231d7a40c", "key": "bulletinFamily"}, {"hash": "c66430bd0c8689a06d21da9689458836", "key": "description"}, {"hash": "1c5f25be316d43f9aaa0e7a4f1809d08", "key": "href"}, {"hash": "d85eb9a86b89fb1c1dcf7dbb6a9f02d1", "key": "type"}, {"hash": "b1b97b93dd9db2b9d4b1c813cb8e2856", "key": "modified"}, {"hash": "1473cc95d97afe32f88497f5af8e9307", "key": "published"}, {"hash": "be9ec55550d2e9f1827933b580aea00d", "key": "title"}, {"hash": "c7d33ff7b19a6a933a6f8c682a1e11aa", "key": "reporter"}], "history": [], "href": "https://threats.kaspersky.com/en/vulnerability/KLA10888", "id": "KLA10888", "lastseen": "2018-11-08T14:12:37", "modified": "2018-11-06T00:00:00", "objectVersion": "1.3", "published": "2016-10-19T00:00:00", "references": [], "reporter": "Kaspersky Lab", "title": "\r KLA10888Multiple vulnerabilities in Oracle VM VirtualBox ", "type": "kaspersky", "viewCount": 20}, "differentElements": ["description"], "edition": 21, "lastseen": "2018-11-08T14:12:37"}], "edition": 24, "hashmap": [{"key": "bulletinFamily", "hash": "caf9b6b99962bf5c2264824231d7a40c"}, {"key": "cvelist", "hash": "04e046712c1b52712f7a7ed82498f22c"}, {"key": "cvss", "hash": "ed3111898fb94205e2b64cefef5a2081"}, {"key": "description", "hash": "c66430bd0c8689a06d21da9689458836"}, {"key": "href", "hash": "1c5f25be316d43f9aaa0e7a4f1809d08"}, {"key": "modified", "hash": "015cb78ce50d3bd4e2fbe18f25603329"}, {"key": "published", "hash": "1473cc95d97afe32f88497f5af8e9307"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "c7d33ff7b19a6a933a6f8c682a1e11aa"}, {"key": "title", "hash": "be9ec55550d2e9f1827933b580aea00d"}, {"key": "type", "hash": "d85eb9a86b89fb1c1dcf7dbb6a9f02d1"}], "hash": "f7a165d8621033b3d3385add4bc3fb90d0a4e3d8ebdc97dbda11fc9f3bbc89e4", "viewCount": 21, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}, "vulnersScore": 5.0}, "objectVersion": "1.3"}

{"nessus": [{"lastseen": "2018-11-09T00:49:04", "references": ["http://www.nessus.org/u?bac902d5", "https://www.virtualbox.org/wiki/Changelog"], "pluginID": "94168", "description": "The version of the Oracle VM VirtualBox application installed on the remote host is 5.0.x prior to 5.0.28 or 5.1.x prior to 5.1.8. It is, therefore, affected by multiple vulnerabilities :\n\n - Multiple unspecified flaws exist in the Core subcomponent that allow a local attacker to gain elevated privileges. (CVE-2016-5501, CVE-2016-5538)\n\n - An unspecified flaw exists in the VirtualBox Remote Desktop Extension (VRDE) subcomponent that allows an unauthenticated, remote attacker to impact confidentiality and integrity. (CVE-2016-5605)\n\n - Multiple unspecified flaws exist in the Core subcomponent that allow a local attacker to cause a denial of service condition. (CVE-2016-5608, CVE-2016-5613)\n\n - An unspecified flaw exists in the Core subcomponent that allows a local attacker to impact on integrity and availability. (CVE-2016-5610)\n\n - An unspecified flaw exists in the Core subcomponent that allows a local attacker to disclose sensitive information. (CVE-2016-5611)\n\n - A flaw exists in the OpenSSL subcomponent, specifically within the ssl_parse_clienthello_tlsext() function in t1_lib.c due, to improper handling of overly large OCSP Status Request extensions from clients. An unauthenticated, remote attacker can exploit this, via large OCSP Status Request extensions, to exhaust memory resources, resulting in a denial of service condition.\n (CVE-2016-6304)", "edition": 12, "reporter": "Tenable", "published": "2016-10-20T00:00:00", "title": "Oracle VM VirtualBox 5.0.x < 5.0.28 / 5.1.x < 5.1.8 Multiple Vulnerabilities (October 2016 CPU)", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 7.2}}, "naslFamily": "Misc.", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-5611", "CVE-2016-5608", "CVE-2016-5610", "CVE-2016-6304", "CVE-2016-5605", "CVE-2016-5538", "CVE-2016-5613", "CVE-2016-5501"], "modified": "2018-11-08T00:00:00", "cpe": ["cpe:/a:oracle:vm_virtualbox"], "id": "VIRTUALBOX_5_1_8.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=94168", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(94168);\n script_version(\"1.9\");\n script_cvs_date(\"Date: 2018/11/08 11:55:29\");\n\n script_cve_id(\n \"CVE-2016-5501\",\n \"CVE-2016-5538\",\n \"CVE-2016-5605\",\n \"CVE-2016-5608\",\n \"CVE-2016-5610\",\n \"CVE-2016-5611\",\n \"CVE-2016-5613\",\n \"CVE-2016-6304\"\n );\n script_bugtraq_id(\n 93150,\n 93685,\n 93687,\n 93697,\n 93711,\n 93718,\n 93728,\n 93744\n );\n\n script_name(english:\"Oracle VM VirtualBox 5.0.x < 5.0.28 / 5.1.x < 5.1.8 Multiple Vulnerabilities (October 2016 CPU)\");\n script_summary(english:\"Performs a version check on VirtualBox.exe.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"An application installed on the remote host is affected by multiple\nvulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of the Oracle VM VirtualBox application installed on the\nremote host is 5.0.x prior to 5.0.28 or 5.1.x prior to 5.1.8. It is,\ntherefore, affected by multiple vulnerabilities :\n\n - Multiple unspecified flaws exist in the Core\n subcomponent that allow a local attacker to gain\n elevated privileges. (CVE-2016-5501, CVE-2016-5538)\n\n - An unspecified flaw exists in the VirtualBox Remote\n Desktop Extension (VRDE) subcomponent that allows an\n unauthenticated, remote attacker to impact\n confidentiality and integrity. (CVE-2016-5605)\n\n - Multiple unspecified flaws exist in the Core\n subcomponent that allow a local attacker to cause a\n denial of service condition. (CVE-2016-5608,\n CVE-2016-5613)\n\n - An unspecified flaw exists in the Core subcomponent that\n allows a local attacker to impact on integrity and\n availability. (CVE-2016-5610)\n\n - An unspecified flaw exists in the Core subcomponent that\n allows a local attacker to disclose sensitive\n information. (CVE-2016-5611)\n\n - A flaw exists in the OpenSSL subcomponent, specifically\n within the ssl_parse_clienthello_tlsext() function in\n t1_lib.c due, to improper handling of overly large OCSP\n Status Request extensions from clients. An\n unauthenticated, remote attacker can exploit this, via\n large OCSP Status Request extensions, to exhaust memory\n resources, resulting in a denial of service condition.\n (CVE-2016-6304)\");\n # http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html\n script_set_attribute(attribute:\"see_also\",value:\"http://www.nessus.org/u?bac902d5\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.virtualbox.org/wiki/Changelog\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Oracle VM VirtualBox version 5.0.28 / 5.1.8 or later as\nreferenced in the October 2016 Oracle Critical Patch Update advisory.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2016-6304\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/09/22\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/10/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/10/20\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"agent\", value:\"all\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:oracle:vm_virtualbox\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2016-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"virtualbox_installed.nasl\", \"macosx_virtualbox_installed.nbin\");\n script_require_ports(\"installed_sw/Oracle VM VirtualBox\", \"installed_sw/VirtualBox\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"install_func.inc\");\n\napp = NULL;\napps = make_list('Oracle VM VirtualBox', 'VirtualBox');\n\nforeach app (apps)\n{\n if (get_install_count(app_name:app)) break;\n else app = NULL;\n}\n\nif (isnull(app)) audit(AUDIT_NOT_INST, 'Oracle VM VirtualBox');\n\ninstall = get_single_install(app_name:app, exit_if_unknown_ver:TRUE);\n\nver = install['version'];\npath = install['path'];\n\n# Affected :\n# 5.0.x < 5.0.28 / 5.1.x < 5.1.8\nif (ver =~ '^5\\\\.0' && ver_compare(ver:ver, fix:'5.0.26', strict:FALSE) < 0) fix = '5.0.26';\nelse if (ver =~ '^5\\\\.1' && ver_compare(ver:ver, fix:'5.1.8', strict:FALSE) < 0) fix = '5.1.8';\nelse audit(AUDIT_INST_PATH_NOT_VULN, app, ver, path);\n\nport = 0;\nif (app == 'Oracle VM VirtualBox')\n{\n port = get_kb_item(\"SMB/transport\");\n if (!port) port = 445;\n}\n\nreport =\n '\\n Path : ' + path +\n '\\n Installed version : ' + ver +\n '\\n Fixed version : ' + fix +\n '\\n';\nsecurity_report_v4(port:port, extra:report, severity:SECURITY_HOLE);\nexit(0);\n", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2018-09-01T23:53:33", "references": ["https://bugzilla.opensuse.org/show_bug.cgi?id=1005621", "https://bugzilla.opensuse.org/show_bug.cgi?id=983629"], "pluginID": "94302", "description": "This update for virtualbox fixes the following issues :\n\n - Address CVE-2016-5501, CVE-2016-5538, CVE-2016-5605, CVE-2016-5608, CVE-2016-5610, CVE-2016-5611, CVE-2016-5613 (boo#1005621).\n\n - Reduce memory needs during build.\n\n - Version bump to 5.0.28 (released 2016-10-18 by Oracle) This is a maintenance release. The following items were fixed and/or added: NAT: Don't exceed the maximum number of 'search' suffixes. Patch from bug #15948. NAT: fixed parsing of port-forwarding rules with a name which contains a slash (bug #16002) NAT Network: when the host has only loopback nameserver that cannot be mapped to the guests (e.g. dnsmasq running on 127.0.1.1), make DHCP supply NAT Network DNS proxy as nameserver. Bridged Network: prevent flooding syslog with packet allocation error messages (bug #15569) USB: fixed a possible crash when detaching a USB device Audio: fixes for recording (Mac OS X hosts only) Audio: now using Audio Queues on Mac OS X hosts OVF: improve importing of VMs created by VirtualBox 5.1 VHDX: fixed cloning images with VBoxManage cloned (bug #14288) Storage: Fixed broken bandwidth limitation when the limit is very low (bug #14982) Serial: Fixed high CPU usage with certain USB to serial converters on Linux hosts (bug #7796) BIOS: fixed 4bpp scanline calculation (bug #15787) VBoxManage: Don't try to set the medium type if there is no change (bug #13850) API: fixed initialization of SAS controllers (bug #15972) Linux hosts: don't use 32-bit legacy capabilities Linux hosts / guests: fix for kernels with CONFIG_CPUMASK_OFFSTACK set (bug #16020) Linux Additions: several fixes for X11 guests running non-root X servers Linux Additions: fix for Linux 4.7 (bug #15769) Linux Additions: fix for the display kmod driver with Linux 4.8 (bugs #15890 and #15896) Windows Additions: auto-resizing fixes for Windows 10 guests (bug #15257) Windows Additions: fixes for arranging the guest screens in multi-screen scenarios Windows Additions / VGA: if the guest's power management turns a virtual screen off, blank the corresponding VM window rather than hide the VM window Windows Additions: fixed a generic bug which could lead to freezing shared folders (bug #15662) \n\n - Modify virtualbox-guest-preamble and virtualbox-host-preamble to obsolete old versions of the kernel modules. This change should fix the problem in (boo#983629).", "edition": 5, "reporter": "Tenable", "published": "2016-10-27T00:00:00", "title": "openSUSE Security Update : virtualbox (openSUSE-2016-1226)", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "naslFamily": "SuSE Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-5611", "CVE-2016-5608", "CVE-2016-5610", "CVE-2016-5605", "CVE-2016-5538", "CVE-2016-5613", "CVE-2016-5501"], "modified": "2016-10-31T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:virtualbox-qt-debuginfo", "p-cpe:/a:novell:opensuse:virtualbox-guest-kmp-desktop-debuginfo", "p-cpe:/a:novell:opensuse:virtualbox-guest-tools", "p-cpe:/a:novell:opensuse:virtualbox-host-kmp-desktop", "p-cpe:/a:novell:opensuse:virtualbox-qt", "p-cpe:/a:novell:opensuse:virtualbox-guest-kmp-default-debuginfo", "p-cpe:/a:novell:opensuse:virtualbox-debugsource", "p-cpe:/a:novell:opensuse:python-virtualbox", "p-cpe:/a:novell:opensuse:virtualbox-guest-kmp-pae", "p-cpe:/a:novell:opensuse:virtualbox-websrv-debuginfo", "p-cpe:/a:novell:opensuse:virtualbox-guest-kmp-pae-debuginfo", "p-cpe:/a:novell:opensuse:virtualbox-guest-x11-debuginfo", "p-cpe:/a:novell:opensuse:virtualbox-host-kmp-desktop-debuginfo", "p-cpe:/a:novell:opensuse:virtualbox-guest-kmp-default", "p-cpe:/a:novell:opensuse:python-virtualbox-debuginfo", "p-cpe:/a:novell:opensuse:virtualbox-host-kmp-default", "p-cpe:/a:novell:opensuse:virtualbox-host-kmp-pae-debuginfo", "p-cpe:/a:novell:opensuse:virtualbox-host-kmp-default-debuginfo", "p-cpe:/a:novell:opensuse:virtualbox-guest-tools-debuginfo", "p-cpe:/a:novell:opensuse:virtualbox-websrv", "cpe:/o:novell:opensuse:13.2", "p-cpe:/a:novell:opensuse:virtualbox-guest-x11", "p-cpe:/a:novell:opensuse:virtualbox-guest-kmp-desktop", "p-cpe:/a:novell:opensuse:virtualbox-host-kmp-pae", "p-cpe:/a:novell:opensuse:virtualbox-host-source", "p-cpe:/a:novell:opensuse:virtualbox-debuginfo", "p-cpe:/a:novell:opensuse:virtualbox-devel", "p-cpe:/a:novell:opensuse:virtualbox", "p-cpe:/a:novell:opensuse:virtualbox-guest-desktop-icons"], "id": "OPENSUSE-2016-1226.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=94302", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2016-1226.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(94302);\n script_version(\"$Revision: 2.2 $\");\n script_cvs_date(\"$Date: 2016/10/31 13:56:11 $\");\n\n script_cve_id(\"CVE-2016-5501\", \"CVE-2016-5538\", \"CVE-2016-5605\", \"CVE-2016-5608\", \"CVE-2016-5610\", \"CVE-2016-5611\", \"CVE-2016-5613\");\n\n script_name(english:\"openSUSE Security Update : virtualbox (openSUSE-2016-1226)\");\n script_summary(english:\"Check for the openSUSE-2016-1226 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for virtualbox fixes the following issues :\n\n - Address CVE-2016-5501, CVE-2016-5538, CVE-2016-5605,\n CVE-2016-5608, CVE-2016-5610, CVE-2016-5611,\n CVE-2016-5613 (boo#1005621).\n\n - Reduce memory needs during build.\n\n - Version bump to 5.0.28 (released 2016-10-18 by Oracle)\n This is a maintenance release. The following items were\n fixed and/or added: NAT: Don't exceed the maximum number\n of 'search' suffixes. Patch from bug #15948. NAT: fixed\n parsing of port-forwarding rules with a name which\n contains a slash (bug #16002) NAT Network: when the host\n has only loopback nameserver that cannot be mapped to\n the guests (e.g. dnsmasq running on 127.0.1.1), make\n DHCP supply NAT Network DNS proxy as nameserver. Bridged\n Network: prevent flooding syslog with packet allocation\n error messages (bug #15569) USB: fixed a possible crash\n when detaching a USB device Audio: fixes for recording\n (Mac OS X hosts only) Audio: now using Audio Queues on\n Mac OS X hosts OVF: improve importing of VMs created by\n VirtualBox 5.1 VHDX: fixed cloning images with\n VBoxManage cloned (bug #14288) Storage: Fixed broken\n bandwidth limitation when the limit is very low (bug\n #14982) Serial: Fixed high CPU usage with certain USB to\n serial converters on Linux hosts (bug #7796) BIOS: fixed\n 4bpp scanline calculation (bug #15787) VBoxManage: Don't\n try to set the medium type if there is no change (bug\n #13850) API: fixed initialization of SAS controllers\n (bug #15972) Linux hosts: don't use 32-bit legacy\n capabilities Linux hosts / guests: fix for kernels with\n CONFIG_CPUMASK_OFFSTACK set (bug #16020) Linux\n Additions: several fixes for X11 guests running non-root\n X servers Linux Additions: fix for Linux 4.7 (bug\n #15769) Linux Additions: fix for the display kmod driver\n with Linux 4.8 (bugs #15890 and #15896) Windows\n Additions: auto-resizing fixes for Windows 10 guests\n (bug #15257) Windows Additions: fixes for arranging the\n guest screens in multi-screen scenarios Windows\n Additions / VGA: if the guest's power management turns a\n virtual screen off, blank the corresponding VM window\n rather than hide the VM window Windows Additions: fixed\n a generic bug which could lead to freezing shared\n folders (bug #15662) \n\n - Modify virtualbox-guest-preamble and\n virtualbox-host-preamble to obsolete old versions of the\n kernel modules. This change should fix the problem in\n (boo#983629).\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1005621\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=983629\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected virtualbox packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:python-virtualbox\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:python-virtualbox-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:virtualbox\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:virtualbox-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:virtualbox-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:virtualbox-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:virtualbox-guest-desktop-icons\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:virtualbox-guest-kmp-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:virtualbox-guest-kmp-default-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:virtualbox-guest-kmp-desktop\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:virtualbox-guest-kmp-desktop-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:virtualbox-guest-kmp-pae\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:virtualbox-guest-kmp-pae-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:virtualbox-guest-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:virtualbox-guest-tools-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:virtualbox-guest-x11\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:virtualbox-guest-x11-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:virtualbox-host-kmp-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:virtualbox-host-kmp-default-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:virtualbox-host-kmp-desktop\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:virtualbox-host-kmp-desktop-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:virtualbox-host-kmp-pae\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:virtualbox-host-kmp-pae-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:virtualbox-host-source\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:virtualbox-qt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:virtualbox-qt-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:virtualbox-websrv\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:virtualbox-websrv-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:13.2\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/10/25\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/10/27\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016 Tenable Network Security, Inc.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE13\\.2)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"13.2\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE13.2\", reference:\"python-virtualbox-5.0.28-54.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"python-virtualbox-debuginfo-5.0.28-54.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"virtualbox-5.0.28-54.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"virtualbox-debuginfo-5.0.28-54.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"virtualbox-debugsource-5.0.28-54.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"virtualbox-devel-5.0.28-54.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"virtualbox-guest-desktop-icons-5.0.28-54.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"virtualbox-guest-kmp-default-5.0.28_k3.16.7_42-54.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"virtualbox-guest-kmp-default-debuginfo-5.0.28_k3.16.7_42-54.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"virtualbox-guest-kmp-desktop-5.0.28_k3.16.7_42-54.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"virtualbox-guest-kmp-desktop-debuginfo-5.0.28_k3.16.7_42-54.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"virtualbox-guest-kmp-pae-5.0.28_k3.16.7_42-54.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"virtualbox-guest-kmp-pae-debuginfo-5.0.28_k3.16.7_42-54.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"virtualbox-guest-tools-5.0.28-54.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"virtualbox-guest-tools-debuginfo-5.0.28-54.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"virtualbox-guest-x11-5.0.28-54.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"virtualbox-guest-x11-debuginfo-5.0.28-54.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"virtualbox-host-kmp-default-5.0.28_k3.16.7_42-54.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"virtualbox-host-kmp-default-debuginfo-5.0.28_k3.16.7_42-54.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"virtualbox-host-kmp-desktop-5.0.28_k3.16.7_42-54.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"virtualbox-host-kmp-desktop-debuginfo-5.0.28_k3.16.7_42-54.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"virtualbox-host-kmp-pae-5.0.28_k3.16.7_42-54.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"virtualbox-host-kmp-pae-debuginfo-5.0.28_k3.16.7_42-54.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"virtualbox-host-source-5.0.28-54.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"virtualbox-qt-5.0.28-54.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"virtualbox-qt-debuginfo-5.0.28-54.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"virtualbox-websrv-5.0.28-54.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"virtualbox-websrv-debuginfo-5.0.28-54.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"python-virtualbox / python-virtualbox-debuginfo / virtualbox / etc\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-09-01T23:34:30", "references": ["https://bugzilla.opensuse.org/show_bug.cgi?id=1005621"], "pluginID": "95378", "description": "This update for virtualbox fixes the following issues :\n\n - Fixes CVE-2016-5501,CVE-2016-5538,CVE-2016-5605,CVE-2016-5608, CVE-2016-5610,CVE-2016-5611,CVE-2016-5613 (bsc#1005621)\n\n - Add patch to limit number of simultaneous make jobs.\n\n - Version bump to 5.1.8 (released 2016-10-18 by Oracle) This is a maintenance release. The following items were fixed and/or added: GUI: fixed keyboard shortcut handling regressions (Mac OS X hosts only; bugs #15937 and #15938) GUI: fixed keyboard handling regression for separate UI (Windows hosts only; bugs #15928) NAT: don't exceed the maximum number of 'search' suffixes. Patch from bug #15948. NAT: fixed parsing of port-forwarding rules with a name which contains a slash (bug #16002) NAT Network: when the host has only loopback nameserver that cannot be mapped to the guests (e.g. dnsmasq running on 127.0.1.1), make DHCP supply NAT Network DNS proxy as nameserver. Bridged Network: prevent flooding syslog with packet allocation error messages (bug #15569) Audio: now using Audio Queues on Mac OS X hosts Audio: fixed recording with the PulseAudio backend (5.1 regression) Audio: various bugfixes Snapshots: fixed regression in 5.1.4 for deleting snapshots with several disks (bug #15831) Snapshots: crash fix and better error reporting when snapshot deletion failed Storage: some fixes for the NVMe emulation with Windows guests API:\n fixed initialization of SAS controllers (bug #15972) Build system: make it possible to build VBox on systems which default to Python 3 Windows Additions / VGA: if the guest's power management turns a virtual screen off, blank the corresponding VM window rather than hide the window Windows Additions: fixed a generic bug which could lead to freezing shared folders (bug #15662) Linux hosts / guests: fix for kernels with CONFIG_CPUMASK_OFFSTACK set (bug #16020) Linux Additions: don't require all virtual consoles be in text mode. This should fix cases when the guest is booted with a graphical boot screen (bug #15683) Linux Additions: added depmod overrides for the vboxguest and vboxsf kernel modules to fix conflicts with modules shipped by certain Linux distributions X11 Additions:\n disable 3D on the guest if the host does not provide enough capabilities (bug #15860) \n\n - Builds keep running out of memory when building the web server part of the package. To help the memory pressure, I have forced make to run with '-j2', rather than use the number of processors. Such a change will slow the build, but will result in a higher rate of success.\n\n - Increase memory allowed in build to 10000 MB.\n\n - Remove file 'fix_removal_of_DEFINE_PCI_DEVICE_TABLE' - fixed upstream.\n\n - Version bump to 5.1.6 (released 2016-09-12 by Oracle) This is a maintenance release. The following items were fixed and/or added: GUI: fixed issue with opening '.vbox' files and it's aliases GUI: keyboard grabbing fixes (bugs #15771 and #15745) GUI: fix for passing through Ctrl + mouse-click (Mac OS X hosts only; bug #15714) GUI: fixed automatic deletion of extension pack files (bugs #11352 and #14742) USB: fixed showing unknown device instead of the manufacturer or product description under certain circumstances (5.1.0 regression; bug #15764) XHCI: another fix for a hanging guest under certain conditions as result of the fix for bug #15747, this time for Windows 7 guests Serial: fixed high CPU usage with certain USB to serial converters on Linux hosts (bug #7796) Storage: fixed attaching stream optimized VMDK images (bug #14764) Storage: reject image variants which are unsupported by the backend (bug #7227) Storage: fixed loading saved states created with VirtualBox 5.0.10 and older when using a SCSI controller (bug #15865) Storage: fixed broken NVMe emulation if the host I/O cache setting is enabled Storage: fixed using multiple NVMe controllers if ICH9 is used NVMe: fixed a crash during reset which could happen under certain circumstances Audio: fixed microphone input (5.1.2 regression; bugs #14386 and #15802) Audio: fixed crashes under certain conditions (5.1.0 regression; bug #15887 and others) Audio: fixed recording with the ALSA backend (5.1 regression) Audio: fixed stream access mode with OSS backend (5.1 regression, thanks to Jung-uk Kim) E1000: do also return masked bits when reading the ICR register, this fixes booting from iPXE (5.1.2 regression; bug #15846) BIOS: fixed 4bpp scanline calculation (bug #15787) API: relax the check for the version attribute in OVF/OVA appliances (bug #15856) Windows hosts: fixed crashes when terminating the VM selector or other VBox COM clients (bug #15726 and others) Linux Installer: fixed path to the documentation in .rpm packages (5.1.0 regression) Linux Installer:\n fixed the vboxdrv.sh script to prevent an SELinux complaint (bug #15816) Linux hosts: don't use 32-bit legacy capabilities Linux Additions: Linux 4.8 fix for the kernel display driver (bugs #15890 and #15896) Linux Additions: don't load the kernel modules provided by the Linux distribution but load the kernel modules from the official Guest Additions package instead (bug #15324) Linux Additions: fix dynamic resizing problems in recent Linux guests (bug #15875) User Manual: fixed error in the VBoxManage chapter for the getextradata enumerate example (bug #15862) \n\n - Add file 'fix_removal_of_DEFINE_PCI_DEVICE_TABLE' to compile on kernel 4.8.", "edition": 4, "reporter": "Tenable", "published": "2016-11-29T00:00:00", "title": "openSUSE Security Update : virtualbox (openSUSE-2016-1366)", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "naslFamily": "SuSE Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-5611", "CVE-2016-5608", "CVE-2016-5610", "CVE-2016-5605", "CVE-2016-5538", "CVE-2016-5613", "CVE-2016-5501"], "modified": "2016-11-29T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:virtualbox-qt-debuginfo", "p-cpe:/a:novell:opensuse:virtualbox-guest-tools", "p-cpe:/a:novell:opensuse:virtualbox-qt", "p-cpe:/a:novell:opensuse:virtualbox-guest-kmp-default-debuginfo", "p-cpe:/a:novell:opensuse:virtualbox-debugsource", "p-cpe:/a:novell:opensuse:python-virtualbox", "p-cpe:/a:novell:opensuse:virtualbox-websrv-debuginfo", "p-cpe:/a:novell:opensuse:virtualbox-guest-x11-debuginfo", "p-cpe:/a:novell:opensuse:virtualbox-guest-kmp-default", "p-cpe:/a:novell:opensuse:python-virtualbox-debuginfo", "p-cpe:/a:novell:opensuse:virtualbox-host-kmp-default", "p-cpe:/a:novell:opensuse:virtualbox-host-kmp-default-debuginfo", "p-cpe:/a:novell:opensuse:virtualbox-guest-tools-debuginfo", "p-cpe:/a:novell:opensuse:virtualbox-websrv", "cpe:/o:novell:opensuse:42.2", "p-cpe:/a:novell:opensuse:virtualbox-guest-x11", "p-cpe:/a:novell:opensuse:virtualbox-host-source", "p-cpe:/a:novell:opensuse:virtualbox-debuginfo", "p-cpe:/a:novell:opensuse:virtualbox-devel", "p-cpe:/a:novell:opensuse:virtualbox", "p-cpe:/a:novell:opensuse:virtualbox-guest-desktop-icons"], "id": "OPENSUSE-2016-1366.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=95378", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2016-1366.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(95378);\n script_version(\"$Revision: 3.1 $\");\n script_cvs_date(\"$Date: 2016/11/29 14:25:51 $\");\n\n script_cve_id(\"CVE-2016-5501\", \"CVE-2016-5538\", \"CVE-2016-5605\", \"CVE-2016-5608\", \"CVE-2016-5610\", \"CVE-2016-5611\", \"CVE-2016-5613\");\n\n script_name(english:\"openSUSE Security Update : virtualbox (openSUSE-2016-1366)\");\n script_summary(english:\"Check for the openSUSE-2016-1366 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for virtualbox fixes the following issues :\n\n - Fixes\n CVE-2016-5501,CVE-2016-5538,CVE-2016-5605,CVE-2016-5608,\n CVE-2016-5610,CVE-2016-5611,CVE-2016-5613 (bsc#1005621)\n\n - Add patch to limit number of simultaneous make jobs.\n\n - Version bump to 5.1.8 (released 2016-10-18 by Oracle)\n This is a maintenance release. The following items were\n fixed and/or added: GUI: fixed keyboard shortcut\n handling regressions (Mac OS X hosts only; bugs #15937\n and #15938) GUI: fixed keyboard handling regression for\n separate UI (Windows hosts only; bugs #15928) NAT: don't\n exceed the maximum number of 'search' suffixes. Patch\n from bug #15948. NAT: fixed parsing of port-forwarding\n rules with a name which contains a slash (bug #16002)\n NAT Network: when the host has only loopback nameserver\n that cannot be mapped to the guests (e.g. dnsmasq\n running on 127.0.1.1), make DHCP supply NAT Network DNS\n proxy as nameserver. Bridged Network: prevent flooding\n syslog with packet allocation error messages (bug\n #15569) Audio: now using Audio Queues on Mac OS X hosts\n Audio: fixed recording with the PulseAudio backend (5.1\n regression) Audio: various bugfixes Snapshots: fixed\n regression in 5.1.4 for deleting snapshots with several\n disks (bug #15831) Snapshots: crash fix and better error\n reporting when snapshot deletion failed Storage: some\n fixes for the NVMe emulation with Windows guests API:\n fixed initialization of SAS controllers (bug #15972)\n Build system: make it possible to build VBox on systems\n which default to Python 3 Windows Additions / VGA: if\n the guest's power management turns a virtual screen off,\n blank the corresponding VM window rather than hide the\n window Windows Additions: fixed a generic bug which\n could lead to freezing shared folders (bug #15662) Linux\n hosts / guests: fix for kernels with\n CONFIG_CPUMASK_OFFSTACK set (bug #16020) Linux\n Additions: don't require all virtual consoles be in text\n mode. This should fix cases when the guest is booted\n with a graphical boot screen (bug #15683) Linux\n Additions: added depmod overrides for the vboxguest and\n vboxsf kernel modules to fix conflicts with modules\n shipped by certain Linux distributions X11 Additions:\n disable 3D on the guest if the host does not provide\n enough capabilities (bug #15860) \n\n - Builds keep running out of memory when building the web\n server part of the package. To help the memory pressure,\n I have forced make to run with '-j2', rather than use\n the number of processors. Such a change will slow the\n build, but will result in a higher rate of success.\n\n - Increase memory allowed in build to 10000 MB.\n\n - Remove file 'fix_removal_of_DEFINE_PCI_DEVICE_TABLE' -\n fixed upstream.\n\n - Version bump to 5.1.6 (released 2016-09-12 by Oracle)\n This is a maintenance release. The following items were\n fixed and/or added: GUI: fixed issue with opening\n '.vbox' files and it's aliases GUI: keyboard grabbing\n fixes (bugs #15771 and #15745) GUI: fix for passing\n through Ctrl + mouse-click (Mac OS X hosts only; bug\n #15714) GUI: fixed automatic deletion of extension pack\n files (bugs #11352 and #14742) USB: fixed showing\n unknown device instead of the manufacturer or product\n description under certain circumstances (5.1.0\n regression; bug #15764) XHCI: another fix for a hanging\n guest under certain conditions as result of the fix for\n bug #15747, this time for Windows 7 guests Serial: fixed\n high CPU usage with certain USB to serial converters on\n Linux hosts (bug #7796) Storage: fixed attaching stream\n optimized VMDK images (bug #14764) Storage: reject image\n variants which are unsupported by the backend (bug\n #7227) Storage: fixed loading saved states created with\n VirtualBox 5.0.10 and older when using a SCSI controller\n (bug #15865) Storage: fixed broken NVMe emulation if the\n host I/O cache setting is enabled Storage: fixed using\n multiple NVMe controllers if ICH9 is used NVMe: fixed a\n crash during reset which could happen under certain\n circumstances Audio: fixed microphone input (5.1.2\n regression; bugs #14386 and #15802) Audio: fixed crashes\n under certain conditions (5.1.0 regression; bug #15887\n and others) Audio: fixed recording with the ALSA backend\n (5.1 regression) Audio: fixed stream access mode with\n OSS backend (5.1 regression, thanks to Jung-uk Kim)\n E1000: do also return masked bits when reading the ICR\n register, this fixes booting from iPXE (5.1.2\n regression; bug #15846) BIOS: fixed 4bpp scanline\n calculation (bug #15787) API: relax the check for the\n version attribute in OVF/OVA appliances (bug #15856)\n Windows hosts: fixed crashes when terminating the VM\n selector or other VBox COM clients (bug #15726 and\n others) Linux Installer: fixed path to the documentation\n in .rpm packages (5.1.0 regression) Linux Installer:\n fixed the vboxdrv.sh script to prevent an SELinux\n complaint (bug #15816) Linux hosts: don't use 32-bit\n legacy capabilities Linux Additions: Linux 4.8 fix for\n the kernel display driver (bugs #15890 and #15896) Linux\n Additions: don't load the kernel modules provided by the\n Linux distribution but load the kernel modules from the\n official Guest Additions package instead (bug #15324)\n Linux Additions: fix dynamic resizing problems in recent\n Linux guests (bug #15875) User Manual: fixed error in\n the VBoxManage chapter for the getextradata enumerate\n example (bug #15862) \n\n - Add file 'fix_removal_of_DEFINE_PCI_DEVICE_TABLE' to\n compile on kernel 4.8.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1005621\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected virtualbox packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:python-virtualbox\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:python-virtualbox-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:virtualbox\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:virtualbox-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:virtualbox-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:virtualbox-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:virtualbox-guest-desktop-icons\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:virtualbox-guest-kmp-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:virtualbox-guest-kmp-default-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:virtualbox-guest-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:virtualbox-guest-tools-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:virtualbox-guest-x11\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:virtualbox-guest-x11-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:virtualbox-host-kmp-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:virtualbox-host-kmp-default-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:virtualbox-host-source\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:virtualbox-qt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:virtualbox-qt-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:virtualbox-websrv\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:virtualbox-websrv-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:42.2\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/11/28\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/11/29\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016 Tenable Network Security, Inc.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE42\\.2)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"42.2\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(x86_64)$\") audit(AUDIT_ARCH_NOT, \"x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE42.2\", reference:\"python-virtualbox-5.1.8-3.3\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"python-virtualbox-debuginfo-5.1.8-3.3\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"virtualbox-5.1.8-3.3\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"virtualbox-debuginfo-5.1.8-3.3\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"virtualbox-debugsource-5.1.8-3.3\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"virtualbox-devel-5.1.8-3.3\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"virtualbox-guest-desktop-icons-5.1.8-3.3\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"virtualbox-guest-kmp-default-5.1.8_k4.4.27_2-3.3\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"virtualbox-guest-kmp-default-debuginfo-5.1.8_k4.4.27_2-3.3\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"virtualbox-guest-tools-5.1.8-3.3\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"virtualbox-guest-tools-debuginfo-5.1.8-3.3\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"virtualbox-guest-x11-5.1.8-3.3\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"virtualbox-guest-x11-debuginfo-5.1.8-3.3\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"virtualbox-host-kmp-default-5.1.8_k4.4.27_2-3.3\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"virtualbox-host-kmp-default-debuginfo-5.1.8_k4.4.27_2-3.3\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"virtualbox-host-source-5.1.8-3.3\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"virtualbox-qt-5.1.8-3.3\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"virtualbox-qt-debuginfo-5.1.8-3.3\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"virtualbox-websrv-5.1.8-3.3\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"virtualbox-websrv-debuginfo-5.1.8-3.3\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"python-virtualbox / python-virtualbox-debuginfo / virtualbox / etc\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-09-01T23:56:25", "references": ["https://bugzilla.opensuse.org/show_bug.cgi?id=1014694", "http://www.nessus.org/u?6c5e689a", "https://bugzilla.opensuse.org/show_bug.cgi?id=1018340", "https://bugzilla.opensuse.org/show_bug.cgi?id=1005621"], "pluginID": "96750", "description": "This update for virtualbox fixes the following issues :\n\n - The version has been updated from 5.1.8 to 5.1.12.\n Upstream fixed various functional and security issues.\n\n - Multiple security issues have been fixed that could cause DoS and possibly privilege escalation (CVE-2016-5501,CVE-2016-5538,CVE-2016-5605,CVE-2016-5608 ,CVE-2016-5610, CVE-2016-5611,CVE-2016-561313, boo#1005621)\n\n - A security warning regarding USB passthru has been added. It will be shown only the first time virtualbox is started. (bnc#1018340)\n\n - Reverted a previously introduced user interface scaling change, because it caused problems (https://forums.opensuse.org/showthread.php/521520-Virtu alBox-interface-scaling, bsc#1014694)", "edition": 4, "reporter": "Tenable", "published": "2017-01-25T00:00:00", "title": "openSUSE Security Update : virtualbox (openSUSE-2017-141)", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "naslFamily": "SuSE Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-5611", "CVE-2016-5608", "CVE-2016-5610", "CVE-2016-5605", "CVE-2016-5538", "CVE-2016-5501", "CVE-2016-561313"], "modified": "2017-01-25T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:virtualbox-qt-debuginfo", "p-cpe:/a:novell:opensuse:virtualbox-guest-tools", "p-cpe:/a:novell:opensuse:virtualbox-qt", "p-cpe:/a:novell:opensuse:virtualbox-guest-kmp-default-debuginfo", "p-cpe:/a:novell:opensuse:virtualbox-debugsource", "p-cpe:/a:novell:opensuse:python-virtualbox", "p-cpe:/a:novell:opensuse:virtualbox-websrv-debuginfo", "p-cpe:/a:novell:opensuse:virtualbox-guest-x11-debuginfo", "p-cpe:/a:novell:opensuse:virtualbox-guest-kmp-default", "p-cpe:/a:novell:opensuse:python-virtualbox-debuginfo", "p-cpe:/a:novell:opensuse:virtualbox-host-kmp-default", "p-cpe:/a:novell:opensuse:virtualbox-host-kmp-default-debuginfo", "p-cpe:/a:novell:opensuse:virtualbox-guest-tools-debuginfo", "p-cpe:/a:novell:opensuse:virtualbox-websrv", "cpe:/o:novell:opensuse:42.2", "p-cpe:/a:novell:opensuse:virtualbox-guest-x11", "p-cpe:/a:novell:opensuse:virtualbox-host-source", "p-cpe:/a:novell:opensuse:virtualbox-debuginfo", "p-cpe:/a:novell:opensuse:virtualbox-devel", "p-cpe:/a:novell:opensuse:virtualbox", "p-cpe:/a:novell:opensuse:virtualbox-guest-desktop-icons"], "id": "OPENSUSE-2017-141.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=96750", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2017-141.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(96750);\n script_version(\"$Revision: 3.1 $\");\n script_cvs_date(\"$Date: 2017/01/25 14:53:04 $\");\n\n script_cve_id(\"CVE-2016-5501\", \"CVE-2016-5538\", \"CVE-2016-5605\", \"CVE-2016-5608\", \"CVE-2016-5610\", \"CVE-2016-5611\", \"CVE-2016-561313\");\n\n script_name(english:\"openSUSE Security Update : virtualbox (openSUSE-2017-141)\");\n script_summary(english:\"Check for the openSUSE-2017-141 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for virtualbox fixes the following issues :\n\n - The version has been updated from 5.1.8 to 5.1.12.\n Upstream fixed various functional and security issues.\n\n - Multiple security issues have been fixed that could\n cause DoS and possibly privilege escalation\n (CVE-2016-5501,CVE-2016-5538,CVE-2016-5605,CVE-2016-5608\n ,CVE-2016-5610, CVE-2016-5611,CVE-2016-561313,\n boo#1005621)\n\n - A security warning regarding USB passthru has been\n added. It will be shown only the first time virtualbox\n is started. (bnc#1018340)\n\n - Reverted a previously introduced user interface scaling\n change, because it caused problems\n (https://forums.opensuse.org/showthread.php/521520-Virtu\n alBox-interface-scaling, bsc#1014694)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1005621\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1014694\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1018340\"\n );\n # https://forums.opensuse.org/showthread.php/521520-VirtualBox-interface-scaling,\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?6c5e689a\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected virtualbox packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:python-virtualbox\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:python-virtualbox-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:virtualbox\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:virtualbox-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:virtualbox-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:virtualbox-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:virtualbox-guest-desktop-icons\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:virtualbox-guest-kmp-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:virtualbox-guest-kmp-default-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:virtualbox-guest-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:virtualbox-guest-tools-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:virtualbox-guest-x11\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:virtualbox-guest-x11-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:virtualbox-host-kmp-default\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:virtualbox-host-kmp-default-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:virtualbox-host-source\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:virtualbox-qt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:virtualbox-qt-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:virtualbox-websrv\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:virtualbox-websrv-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:42.2\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/01/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/01/25\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017 Tenable Network Security, Inc.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE42\\.2)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"42.2\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(x86_64)$\") audit(AUDIT_ARCH_NOT, \"x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE42.2\", reference:\"python-virtualbox-5.1.12-6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"python-virtualbox-debuginfo-5.1.12-6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"virtualbox-5.1.12-6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"virtualbox-debuginfo-5.1.12-6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"virtualbox-debugsource-5.1.12-6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"virtualbox-devel-5.1.12-6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"virtualbox-guest-desktop-icons-5.1.12-6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"virtualbox-guest-kmp-default-5.1.12_k4.4.36_8-6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"virtualbox-guest-kmp-default-debuginfo-5.1.12_k4.4.36_8-6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"virtualbox-guest-tools-5.1.12-6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"virtualbox-guest-tools-debuginfo-5.1.12-6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"virtualbox-guest-x11-5.1.12-6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"virtualbox-guest-x11-debuginfo-5.1.12-6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"virtualbox-host-kmp-default-5.1.12_k4.4.36_8-6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"virtualbox-host-kmp-default-debuginfo-5.1.12_k4.4.36_8-6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"virtualbox-host-source-5.1.12-6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"virtualbox-qt-5.1.12-6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"virtualbox-qt-debuginfo-5.1.12-6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"virtualbox-websrv-5.1.12-6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"virtualbox-websrv-debuginfo-5.1.12-6.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"python-virtualbox / python-virtualbox-debuginfo / virtualbox / etc\");\n}\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-09-01T23:33:06", "references": ["https://www.openssl.org/news/secadv/20160926.txt", "https://alas.aws.amazon.com/ALAS-2016-749.html", "https://www.openssl.org/news/secadv/20160922.txt"], "pluginID": "93665", "description": "A memory leak flaw was found in the way OpenSSL handled TLS status request extension data during session renegotiation. A remote attacker could cause a TLS server using OpenSSL to consume an excessive amount of memory and, possibly, exit unexpectedly after exhausting all available memory, if it enabled OCSP stapling support.\n\nThe OpenSSL Security Advisory [22 Sep 2016] refers to additional CVEs.\nCVE-2016-6305 does not affect OpenSSL 1.0.1. The remaining CVEs listed will be fixed in a later update.\n\nThe OpenSSL Security Advisory [26 Sep 2016] refers to two additional CVEs which do not affect OpenSSL 1.0.1.\n\n(Updated 2016-09-26: Included a reference to the 26 Sep 2016 upstream advisory.)", "edition": 9, "reporter": "Tenable", "published": "2016-09-23T00:00:00", "title": "Amazon Linux AMI : openssl (ALAS-2016-749)", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "naslFamily": "Amazon Linux Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-6304"], "modified": "2018-04-18T00:00:00", "cpe": ["p-cpe:/a:amazon:linux:openssl-devel", "p-cpe:/a:amazon:linux:openssl", "p-cpe:/a:amazon:linux:openssl-debuginfo", "p-cpe:/a:amazon:linux:openssl-perl", "p-cpe:/a:amazon:linux:openssl-static", "cpe:/o:amazon:linux"], "id": "ALA_ALAS-2016-749.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=93665", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Amazon Linux AMI Security Advisory ALAS-2016-749.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(93665);\n script_version(\"2.6\");\n script_cvs_date(\"Date: 2018/04/18 15:09:36\");\n\n script_cve_id(\"CVE-2016-6304\");\n script_xref(name:\"ALAS\", value:\"2016-749\");\n\n script_name(english:\"Amazon Linux AMI : openssl (ALAS-2016-749)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Amazon Linux AMI host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"A memory leak flaw was found in the way OpenSSL handled TLS status\nrequest extension data during session renegotiation. A remote attacker\ncould cause a TLS server using OpenSSL to consume an excessive amount\nof memory and, possibly, exit unexpectedly after exhausting all\navailable memory, if it enabled OCSP stapling support.\n\nThe OpenSSL Security Advisory [22 Sep 2016] refers to additional CVEs.\nCVE-2016-6305 does not affect OpenSSL 1.0.1. The remaining CVEs listed\nwill be fixed in a later update.\n\nThe OpenSSL Security Advisory [26 Sep 2016] refers to two additional\nCVEs which do not affect OpenSSL 1.0.1.\n\n(Updated 2016-09-26: Included a reference to the 26 Sep 2016 upstream\nadvisory.)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.openssl.org/news/secadv/20160922.txt\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.openssl.org/news/secadv/20160926.txt\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://alas.aws.amazon.com/ALAS-2016-749.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Run 'yum update openssl' to update your system.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:openssl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:openssl-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:openssl-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:openssl-perl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:openssl-static\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:amazon:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/09/22\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/09/23\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Amazon Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/AmazonLinux/release\", \"Host/AmazonLinux/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/AmazonLinux/release\");\nif (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, \"Amazon Linux\");\nos_ver = pregmatch(pattern: \"^AL(A|\\d)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Amazon Linux\");\nos_ver = os_ver[1];\nif (os_ver != \"A\")\n{\n if (os_ver == 'A') os_ver = 'AMI';\n audit(AUDIT_OS_NOT, \"Amazon Linux AMI\", \"Amazon Linux \" + os_ver);\n}\n\nif (!get_kb_item(\"Host/AmazonLinux/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (rpm_check(release:\"ALA\", reference:\"openssl-1.0.1k-15.95.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"openssl-debuginfo-1.0.1k-15.95.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"openssl-devel-1.0.1k-15.95.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"openssl-perl-1.0.1k-15.95.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"openssl-static-1.0.1k-15.95.amzn1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"openssl / openssl-debuginfo / openssl-devel / openssl-perl / etc\");\n}\n", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2018-11-13T17:06:47", "references": ["https://access.redhat.com/errata/RHSA-2016:2802", "https://www.openssl.org/news/secadv/20160922.txt", "https://access.redhat.com/security/cve/cve-2016-6304"], "pluginID": "94937", "description": "An update for openssl is now available for Red Hat Enterprise Linux 6.2 Advanced Update Support, Red Hat Enterprise Linux 6.4 Advanced Update Support, Red Hat Enterprise Linux 6.5 Advanced Update Support, Red Hat Enterprise Linux 6.5 Telco Extended Update Support, Red Hat Enterprise Linux 6.6 Advanced Update Support, Red Hat Enterprise Linux 6.6 Telco Extended Update Support, and Red Hat Enterprise Linux 6.7 Extended Update Support.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.\n\nOpenSSL is a toolkit that implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, as well as a full-strength general-purpose cryptography library.\n\nSecurity Fix(es) :\n\n* A memory leak flaw was found in the way OpenSSL handled TLS status request extension data during session renegotiation. A remote attacker could cause a TLS server using OpenSSL to consume an excessive amount of memory and, possibly, exit unexpectedly after exhausting all available memory, if it enabled OCSP stapling support. (CVE-2016-6304)\n\nRed Hat would like to thank the OpenSSL project for reporting this issue. Upstream acknowledges Shi Lei (Gear Team of Qihoo 360 Inc.) as the original reporter.", "edition": 9, "reporter": "Tenable", "published": "2016-11-17T00:00:00", "title": "RHEL 6 : openssl (RHSA-2016:2802)", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "naslFamily": "Red Hat Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-6304"], "modified": "2018-11-10T00:00:00", "cpe": ["cpe:/o:redhat:enterprise_linux:6.7", "p-cpe:/a:redhat:enterprise_linux:openssl-static", "cpe:/o:redhat:enterprise_linux:6.5", "p-cpe:/a:redhat:enterprise_linux:openssl-debuginfo", "cpe:/o:redhat:enterprise_linux:6.4", "cpe:/o:redhat:enterprise_linux:6.6", "p-cpe:/a:redhat:enterprise_linux:openssl-perl", "p-cpe:/a:redhat:enterprise_linux:openssl", "cpe:/o:redhat:enterprise_linux:6.2", "p-cpe:/a:redhat:enterprise_linux:openssl-devel"], "id": "REDHAT-RHSA-2016-2802.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=94937", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2016:2802. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(94937);\n script_version(\"3.7\");\n script_cvs_date(\"Date: 2018/11/10 11:49:55\");\n\n script_cve_id(\"CVE-2016-6304\");\n script_xref(name:\"RHSA\", value:\"2016:2802\");\n\n script_name(english:\"RHEL 6 : openssl (RHSA-2016:2802)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"An update for openssl is now available for Red Hat Enterprise Linux\n6.2 Advanced Update Support, Red Hat Enterprise Linux 6.4 Advanced\nUpdate Support, Red Hat Enterprise Linux 6.5 Advanced Update Support,\nRed Hat Enterprise Linux 6.5 Telco Extended Update Support, Red Hat\nEnterprise Linux 6.6 Advanced Update Support, Red Hat Enterprise Linux\n6.6 Telco Extended Update Support, and Red Hat Enterprise Linux 6.7\nExtended Update Support.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nOpenSSL is a toolkit that implements the Secure Sockets Layer (SSL)\nand Transport Layer Security (TLS) protocols, as well as a\nfull-strength general-purpose cryptography library.\n\nSecurity Fix(es) :\n\n* A memory leak flaw was found in the way OpenSSL handled TLS status\nrequest extension data during session renegotiation. A remote attacker\ncould cause a TLS server using OpenSSL to consume an excessive amount\nof memory and, possibly, exit unexpectedly after exhausting all\navailable memory, if it enabled OCSP stapling support. (CVE-2016-6304)\n\nRed Hat would like to thank the OpenSSL project for reporting this\nissue. Upstream acknowledges Shi Lei (Gear Team of Qihoo 360 Inc.) as\nthe original reporter.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.openssl.org/news/secadv/20160922.txt\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2016:2802\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2016-6304\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:openssl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:openssl-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:openssl-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:openssl-perl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:openssl-static\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6.2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6.4\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6.5\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6.6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6.7\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/11/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/11/17\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = eregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^(6\\.2|6\\.4|6\\.5|6\\.6|6\\.7)([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 6.2 / 6.4 / 6.5 / 6.6 / 6.7\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2016:2802\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{ sp = get_kb_item(\"Host/RedHat/minor_release\");\n if (isnull(sp)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\n\n flag = 0;\n if (rpm_check(release:\"RHEL6\", sp:\"7\", reference:\"openssl-1.0.1e-42.el6_7.6\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"6\", cpu:\"i686\", reference:\"openssl-1.0.1e-30.el6_6.13\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"4\", cpu:\"i686\", reference:\"openssl-1.0.0-27.el6_4.6\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"i686\", reference:\"openssl-1.0.0-20.el6_2.9\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"5\", cpu:\"i686\", reference:\"openssl-1.0.1e-16.el6_5.17\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"6\", cpu:\"x86_64\", reference:\"openssl-1.0.1e-30.el6_6.13\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"4\", cpu:\"x86_64\", reference:\"openssl-1.0.0-27.el6_4.6\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"x86_64\", reference:\"openssl-1.0.0-20.el6_2.9\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"5\", cpu:\"x86_64\", reference:\"openssl-1.0.1e-16.el6_5.17\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"7\", reference:\"openssl-debuginfo-1.0.1e-42.el6_7.6\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"6\", cpu:\"i686\", reference:\"openssl-debuginfo-1.0.1e-30.el6_6.13\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"4\", cpu:\"i686\", reference:\"openssl-debuginfo-1.0.0-27.el6_4.6\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"i686\", reference:\"openssl-debuginfo-1.0.0-20.el6_2.9\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"5\", cpu:\"i686\", reference:\"openssl-debuginfo-1.0.1e-16.el6_5.17\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"6\", cpu:\"x86_64\", reference:\"openssl-debuginfo-1.0.1e-30.el6_6.13\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"4\", cpu:\"x86_64\", reference:\"openssl-debuginfo-1.0.0-27.el6_4.6\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"x86_64\", reference:\"openssl-debuginfo-1.0.0-20.el6_2.9\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"5\", cpu:\"x86_64\", reference:\"openssl-debuginfo-1.0.1e-16.el6_5.17\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"7\", reference:\"openssl-devel-1.0.1e-42.el6_7.6\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"6\", cpu:\"i686\", reference:\"openssl-devel-1.0.1e-30.el6_6.13\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"4\", cpu:\"i686\", reference:\"openssl-devel-1.0.0-27.el6_4.6\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"i686\", reference:\"openssl-devel-1.0.0-20.el6_2.9\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"5\", cpu:\"i686\", reference:\"openssl-devel-1.0.1e-16.el6_5.17\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"6\", cpu:\"x86_64\", reference:\"openssl-devel-1.0.1e-30.el6_6.13\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"4\", cpu:\"x86_64\", reference:\"openssl-devel-1.0.0-27.el6_4.6\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"x86_64\", reference:\"openssl-devel-1.0.0-20.el6_2.9\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"5\", cpu:\"x86_64\", reference:\"openssl-devel-1.0.1e-16.el6_5.17\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"7\", cpu:\"i686\", reference:\"openssl-perl-1.0.1e-42.el6_7.6\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"7\", cpu:\"s390x\", reference:\"openssl-perl-1.0.1e-42.el6_7.6\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"6\", cpu:\"x86_64\", reference:\"openssl-perl-1.0.1e-30.el6_6.13\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"4\", cpu:\"x86_64\", reference:\"openssl-perl-1.0.0-27.el6_4.6\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"7\", cpu:\"x86_64\", reference:\"openssl-perl-1.0.1e-42.el6_7.6\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"x86_64\", reference:\"openssl-perl-1.0.0-20.el6_2.9\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"5\", cpu:\"x86_64\", reference:\"openssl-perl-1.0.1e-16.el6_5.17\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"7\", cpu:\"i686\", reference:\"openssl-static-1.0.1e-42.el6_7.6\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"7\", cpu:\"s390x\", reference:\"openssl-static-1.0.1e-42.el6_7.6\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"6\", cpu:\"x86_64\", reference:\"openssl-static-1.0.1e-30.el6_6.13\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"4\", cpu:\"x86_64\", reference:\"openssl-static-1.0.0-27.el6_4.6\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"7\", cpu:\"x86_64\", reference:\"openssl-static-1.0.1e-42.el6_7.6\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"2\", cpu:\"x86_64\", reference:\"openssl-static-1.0.0-20.el6_2.9\")) flag++;\n if (rpm_check(release:\"RHEL6\", sp:\"5\", cpu:\"x86_64\", reference:\"openssl-static-1.0.1e-16.el6_5.17\")) flag++;\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"openssl / openssl-debuginfo / openssl-devel / openssl-perl / etc\");\n }\n}\n", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2018-09-01T23:53:26", "references": ["https://support.f5.com/csp/#/article/K54211024"], "pluginID": "94479", "description": "Multiple memory leaks in t1_lib.c in OpenSSL before 1.0.1u, 1.0.2 before 1.0.2i, and 1.1.0 before 1.1.0a allow remote attackers to cause a denial of service (memory consumption) via large OCSP Status Request extensions. (CVE-2016-6304)", "edition": 15, "reporter": "Tenable", "published": "2016-11-03T00:00:00", "title": "F5 Networks BIG-IP : OpenSSL vulnerability (K54211024)", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "naslFamily": "F5 Networks Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-6304"], "modified": "2018-07-10T00:00:00", "cpe": ["cpe:/a:f5:big-ip_global_traffic_manager", "cpe:/a:f5:big-ip_link_controller", "cpe:/a:f5:big-ip_advanced_firewall_manager", "cpe:/a:f5:big-ip_policy_enforcement_manager", "cpe:/a:f5:big-ip_application_security_manager", "cpe:/a:f5:big-ip_application_acceleration_manager", "cpe:/a:f5:big-ip_local_traffic_manager", "cpe:/h:f5:big-ip", "cpe:/a:f5:big-ip_application_visibility_and_reporting", "cpe:/a:f5:big-ip_access_policy_manager"], "id": "F5_BIGIP_SOL54211024.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=94479", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from F5 Networks BIG-IP Solution K54211024.\n#\n# The text description of this plugin is (C) F5 Networks.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(94479);\n script_version(\"2.13\");\n script_cvs_date(\"Date: 2018/07/10 14:27:33\");\n\n script_cve_id(\"CVE-2016-6304\");\n\n script_name(english:\"F5 Networks BIG-IP : OpenSSL vulnerability (K54211024)\");\n script_summary(english:\"Checks the BIG-IP version.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote device is missing a vendor-supplied security patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Multiple memory leaks in t1_lib.c in OpenSSL before 1.0.1u, 1.0.2\nbefore 1.0.2i, and 1.1.0 before 1.1.0a allow remote attackers to cause\na denial of service (memory consumption) via large OCSP Status Request\nextensions. (CVE-2016-6304)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://support.f5.com/csp/#/article/K54211024\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade to one of the non-vulnerable versions listed in the F5\nSolution K54211024.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_access_policy_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_advanced_firewall_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_application_acceleration_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_application_security_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_application_visibility_and_reporting\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_global_traffic_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_link_controller\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_local_traffic_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_policy_enforcement_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:f5:big-ip\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/11/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/11/03\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2018 Tenable Network Security, Inc.\");\n script_family(english:\"F5 Networks Local Security Checks\");\n\n script_dependencies(\"f5_bigip_detect.nbin\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/BIG-IP/hotfix\", \"Host/BIG-IP/modules\", \"Host/BIG-IP/version\", \"Settings/ParanoidReport\");\n\n exit(0);\n}\n\n\ninclude(\"f5_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nversion = get_kb_item(\"Host/BIG-IP/version\");\nif ( ! version ) audit(AUDIT_OS_NOT, \"F5 Networks BIG-IP\");\nif ( isnull(get_kb_item(\"Host/BIG-IP/hotfix\")) ) audit(AUDIT_KB_MISSING, \"Host/BIG-IP/hotfix\");\nif ( ! get_kb_item(\"Host/BIG-IP/modules\") ) audit(AUDIT_KB_MISSING, \"Host/BIG-IP/modules\");\n\nsol = \"K54211024\";\nvmatrix = make_array();\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\n# AFM\nvmatrix[\"AFM\"] = make_array();\nvmatrix[\"AFM\"][\"affected\" ] = make_list(\"12.0.0-12.1.2\",\"11.5.2-11.5.5\",\"11.6.0-11.6.1\",\"11.5.1HF3-11.5.1HF11\",\"11.5.0HF4-11.5.0HF7\");\nvmatrix[\"AFM\"][\"unaffected\"] = make_list(\"13.0.0\",\"12.1.2HF1\",\"11.6.2\",\"11.5.6\",\"11.5.1-11.5.1HF2\",\"11.5.0-11.5.0HF3\",\"11.4.0-11.4.1\");\n\n# AM\nvmatrix[\"AM\"] = make_array();\nvmatrix[\"AM\"][\"affected\" ] = make_list(\"12.0.0-12.1.2\",\"11.5.2-11.5.5\",\"11.6.0-11.6.1\",\"11.5.1HF3-11.5.1HF11\",\"11.5.0HF4-11.5.0HF7\");\nvmatrix[\"AM\"][\"unaffected\"] = make_list(\"13.0.0\",\"12.1.2HF1\",\"11.6.2\",\"11.5.6\",\"11.5.1-11.5.1HF2\",\"11.5.0-11.5.0HF3\",\"11.4.0-11.4.1\");\n\n# APM\nvmatrix[\"APM\"] = make_array();\nvmatrix[\"APM\"][\"affected\" ] = make_list(\"12.0.0-12.1.2\",\"11.5.2-11.5.5\",\"11.6.0-11.6.1\",\"11.5.1HF3-11.5.1HF11\",\"11.5.0HF4-11.5.0HF7\");\nvmatrix[\"APM\"][\"unaffected\"] = make_list(\"13.0.0\",\"12.1.2HF1\",\"11.6.2\",\"11.5.6\",\"11.5.1-11.5.1HF2\",\"11.5.0-11.5.0HF3\",\"11.4.0-11.4.1\",\"11.2.1\",\"10.2.1-10.2.4\");\n\n# ASM\nvmatrix[\"ASM\"] = make_array();\nvmatrix[\"ASM\"][\"affected\" ] = make_list(\"12.0.0-12.1.2\",\"111.5.2-11.5.5\",\"11.6.0-11.6.1\",\"11.5.1HF3-11.5.1HF11\",\"11.5.0HF4-11.5.0HF7\");\nvmatrix[\"ASM\"][\"unaffected\"] = make_list(\"13.0.0\",\"12.1.2HF1\",\"11.6.2\",\"11.5.6\",\"11.5.1-11.5.1HF2\",\"11.5.0-11.5.0HF3\",\"11.4.0-11.4.1\",\"11.2.1\",\"10.2.1-10.2.4\");\n\n# AVR\nvmatrix[\"AVR\"] = make_array();\nvmatrix[\"AVR\"][\"affected\" ] = make_list(\"12.0.0-12.1.2\",\"11.5.2-11.5.5\",\"11.6.0-11.6.1\",\"11.5.1HF3-11.5.1HF11\",\"11.5.0HF4-11.5.0HF7\");\nvmatrix[\"AVR\"][\"unaffected\"] = make_list(\"13.0.0\",\"12.1.2HF1\",\"11.6.2\",\"11.5.6\",\"11.5.1-11.5.1HF2\",\"11.5.0-11.5.0HF3\",\"11.4.0-11.4.1\",\"11.2.1\");\n\n# GTM\nvmatrix[\"GTM\"] = make_array();\nvmatrix[\"GTM\"][\"affected\" ] = make_list(\"11.5.2-11.5.5\",\"11.6.0-11.6.1\",\"11.5.1HF3-11.5.1HF11\",\"11.5.0HF4-11.5.0HF7\");\nvmatrix[\"GTM\"][\"unaffected\"] = make_list(\"11.6.2\",\"11.5.6\",\"11.5.1-11.5.1HF2\",\"11.5.0-11.5.0HF3\",\"11.4.0-11.4.1\",\"11.2.1\",\"10.2.1-10.2.4\");\n\n# LC\nvmatrix[\"LC\"] = make_array();\nvmatrix[\"LC\"][\"affected\" ] = make_list(\"12.0.0-12.1.2\",\"11.5.2-11.5.5\",\"11.6.0-11.6.1\",\"11.5.1HF3-11.5.1HF11\",\"11.5.0HF4-11.5.0HF7\");\nvmatrix[\"LC\"][\"unaffected\"] = make_list(\"13.0.0\",\"12.1.2HF1\",\"11.6.2\",\"11.5.6\",\"11.5.1-11.5.1HF2\",\"11.5.0-11.5.0HF3\",\"11.4.0-11.4.1\",\"11.2.1\",\"10.2.1-10.2.4\");\n\n# LTM\nvmatrix[\"LTM\"] = make_array();\nvmatrix[\"LTM\"][\"affected\" ] = make_list(\"12.0.0-12.1.2\",\"11.5.2-11.5.5\",\"11.6.0-11.6.1\",\"11.5.1HF3-11.5.1HF11\",\"11.5.0HF4-11.5.0HF7\");\nvmatrix[\"LTM\"][\"unaffected\"] = make_list(\"13.0.0\",\"12.1.2HF1\",\"11.6.2\",\"11.5.6\",\"11.5.1-11.5.1HF2\",\"11.5.0-11.5.0HF3\",\"11.4.0-11.4.1\",\"11.2.1\",\"10.2.1-10.2.4\");\n\n# PEM\nvmatrix[\"PEM\"] = make_array();\nvmatrix[\"PEM\"][\"affected\" ] = make_list(\"12.0.0-12.1.2\",\"11.5.2-11.5.5\",\"11.6.0-11.6.1\",\"11.5.1HF3-11.5.1HF11\",\"11.5.0HF4-11.5.0HF7\");\nvmatrix[\"PEM\"][\"unaffected\"] = make_list(\"13.0.0\",\"12.1.2HF1\",\"11.6.2\",\"11.5.6\",\"11.5.1-11.5.1HF2\",\"11.5.0-11.5.0HF3\",\"11.4.0-11.4.1\");\n\n\nif (bigip_is_affected(vmatrix:vmatrix, sol:sol))\n{\n if (report_verbosity > 0) security_hole(port:0, extra:bigip_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = bigip_get_tested_modules();\n audit_extra = \"For BIG-IP module(s) \" + tested + \",\";\n if (tested) audit(AUDIT_INST_VER_NOT_VULN, audit_extra, version);\n else audit(AUDIT_HOST_NOT, \"running any of the affected modules\");\n}\n", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2018-09-05T05:58:10", "references": ["https://security.gentoo.org/glsa/201612-27"], "pluginID": "95695", "description": "The remote host is affected by the vulnerability described in GLSA-201612-27 (VirtualBox: Multiple vulnerabilities)\n\n Multiple vulnerabilities have been discovered in VirtualBox. Please review the CVE identifiers referenced below for details.\n Impact :\n\n Local attackers could cause a Denial of Service condition, execute arbitrary code, or escalate their privileges.\n Workaround :\n\n There is no known workaround at this time.", "edition": 5, "reporter": "Tenable", "published": "2016-12-12T00:00:00", "title": "GLSA-201612-27 : VirtualBox: Multiple vulnerabilities (Venom)", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "Gentoo Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-5611", "CVE-2016-5608", "CVE-2015-0427", "CVE-2014-6595", "CVE-2014-0983", "CVE-2015-0418", "CVE-2016-5610", "CVE-2015-3456", "CVE-2014-0981", "CVE-2014-6590", "CVE-2016-5613", "CVE-2015-0377", "CVE-2014-6589", "CVE-2014-6588"], "modified": "2018-09-04T00:00:00", "cpe": ["cpe:/o:gentoo:linux", "p-cpe:/a:gentoo:linux:virtualbox-bin", "p-cpe:/a:gentoo:linux:virtualbox"], "id": "GENTOO_GLSA-201612-27.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=95695", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Gentoo Linux Security Advisory GLSA 201612-27.\n#\n# The advisory text is Copyright (C) 2001-2018 Gentoo Foundation, Inc.\n# and licensed under the Creative Commons - Attribution / Share Alike \n# license. See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(95695);\n script_version(\"3.2\");\n script_cvs_date(\"Date: 2018/09/04 13:20:07\");\n\n script_cve_id(\"CVE-2014-0981\", \"CVE-2014-0983\", \"CVE-2014-6588\", \"CVE-2014-6589\", \"CVE-2014-6590\", \"CVE-2014-6595\", \"CVE-2015-0377\", \"CVE-2015-0418\", \"CVE-2015-0427\", \"CVE-2015-3456\", \"CVE-2016-5608\", \"CVE-2016-5610\", \"CVE-2016-5611\", \"CVE-2016-5613\");\n script_xref(name:\"GLSA\", value:\"201612-27\");\n\n script_name(english:\"GLSA-201612-27 : VirtualBox: Multiple vulnerabilities (Venom)\");\n script_summary(english:\"Checks for updated package(s) in /var/db/pkg\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Gentoo host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote host is affected by the vulnerability described in GLSA-201612-27\n(VirtualBox: Multiple vulnerabilities)\n\n Multiple vulnerabilities have been discovered in VirtualBox. Please\n review the CVE identifiers referenced below for details.\n \nImpact :\n\n Local attackers could cause a Denial of Service condition, execute\n arbitrary code, or escalate their privileges.\n \nWorkaround :\n\n There is no known workaround at this time.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security.gentoo.org/glsa/201612-27\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"All VirtualBox users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=app-emulation/virtualbox-4.3.28'\n All VirtualBox-bin users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose\n '>=app-emulation/virtualbox-bin-4.3.28'\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:A/AC:L/Au:S/C:C/I:C/A:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'VirtualBox 3D Acceleration Virtual Machine Escape');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:virtualbox\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:virtualbox-bin\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:gentoo:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/12/11\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/12/12\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Gentoo Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", \"Host/Gentoo/qpkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"qpkg.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Gentoo/release\")) audit(AUDIT_OS_NOT, \"Gentoo\");\nif (!get_kb_item(\"Host/Gentoo/qpkg-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (qpkg_check(package:\"app-emulation/virtualbox\", unaffected:make_list(\"ge 4.3.28\"), vulnerable:make_list(\"lt 4.3.28\"))) flag++;\nif (qpkg_check(package:\"app-emulation/virtualbox-bin\", unaffected:make_list(\"ge 4.3.28\"), vulnerable:make_list(\"lt 4.3.28\"))) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = qpkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"VirtualBox\");\n}\n", "cvss": {"score": 7.7, "vector": "AV:ADJACENT_NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-09-01T23:42:31", "references": ["https://support.apple.com/en-us/HT207423", "http://www.nessus.org/u?38dabd46"], "pluginID": "95918", "description": "The remote host is running a version of Mac OS X 10.10.5 or 10.11.6 that is missing a security update. It is therefore, affected by multiple vulnerabilities :\n\n - A denial of service vulnerability exists in the ssl_parse_clienthello_tlsext() function within file ssl/t1_lib.c when handling oversize OCSP Status Request extensions from clients. An unauthenticated, remote attacker can exploit this to cause memory exhaustion in a process linked with the library. (CVE-2016-6304)\n\n - A memory corruption issue exists in Bluetooth due to improper validation of user-supplied input. A local attacker can exploit this, via a specially crafted application, to cause a denial of service condition or the execution of arbitrary code with kernel level privileges. (CVE-2016-7596)\n\n - A NULL pointer dereference flaw exists in the CoreCapture component due to improper validation of user-supplied input. A local attacker can exploit this to cause a denial of service condition. (CVE-2016-7604)", "edition": 7, "reporter": "Tenable", "published": "2016-12-16T00:00:00", "title": "Mac OS X Multiple Vulnerabilities (Security Updates 2016-003 / 2016-007)", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 7.2}}, "naslFamily": "MacOS X Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-6304", "CVE-2016-7604", "CVE-2016-7596"], "modified": "2018-07-14T00:00:00", "cpe": ["cpe:/o:apple:mac_os_x"], "id": "MACOSX_SECUPD2016-007.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=95918", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(95918);\n script_version(\"1.3\");\n script_cvs_date(\"Date: 2018/07/14 1:59:36\");\n\n script_cve_id(\n \"CVE-2016-6304\",\n \"CVE-2016-7596\", \n \"CVE-2016-7604\"\n );\n script_bugtraq_id(\n 93150,\n 94903\n );\n script_xref(name:\"APPLE-SA\", value:\"APPLE-SA-2016-12-13-1\");\n\n script_name(english:\"Mac OS X Multiple Vulnerabilities (Security Updates 2016-003 / 2016-007)\");\n script_summary(english:\"Checks for the presence of Security Update 2016-003 and 2016-007.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is missing a Mac OS X update that fixes multiple\nsecurity vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running a version of Mac OS X 10.10.5 or 10.11.6\nthat is missing a security update. It is therefore, affected by\nmultiple vulnerabilities :\n\n - A denial of service vulnerability exists in the\n ssl_parse_clienthello_tlsext() function within file\n ssl/t1_lib.c when handling oversize OCSP Status Request\n extensions from clients. An unauthenticated, remote\n attacker can exploit this to cause memory exhaustion in\n a process linked with the library. (CVE-2016-6304)\n\n - A memory corruption issue exists in Bluetooth due to\n improper validation of user-supplied input. A local\n attacker can exploit this, via a specially crafted\n application, to cause a denial of service condition or\n the execution of arbitrary code with kernel level\n privileges. (CVE-2016-7596)\n\n - A NULL pointer dereference flaw exists in the\n CoreCapture component due to improper validation of\n user-supplied input. A local attacker can exploit this\n to cause a denial of service condition. (CVE-2016-7604)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.apple.com/en-us/HT207423\");\n # http://lists.apple.com/archives/security-announce/2016/Dec/msg00003.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?38dabd46\");\n script_set_attribute(attribute:\"solution\", value:\n\"Install Security Update 2016-007 (OS X 10.10.5) / 2016-003 (OS X\n10.11.6) or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/09/22\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/12/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/12/16\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:apple:mac_os_x\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"MacOS X Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2016-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/MacOSX/Version\", \"Host/MacOSX/packages/boms\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\n# Compare 2 patch numbers to determine if patch requirements are satisfied.\n# Return true if this patch or a later patch is applied\n# Return false otherwise\nfunction check_patch(year, number)\n{\n local_var p_split = split(patch, sep:\"-\");\n local_var p_year = int( p_split[0]);\n local_var p_num = int( p_split[1]);\n\n if (year > p_year) return TRUE;\n else if (year < p_year) return FALSE;\n else if (number >= p_num) return TRUE;\n else return FALSE;\n}\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nos = get_kb_item(\"Host/MacOSX/Version\");\nif (!os) audit(AUDIT_OS_NOT, \"Mac OS X\");\nif (!ereg(pattern:\"Mac OS X 10\\.(10\\.5|11\\.6)([^0-9]|$)\", string:os)) audit(AUDIT_OS_NOT, \"Mac OS X 10.10.5 or Mac OS X 10.11.6\");\n\nif ( \"10.10.5\" >< os) patch = \"2016-007\";\nelse if ( \"10.11.6\" >< os ) patch = \"2016-003\";\n\npackages = get_kb_item_or_exit(\"Host/MacOSX/packages/boms\", exit_code:1);\nsec_boms_report = egrep(pattern:\"^com\\.apple\\.pkg\\.update\\.(security\\.|os\\.SecUpd).*bom$\", string:packages);\nsec_boms = split(sec_boms_report, sep:'\\n');\n\nforeach package (sec_boms)\n{\n # Grab patch year and number\n match = eregmatch(pattern:\"[^0-9](20[0-9][0-9])[-.]([0-9]{3})[^0-9]\", string:package);\n if (empty_or_null(match[1]) || empty_or_null(match[2]))\n continue;\n\n patch_found = check_patch(year:int(match[1]), number:int(match[2]));\n if (patch_found) exit(0, \"The host has Security Update \" + patch + \" or later installed and is therefore not affected.\");\n}\n\nreport = '\\n Missing security update : ' + patch;\nreport += '\\n Installed security BOMs : ';\nif (sec_boms_report) report += str_replace(find:'\\n', replace:'\\n ', string:sec_boms_report);\nelse report += 'n/a';\nreport += '\\n';\n\nsecurity_report_v4(port:0, severity:SECURITY_HOLE, extra:report);\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-09-01T23:44:29", "references": ["https://sweet32.info", "https://www.openssl.org/blog/blog/2016/08/24/sweet32/", "http://www.nessus.org/u?0310cb92"], "pluginID": "107067", "description": "The version of Arista Networks EOS running on the remote device is affected by multiple vulnerabilities in the included OpenSSL library :\n\n - An information disclosure vulnerability exists in the dsa_sign_setup() function in dsa_ossl.c due to a failure to properly ensure the use of constant-time operations.\n An unauthenticated, remote attacker can exploit this, via a timing side-channel attack, to disclose DSA key information. (CVE-2016-2178)\n\n - A vulnerability exists, known as SWEET32, in the 3DES and Blowfish algorithms due to the use of weak 64-bit block ciphers by default. A man-in-the-middle attacker who has sufficient resources can exploit this vulnerability, via a 'birthday' attack, to detect a collision that leaks the XOR between the fixed secret and a known plaintext, allowing the disclosure of the secret text, such as secure HTTPS cookies, and possibly resulting in the hijacking of an authenticated session.\n (CVE-2016-2183)\n\n - A flaw exists in the ssl_parse_clienthello_tlsext() function in t1_lib.c due to improper handling of overly large OCSP Status Request extensions from clients. An unauthenticated, remote attacker can exploit this, via large OCSP Status Request extensions, to exhaust memory resources, resulting in a denial of service condition.\n (CVE-2016-6304)", "edition": 4, "reporter": "Tenable", "published": "2018-02-28T00:00:00", "title": "Arista Networks EOS 4.17 Multiple Vulnerabilities (SA0024) (SWEET32)", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "naslFamily": "Misc.", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-2183", "CVE-2016-2178", "CVE-2016-6304"], "modified": "2018-08-09T00:00:00", "cpe": ["cpe:/o:arista:eos"], "id": "ARISTA_EOS_SA0024_4_17.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=107067", "sourceData": "#TRUSTED 4ebc246e91949e32ea270a020158e4cd3a5a7ccca5412553ab0ac197ea010f0775b3ccb2f26154828fc0801ec376c89a5b57cc1625427cbdb43662c77fe9139b5bf9ca6b2075f2b3c0b8cfa93f6636a9f41bb311e53263c395b3aeed6f8e71b3c459e79afad63432454349373471132cc0693e31f2e58016617e2b798248c0b729c253dba9878abff862671bfceafd9fdc5b4b3f2fd4fca5d62aa2b3bcceeb365727ca603f9dba3dfff99b5170eaeca1dd01377f5e5a716efdbbe45f1740d7613c5b2b6526e261b5cb3d81bf6b112ff9c0092cae9ee0ac24a0985db334e0fec675d4c761bc46b7b5f48ab67369d21336f247285a7c30896e83cfccf5a8c186be67fd0bc79e0842743b70eff387cdfa5b70cb5750b35a2d8f4a8f7bff08b6336ae47f3cd2c8b3b7de329536401c3f893e08e29ad49a334345b7dea28c061a6d7597189b1fc44fa43416386fb8a92927413e5cb92f1f1277d6ec6c8b68b418dab540bbf9286fcfb161287c37e7b698fe17608771a2320325177bff9181cddc25e3bac68aee778e084ecead67ed0acf8700444040dfd04efc465ae908e9df501dac79801614a4f6221699774a96f75c1f0831e8d2f593482a2a248df11dc4a8500ccfec0dd47324c6f26b74e63d16897bee3e04f45711a7995d505cdbfc28bc376237c272a1d9a526b8dbea9585cf4027d2f0ad5396b829d73a21923618c81ec8a4\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(107067);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2018/08/09\");\n\n script_cve_id(\n \"CVE-2016-2178\",\n \"CVE-2016-2183\",\n \"CVE-2016-6304\"\n );\n script_bugtraq_id(\n 91081,\n 92630,\n 93150\n );\n\n script_name(english:\"Arista Networks EOS 4.17 Multiple Vulnerabilities (SA0024) (SWEET32)\");\n script_summary(english:\"Checks the Arista Networks EOS version.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The version of Arista Networks EOS running on the remote device is\naffected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Arista Networks EOS running on the remote device is\naffected by multiple vulnerabilities in the included OpenSSL library :\n\n - An information disclosure vulnerability exists in the\n dsa_sign_setup() function in dsa_ossl.c due to a failure\n to properly ensure the use of constant-time operations.\n An unauthenticated, remote attacker can exploit this,\n via a timing side-channel attack, to disclose DSA key\n information. (CVE-2016-2178)\n\n - A vulnerability exists, known as SWEET32, in the 3DES\n and Blowfish algorithms due to the use of weak 64-bit\n block ciphers by default. A man-in-the-middle attacker\n who has sufficient resources can exploit this\n vulnerability, via a 'birthday' attack, to detect a\n collision that leaks the XOR between the fixed secret\n and a known plaintext, allowing the disclosure of the\n secret text, such as secure HTTPS cookies, and possibly\n resulting in the hijacking of an authenticated session.\n (CVE-2016-2183)\n\n - A flaw exists in the ssl_parse_clienthello_tlsext()\n function in t1_lib.c due to improper handling of overly\n large OCSP Status Request extensions from clients. An\n unauthenticated, remote attacker can exploit this, via\n large OCSP Status Request extensions, to exhaust memory\n resources, resulting in a denial of service condition.\n (CVE-2016-6304)\");\n # https://www.arista.com/en/support/advisories-notices/security-advisories/1749-security-advisory-24\n script_set_attribute( attribute:\"see_also\", value:\"http://www.nessus.org/u?0310cb92\");\n script_set_attribute( attribute:\"see_also\", value:\"https://sweet32.info\");\n script_set_attribute( attribute:\"see_also\", value:\"https://www.openssl.org/blog/blog/2016/08/24/sweet32/\");\n script_set_attribute(attribute:\"solution\", value:\n\"Contact the vendor for a fixed version. Alternatively, apply the\nrecommended mitigations referenced in the vendor advisory.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/06/06\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/10/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/02/28\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"combined\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:arista:eos\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"arista_eos_detect.nbin\");\n script_require_keys(\"Host/Arista-EOS/Version\", \"Host/Arista-EOS/eos_shell\");\n\n exit(0);\n}\n\n\ninclude(\"arista_eos_func.inc\");\n\nversion = get_kb_item_or_exit(\"Host/Arista-EOS/Version\");\n\nvmatrix = make_array();\nvmatrix[\"F\"] = make_list(\"4.17.0<=4.17.1.1\");\nvmatrix[\"misc\"] = make_list(\"4.17.1FX-VRRP6LL\");\n\nif (eos_is_affected(vmatrix:vmatrix, version:version))\n{\n security_report_v4(severity:SECURITY_HOLE, port:0, extra:eos_report_get());\n}\nelse audit(AUDIT_INST_VER_NOT_VULN, \"Arista Networks EOS\", version);\n", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}], "openvas": [{"lastseen": "2018-10-26T14:40:09", "references": ["http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html", "https://www.virtualbox.org"], "pluginID": "1361412562310809075", "description": "This host is installed with Oracle VM\n VirtualBox and is prone to multiple security bypass and denial of service\n vulnerabilities.", "edition": 5, "reporter": "Copyright (C) 2016 Greenbone Networks GmbH", "published": "2016-10-21T00:00:00", "title": "Oracle Virtualbox Multiple Security Bypass And DoS Vulnerabilities (Windows)", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "General", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-5611", "CVE-2016-5608", "CVE-2016-5610", "CVE-2016-6304", "CVE-2016-5538", "CVE-2016-5613", "CVE-2016-5501"], "modified": "2018-10-25T00:00:00", "id": "OPENVAS:1361412562310809075", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310809075", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_oracle_virtualbox_mult_sec_bypass_n_dos_vuln_win.nasl 12096 2018-10-25 12:26:02Z asteins $\n#\n# Oracle Virtualbox Multiple Security Bypass And DoS Vulnerabilities (Windows)\n#\n# Authors:\n# Rinu Kuriakose <krinu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:oracle:vm_virtualbox\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.809075\");\n script_version(\"$Revision: 12096 $\");\n script_cve_id(\"CVE-2016-5501\", \"CVE-2016-6304\", \"CVE-2016-5610\", \"CVE-2016-5538\",\n \"CVE-2016-5613\", \"CVE-2016-5611\", \"CVE-2016-5608\");\n script_bugtraq_id(93687, 93150, 93711, 93697, 93728, 93744, 93718);\n script_tag(name:\"cvss_base\", value:\"7.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-25 14:26:02 +0200 (Thu, 25 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2016-10-21 14:40:28 +0530 (Fri, 21 Oct 2016)\");\n script_name(\"Oracle Virtualbox Multiple Security Bypass And DoS Vulnerabilities (Windows)\");\n\n script_tag(name:\"summary\", value:\"This host is installed with Oracle VM\n VirtualBox and is prone to multiple security bypass and denial of service\n vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The multiple flaws are due to multiple\n unspecified errors in core and openssl component.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to gain elevated privileges, to partially access and modify data\n and cause partial denial of service conditions.\");\n\n script_tag(name:\"affected\", value:\"VirtualBox versions prior to 5.0.28 and\n prior to 5.1.8 on Windows.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Oracle VirtualBox version\n 5.0.28 or 5.1.8 or later on Windows.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"qod_type\", value:\"registry\");\n\n script_xref(name:\"URL\", value:\"http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html\");\n\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_category(ACT_GATHER_INFO);\n script_family(\"General\");\n script_dependencies(\"secpod_sun_virtualbox_detect_win.nasl\");\n script_mandatory_keys(\"Oracle/VirtualBox/Win/Ver\");\n script_xref(name:\"URL\", value:\"https://www.virtualbox.org\");\n exit(0);\n}\n\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!virtualVer = get_app_version(cpe:CPE)){\n exit(0);\n}\n\nif(virtualVer =~ \"^5\\.0\\.\")\n{\n if(version_is_less(version:virtualVer, test_version:\"5.0.28\"))\n {\n fix = \"5.0.28\";\n VULN = TRUE;\n }\n}\n\nelse if(virtualVer =~ \"^5\\.1\\.\")\n{\n if(version_is_less(version:virtualVer, test_version:\"5.1.8\"))\n {\n fix = \"5.1.8\";\n VULN = TRUE;\n }\n}\n\nif(VULN)\n{\n report = report_fixed_ver(installed_version:virtualVer, fixed_version:fix);\n security_message(data:report);\n exit(0);\n}\n", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2018-10-22T16:36:57", "references": ["http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html", "https://www.virtualbox.org"], "pluginID": "1361412562310809076", "description": "This host is installed with Oracle VM\n VirtualBox and is prone to multiple security bypass and denial of service\n vulnerabilities.", "edition": 5, "reporter": "Copyright (C) 2016 Greenbone Networks GmbH", "published": "2016-10-21T00:00:00", "title": "Oracle Virtualbox Multiple Security Bypass And DoS Vulnerabilities (Linux)", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "General", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-5611", "CVE-2016-5608", "CVE-2016-5610", "CVE-2016-6304", "CVE-2016-5538", "CVE-2016-5613", "CVE-2016-5501"], "modified": "2018-10-17T00:00:00", "id": "OPENVAS:1361412562310809076", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310809076", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_oracle_virtualbox_mult_sec_bypass_n_dos_vuln_lin.nasl 11938 2018-10-17 10:08:39Z asteins $\n#\n# Oracle Virtualbox Multiple Security Bypass And DoS Vulnerabilities (Linux)\n#\n# Authors:\n# Rinu Kuriakose <krinu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:oracle:vm_virtualbox\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.809076\");\n script_version(\"$Revision: 11938 $\");\n script_cve_id(\"CVE-2016-5501\", \"CVE-2016-6304\", \"CVE-2016-5610\", \"CVE-2016-5538\",\n \"CVE-2016-5613\", \"CVE-2016-5611\", \"CVE-2016-5608\");\n script_bugtraq_id(93687, 93150, 93711, 93697, 93728, 93744, 93718);\n script_tag(name:\"cvss_base\", value:\"7.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-17 12:08:39 +0200 (Wed, 17 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2016-10-21 14:40:28 +0530 (Fri, 21 Oct 2016)\");\n script_name(\"Oracle Virtualbox Multiple Security Bypass And DoS Vulnerabilities (Linux)\");\n\n script_tag(name:\"summary\", value:\"This host is installed with Oracle VM\n VirtualBox and is prone to multiple security bypass and denial of service\n vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The multiple flaws are due to multiple\n unspecified errors in core and openssl component.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to gain elevated privileges, to partially access and modify data\n and cause partial denial of service conditions.\");\n\n script_tag(name:\"affected\", value:\"VirtualBox versions prior to 5.0.28 and\n prior to 5.1.8 on Linux.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Oracle VirtualBox version\n 5.0.28 or 5.1.8 or later on Linux.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"qod_type\", value:\"executable_version\");\n\n script_xref(name:\"URL\", value:\"http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html\");\n\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_category(ACT_GATHER_INFO);\n script_family(\"General\");\n script_dependencies(\"secpod_sun_virtualbox_detect_lin.nasl\");\n script_mandatory_keys(\"Sun/VirtualBox/Lin/Ver\");\n script_xref(name:\"URL\", value:\"https://www.virtualbox.org\");\n exit(0);\n}\n\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!virtualVer = get_app_version(cpe:CPE)){\n exit(0);\n}\n\nif(virtualVer =~ \"^5\\.0\\.\")\n{\n if(version_is_less(version:virtualVer, test_version:\"5.0.28\"))\n {\n fix = \"5.0.28\";\n VULN = TRUE;\n }\n}\n\nelse if(virtualVer =~ \"^5\\.1\\.\")\n{\n if(version_is_less(version:virtualVer, test_version:\"5.1.8\"))\n {\n fix = \"5.1.8\";\n VULN = TRUE;\n }\n}\n\nif(VULN)\n{\n report = report_fixed_ver(installed_version:virtualVer, fixed_version:fix);\n security_message(data:report);\n exit(0);\n}\n", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2018-10-24T18:37:59", "references": ["http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html", "https://www.virtualbox.org"], "pluginID": "1361412562310809077", "description": "This host is installed with Oracle VM\n VirtualBox and is prone to multiple security bypass and denial of service\n vulnerabilities.", "edition": 5, "reporter": "Copyright (C) 2016 Greenbone Networks GmbH", "published": "2016-10-21T00:00:00", "title": "Oracle Virtualbox Multiple Security Bypass And DoS Vulnerabilities (Mac OS X)", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "General", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-5611", "CVE-2016-5608", "CVE-2016-5610", "CVE-2016-6304", "CVE-2016-5538", "CVE-2016-5613", "CVE-2016-5501"], "modified": "2018-10-24T00:00:00", "id": "OPENVAS:1361412562310809077", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310809077", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_oracle_virtualbox_mult_sec_bypass_n_dos_vuln_macosx.nasl 12051 2018-10-24 09:14:54Z asteins $\n#\n# Oracle Virtualbox Multiple Security Bypass And DoS Vulnerabilities (Mac OS X)\n#\n# Authors:\n# Rinu Kuriakose <krinu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:oracle:vm_virtualbox\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.809077\");\n script_version(\"$Revision: 12051 $\");\n script_cve_id(\"CVE-2016-5501\", \"CVE-2016-6304\", \"CVE-2016-5610\", \"CVE-2016-5538\",\n \"CVE-2016-5613\", \"CVE-2016-5611\", \"CVE-2016-5608\");\n script_bugtraq_id(93687, 93150, 93711, 93697, 93728, 93744, 93718);\n script_tag(name:\"cvss_base\", value:\"7.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-24 11:14:54 +0200 (Wed, 24 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2016-10-21 14:40:28 +0530 (Fri, 21 Oct 2016)\");\n script_name(\"Oracle Virtualbox Multiple Security Bypass And DoS Vulnerabilities (Mac OS X)\");\n\n script_tag(name:\"summary\", value:\"This host is installed with Oracle VM\n VirtualBox and is prone to multiple security bypass and denial of service\n vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The multiple flaws are due to multiple\n unspecified errors in core and openssl component.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to gain elevated privileges, to partially access and modify data\n and cause partial denial of service conditions.\");\n\n script_tag(name:\"affected\", value:\"VirtualBox versions prior to 5.0.28 and\n prior to 5.1.8 on Mac OS X.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Oracle VirtualBox version\n 5.0.28 or 5.1.8 or later on Mac OS X.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"qod_type\", value:\"executable_version\");\n\n script_xref(name:\"URL\", value:\"http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html\");\n\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_category(ACT_GATHER_INFO);\n script_family(\"General\");\n script_dependencies(\"secpod_oracle_virtualbox_detect_macosx.nasl\");\n script_mandatory_keys(\"Oracle/VirtualBox/MacOSX/Version\");\n script_xref(name:\"URL\", value:\"https://www.virtualbox.org\");\n exit(0);\n}\n\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!virtualVer = get_app_version(cpe:CPE)){\n exit(0);\n}\n\nif(virtualVer =~ \"^5\\.0\\.\")\n{\n if(version_is_less(version:virtualVer, test_version:\"5.0.28\"))\n {\n fix = \"5.0.28\";\n VULN = TRUE;\n }\n}\n\nelse if(virtualVer =~ \"^5\\.1\\.\")\n{\n if(version_is_less(version:virtualVer, test_version:\"5.1.8\"))\n {\n fix = \"5.1.8\";\n VULN = TRUE;\n }\n}\n\nif(VULN)\n{\n report = report_fixed_ver(installed_version:virtualVer, fixed_version:fix);\n security_message(data:report);\n exit(0);\n}\n", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2018-10-24T18:37:29", "references": ["https://support.f5.com/kb/en-us/solutions/public/k/54/sol54211024.html"], "pluginID": "1361412562310140048", "description": "Multiple memory leaks in t1_lib.c in OpenSSL before 1.0.1u, 1.0.2 before 1.0.2i, and 1.1.0 before 1.1.0a allow remote attackers to cause a denial of service (memory consumption) via large OCSP Status Request extensions.", "edition": 5, "reporter": "This script is Copyright (C) 2016 Greenbone Networks GmbH", "published": "2016-11-03T00:00:00", "title": "F5 BIG-IP - SOL54211024 - OpenSSL vulnerability CVE-2016-6304", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "naslFamily": "F5 Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-6304"], "modified": "2018-10-24T00:00:00", "id": "OPENVAS:1361412562310140048", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310140048", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_f5_big_ip_sol54211024.nasl 12051 2018-10-24 09:14:54Z asteins $\n#\n# F5 BIG-IP - SOL54211024 - OpenSSL vulnerability CVE-2016-6304\n#\n# Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2016 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/h:f5:big-ip\";\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.140048\");\n script_cve_id(\"CVE-2016-6304\");\n script_tag(name:\"cvss_base\", value:\"7.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_version(\"$Revision: 12051 $\");\n\n script_name(\"F5 BIG-IP - SOL54211024 - OpenSSL vulnerability CVE-2016-6304\");\n\n script_xref(name:\"URL\", value:\"https://support.f5.com/kb/en-us/solutions/public/k/54/sol54211024.html\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"solution\", value:\"See the referenced vendor advisory for a solution.\");\n script_tag(name:\"summary\", value:\"Multiple memory leaks in t1_lib.c in OpenSSL before 1.0.1u, 1.0.2 before 1.0.2i, and 1.1.0 before 1.1.0a allow remote attackers to cause a denial of service (memory consumption) via large OCSP Status Request extensions.\");\n\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-24 11:14:54 +0200 (Wed, 24 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2016-11-03 10:24:33 +0100 (Thu, 03 Nov 2016)\");\n script_category(ACT_GATHER_INFO);\n script_family(\"F5 Local Security Checks\");\n script_copyright(\"This script is Copyright (C) 2016 Greenbone Networks GmbH\");\n script_dependencies(\"gb_f5_big_ip_version.nasl\");\n script_require_ports(\"Services/ssh\", 22);\n script_mandatory_keys(\"f5/big_ip/version\", \"f5/big_ip/active_modules\");\n exit(0);\n}\n\ninclude(\"version_func.inc\");\ninclude(\"host_details.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"f5.inc\");\n\nif( ! version = get_app_version( cpe:CPE ) ) exit( 0 );\n\ncheck_f5['LTM'] = make_array( 'affected', '12.0.0-12.1.1;11.5.2-11.6.1;11.5.1_HF3-HF11;11.5.0_HF4-HF7;',\n 'unaffected', '11.5.1-11.5.1_HF2;11.5.0-11.5.0_HF3;11.4.0-11.4.1;11.2.1;10.2.1-10.2.4;');\n\ncheck_f5['AAM'] = make_array( 'affected', '12.0.0-12.1.1;11.5.2-11.6.1;11.5.1_HF3-HF11;11.5.0_HF4-HF7;',\n 'unaffected', '11.5.1-11.5.1_HF2;11.5.0-11.5.0_HF3;11.4.0-11.4.1;');\n\ncheck_f5['AFM'] = make_array( 'affected', '12.0.0-12.1.1;11.5.2-11.6.1;11.5.1_HF3-HF11;11.5.0_HF4-HF7;',\n 'unaffected', '11.5.1-11.5.1_HF2;11.5.0-11.5.0_HF3;11.4.0-11.4.1;');\n\ncheck_f5['AVR'] = make_array( 'affected', '12.0.0-12.1.1;11.5.2-11.6.1;11.5.1_HF3-HF11;11.5.0_HF4-HF7;',\n 'unaffected', '11.5.1-11.5.1_HF2;11.5.0-11.5.0_HF3;11.4.0-11.4.1;11.2.1;');\n\ncheck_f5['APM'] = make_array( 'affected', '12.0.0-12.1.1;11.5.2-11.6.1;11.5.1_HF3-HF11;11.5.0_HF4-HF7;',\n 'unaffected', '11.5.1-11.5.1_HF2;11.5.0-11.5.0_HF3;11.4.0-11.4.1;11.2.1;10.2.1-10.2.4;');\n\ncheck_f5['ASM'] = make_array( 'affected', '12.0.0-12.1.1;11.5.2-11.6.1;11.5.1_HF3-HF11;11.5.0_HF4-HF7;',\n 'unaffected', '11.5.1-11.5.1_HF2;11.5.0-11.5.0_HF3;11.4.0-11.4.1;11.2.1;10.2.1-10.2.4;');\n\ncheck_f5['GTM'] = make_array( 'affected', '11.5.2-11.6.1;11.5.1_HF3-HF11;11.5.0_HF4-HF7;',\n 'unaffected', '11.5.1-11.5.1_HF2;11.5.0-11.5.0_HF3;11.4.0-11.4.1;11.2.1;10.2.1-10.2.4;');\n\ncheck_f5['LC'] = make_array( 'affected', '12.0.0-12.1.1;11.5.2-11.6.1;11.5.1_HF3-HF11;11.5.0_HF4-HF7;',\n 'unaffected', '11.5.1-11.5.1_HF2;11.5.0-11.5.0_HF3;11.4.0-11.4.1;11.2.1;10.2.1-10.2.4;');\n\ncheck_f5['PEM'] = make_array( 'affected', '12.0.0-12.1.1;11.5.2-11.6.1;11.5.1_HF3-HF11;11.5.0_HF4-HF7;',\n 'unaffected', '11.5.1-11.5.1_HF2;11.5.0-11.5.0_HF3;11.4.0-11.4.1;');\n\nif( report = is_f5_vulnerable( ca:check_f5, version:version ) )\n{\n security_message( port:0, data:report );\n exit( 0 );\n}\n\nexit( 99 );\n", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2018-10-24T18:37:44", "references": ["http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html", "https://www.virtualbox.org"], "pluginID": "1361412562310809080", "description": "This host is installed with Oracle VM\n VirtualBox and is prone to a privilege escalation vulnerability.", "edition": 5, "reporter": "Copyright (C) 2016 Greenbone Networks GmbH", "published": "2016-10-21T00:00:00", "title": "Oracle Virtualbox VRDE Privilege Escalation Vulnerability (Mac OS X)", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "General", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-5605"], "modified": "2018-10-24T00:00:00", "id": "OPENVAS:1361412562310809080", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310809080", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_oracle_virtualbox_vrde_priv_esc_vuln_macosx.nasl 12051 2018-10-24 09:14:54Z asteins $\n#\n# Oracle Virtualbox VRDE Privilege Escalation Vulnerability (Mac OS X)\n#\n# Authors:\n# Rinu Kuriakose <krinu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:oracle:vm_virtualbox\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.809080\");\n script_version(\"$Revision: 12051 $\");\n script_cve_id(\"CVE-2016-5605\");\n script_bugtraq_id(93685);\n script_tag(name:\"cvss_base\", value:\"6.4\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:N\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-24 11:14:54 +0200 (Wed, 24 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2016-10-21 14:40:28 +0530 (Fri, 21 Oct 2016)\");\n script_name(\"Oracle Virtualbox VRDE Privilege Escalation Vulnerability (Mac OS X)\");\n\n script_tag(name:\"summary\", value:\"This host is installed with Oracle VM\n VirtualBox and is prone to a privilege escalation vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The flaw is due to an unspecified error in\n VirtualBox Remote Desktop Extension (VRDE) sub component.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to access and modify data.\");\n\n script_tag(name:\"affected\", value:\"VirtualBox versions prior to 5.1.4 on Mac OS X.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Oracle VirtualBox version\n 5.1.4 or later on Mac OS X.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"qod_type\", value:\"executable_version\");\n\n script_xref(name:\"URL\", value:\"http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html\");\n\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_category(ACT_GATHER_INFO);\n script_family(\"General\");\n script_dependencies(\"secpod_oracle_virtualbox_detect_macosx.nasl\");\n script_mandatory_keys(\"Oracle/VirtualBox/MacOSX/Version\");\n script_xref(name:\"URL\", value:\"https://www.virtualbox.org\");\n exit(0);\n}\n\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!virtualVer = get_app_version(cpe:CPE)){\n exit(0);\n}\n\nif(virtualVer =~ \"^5\\.1\\.\")\n{\n if(version_is_less(version:virtualVer, test_version:\"5.1.4\"))\n {\n report = report_fixed_ver(installed_version:virtualVer, fixed_version:\"5.1.4\");\n security_message(data:report);\n exit(0);\n }\n}\n", "cvss": {"score": 6.4, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-10-30T12:37:58", "references": ["http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html", "https://www.virtualbox.org"], "pluginID": "1361412562310809079", "description": "This host is installed with Oracle VM\n VirtualBox and is prone to a privilege escalation vulnerability.", "edition": 5, "reporter": "Copyright (C) 2016 Greenbone Networks GmbH", "published": "2016-10-21T00:00:00", "title": "Oracle Virtualbox VRDE Privilege Escalation Vulnerability (Linux)", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "General", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-5605"], "modified": "2018-10-29T00:00:00", "id": "OPENVAS:1361412562310809079", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310809079", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_oracle_virtualbox_vrde_priv_esc_vuln_lin.nasl 12149 2018-10-29 10:48:30Z asteins $\n#\n# Oracle Virtualbox VRDE Privilege Escalation Vulnerability (Linux)\n#\n# Authors:\n# Rinu Kuriakose <krinu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:oracle:vm_virtualbox\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.809079\");\n script_version(\"$Revision: 12149 $\");\n script_cve_id(\"CVE-2016-5605\");\n script_bugtraq_id(93685);\n script_tag(name:\"cvss_base\", value:\"6.4\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:N\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-29 11:48:30 +0100 (Mon, 29 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2016-10-21 14:40:28 +0530 (Fri, 21 Oct 2016)\");\n script_name(\"Oracle Virtualbox VRDE Privilege Escalation Vulnerability (Linux)\");\n\n script_tag(name:\"summary\", value:\"This host is installed with Oracle VM\n VirtualBox and is prone to a privilege escalation vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The flaw is due to an unspecified error in\n VirtualBox Remote Desktop Extension (VRDE) sub component.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to access and modify data.\");\n\n script_tag(name:\"affected\", value:\"VirtualBox versions prior to 5.1.4 on Linux.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Oracle VirtualBox version\n 5.1.4 or later on Linux.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"qod_type\", value:\"executable_version\");\n\n script_xref(name:\"URL\", value:\"http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html\");\n\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_category(ACT_GATHER_INFO);\n script_family(\"General\");\n script_dependencies(\"secpod_sun_virtualbox_detect_lin.nasl\");\n script_mandatory_keys(\"Sun/VirtualBox/Lin/Ver\");\n script_xref(name:\"URL\", value:\"https://www.virtualbox.org\");\n exit(0);\n}\n\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!virtualVer = get_app_version(cpe:CPE)){\n exit(0);\n}\n\nif(virtualVer =~ \"^5\\.1\\.\")\n{\n if(version_is_less(version:virtualVer, test_version:\"5.1.4\"))\n {\n report = report_fixed_ver(installed_version:virtualVer, fixed_version:\"5.1.4\");\n security_message(data:report);\n exit(0);\n }\n}\n", "cvss": {"score": 6.4, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-10-30T12:38:31", "references": ["http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html", "https://www.virtualbox.org"], "pluginID": "1361412562310809078", "description": "This host is installed with Oracle VM\n VirtualBox and is prone to a privilege escalation vulnerability.", "edition": 5, "reporter": "Copyright (C) 2016 Greenbone Networks GmbH", "published": "2016-10-21T00:00:00", "title": "Oracle Virtualbox VRDE Privilege Escalation Vulnerability (Windows)", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "General", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-5605"], "modified": "2018-10-29T00:00:00", "id": "OPENVAS:1361412562310809078", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310809078", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_oracle_virtualbox_vrde_priv_esc_vuln_win.nasl 12149 2018-10-29 10:48:30Z asteins $\n#\n# Oracle Virtualbox VRDE Privilege Escalation Vulnerability (Windows)\n#\n# Authors:\n# Rinu Kuriakose <krinu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:oracle:vm_virtualbox\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.809078\");\n script_version(\"$Revision: 12149 $\");\n script_cve_id(\"CVE-2016-5605\");\n script_bugtraq_id(93685);\n script_tag(name:\"cvss_base\", value:\"6.4\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:N\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-29 11:48:30 +0100 (Mon, 29 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2016-10-21 14:40:28 +0530 (Fri, 21 Oct 2016)\");\n script_name(\"Oracle Virtualbox VRDE Privilege Escalation Vulnerability (Windows)\");\n\n script_tag(name:\"summary\", value:\"This host is installed with Oracle VM\n VirtualBox and is prone to a privilege escalation vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The flaw is due to an unspecified error in\n VirtualBox Remote Desktop Extension (VRDE) sub component.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to access and modify data.\");\n\n script_tag(name:\"affected\", value:\"VirtualBox versions prior to 5.1.4 on Windows.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Oracle VirtualBox version\n 5.1.4 or later on Windows.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"qod_type\", value:\"registry\");\n\n script_xref(name:\"URL\", value:\"http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html\");\n\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_category(ACT_GATHER_INFO);\n script_family(\"General\");\n script_dependencies(\"secpod_sun_virtualbox_detect_win.nasl\");\n script_mandatory_keys(\"Oracle/VirtualBox/Win/Ver\");\n script_xref(name:\"URL\", value:\"https://www.virtualbox.org\");\n exit(0);\n}\n\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!virtualVer = get_app_version(cpe:CPE)){\n exit(0);\n}\n\nif(virtualVer =~ \"^5\\.1\\.\")\n{\n if(version_is_less(version:virtualVer, test_version:\"5.1.4\"))\n {\n report = report_fixed_ver(installed_version:virtualVer, fixed_version:\"5.1.4\");\n security_message(data:report);\n exit(0);\n }\n}\n", "cvss": {"score": 6.4, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-11-14T14:50:34", "references": ["https://www.openssl.org/news/secadv/20160922.txt"], "pluginID": "1361412562310107051", "description": "This host is running OpenSSL and prone to denial of service vulnerability.", "edition": 6, "reporter": "This script is Copyright (C) 2016 Greenbone Networks GmbH", "published": "2016-09-26T00:00:00", "title": "OpenSSL OCSP Status Request extension unbounded memory growth Vulnerability (Windows)", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "naslFamily": "Denial of Service", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-6304"], "modified": "2018-11-13T00:00:00", "id": "OPENVAS:1361412562310107051", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310107051", "sourceData": "##############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_openssl_oscp_dos_win.nasl 12338 2018-11-13 14:51:17Z asteins $\n# OpenSSL OCSP Status Request extension unbounded memory growth vulnerability (Windows)\n#\n# Authors:\n# Tameem Eissa <tameem.eissa..at..greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2016 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:openssl:openssl\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.107051\");\n script_version(\"$Revision: 12338 $\");\n script_cve_id(\"CVE-2016-6304\");\n\n script_tag(name:\"last_modification\", value:\"$Date: 2018-11-13 15:51:17 +0100 (Tue, 13 Nov 2018) $\");\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n script_tag(name:\"creation_date\", value:\"2016-09-26 06:40:16 +0200 (Mon, 26 Sep 2016)\");\n script_tag(name:\"cvss_base\", value:\"7.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n\n script_name(\"OpenSSL OCSP Status Request extension unbounded memory growth Vulnerability (Windows)\");\n\n script_xref(name:\"URL\", value:\"https://www.openssl.org/news/secadv/20160922.txt\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"This script is Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Denial of Service\");\n script_dependencies(\"gb_openssl_detect.nasl\", \"os_detection.nasl\");\n script_mandatory_keys(\"OpenSSL/installed\", \"Host/runs_windows\");\n script_require_ports(\"Services/www\", 80);\n\n script_tag(name:\"summary\", value:\"This host is running OpenSSL and prone to denial of service vulnerability.\");\n script_tag(name:\"insight\", value:\"OpenSSL suffers from the possibility of DoS attack through sending a large OCSP Status Request extensions which lead to unbounded memory growth on the server which in turn lead to denial of service.\");\n script_tag(name:\"impact\", value:\"Successful exploitation could result in service crash.\");\n script_tag(name:\"affected\", value:\"OpenSSL 1.1.0 and previous versions.\");\n script_tag(name:\"solution\", value:\"OpenSSL 1.1.0 users should upgrade to 1.1.0a. OpenSSL 1.0.2 users should upgrade to 1.0.2i. OpenSSL 1.0.1 users should upgrade to 1.0.1u.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!sslVer = get_app_version(cpe:CPE))\n{\n exit(0);\n}\n\nif(sslVer =~ \"^(1\\.1\\.0)\" && version_is_less(version:sslVer, test_version:\"1.1.0a\"))\n{\n fix = \"1.1.0a\";\n VUL = TRUE;\n}\nelse if (sslVer =~ \"^(1\\.0\\.2)\" && version_is_less( version:sslVer, test_version:\"1.0.2i\"))\n{\n fix = \"1.0.2i\";\n VUL = TRUE;\n}\nelse if (sslVer =~ \"^(1\\.0\\.1)\" && version_is_less( version:sslVer, test_version:\"1.0.1u\"))\n{\n fix = \"1.0.1u\";\n VUL = TRUE;\n}\n\nif (VUL)\n{\n report = report_fixed_ver(installed_version:sslVer, fixed_version:fix);\n security_message(data:report);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2018-10-22T16:37:18", "references": ["http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html"], "pluginID": "1361412562310809377", "description": "This host is running Oracle MySQL and is\n prone to an unspecified vulnerability.", "edition": 7, "reporter": "Copyright (C) 2016 Greenbone Networks GmbH", "published": "2016-10-19T00:00:00", "title": "Oracle MySQL Security Updates (oct2016-2881722) 04 - Linux", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "Databases", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-6304"], "modified": "2018-10-19T00:00:00", "id": "OPENVAS:1361412562310809377", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310809377", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_mysql_oct2016-2881722_04_lin.nasl 11989 2018-10-19 11:25:26Z cfischer $\n#\n# Oracle MySQL Security Updates (oct2016-2881722) 04 - Linux\n#\n# Authors:\n# Kashinath T <tkashinath@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:oracle:mysql\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.809377\");\n script_version(\"$Revision: 11989 $\");\n script_cve_id(\"CVE-2016-6304\");\n script_tag(name:\"cvss_base\", value:\"7.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-19 13:25:26 +0200 (Fri, 19 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2016-10-19 15:49:26 +0530 (Wed, 19 Oct 2016)\");\n script_name(\"Oracle MySQL Security Updates (oct2016-2881722) 04 - Linux\");\n\n script_tag(name:\"summary\", value:\"This host is running Oracle MySQL and is\n prone to an unspecified vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The flaw exists due to improper validation of\n large OCSP Status Request extensions.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation of this\n vulnerability will allow remote attackers to cause a denial of service\n (memory consumption).\");\n\n script_tag(name:\"affected\", value:\"Oracle Mysql version 5.6.33 and earlier,\n 5.7.15 and earlier on Linux\");\n\n script_tag(name:\"solution\", value:\"Apply the patch from the referenced advisory.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n\n script_xref(name:\"URL\", value:\"http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Databases\");\n script_dependencies(\"mysql_version.nasl\", \"os_detection.nasl\");\n script_mandatory_keys(\"MySQL/installed\", \"Host/runs_unixoide\");\n script_require_ports(\"Services/mysql\", 3306);\n exit(0);\n}\n\ninclude(\"version_func.inc\");\ninclude(\"host_details.inc\");\n\nif(!sqlPort = get_app_port(cpe:CPE)){\n exit(0);\n}\n\nif(!mysqlVer = get_app_version(cpe:CPE, port:sqlPort)){\n exit(0);\n}\n\nif(version_in_range(version:mysqlVer, test_version:\"5.6\", test_version2:\"5.6.33\") ||\n version_in_range(version:mysqlVer, test_version:\"5.7\", test_version2:\"5.7.15\"))\n{\n report = report_fixed_ver(installed_version:mysqlVer, fixed_version: \"Apply the patch\");\n security_message(data:report, port:sqlPort);\n exit(0);\n}\n", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2018-09-25T16:16:06", "references": ["https://www.openssl.org/news/secadv/20160922.txt"], "pluginID": "1361412562310107050", "description": "This host is running OpenSSL and prone to denial of service vulnerability.", "edition": 6, "reporter": "This script is Copyright (C) 2016 Greenbone Networks GmbH", "published": "2016-09-26T00:00:00", "title": "OpenSSL OCSP Status Request extension unbounded memory growth Vulnerability (Linux)", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "naslFamily": "Denial of Service", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-6304"], "modified": "2018-09-25T00:00:00", "id": "OPENVAS:1361412562310107050", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310107050", "sourceData": "##############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_openssl_oscp_dos_lin.nasl 11596 2018-09-25 09:49:46Z asteins $\n# OpenSSL OCSP Status Request extension unbounded memory growth Vulnerability (Linux)\n#\n# Authors:\n# Tameem Eissa <tameem.eissa..at..greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2016 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:openssl:openssl\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.107050\");\n script_version(\"$Revision: 11596 $\");\n script_cve_id(\"CVE-2016-6304\");\n\n script_tag(name:\"last_modification\", value:\"$Date: 2018-09-25 11:49:46 +0200 (Tue, 25 Sep 2018) $\");\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n script_tag(name:\"creation_date\", value:\"2016-09-26 06:40:16 +0200 (Mon, 26 Sep 2016)\");\n script_tag(name:\"cvss_base\", value:\"7.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n\n script_name(\"OpenSSL OCSP Status Request extension unbounded memory growth Vulnerability (Linux)\");\n\n script_xref(name:\"URL\", value:\"https://www.openssl.org/news/secadv/20160922.txt\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"This script is Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Denial of Service\");\n script_dependencies(\"gb_openssl_detect.nasl\", \"os_detection.nasl\");\n script_mandatory_keys(\"OpenSSL/installed\", \"Host/runs_unixoide\");\n script_require_ports(\"Services/www\", 80);\n\n script_tag(name:\"summary\", value:\"This host is running OpenSSL and prone to denial of service vulnerability.\");\n script_tag(name:\"insight\", value:\"OpenSSL suffers from the possibility of DoS attack through sending a large OCSP Status Request extensions which lead to unbounded memory growth on the server which in turn lead to denial of service.\");\n script_tag(name:\"impact\", value:\"Successful exploitation could result in service crash.\");\n script_tag(name:\"affected\", value:\"OpenSSL 1.1.0 and previous versions.\");\n script_tag(name:\"solution\", value:\"OpenSSL 1.1.0 users should upgrade to 1.1.0a. OpenSSL 1.0.2 users should upgrade to 1.0.2i. OpenSSL 1.0.1 users should upgrade to 1.0.1u.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!sslVer = get_app_version(cpe:CPE))\n{\n exit(0);\n}\n\nif(sslVer =~ \"^(1\\.1\\.0)\" && version_is_less(version:sslVer, test_version:\"1.1.0a\"))\n{\n fix = \"1.1.0a\";\n VUL = TRUE;\n}\nelse if (sslVer =~ \"^(1\\.0\\.2)\" && version_is_less( version:sslVer, test_version:\"1.0.2i\"))\n{\n fix = \"1.0.2i\";\n VUL = TRUE;\n}\nelse if (sslVer =~ \"^(1\\.0\\.1)\" && version_is_less( version:sslVer, test_version:\"1.0.1u\"))\n{\n fix = \"1.0.1u\";\n VUL = TRUE;\n}\n\nif (VUL)\n{\n report = report_fixed_ver(installed_version:sslVer, fixed_version:fix);\n security_message(data:report);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}], "cve": [{"lastseen": "2017-07-29T10:54:43", "references": ["http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html", "http://www.securitytracker.com/id/1037053", "http://www.securityfocus.com/bid/93697"], "edition": 2, "description": "Unspecified vulnerability in the Oracle VM VirtualBox component before 5.0.28 and 5.1.x before 5.1.8 in Oracle Virtualization allows local users to affect confidentiality, integrity, and availability via vectors related to Core, a different vulnerability than CVE-2016-5501.", "reporter": "NVD", "published": "2016-10-25T10:30:14", "type": "cve", "title": "CVE-2016-5538", "enchantments": {"score": {"vector": "NONE", "value": 2.1}}, "assessment": {"system": "", "name": "", "href": ""}, "bulletinFamily": "NVD", "cvelist": ["CVE-2016-5538"], "scanner": [], "modified": "2017-07-28T21:34:10", "cpe": ["cpe:/a:oracle:vm_virtualbox:5.0.27", "cpe:/a:oracle:vm_virtualbox:5.1.7"], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5538", "id": "CVE-2016-5538", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-07-29T10:54:44", "references": ["http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html", "http://www.securitytracker.com/id/1037053", "http://www.securityfocus.com/bid/93711", "https://security.gentoo.org/glsa/201612-27"], "edition": 3, "description": "Unspecified vulnerability in the Oracle VM VirtualBox component before 5.0.28 and 5.1.x before 5.1.8 in Oracle Virtualization allows local users to affect confidentiality, integrity, and availability via vectors related to Core.", "reporter": "NVD", "published": "2016-10-25T10:31:23", "type": "cve", "title": "CVE-2016-5610", "enchantments": {"score": {"vector": "NONE", "value": 2.1}}, "assessment": {"system": "", "name": "", "href": ""}, "bulletinFamily": "NVD", "cvelist": ["CVE-2016-5610"], "scanner": [], "modified": "2017-07-28T21:34:13", "cpe": ["cpe:/a:oracle:vm_virtualbox:5.1.6", "cpe:/a:oracle:vm_virtualbox:5.0.26"], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5610", "id": "CVE-2016-5610", "cvss": {"score": 4.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-07-29T10:54:43", "references": ["http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html", "http://www.securitytracker.com/id/1037053", "http://www.securityfocus.com/bid/93718", "https://security.gentoo.org/glsa/201612-27"], "edition": 3, "description": "Unspecified vulnerability in the Oracle VM VirtualBox component before 5.0.28 and 5.1.x before 5.1.8 in Oracle Virtualization allows local users to affect availability via vectors related to Core, a different vulnerability than CVE-2016-5613.", "reporter": "NVD", "published": "2016-10-25T10:31:21", "type": "cve", "title": "CVE-2016-5608", "enchantments": {"score": {"vector": "NONE", "value": 2.1}}, "assessment": {"system": "", "name": "", "href": ""}, "bulletinFamily": "NVD", "cvelist": ["CVE-2016-5608"], "scanner": [], "modified": "2017-07-28T21:34:13", "cpe": ["cpe:/a:oracle:vm_virtualbox:5.1.6", "cpe:/a:oracle:vm_virtualbox:5.0.26"], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5608", "id": "CVE-2016-5608", "cvss": {"score": 2.1, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2017-07-29T10:54:44", "references": ["http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html", "http://www.securitytracker.com/id/1037053", "http://www.securityfocus.com/bid/93728", "https://security.gentoo.org/glsa/201612-27"], "edition": 3, "description": "Unspecified vulnerability in the Oracle VM VirtualBox component before 5.0.28 and 5.1.x before 5.1.8 in Oracle Virtualization allows local users to affect availability via vectors related to Core, a different vulnerability than CVE-2016-5608.", "reporter": "NVD", "published": "2016-10-25T10:31:28", "type": "cve", "title": "CVE-2016-5613", "enchantments": {"score": {"vector": "NONE", "value": 2.1}}, "assessment": {"system": "", "name": "", "href": ""}, "bulletinFamily": "NVD", "cvelist": ["CVE-2016-5613"], "scanner": [], "modified": "2017-07-28T21:34:14", "cpe": ["cpe:/a:oracle:vm_virtualbox:5.1.6", "cpe:/a:oracle:vm_virtualbox:5.0.26"], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5613", "id": "CVE-2016-5613", "cvss": {"score": 2.1, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2017-07-29T10:54:44", "references": ["http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html", "http://www.securityfocus.com/bid/93744", "http://www.securitytracker.com/id/1037053", "https://security.gentoo.org/glsa/201612-27"], "edition": 3, "description": "Unspecified vulnerability in the Oracle VM VirtualBox component before 5.0.28 and 5.1.x before 5.1.8 in Oracle Virtualization allows local users to affect confidentiality via vectors related to Core.", "reporter": "NVD", "published": "2016-10-25T10:31:25", "type": "cve", "title": "CVE-2016-5611", "enchantments": {"score": {"vector": "NONE", "value": 2.1}}, "assessment": {"system": "", "name": "", "href": ""}, "bulletinFamily": "NVD", "cvelist": ["CVE-2016-5611"], "scanner": [], "modified": "2017-07-28T21:34:13", "cpe": ["cpe:/a:oracle:vm_virtualbox:5.1.6", "cpe:/a:oracle:vm_virtualbox:5.0.26"], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5611", "id": "CVE-2016-5611", "cvss": {"score": 2.1, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2017-07-29T10:54:43", "references": ["http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html", "http://www.securitytracker.com/id/1037053", "http://www.securityfocus.com/bid/93685"], "edition": 2, "description": "Unspecified vulnerability in the Oracle VM VirtualBox component before 5.1.4 in Oracle Virtualization allows remote attackers to affect confidentiality and integrity via vectors related to VRDE.", "reporter": "NVD", "published": "2016-10-25T10:31:17", "type": "cve", "title": "CVE-2016-5605", "enchantments": {"score": {"vector": "NONE", "value": 4.3}}, "assessment": {"system": "", "name": "", "href": ""}, "bulletinFamily": "NVD", "cvelist": ["CVE-2016-5605"], "scanner": [], "modified": "2017-07-28T21:34:13", "cpe": ["cpe:/a:oracle:vm_virtualbox:5.1.2"], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5605", "id": "CVE-2016-5605", "cvss": {"score": 6.4, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}}, {"lastseen": "2017-07-29T10:54:43", "references": ["http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html", "http://www.securitytracker.com/id/1037053", "http://www.securityfocus.com/bid/93687"], "edition": 2, "description": "Unspecified vulnerability in the Oracle VM VirtualBox component before 5.0.28 and 5.1.x before 5.1.8 in Oracle Virtualization allows local users to affect confidentiality, integrity, and availability via vectors related to Core, a different vulnerability than CVE-2016-5538.", "reporter": "NVD", "published": "2016-10-25T10:29:36", "type": "cve", "title": "CVE-2016-5501", "enchantments": {"score": {"vector": "NONE", "value": 2.1}}, "assessment": {"system": "", "name": "", "href": ""}, "bulletinFamily": "NVD", "cvelist": ["CVE-2016-5501"], "scanner": [], "modified": "2017-07-28T21:34:10", "cpe": ["cpe:/a:oracle:vm_virtualbox:5.0.27", "cpe:/a:oracle:vm_virtualbox:5.1.7"], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5501", "id": "CVE-2016-5501", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-04-20T11:10:29", "references": ["http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html", "https://access.redhat.com/errata/RHSA-2017:1802", "http://www.splunk.com/view/SP-CAAAPSV", "https://bto.bluecoat.com/security-advisory/sa132", "https://access.redhat.com/errata/RHSA-2017:1658", "https://kc.mcafee.com/corporate/index?page=content&id=SB10171", "https://git.openssl.org/?p=openssl.git;a=commit;h=2c0d295e26306e15a92eb23a84a1802005c1c137", "https://www.tenable.com/security/tns-2016-20", "http://rhn.redhat.com/errata/RHSA-2017-1659.html", "https://access.redhat.com/errata/RHSA-2017:1413", "http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10759", "https://access.redhat.com/errata/RHSA-2017:1414", "http://rhn.redhat.com/errata/RHSA-2016-1940.html", "http://rhn.redhat.com/errata/RHSA-2016-2802.html", "https://www.tenable.com/security/tns-2016-21", "https://access.redhat.com/errata/RHSA-2017:2493", "http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.html", "https://security.FreeBSD.org/advisories/FreeBSD-SA-16:26.openssl.asc", "https://security.gentoo.org/glsa/201612-16", "http://lists.opensuse.org/opensuse-security-announce/2016-10/msg00013.html", "http://www.securityfocus.com/bid/93150", "http://www.splunk.com/view/SP-CAAAPUE", "http://www-01.ibm.com/support/docview.wss?uid=swg21995039", "http://rhn.redhat.com/errata/RHSA-2017-1415.html", "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html", "http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html", "http://www.securitytracker.com/id/1036878", "http://www.securitytracker.com/id/1037640", "https://access.redhat.com/errata/RHSA-2017:2494", "https://nodejs.org/en/blog/vulnerability/september-2016-security-releases/", "https://www.openssl.org/news/secadv/20160922.txt", "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html", "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html", "https://access.redhat.com/errata/RHSA-2017:1801", "http://www.oracle.com/technetwork/topics/security/ovmbulletinoct2016-3090547.html", "https://www.tenable.com/security/tns-2016-16"], "description": "Multiple memory leaks in t1_lib.c in OpenSSL before 1.0.1u, 1.0.2 before 1.0.2i, and 1.1.0 before 1.1.0a allow remote attackers to cause a denial of service (memory consumption) via large OCSP Status Request extensions.", "edition": 11, "reporter": "NVD", "published": "2016-09-26T15:59:00", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "type": "cve", "title": "CVE-2016-6304", "assessment": {"system": "", "name": "", "href": ""}, "bulletinFamily": "NVD", "cvelist": ["CVE-2016-6304"], "scanner": [], "cpe": ["cpe:/a:openssl:openssl:1.0.2h", "cpe:/a:openssl:openssl:1.0.1a", "cpe:/a:openssl:openssl:1.1.0", "cpe:/a:openssl:openssl:1.0.1", "cpe:/a:openssl:openssl:1.0.1:beta2", "cpe:/a:openssl:openssl:1.0.1e", "cpe:/a:openssl:openssl:1.0.2:beta1", "cpe:/a:openssl:openssl:1.0.1d", "cpe:/a:openssl:openssl:1.0.1o", "cpe:/a:openssl:openssl:1.0.1t", "cpe:/a:openssl:openssl:1.0.1g", "cpe:/o:novell:suse_linux_enterprise_module_for_web_scripting:12.0", "cpe:/a:openssl:openssl:1.0.1r", "cpe:/a:openssl:openssl:1.0.2", "cpe:/a:openssl:openssl:1.0.1q", "cpe:/a:openssl:openssl:1.0.2a", "cpe:/a:openssl:openssl:1.0.1b", "cpe:/a:openssl:openssl:1.0.2:beta2", "cpe:/a:openssl:openssl:1.0.1h", "cpe:/a:openssl:openssl:1.0.2c", "cpe:/a:openssl:openssl:1.0.2b", "cpe:/a:openssl:openssl:1.0.1:beta3", "cpe:/a:openssl:openssl:1.0.2f", "cpe:/a:openssl:openssl:1.0.1c", "cpe:/a:openssl:openssl:1.0.2:beta3", "cpe:/a:openssl:openssl:1.0.1i", "cpe:/a:openssl:openssl:1.0.1m", "cpe:/a:openssl:openssl:1.0.1n", "cpe:/a:openssl:openssl:1.0.1:beta1", "cpe:/a:openssl:openssl:1.0.2d", "cpe:/a:nodejs:node.js:6.6.0", "cpe:/a:openssl:openssl:1.0.1j", "cpe:/a:openssl:openssl:1.0.1f", "cpe:/a:openssl:openssl:1.0.1p", "cpe:/a:openssl:openssl:1.0.2e", "cpe:/a:openssl:openssl:1.0.1s", "cpe:/a:openssl:openssl:1.0.1l", "cpe:/a:openssl:openssl:1.0.1k"], "modified": "2018-04-19T21:29:16", "id": "CVE-2016-6304", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6304", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}], "f5": [{"lastseen": "2018-04-19T21:23:57", "references": [], "edition": 1, "description": "\nF5 Product Development has assigned IDs 621935 (BIG-IP) and ID 621413 (BIG-IQ and F5 iWorkflow) to this vulnerability. Additionally, [BIG-IP iHealth](<http://www.f5.com/support/support-tools/big-ip-ihealth/>) may list Heuristic H54211024 on the **Diagnostics** &gt; **Identified** &gt; **High** screen.\n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table:\n\nProduct | Versions known to be vulnerable | Versions known to be not vulnerable | Severity | Vulnerable component or feature \n---|---|---|---|--- \nBIG-IP LTM | 12.0.0 - 12.1.2 \n11.5.2 - 11.5.5 \n11.6.0 - 11.6.1 \n11.5.1 HF3 - HF11 \n11.5.0 HF4 - HF7 | 13.0.0 \n12.1.2 HF1 \n11.6.2 \n11.5.6 \n11.5.1 - 11.5.1 HF2 \n11.5.0 - 11.5.0 HF3 \n11.4.0 - 11.4.1 \n11.2.1 \n10.2.1 - 10.2.4 | High | The **big3d **data collection agent \nBIG-IP AAM | 12.0.0 - 12.1.2 \n11.5.2 - 11.5.5 \n11.6.0 - 11.6.1 \n11.5.1 HF3 - HF11 \n11.5.0 HF4 - HF7 | 13.0.0 \n12.1.2 HF1 \n11.6.2 \n11.5.6 \n11.5.1 - 11.5.1 HF2 \n11.5.0 - 11.5.0 HF3 \n11.4.0 - 11.4.1 | High | The **big3d **data collection agent \nBIG-IP AFM | 12.0.0 - 12.1.2 \n11.5.2 - 11.5.5 \n11.6.0 - 11.6.1 \n11.5.1 HF3 - HF11 \n11.5.0 HF4 - HF7 | 13.0.0 \n12.1.2 HF1 \n11.6.2 \n11.5.6 \n11.5.1 - 11.5.1 HF2 \n11.5.0 - 11.5.0 HF3 \n11.4.0 - 11.4.1 | High | The **big3d **data collection agent \nBIG-IP Analytics | 12.0.0 - 12.1.2 \n11.5.2 - 11.5.5 \n11.6.0 - 11.6.1 \n11.5.1 HF3 - HF11 \n11.5.0 HF4 - HF7 | 13.0.0 \n12.1.2 HF1 \n11.6.2 \n11.5.6 \n11.5.1 - 11.5.1 HF2 \n11.5.0 - 11.5.0 HF3 \n11.4.0 - 11.4.1 \n11.2.1 | High | The **big3d **data collection agent \nBIG-IP APM | 12.0.0 - 12.1.2 \n11.5.2 - 11.5.5 \n11.6.0 - 11.6.1 \n11.5.1 HF3 - HF11 \n11.5.0 HF4 - HF7 | 13.0.0 \n12.1.2 HF1 \n11.6.2 \n11.5.6 \n11.5.1 - 11.5.1 HF2 \n11.5.0 - 11.5.0 HF3 \n11.4.0 - 11.4.1 \n11.2.1 \n10.2.1 - 10.2.4 | High | The **big3d **data collection agent \nBIG-IP ASM | 12.0.0 - 12.1.2 \n111.5.2 - 11.5.5 \n11.6.0 - 11.6.1 \n11.5.1 HF3 - HF11 \n11.5.0 HF4 - HF7 | 13.0.0 \n12.1.2 HF1 \n11.6.2 \n11.5.6 \n11.5.1 - 11.5.1 HF2 \n11.5.0 - 11.5.0 HF3 \n11.4.0 - 11.4.1 \n11.2.1 \n10.2.1 - 10.2.4 | High | The **big3d **data collection agent \nBIG-IP DNS | 12.0.0 - 12.1.2 | 13.0.0 \n12.1.2 HF1 | High | The **big3d **data collection agent \nBIG-IP Edge Gateway | None | 11.2.1 \n10.2.1 - 10.2.4 | Not vulnerable | None \nBIG-IP GTM | 11.5.2 - 11.5.5 \n11.6.0 - 11.6.1 \n11.5.1 HF3 - HF11 \n11.5.0 HF4 - HF7 | 11.6.2 \n11.5.6 \n11.5.1 - 11.5.1 HF2 \n11.5.0 - 11.5.0 HF3 \n11.4.0 - 11.4.1 \n11.2.1 \n10.2.1 - 10.2.4 | High | The **big3d **data collection agent \nBIG-IP Link Controller | 12.0.0 - 12.1.2 \n11.5.2 - 11.5.5 \n11.6.0 - 11.6.1 \n11.5.1 HF3 - HF11 \n11.5.0 HF4 - HF7 | 13.0.0 \n12.1.2 HF1 \n11.6.2 \n11.5.6 \n11.5.1 - 11.5.1 HF2 \n11.5.0 - 11.5.0 HF3 \n11.4.0 - 11.4.1 \n11.2.1 \n10.2.1 - 10.2.4 | High | The **big3d **data collection agent \nBIG-IP PEM | 12.0.0 - 12.1.2 \n11.5.2 - 11.5.5 \n11.6.0 - 11.6.1 \n11.5.1 HF3 - HF11 \n11.5.0 HF4 - HF7 | 13.0.0 \n12.1.2 HF1 \n11.6.2 \n11.5.6 \n11.5.1 - 11.5.1 HF2 \n11.5.0 - 11.5.0 HF3 \n11.4.0 - 11.4.1 | High | The **big3d **data collection agent \nBIG-IP PSM | None | 11.4.0 - 11.4.1 \n10.2.1 - 10.2.4 | Not vulnerable | None \nBIG-IP WebAccelerator | None | 11.2.1 \n10.2.1 - 10.2.4 | Not vulnerable | None \nBIG-IP WebSafe | 12.0.0 - 12.1.2 \n11.6.0 - 11.6.1 | 13.0.0 \n12.1.2 HF1 \n11.6.2 | High | The **big3d **data collection agent \nARX | None | 6.2.0 - 6.4.0 | Not vulnerable | None \nEnterprise Manager | None | 3.1.1 | Not vulnerable | None \nBIG-IQ Cloud | 4.4.0 - 4.5.0 | 4.2.0 - 4.3.0 | High | The **webd** process \nBIG-IQ Device | 4.4.0 - 4.5.0 | 4.2.0 - 4.3.0 | High | The **webd** process \nBIG-IQ Security | 4.4.0 - 4.5.0 | 4.2.0 - 4.3.0 | High | The **webd** process \nBIG-IQ ADC | 4.5.0 | None | High | The **webd** process \nBIG-IQ Centralized Management | 5.0.0 - 5.1.0 \n4.6.0 | 5.2.0 - 5.4.0 | High | The **webd** process \nBIG-IQ Cloud and Orchestration | 1.0.0 | None | High | The **webd** process \nF5 iWorkflow | 2.0.0 - 2.3.0 | None | Medium | The **webd** process \nLineRate | None | 2.5.0 - 2.6.1 | Not vulnerable | None \nTraffix SDC | None | 5.0.0 - 5.1.0 \n4.0.0 - 4.4.0 | Not vulnerable | None\n\nIf you are running a version listed in the **Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a version listed in the **Versions known to be not vulnerable** column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nTo determine the necessary upgrade path for your BIG-IQ system, you should understand the BIG-IQ product offering name changes. For more information, refer to [K21232150: Considerations for upgrading BIG-IQ or F5 iWorkflow systems](<https://support.f5.com/csp/article/K21232150>).\n\nMitigation\n\nTo mitigate this vulnerability, you can restrict network access to the **big3d** network port, TCP 4353.\n\n**Impact of action:** TCP port 4353 is used to transfer sync-group data between BIG-IP devices. You should test any changes to ensure compatibility in your environment.\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n * [K13703: Overview of big3d version management](<https://support.f5.com/csp/article/K13703>)\n * [K13092: Overview of securing access to the BIG-IP system](<https://support.f5.com/csp/article/K13092>)\n", "reporter": "f5", "published": "2016-11-02T22:07:00", "type": "f5", "title": "OpenSSL vulnerability CVE-2016-6304", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "software", "affectedSoftware": [], "cvelist": ["CVE-2016-6304"], "modified": "2018-04-16T19:10:00", "href": "https://support.f5.com/csp/article/K54211024", "id": "F5:K54211024", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2016-12-03T01:27:33", "references": ["https://support.f5.com/kb/en-us/solutions/public/13000/000/sol13092.html", "https://support.f5.com/kb/en-us/solutions/public/9000/900/sol9970.html", "https://support.f5.com/kb/en-us/solutions/public/4000/900/sol4918.html", "https://support.f5.com/kb/en-us/solutions/public/13000/700/sol13703.html", "https://support.f5.com/kb/en-us/solutions/public/4000/600/sol4602.html", "https://support.f5.com/kb/en-us/solutions/public/9000/900/sol9957.html"], "edition": 1, "description": "Vulnerability Recommended Actions\n\nIf you are running a version listed in the **Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a version listed in the **Versions known to be not vulnerable** column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nTo determine the necessary upgrade path for your BIG-IQ system, you should understand the BIG-IQ product offering name changes. For more information, refer to SOL21232150: Considerations for upgrading BIG-IQ or F5 iWorkflow systems.\n\nMitigation\n\nTo mitigate this vulnerability, you can restrict network access to the **big3d** network port, TCP 4353.\n\n**Impact of action:** TCP port 4353 is used to transfer sync-group data between BIG-IP devices. Any changes should be tested to ensure compatibility in your environment.\n\nSupplemental Information\n\n * SOL9970: Subscribing to email notifications regarding F5 products\n * SOL9957: Creating a custom RSS feed to view new and updated documents\n * SOL4602: Overview of the F5 security vulnerability response policy\n * SOL4918: Overview of the F5 critical issue hotfix policy\n * SOL13703: Overview of big3d version management\n * SOL13092: Overview of securing access to the BIG-IP system\u00c2 \n", "reporter": "f5", "published": "2016-11-02T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "type": "f5", "title": "SOL54211024 - OpenSSL vulnerability CVE-2016-6304", "bulletinFamily": "software", "affectedSoftware": [{"name": "BIG-IP LTM", "version": "HF11", "operator": "le"}, {"name": "BIG-IP Link Controller", "version": "11.6.1", "operator": "le"}, {"name": "BIG-IP PEM", "version": "HF11", "operator": "le"}, {"name": "BIG-IP Link Controller", "version": "HF7", "operator": "le"}, {"name": "BIG-IP AFM", "version": "HF11", "operator": "le"}, {"name": "BIG-IP WebSafe", "version": "11.6.1", "operator": "le"}, {"name": "BIG-IP AFM", "version": "12.1.1", "operator": "le"}, {"name": "BIG-IP APM", "version": "HF11", "operator": "le"}, {"name": "BIG-IP WebSafe", "version": "12.1.0", "operator": "le"}, {"name": "BIG-IQ Cloud and Orchestration", "version": "1.0.0", "operator": "le"}, {"name": "BIG-IP ASM", "version": "HF7", "operator": "le"}, {"name": "BIG-IP APM", "version": "11.6.1", "operator": "le"}, {"name": "BIG-IP PEM", "version": "11.6.1", "operator": "le"}, {"name": "BIG-IP Analytics", "version": "HF7", "operator": "le"}, {"name": "BIG-IP AAM", "version": "12.1.1", "operator": "le"}, {"name": "BIG-IP Link Controller", "version": "HF11", "operator": "le"}, {"name": "BIG-IP LTM", "version": "12.1.1", "operator": "le"}, {"name": "BIG-IP Analytics", "version": "HF11", "operator": "le"}, {"name": "BIG-IP GTM", "version": "11.6.1", "operator": "le"}, {"name": "BIG-IP Analytics", "version": "12.1.1", "operator": "le"}, {"name": "BIG-IP AFM", "version": "HF7", "operator": "le"}, {"name": "BIG-IP DNS", "version": "12.1.1", "operator": "le"}, {"name": "BIG-IP Link Controller", "version": "12.1.1", "operator": "le"}, {"name": "BIG-IP APM", "version": "HF7", "operator": "le"}, {"name": "BIG-IP ASM", "version": "12.1.1", "operator": "le"}, {"name": "BIG-IP AAM", "version": "11.6.1", "operator": "le"}, {"name": "F5 iWorkflow", "version": "2.0.1", "operator": "le"}, {"name": "BIG-IQ Centralized Management", "version": "5.1.0", "operator": "le"}, {"name": "BIG-IQ Device", "version": "4.5.0", "operator": "le"}, {"name": "BIG-IQ Cloud", "version": "4.5.0", "operator": "le"}, {"name": "BIG-IP PEM", "version": "HF7", "operator": "le"}, {"name": "BIG-IP AAM", "version": "HF7", "operator": "le"}, {"name": "BIG-IP APM", "version": "12.1.1", "operator": "le"}, {"name": "BIG-IP GTM", "version": "HF7", "operator": "le"}, {"name": "BIG-IP PEM", "version": "12.1.1", "operator": "le"}, {"name": "BIG-IP LTM", "version": "11.6.1", "operator": "le"}, {"name": "BIG-IP Analytics", "version": "11.6.1", "operator": "le"}, {"name": "BIG-IP AAM", "version": "HF11", "operator": "le"}, {"name": "BIG-IP LTM", "version": "HF7", "operator": "le"}, {"name": "BIG-IP ASM", "version": "HF11", "operator": "le"}, {"name": "BIG-IQ ADC", "version": "4.5.0", "operator": "le"}, {"name": "BIG-IP AFM", "version": "11.6.1", "operator": "le"}, {"name": "BIG-IQ Centralized Management", "version": "4.6.0", "operator": "le"}, {"name": "BIG-IQ Security", "version": "4.5.0", "operator": "le"}, {"name": "BIG-IP GTM", "version": "HF11", "operator": "le"}, {"name": "BIG-IP ASM", "version": "11.6.1", "operator": "le"}], "cvelist": ["CVE-2016-6304"], "modified": "2016-11-11T00:00:00", "href": "http://support.f5.com/kb/en-us/solutions/public/k/54/sol54211024.html", "id": "SOL54211024", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2016-11-18T01:26:00", "references": ["https://support.f5.com/kb/en-us/solutions/public/9000/900/sol9970.html", "https://support.f5.com/kb/en-us/solutions/public/4000/900/sol4918.html", "https://support.f5.com/kb/en-us/solutions/public/4000/600/sol4602.html", "https://support.f5.com/kb/en-us/solutions/public/9000/900/sol9957.html"], "edition": 1, "description": "Supplemental Information\n\n * SOL9970: Subscribing to email notifications regarding F5 products\n * SOL9957: Creating a custom RSS feed to view new and updated documents\n * SOL4602: Overview of the F5 security vulnerability response policy\n * SOL4918: Overview of the F5 critical issue hotfix policy\n", "reporter": "f5", "published": "2016-09-22T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "type": "f5", "title": "SOL22071504 - September 2016 OpenSSL security vulnerability announcement", "bulletinFamily": "software", "affectedSoftware": [{"name": "CVE-2016-6329", "version": "2016", "operator": "le"}, {"name": "CVE-2016-2180", "version": "2016", "operator": "le"}, {"name": "CVE-2016-6308", "version": "2016", "operator": "le"}, {"name": "CVE-2016-2177", "version": "2016", "operator": "le"}, {"name": "CVE-2016-2183", "version": "2016", "operator": "le"}, {"name": "CVE-2016-6302", "version": "2016", "operator": "le"}, {"name": "CVE-2016-6307", "version": "2016", "operator": "le"}, {"name": "CVE-2016-2182", "version": "2016", "operator": "le"}, {"name": "CVE-2016-2178", "version": "2016", "operator": "le"}, {"name": "CVE-2016-6304", "version": "2016", "operator": "le"}, {"name": "CVE-2016-6305", "version": "2016", "operator": "le"}, {"name": "CVE-2016-6306", "version": "2016", "operator": "le"}, {"name": "CVE-2016-2179", "version": "2016", "operator": "le"}, {"name": "CVE-2016-6303", "version": "2016", "operator": "le"}, {"name": "CVE-2016-2181", "version": "2016", "operator": "le"}], "cvelist": ["CVE-2016-6306", "CVE-2016-2183", "CVE-2016-2178", "CVE-2016-6329", "CVE-2016-6302", "CVE-2016-2177", "CVE-2016-6307", "CVE-2016-6308", "CVE-2016-2180", "CVE-2016-2181", "CVE-2016-6304", "CVE-2016-6305", "CVE-2016-6303", "CVE-2016-2182", "CVE-2016-2179"], "modified": "2016-11-17T00:00:00", "id": "SOL22071504", "href": "http://support.f5.com/kb/en-us/solutions/public/k/22/sol22071504.html", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}], "openssl": [{"lastseen": "2016-10-10T13:22:34", "references": [], "edition": 3, "description": "A malicious client can send an excessively large OCSP Status Request extension. If that client continually requests renegotiation, sending a large OCSP Status Request extension each time, then there will be unbounded memory growth on the server. This will eventually lead to a Denial Of Service attack through memory exhaustion. Servers with a default configuration are vulnerable even if they do not support OCSP. Builds using the \"no-ocsp\" build time option are not affected. Servers using OpenSSL versions prior to 1.0.1g are not vulnerable in a default configuration, instead only if an application explicitly enables OCSP stapling support. Reported by Shi Lei (Gear Team, Qihoo 360 Inc.) on 29th August 2016.", "reporter": "OpenSSL", "published": "2016-09-22T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "type": "openssl", "title": "Vulnerability in OpenSSL (CVE-2016-6304)", "bulletinFamily": "software", "affectedSoftware": [{"name": "openssl", "version": "1.0.2g", "operator": "eq"}, {"name": "openssl", "version": "1.0.1q", "operator": "eq"}, {"name": "openssl", "version": "1.0.1m", "operator": "eq"}, {"name": "openssl", "version": "1.0.1h", "operator": "eq"}, {"name": "openssl", "version": "1.0.1", "operator": "eq"}, {"name": "openssl", "version": "1.0.1r", "operator": "eq"}, {"name": "openssl", "version": "1.0.2h", "operator": "eq"}, {"name": "openssl", "version": "1.0.1g", "operator": "eq"}, {"name": "openssl", "version": "1.0.1i", "operator": "eq"}, {"name": "openssl", "version": "1.0.1d", "operator": "eq"}, {"name": "openssl", "version": "1.0.1s", "operator": "eq"}, {"name": "openssl", "version": "1.1.0", "operator": "eq"}, {"name": "openssl", "version": "1.0.2e", "operator": "eq"}, {"name": "openssl", "version": "1.0.2b", "operator": "eq"}, {"name": "openssl", "version": "1.0.1a", "operator": "eq"}, {"name": "openssl", "version": "1.0.1n", "operator": "eq"}, {"name": "openssl", "version": "1.0.1j", "operator": "eq"}, {"name": "openssl", "version": "1.0.2d", "operator": "eq"}, {"name": "openssl", "version": "1.0.1c", "operator": "eq"}, {"name": "openssl", "version": "1.0.1o", "operator": "eq"}, {"name": "openssl", "version": "1.0.1e", "operator": "eq"}, {"name": "openssl", "version": "1.0.2c", "operator": "eq"}, {"name": "openssl", "version": "1.0.1t", "operator": "eq"}, {"name": "openssl", "version": "1.0.2f", "operator": "eq"}, {"name": "openssl", "version": "1.0.1l", "operator": "eq"}, {"name": "openssl", "version": "1.0.1b", "operator": "eq"}, {"name": "openssl", "version": "1.0.1f", "operator": "eq"}, {"name": "openssl", "version": "1.0.2a", "operator": "eq"}, {"name": "openssl", "version": "1.0.1k", "operator": "eq"}, {"name": "openssl", "version": "1.0.1p", "operator": "eq"}, {"name": "openssl", "version": "1.0.2", "operator": "eq"}], "cvelist": ["CVE-2016-6304"], "modified": "2016-09-22T00:00:00", "id": "OPENSSL:CVE-2016-6304", "href": "https://www.openssl.org/news/vulnerabilities.html", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}], "zdt": [{"lastseen": "2018-04-04T17:29:11", "references": [], "description": "Multiple memory leaks in OpenSSL before 1.0.1u, 1.0.2 before 1.0.2i, and 1.1.0 before 1.1.0a allow remote attackers to cause a denial of service (memory consumption) via large OCSP Status Request extensions.The exploit allows to take advantage of this vulnerability. When successfully exploited, the vulnerability causes the server to crash or slow down.#### Usage Info\nSee description inserted into the exploit code or http://www.dailymotion.com/video/x4yewbs_cve-2016-6304_tech\n\nThis is private exploit. You can buy it at https://0day.today", "edition": 1, "reporter": "teneciousD", "published": "2016-10-21T00:00:00", "title": "OpenSSL OCSP Status Request Extension Unbounded Memory Growth Vulnerability", "type": "zdt", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2016-6304"], "modified": "2016-10-21T00:00:00", "href": "https://0day.today/exploit/description/25942", "id": "1337DAY-ID-25942", "sourceData": "", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "sourceHref": ""}], "redhat": [{"lastseen": "2016-11-17T21:23:00", "_object_types": ["robots.models.base.Bulletin", "robots.models.redhat.RedHatBulletin"], "references": [], "affectedPackage": [{"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.0.1e-42.el6_7.6", "arch": "s390x", "packageName": "openssl-devel", "packageFilename": "openssl-devel-1.0.1e-42.el6_7.6.s390x.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.0.1e-42.el6_7.6", "arch": "s390x", "packageName": "openssl-debuginfo", "packageFilename": "openssl-debuginfo-1.0.1e-42.el6_7.6.s390x.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.0.1e-42.el6_7.6", "arch": "i686", "packageName": "openssl", "packageFilename": "openssl-1.0.1e-42.el6_7.6.i686.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.0.1e-30.el6_6.13", "arch": "i686", "packageName": "openssl", "packageFilename": "openssl-1.0.1e-30.el6_6.13.i686.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.0.0-20.el6_2.9", "arch": "i686", "packageName": "openssl-debuginfo", "packageFilename": "openssl-debuginfo-1.0.0-20.el6_2.9.i686.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.0.1e-30.el6_6.13", "arch": "x86_64", "packageName": "openssl-debuginfo", "packageFilename": "openssl-debuginfo-1.0.1e-30.el6_6.13.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.0.0-20.el6_2.9", "arch": "i686", "packageName": "openssl", "packageFilename": "openssl-1.0.0-20.el6_2.9.i686.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.0.1e-16.el6_5.17", "arch": "x86_64", "packageName": "openssl-devel", "packageFilename": "openssl-devel-1.0.1e-16.el6_5.17.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.0.1e-42.el6_7.6", "arch": "s390x", "packageName": "openssl-static", "packageFilename": "openssl-static-1.0.1e-42.el6_7.6.s390x.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.0.1e-42.el6_7.6", "arch": "x86_64", "packageName": "openssl-debuginfo", "packageFilename": "openssl-debuginfo-1.0.1e-42.el6_7.6.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.0.1e-42.el6_7.6", "arch": "ppc64", "packageName": "openssl-perl", "packageFilename": "openssl-perl-1.0.1e-42.el6_7.6.ppc64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.0.0-27.el6_4.6", "arch": "i686", "packageName": "openssl-debuginfo", "packageFilename": "openssl-debuginfo-1.0.0-27.el6_4.6.i686.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.0.1e-30.el6_6.13", "arch": "src", "packageName": "openssl", "packageFilename": "openssl-1.0.1e-30.el6_6.13.src.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.0.1e-30.el6_6.13", "arch": "x86_64", "packageName": "openssl", "packageFilename": "openssl-1.0.1e-30.el6_6.13.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.0.1e-30.el6_6.13", "arch": "x86_64", "packageName": "openssl-devel", "packageFilename": "openssl-devel-1.0.1e-30.el6_6.13.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.0.0-27.el6_4.6", "arch": "x86_64", "packageName": "openssl", "packageFilename": "openssl-1.0.0-27.el6_4.6.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.0.0-27.el6_4.6", "arch": "x86_64", "packageName": "openssl-static", "packageFilename": "openssl-static-1.0.0-27.el6_4.6.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.0.1e-42.el6_7.6", "arch": "ppc64", "packageName": "openssl-devel", "packageFilename": "openssl-devel-1.0.1e-42.el6_7.6.ppc64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.0.1e-16.el6_5.17", "arch": "i686", "packageName": "openssl-devel", "packageFilename": "openssl-devel-1.0.1e-16.el6_5.17.i686.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.0.0-20.el6_2.9", "arch": "x86_64", "packageName": "openssl-debuginfo", "packageFilename": "openssl-debuginfo-1.0.0-20.el6_2.9.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.0.1e-42.el6_7.6", "arch": "src", "packageName": "openssl", "packageFilename": "openssl-1.0.1e-42.el6_7.6.src.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.0.1e-42.el6_7.6", "arch": "s390x", "packageName": "openssl", "packageFilename": "openssl-1.0.1e-42.el6_7.6.s390x.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.0.1e-42.el6_7.6", "arch": "s390", "packageName": "openssl", "packageFilename": "openssl-1.0.1e-42.el6_7.6.s390.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.0.1e-42.el6_7.6", "arch": "x86_64", "packageName": "openssl-perl", "packageFilename": "openssl-perl-1.0.1e-42.el6_7.6.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.0.1e-42.el6_7.6", "arch": "ppc", "packageName": "openssl", "packageFilename": "openssl-1.0.1e-42.el6_7.6.ppc.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.0.1e-16.el6_5.17", "arch": "x86_64", "packageName": "openssl-perl", "packageFilename": "openssl-perl-1.0.1e-16.el6_5.17.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.0.0-20.el6_2.9", "arch": "x86_64", "packageName": "openssl-devel", "packageFilename": "openssl-devel-1.0.0-20.el6_2.9.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.0.1e-30.el6_6.13", "arch": "x86_64", "packageName": "openssl-perl", "packageFilename": "openssl-perl-1.0.1e-30.el6_6.13.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.0.1e-42.el6_7.6", "arch": "ppc", "packageName": "openssl-debuginfo", "packageFilename": "openssl-debuginfo-1.0.1e-42.el6_7.6.ppc.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.0.1e-16.el6_5.17", "arch": "src", "packageName": "openssl", "packageFilename": "openssl-1.0.1e-16.el6_5.17.src.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.0.0-27.el6_4.6", "arch": "i686", "packageName": "openssl", "packageFilename": "openssl-1.0.0-27.el6_4.6.i686.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.0.1e-30.el6_6.13", "arch": "x86_64", "packageName": "openssl-static", "packageFilename": "openssl-static-1.0.1e-30.el6_6.13.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.0.1e-42.el6_7.6", "arch": "ppc64", "packageName": "openssl", "packageFilename": "openssl-1.0.1e-42.el6_7.6.ppc64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.0.1e-42.el6_7.6", "arch": "x86_64", "packageName": "openssl-devel", "packageFilename": "openssl-devel-1.0.1e-42.el6_7.6.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.0.1e-42.el6_7.6", "arch": "s390", "packageName": "openssl-devel", "packageFilename": "openssl-devel-1.0.1e-42.el6_7.6.s390.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.0.1e-42.el6_7.6", "arch": "i686", "packageName": "openssl-debuginfo", "packageFilename": "openssl-debuginfo-1.0.1e-42.el6_7.6.i686.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.0.0-27.el6_4.6", "arch": "x86_64", "packageName": "openssl-perl", "packageFilename": "openssl-perl-1.0.0-27.el6_4.6.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.0.1e-42.el6_7.6", "arch": "ppc64", "packageName": "openssl-debuginfo", "packageFilename": "openssl-debuginfo-1.0.1e-42.el6_7.6.ppc64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.0.1e-42.el6_7.6", "arch": "s390x", "packageName": "openssl-perl", "packageFilename": "openssl-perl-1.0.1e-42.el6_7.6.s390x.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.0.1e-16.el6_5.17", "arch": "x86_64", "packageName": "openssl-debuginfo", "packageFilename": "openssl-debuginfo-1.0.1e-16.el6_5.17.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.0.0-20.el6_2.9", "arch": "i686", "packageName": "openssl-devel", "packageFilename": "openssl-devel-1.0.0-20.el6_2.9.i686.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.0.0-27.el6_4.6", "arch": "src", "packageName": "openssl", "packageFilename": "openssl-1.0.0-27.el6_4.6.src.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.0.0-20.el6_2.9", "arch": "x86_64", "packageName": "openssl-perl", "packageFilename": "openssl-perl-1.0.0-20.el6_2.9.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.0.1e-42.el6_7.6", "arch": "s390", "packageName": "openssl-debuginfo", "packageFilename": "openssl-debuginfo-1.0.1e-42.el6_7.6.s390.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.0.1e-16.el6_5.17", "arch": "x86_64", "packageName": "openssl", "packageFilename": "openssl-1.0.1e-16.el6_5.17.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.0.1e-30.el6_6.13", "arch": "i686", "packageName": "openssl-devel", "packageFilename": "openssl-devel-1.0.1e-30.el6_6.13.i686.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.0.1e-16.el6_5.17", "arch": "i686", "packageName": "openssl-debuginfo", "packageFilename": "openssl-debuginfo-1.0.1e-16.el6_5.17.i686.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.0.1e-30.el6_6.13", "arch": "i686", "packageName": "openssl-debuginfo", "packageFilename": "openssl-debuginfo-1.0.1e-30.el6_6.13.i686.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.0.0-20.el6_2.9", "arch": "x86_64", "packageName": "openssl-static", "packageFilename": "openssl-static-1.0.0-20.el6_2.9.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.0.1e-42.el6_7.6", "arch": "i686", "packageName": "openssl-devel", "packageFilename": "openssl-devel-1.0.1e-42.el6_7.6.i686.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.0.0-20.el6_2.9", "arch": "src", "packageName": "openssl", "packageFilename": "openssl-1.0.0-20.el6_2.9.src.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.0.1e-16.el6_5.17", "arch": "i686", "packageName": "openssl", "packageFilename": "openssl-1.0.1e-16.el6_5.17.i686.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.0.1e-42.el6_7.6", "arch": "x86_64", "packageName": "openssl-static", "packageFilename": "openssl-static-1.0.1e-42.el6_7.6.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.0.1e-16.el6_5.17", "arch": "x86_64", "packageName": "openssl-static", "packageFilename": "openssl-static-1.0.1e-16.el6_5.17.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.0.1e-42.el6_7.6", "arch": "i686", "packageName": "openssl-perl", "packageFilename": "openssl-perl-1.0.1e-42.el6_7.6.i686.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.0.1e-42.el6_7.6", "arch": "ppc", "packageName": "openssl-devel", "packageFilename": "openssl-devel-1.0.1e-42.el6_7.6.ppc.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.0.0-20.el6_2.9", "arch": "x86_64", "packageName": "openssl", "packageFilename": "openssl-1.0.0-20.el6_2.9.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.0.0-27.el6_4.6", "arch": "x86_64", "packageName": "openssl-devel", "packageFilename": "openssl-devel-1.0.0-27.el6_4.6.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.0.1e-42.el6_7.6", "arch": "ppc64", "packageName": "openssl-static", "packageFilename": "openssl-static-1.0.1e-42.el6_7.6.ppc64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.0.1e-42.el6_7.6", "arch": "x86_64", "packageName": "openssl", "packageFilename": "openssl-1.0.1e-42.el6_7.6.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.0.0-27.el6_4.6", "arch": "x86_64", "packageName": "openssl-debuginfo", "packageFilename": "openssl-debuginfo-1.0.0-27.el6_4.6.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.0.0-27.el6_4.6", "arch": "i686", "packageName": "openssl-devel", "packageFilename": "openssl-devel-1.0.0-27.el6_4.6.i686.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.0.1e-42.el6_7.6", "arch": "i686", "packageName": "openssl-static", "packageFilename": "openssl-static-1.0.1e-42.el6_7.6.i686.rpm", "operator": "lt"}], "description": "OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, as well as a full-strength general-purpose cryptography library.\n\nSecurity Fix(es):\n\n* A memory leak flaw was found in the way OpenSSL handled TLS status request extension data during session renegotiation. A remote attacker could cause a TLS server using OpenSSL to consume an excessive amount of memory and, possibly, exit unexpectedly after exhausting all available memory, if it enabled OCSP stapling support. (CVE-2016-6304)\n\nRed Hat would like to thank the OpenSSL project for reporting this issue. Upstream acknowledges Shi Lei (Gear Team of Qihoo 360 Inc.) as the original reporter.", "reporter": "RedHat", "published": "2016-11-17T17:52:35", "type": "redhat", "title": "(RHSA-2016:2802) Important: openssl security update", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "unix", "cvelist": ["CVE-2016-6304"], "_object_type": "robots.models.redhat.RedHatBulletin", "modified": "2016-11-17T17:58:19", "id": "RHSA-2016:2802", "href": "https://access.redhat.com/errata/RHSA-2016:2802", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2018-06-13T00:00:55", "_object_types": ["robots.models.base.Bulletin", "robots.models.redhat.RedHatBulletin"], "references": [], "affectedPackage": [{"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.0.2h-13.jbcs.el6", "arch": "i686", "packageName": "jbcs-httpd24-openssl", "packageFilename": "jbcs-httpd24-openssl-1.0.2h-13.jbcs.el6.i686.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.0.2h-13.jbcs.el6", "arch": "ppc64", "packageName": "jbcs-httpd24-openssl", "packageFilename": "jbcs-httpd24-openssl-1.0.2h-13.jbcs.el6.ppc64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.0.2h-13.jbcs.el6", "arch": "src", "packageName": "jbcs-httpd24-openssl", "packageFilename": "jbcs-httpd24-openssl-1.0.2h-13.jbcs.el6.src.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.0.2h-13.jbcs.el6", "arch": "x86_64", "packageName": "jbcs-httpd24-openssl", "packageFilename": "jbcs-httpd24-openssl-1.0.2h-13.jbcs.el6.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "1.0.2h-13.jbcs.el7", "arch": "ppc64", "packageName": "jbcs-httpd24-openssl", "packageFilename": "jbcs-httpd24-openssl-1.0.2h-13.jbcs.el7.ppc64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "1.0.2h-13.jbcs.el7", "arch": "src", "packageName": "jbcs-httpd24-openssl", "packageFilename": "jbcs-httpd24-openssl-1.0.2h-13.jbcs.el7.src.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "1.0.2h-13.jbcs.el7", "arch": "x86_64", "packageName": "jbcs-httpd24-openssl", "packageFilename": "jbcs-httpd24-openssl-1.0.2h-13.jbcs.el7.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.0.2h-13.jbcs.el6", "arch": "i686", "packageName": "jbcs-httpd24-openssl-debuginfo", "packageFilename": "jbcs-httpd24-openssl-debuginfo-1.0.2h-13.jbcs.el6.i686.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.0.2h-13.jbcs.el6", "arch": "ppc64", "packageName": "jbcs-httpd24-openssl-debuginfo", "packageFilename": "jbcs-httpd24-openssl-debuginfo-1.0.2h-13.jbcs.el6.ppc64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.0.2h-13.jbcs.el6", "arch": "x86_64", "packageName": "jbcs-httpd24-openssl-debuginfo", "packageFilename": "jbcs-httpd24-openssl-debuginfo-1.0.2h-13.jbcs.el6.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "1.0.2h-13.jbcs.el7", "arch": "ppc64", "packageName": "jbcs-httpd24-openssl-debuginfo", "packageFilename": "jbcs-httpd24-openssl-debuginfo-1.0.2h-13.jbcs.el7.ppc64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "1.0.2h-13.jbcs.el7", "arch": "x86_64", "packageName": "jbcs-httpd24-openssl-debuginfo", "packageFilename": "jbcs-httpd24-openssl-debuginfo-1.0.2h-13.jbcs.el7.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.0.2h-13.jbcs.el6", "arch": "i686", "packageName": "jbcs-httpd24-openssl-devel", "packageFilename": "jbcs-httpd24-openssl-devel-1.0.2h-13.jbcs.el6.i686.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.0.2h-13.jbcs.el6", "arch": "ppc64", "packageName": "jbcs-httpd24-openssl-devel", "packageFilename": "jbcs-httpd24-openssl-devel-1.0.2h-13.jbcs.el6.ppc64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.0.2h-13.jbcs.el6", "arch": "x86_64", "packageName": "jbcs-httpd24-openssl-devel", "packageFilename": "jbcs-httpd24-openssl-devel-1.0.2h-13.jbcs.el6.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "1.0.2h-13.jbcs.el7", "arch": "ppc64", "packageName": "jbcs-httpd24-openssl-devel", "packageFilename": "jbcs-httpd24-openssl-devel-1.0.2h-13.jbcs.el7.ppc64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "1.0.2h-13.jbcs.el7", "arch": "x86_64", "packageName": "jbcs-httpd24-openssl-devel", "packageFilename": "jbcs-httpd24-openssl-devel-1.0.2h-13.jbcs.el7.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.0.2h-13.jbcs.el6", "arch": "i686", "packageName": "jbcs-httpd24-openssl-libs", "packageFilename": "jbcs-httpd24-openssl-libs-1.0.2h-13.jbcs.el6.i686.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.0.2h-13.jbcs.el6", "arch": "ppc64", "packageName": "jbcs-httpd24-openssl-libs", "packageFilename": "jbcs-httpd24-openssl-libs-1.0.2h-13.jbcs.el6.ppc64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.0.2h-13.jbcs.el6", "arch": "x86_64", "packageName": "jbcs-httpd24-openssl-libs", "packageFilename": "jbcs-httpd24-openssl-libs-1.0.2h-13.jbcs.el6.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "1.0.2h-13.jbcs.el7", "arch": "ppc64", "packageName": "jbcs-httpd24-openssl-libs", "packageFilename": "jbcs-httpd24-openssl-libs-1.0.2h-13.jbcs.el7.ppc64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "1.0.2h-13.jbcs.el7", "arch": "x86_64", "packageName": "jbcs-httpd24-openssl-libs", "packageFilename": "jbcs-httpd24-openssl-libs-1.0.2h-13.jbcs.el7.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.0.2h-13.jbcs.el6", "arch": "i686", "packageName": "jbcs-httpd24-openssl-perl", "packageFilename": "jbcs-httpd24-openssl-perl-1.0.2h-13.jbcs.el6.i686.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.0.2h-13.jbcs.el6", "arch": "ppc64", "packageName": "jbcs-httpd24-openssl-perl", "packageFilename": "jbcs-httpd24-openssl-perl-1.0.2h-13.jbcs.el6.ppc64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.0.2h-13.jbcs.el6", "arch": "x86_64", "packageName": "jbcs-httpd24-openssl-perl", "packageFilename": "jbcs-httpd24-openssl-perl-1.0.2h-13.jbcs.el6.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "1.0.2h-13.jbcs.el7", "arch": "ppc64", "packageName": "jbcs-httpd24-openssl-perl", "packageFilename": "jbcs-httpd24-openssl-perl-1.0.2h-13.jbcs.el7.ppc64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "1.0.2h-13.jbcs.el7", "arch": "x86_64", "packageName": "jbcs-httpd24-openssl-perl", "packageFilename": "jbcs-httpd24-openssl-perl-1.0.2h-13.jbcs.el7.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.0.2h-13.jbcs.el6", "arch": "i686", "packageName": "jbcs-httpd24-openssl-static", "packageFilename": "jbcs-httpd24-openssl-static-1.0.2h-13.jbcs.el6.i686.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.0.2h-13.jbcs.el6", "arch": "ppc64", "packageName": "jbcs-httpd24-openssl-static", "packageFilename": "jbcs-httpd24-openssl-static-1.0.2h-13.jbcs.el6.ppc64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.0.2h-13.jbcs.el6", "arch": "x86_64", "packageName": "jbcs-httpd24-openssl-static", "packageFilename": "jbcs-httpd24-openssl-static-1.0.2h-13.jbcs.el6.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "1.0.2h-13.jbcs.el7", "arch": "ppc64", "packageName": "jbcs-httpd24-openssl-static", "packageFilename": "jbcs-httpd24-openssl-static-1.0.2h-13.jbcs.el7.ppc64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "1.0.2h-13.jbcs.el7", "arch": "x86_64", "packageName": "jbcs-httpd24-openssl-static", "packageFilename": "jbcs-httpd24-openssl-static-1.0.2h-13.jbcs.el7.x86_64.rpm", "operator": "lt"}], "description": "Red Hat JBoss Enterprise Application Platform is a platform for Java applications based on the JBoss Application Server.\n\nThis release includes bug fixes as well as a new release of OpenSSL. For further information, see the knowledge base article linked to in the References section. All users of Red Hat JBoss Enterprise Application Platform 6.4 on Red Hat Enterprise Linux 7 are advised to upgrade to these updated packages. The JBoss server process must be restarted for the update to take effect.\n\nSecurity Fix(es):\n\n* A memory leak flaw was found in the way OpenSSL handled TLS status request extension data during session renegotiation. A remote attacker could cause a TLS server using OpenSSL to consume an excessive amount of memory and, possibly, exit unexpectedly after exhausting all available memory, if it enabled OCSP stapling support. (CVE-2016-6304)\n\n* It was discovered that OpenSSL did not always use constant time operations when computing Digital Signature Algorithm (DSA) signatures. A local attacker could possibly use this flaw to obtain a private DSA key belonging to another user or service running on the same system. (CVE-2016-2178)\n\n* A denial of service flaw was found in the way the TLS/SSL protocol defined processing of ALERT packets during a connection handshake. A remote attacker could use this flaw to make a TLS/SSL server consume an excessive amount of CPU and fail to accept connections form other clients. (CVE-2016-8610)\n\n* Multiple integer overflow flaws were found in the way OpenSSL performed pointer arithmetic. A remote attacker could possibly use these flaws to cause a TLS/SSL server or client using OpenSSL to crash. (CVE-2016-2177)\n\nRed Hat would like to thank the OpenSSL project for reporting CVE-2016-6304 and Shi Lei (Gear Team of Qihoo 360 Inc.) for reporting CVE-2016-8610. Upstream acknowledges Shi Lei (Gear Team of Qihoo 360 Inc.) as the original reporter of CVE-2016-6304.", "reporter": "RedHat", "published": "2017-06-28T23:58:57", "type": "redhat", "title": "(RHSA-2017:1658) Important: Red Hat JBoss Enterprise Application Platform 6.4.16 natives update", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "unix", "cvelist": ["CVE-2016-2177", "CVE-2016-2178", "CVE-2016-6304", "CVE-2016-8610"], "_object_type": "robots.models.redhat.RedHatBulletin", "modified": "2018-06-07T02:39:08", "id": "RHSA-2017:1658", "href": "https://access.redhat.com/errata/RHSA-2017:1658", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2018-06-06T23:50:25", "_object_types": ["robots.models.base.Bulletin", "robots.models.redhat.RedHatBulletin"], "references": [], "affectedPackage": [{"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.0.2h-13.jbcs.el6", "arch": "i686", "packageName": "jbcs-httpd24-openssl", "packageFilename": "jbcs-httpd24-openssl-1.0.2h-13.jbcs.el6.i686.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.0.2h-13.jbcs.el6", "arch": "src", "packageName": "jbcs-httpd24-openssl", "packageFilename": "jbcs-httpd24-openssl-1.0.2h-13.jbcs.el6.src.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.0.2h-13.jbcs.el6", "arch": "x86_64", "packageName": "jbcs-httpd24-openssl", "packageFilename": "jbcs-httpd24-openssl-1.0.2h-13.jbcs.el6.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "1.0.2h-13.jbcs.el7", "arch": "src", "packageName": "jbcs-httpd24-openssl", "packageFilename": "jbcs-httpd24-openssl-1.0.2h-13.jbcs.el7.src.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "1.0.2h-13.jbcs.el7", "arch": "x86_64", "packageName": "jbcs-httpd24-openssl", "packageFilename": "jbcs-httpd24-openssl-1.0.2h-13.jbcs.el7.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.0.2h-13.jbcs.el6", "arch": "i686", "packageName": "jbcs-httpd24-openssl-debuginfo", "packageFilename": "jbcs-httpd24-openssl-debuginfo-1.0.2h-13.jbcs.el6.i686.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.0.2h-13.jbcs.el6", "arch": "x86_64", "packageName": "jbcs-httpd24-openssl-debuginfo", "packageFilename": "jbcs-httpd24-openssl-debuginfo-1.0.2h-13.jbcs.el6.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "1.0.2h-13.jbcs.el7", "arch": "x86_64", "packageName": "jbcs-httpd24-openssl-debuginfo", "packageFilename": "jbcs-httpd24-openssl-debuginfo-1.0.2h-13.jbcs.el7.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.0.2h-13.jbcs.el6", "arch": "i686", "packageName": "jbcs-httpd24-openssl-devel", "packageFilename": "jbcs-httpd24-openssl-devel-1.0.2h-13.jbcs.el6.i686.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.0.2h-13.jbcs.el6", "arch": "x86_64", "packageName": "jbcs-httpd24-openssl-devel", "packageFilename": "jbcs-httpd24-openssl-devel-1.0.2h-13.jbcs.el6.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "1.0.2h-13.jbcs.el7", "arch": "x86_64", "packageName": "jbcs-httpd24-openssl-devel", "packageFilename": "jbcs-httpd24-openssl-devel-1.0.2h-13.jbcs.el7.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.0.2h-13.jbcs.el6", "arch": "i686", "packageName": "jbcs-httpd24-openssl-libs", "packageFilename": "jbcs-httpd24-openssl-libs-1.0.2h-13.jbcs.el6.i686.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.0.2h-13.jbcs.el6", "arch": "x86_64", "packageName": "jbcs-httpd24-openssl-libs", "packageFilename": "jbcs-httpd24-openssl-libs-1.0.2h-13.jbcs.el6.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "1.0.2h-13.jbcs.el7", "arch": "x86_64", "packageName": "jbcs-httpd24-openssl-libs", "packageFilename": "jbcs-httpd24-openssl-libs-1.0.2h-13.jbcs.el7.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.0.2h-13.jbcs.el6", "arch": "i686", "packageName": "jbcs-httpd24-openssl-perl", "packageFilename": "jbcs-httpd24-openssl-perl-1.0.2h-13.jbcs.el6.i686.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.0.2h-13.jbcs.el6", "arch": "x86_64", "packageName": "jbcs-httpd24-openssl-perl", "packageFilename": "jbcs-httpd24-openssl-perl-1.0.2h-13.jbcs.el6.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "1.0.2h-13.jbcs.el7", "arch": "x86_64", "packageName": "jbcs-httpd24-openssl-perl", "packageFilename": "jbcs-httpd24-openssl-perl-1.0.2h-13.jbcs.el7.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.0.2h-13.jbcs.el6", "arch": "i686", "packageName": "jbcs-httpd24-openssl-static", "packageFilename": "jbcs-httpd24-openssl-static-1.0.2h-13.jbcs.el6.i686.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.0.2h-13.jbcs.el6", "arch": "x86_64", "packageName": "jbcs-httpd24-openssl-static", "packageFilename": "jbcs-httpd24-openssl-static-1.0.2h-13.jbcs.el6.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "1.0.2h-13.jbcs.el7", "arch": "x86_64", "packageName": "jbcs-httpd24-openssl-static", "packageFilename": "jbcs-httpd24-openssl-static-1.0.2h-13.jbcs.el7.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "6.0.41-17_patch_04.ep6.el6", "arch": "noarch", "packageName": "tomcat6", "packageFilename": "tomcat6-6.0.41-17_patch_04.ep6.el6.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "6.0.41-17_patch_04.ep6.el6", "arch": "src", "packageName": "tomcat6", "packageFilename": "tomcat6-6.0.41-17_patch_04.ep6.el6.src.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "6.0.41-17_patch_04.ep6.el7", "arch": "noarch", "packageName": "tomcat6", "packageFilename": "tomcat6-6.0.41-17_patch_04.ep6.el7.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "6.0.41-17_patch_04.ep6.el7", "arch": "src", "packageName": "tomcat6", "packageFilename": "tomcat6-6.0.41-17_patch_04.ep6.el7.src.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "6.0.41-17_patch_04.ep6.el6", "arch": "noarch", "packageName": "tomcat6-admin-webapps", "packageFilename": "tomcat6-admin-webapps-6.0.41-17_patch_04.ep6.el6.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "6.0.41-17_patch_04.ep6.el7", "arch": "noarch", "packageName": "tomcat6-admin-webapps", "packageFilename": "tomcat6-admin-webapps-6.0.41-17_patch_04.ep6.el7.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "6.0.41-17_patch_04.ep6.el6", "arch": "noarch", "packageName": "tomcat6-docs-webapp", "packageFilename": "tomcat6-docs-webapp-6.0.41-17_patch_04.ep6.el6.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "6.0.41-17_patch_04.ep6.el7", "arch": "noarch", "packageName": "tomcat6-docs-webapp", "packageFilename": "tomcat6-docs-webapp-6.0.41-17_patch_04.ep6.el7.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "6.0.41-17_patch_04.ep6.el6", "arch": "noarch", "packageName": "tomcat6-el-2.1-api", "packageFilename": "tomcat6-el-2.1-api-6.0.41-17_patch_04.ep6.el6.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "6.0.41-17_patch_04.ep6.el7", "arch": "noarch", "packageName": "tomcat6-el-2.1-api", "packageFilename": "tomcat6-el-2.1-api-6.0.41-17_patch_04.ep6.el7.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "6.0.41-17_patch_04.ep6.el6", "arch": "noarch", "packageName": "tomcat6-javadoc", "packageFilename": "tomcat6-javadoc-6.0.41-17_patch_04.ep6.el6.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "6.0.41-17_patch_04.ep6.el7", "arch": "noarch", "packageName": "tomcat6-javadoc", "packageFilename": "tomcat6-javadoc-6.0.41-17_patch_04.ep6.el7.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "6.0.41-17_patch_04.ep6.el6", "arch": "noarch", "packageName": "tomcat6-jsp-2.1-api", "packageFilename": "tomcat6-jsp-2.1-api-6.0.41-17_patch_04.ep6.el6.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "6.0.41-17_patch_04.ep6.el7", "arch": "noarch", "packageName": "tomcat6-jsp-2.1-api", "packageFilename": "tomcat6-jsp-2.1-api-6.0.41-17_patch_04.ep6.el7.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "6.0.41-17_patch_04.ep6.el6", "arch": "noarch", "packageName": "tomcat6-lib", "packageFilename": "tomcat6-lib-6.0.41-17_patch_04.ep6.el6.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "6.0.41-17_patch_04.ep6.el7", "arch": "noarch", "packageName": "tomcat6-lib", "packageFilename": "tomcat6-lib-6.0.41-17_patch_04.ep6.el7.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "6.0.41-17_patch_04.ep6.el6", "arch": "noarch", "packageName": "tomcat6-log4j", "packageFilename": "tomcat6-log4j-6.0.41-17_patch_04.ep6.el6.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "6.0.41-17_patch_04.ep6.el7", "arch": "noarch", "packageName": "tomcat6-log4j", "packageFilename": "tomcat6-log4j-6.0.41-17_patch_04.ep6.el7.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "6.0.41-17_patch_04.ep6.el6", "arch": "noarch", "packageName": "tomcat6-maven-devel", "packageFilename": "tomcat6-maven-devel-6.0.41-17_patch_04.ep6.el6.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "6.0.41-17_patch_04.ep6.el7", "arch": "noarch", "packageName": "tomcat6-maven-devel", "packageFilename": "tomcat6-maven-devel-6.0.41-17_patch_04.ep6.el7.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "6.0.41-17_patch_04.ep6.el6", "arch": "noarch", "packageName": "tomcat6-servlet-2.5-api", "packageFilename": "tomcat6-servlet-2.5-api-6.0.41-17_patch_04.ep6.el6.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "6.0.41-17_patch_04.ep6.el7", "arch": "noarch", "packageName": "tomcat6-servlet-2.5-api", "packageFilename": "tomcat6-servlet-2.5-api-6.0.41-17_patch_04.ep6.el7.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "6.0.41-17_patch_04.ep6.el6", "arch": "noarch", "packageName": "tomcat6-webapps", "packageFilename": "tomcat6-webapps-6.0.41-17_patch_04.ep6.el6.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "6.0.41-17_patch_04.ep6.el7", "arch": "noarch", "packageName": "tomcat6-webapps", "packageFilename": "tomcat6-webapps-6.0.41-17_patch_04.ep6.el7.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "7.0.54-25_patch_05.ep6.el6", "arch": "noarch", "packageName": "tomcat7", "packageFilename": "tomcat7-7.0.54-25_patch_05.ep6.el6.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "7.0.54-25_patch_05.ep6.el6", "arch": "src", "packageName": "tomcat7", "packageFilename": "tomcat7-7.0.54-25_patch_05.ep6.el6.src.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "7.0.54-25_patch_05.ep6.el7", "arch": "noarch", "packageName": "tomcat7", "packageFilename": "tomcat7-7.0.54-25_patch_05.ep6.el7.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "7.0.54-25_patch_05.ep6.el7", "arch": "src", "packageName": "tomcat7", "packageFilename": "tomcat7-7.0.54-25_patch_05.ep6.el7.src.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "7.0.54-25_patch_05.ep6.el6", "arch": "noarch", "packageName": "tomcat7-admin-webapps", "packageFilename": "tomcat7-admin-webapps-7.0.54-25_patch_05.ep6.el6.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "7.0.54-25_patch_05.ep6.el7", "arch": "noarch", "packageName": "tomcat7-admin-webapps", "packageFilename": "tomcat7-admin-webapps-7.0.54-25_patch_05.ep6.el7.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "7.0.54-25_patch_05.ep6.el6", "arch": "noarch", "packageName": "tomcat7-docs-webapp", "packageFilename": "tomcat7-docs-webapp-7.0.54-25_patch_05.ep6.el6.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "7.0.54-25_patch_05.ep6.el7", "arch": "noarch", "packageName": "tomcat7-docs-webapp", "packageFilename": "tomcat7-docs-webapp-7.0.54-25_patch_05.ep6.el7.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "7.0.54-25_patch_05.ep6.el6", "arch": "noarch", "packageName": "tomcat7-el-2.2-api", "packageFilename": "tomcat7-el-2.2-api-7.0.54-25_patch_05.ep6.el6.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "7.0.54-25_patch_05.ep6.el7", "arch": "noarch", "packageName": "tomcat7-el-2.2-api", "packageFilename": "tomcat7-el-2.2-api-7.0.54-25_patch_05.ep6.el7.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "7.0.54-25_patch_05.ep6.el6", "arch": "noarch", "packageName": "tomcat7-javadoc", "packageFilename": "tomcat7-javadoc-7.0.54-25_patch_05.ep6.el6.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "7.0.54-25_patch_05.ep6.el7", "arch": "noarch", "packageName": "tomcat7-javadoc", "packageFilename": "tomcat7-javadoc-7.0.54-25_patch_05.ep6.el7.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "7.0.54-25_patch_05.ep6.el6", "arch": "noarch", "packageName": "tomcat7-jsp-2.2-api", "packageFilename": "tomcat7-jsp-2.2-api-7.0.54-25_patch_05.ep6.el6.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "7.0.54-25_patch_05.ep6.el7", "arch": "noarch", "packageName": "tomcat7-jsp-2.2-api", "packageFilename": "tomcat7-jsp-2.2-api-7.0.54-25_patch_05.ep6.el7.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "7.0.54-25_patch_05.ep6.el6", "arch": "noarch", "packageName": "tomcat7-lib", "packageFilename": "tomcat7-lib-7.0.54-25_patch_05.ep6.el6.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "7.0.54-25_patch_05.ep6.el7", "arch": "noarch", "packageName": "tomcat7-lib", "packageFilename": "tomcat7-lib-7.0.54-25_patch_05.ep6.el7.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "7.0.54-25_patch_05.ep6.el6", "arch": "noarch", "packageName": "tomcat7-log4j", "packageFilename": "tomcat7-log4j-7.0.54-25_patch_05.ep6.el6.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "7.0.54-25_patch_05.ep6.el7", "arch": "noarch", "packageName": "tomcat7-log4j", "packageFilename": "tomcat7-log4j-7.0.54-25_patch_05.ep6.el7.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "7.0.54-25_patch_05.ep6.el6", "arch": "noarch", "packageName": "tomcat7-maven-devel", "packageFilename": "tomcat7-maven-devel-7.0.54-25_patch_05.ep6.el6.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "7.0.54-25_patch_05.ep6.el7", "arch": "noarch", "packageName": "tomcat7-maven-devel", "packageFilename": "tomcat7-maven-devel-7.0.54-25_patch_05.ep6.el7.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "7.0.54-25_patch_05.ep6.el6", "arch": "noarch", "packageName": "tomcat7-servlet-3.0-api", "packageFilename": "tomcat7-servlet-3.0-api-7.0.54-25_patch_05.ep6.el6.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "7.0.54-25_patch_05.ep6.el7", "arch": "noarch", "packageName": "tomcat7-servlet-3.0-api", "packageFilename": "tomcat7-servlet-3.0-api-7.0.54-25_patch_05.ep6.el7.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "7.0.54-25_patch_05.ep6.el6", "arch": "noarch", "packageName": "tomcat7-webapps", "packageFilename": "tomcat7-webapps-7.0.54-25_patch_05.ep6.el6.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "7.0.54-25_patch_05.ep6.el7", "arch": "noarch", "packageName": "tomcat7-webapps", "packageFilename": "tomcat7-webapps-7.0.54-25_patch_05.ep6.el7.noarch.rpm", "operator": "lt"}], "description": "OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, as well as a full-strength general-purpose cryptography library.\n\nApache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies.\n\nThis release provides an update to OpenSSL and Tomcat 6/7 for Red Hat JBoss Web Server 2.1.2. The updates are documented in the Release Notes document linked to in the References.\n\nUsers of Red Hat JBoss Web Server 2.1.2 should upgrade to these updated packages, which resolve several security issues.\n\nSecurity Fix(es):\n\n* A memory leak flaw was found in the way OpenSSL handled TLS status request extension data during session renegotiation. A remote attacker could cause a TLS server using OpenSSL to consume an excessive amount of memory and, possibly, exit unexpectedly after exhausting all available memory, if it enabled OCSP stapling support. (CVE-2016-6304)\n\n* A vulnerability was discovered in tomcat's handling of pipelined requests when \"Sendfile\" was used. If sendfile processing completed quickly, it was possible for the Processor to be added to the processor cache twice. This could lead to invalid responses or information disclosure. (CVE-2017-5647)\n\n* A vulnerability was discovered in the error page mechanism in Tomcat's DefaultServlet implementation. A crafted HTTP request could cause undesired side effects, possibly including the removal or replacement of the custom error page. (CVE-2017-5664)\n\n* A denial of service flaw was found in the way the TLS/SSL protocol defined processing of ALERT packets during a connection handshake. A remote attacker could use this flaw to make a TLS/SSL server consume an excessive amount of CPU and fail to accept connections from other clients. (CVE-2016-8610)\n\nRed Hat would like to thank the OpenSSL project for reporting CVE-2016-6304 and Shi Lei (Gear Team of Qihoo 360 Inc.) for reporting CVE-2016-8610. Upstream acknowledges Shi Lei (Gear Team of Qihoo 360 Inc.) as the original reporter of CVE-2016-6304.", "reporter": "RedHat", "published": "2017-08-21T19:21:19", "type": "redhat", "title": "(RHSA-2017:2493) Important: Red Hat JBoss Web Server 2 security update", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "unix", "cvelist": ["CVE-2016-6304", "CVE-2016-8610", "CVE-2017-5647", "CVE-2017-5664"], "_object_type": "robots.models.redhat.RedHatBulletin", "modified": "2018-06-07T02:42:47", "id": "RHSA-2017:2493", "href": "https://access.redhat.com/errata/RHSA-2017:2493", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2017-08-21T16:13:27", "_object_types": ["robots.models.base.Bulletin", "robots.models.redhat.RedHatBulletin"], "references": [], "affectedPackage": [], "description": "OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, as well as a full-strength general-purpose cryptography library.\n\nApache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies.\n\nThis release provides an update to OpenSSL and Tomcat 6/7 for Red Hat JBoss Web Server 2.1.2. The updates are documented in the Release Notes document linked to in the References.\n\nUsers of Red Hat JBoss Web Server 2.1.2 should upgrade to these updated packages, which resolve several security issues.\n\nSecurity Fix(es):\n\n* A memory leak flaw was found in the way OpenSSL handled TLS status request extension data during session renegotiation. A remote attacker could cause a TLS server using OpenSSL to consume an excessive amount of memory and, possibly, exit unexpectedly after exhausting all available memory, if it enabled OCSP stapling support. (CVE-2016-6304)\n\n* A vulnerability was discovered in tomcat's handling of pipelined requests when \"Sendfile\" was used. If sendfile processing completed quickly, it was possible for the Processor to be added to the processor cache twice. This could lead to invalid responses or information disclosure. (CVE-2017-5647)\n\n* A vulnerability was discovered in the error page mechanism in Tomcat's DefaultServlet implementation. A crafted HTTP request could cause undesired side effects, possibly including the removal or replacement of the custom error page. (CVE-2017-5664)\n\n* A denial of service flaw was found in the way the TLS/SSL protocol defined processing of ALERT packets during a connection handshake. A remote attacker could use this flaw to make a TLS/SSL server consume an excessive amount of CPU and fail to accept connections from other clients. (CVE-2016-8610)\n\nRed Hat would like to thank the OpenSSL project for reporting CVE-2016-6304 and Shi Lei (Gear Team of Qihoo 360 Inc.) for reporting CVE-2016-8610. Upstream acknowledges Shi Lei (Gear Team of Qihoo 360 Inc.) as the original reporter of CVE-2016-6304.", "reporter": "RedHat", "published": "2017-08-21T19:21:48", "type": "redhat", "title": "(RHSA-2017:2494) Important: Red Hat JBoss Web Server 2 security update", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "unix", "cvelist": ["CVE-2016-6304", "CVE-2016-8610", "CVE-2017-5647", "CVE-2017-5664"], "_object_type": "robots.models.redhat.RedHatBulletin", "modified": "2017-08-21T19:22:08", "id": "RHSA-2017:2494", "href": "https://access.redhat.com/errata/RHSA-2017:2494", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2017-07-26T22:57:51", "_object_types": ["robots.models.base.Bulletin", "robots.models.redhat.RedHatBulletin"], "references": [], "affectedPackage": [], "description": "Red Hat JBoss Enterprise Application Platform is a platform for Java applications based on the JBoss Application Server.\n\nThis release includes bug fixes as well as a new release of OpenSSL that addresses a number of outstanding security flaws. For further information, see the knowledge base article linked to in the References section. All users of Red Hat JBoss Enterprise Application Platform 6.4 on Red Hat Enterprise Linux 6 are advised to upgrade to these updated packages.\n\nSecurity Fix(es):\n\n* A memory leak flaw was found in the way OpenSSL handled TLS status request extension data during session renegotiation. A remote attacker could cause a TLS server using OpenSSL to consume an excessive amount of memory and, possibly, exit unexpectedly after exhausting all available memory, if it enabled OCSP stapling support. (CVE-2016-6304)\n\n* It was discovered that OpenSSL did not always use constant time operations when computing Digital Signature Algorithm (DSA) signatures. A local attacker could possibly use this flaw to obtain a private DSA key belonging to another user or service running on the same system. (CVE-2016-2178)\n\n* A denial of service flaw was found in the way the TLS/SSL protocol defined processing of ALERT packets during a connection handshake. A remote attacker could use this flaw to make a TLS/SSL server consume an excessive amount of CPU and fail to accept connections form other clients. (CVE-2016-8610)\n\n* Multiple integer overflow flaws were found in the way OpenSSL performed pointer arithmetic. A remote attacker could possibly use these flaws to cause a TLS/SSL server or client using OpenSSL to crash. (CVE-2016-2177)\n\nRed Hat would like to thank the OpenSSL project for reporting CVE-2016-6304 and Shi Lei (Gear Team of Qihoo 360 Inc.) for reporting CVE-2016-8610. Upstream acknowledges Shi Lei (Gear Team of Qihoo 360 Inc.) as the original reporter of CVE-2016-6304.", "reporter": "RedHat", "published": "2017-06-28T23:59:12", "type": "redhat", "title": "(RHSA-2017:1659) Important: Red Hat JBoss Enterprise Application Platform 6.4.16 natives update", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "unix", "cvelist": ["CVE-2016-2177", "CVE-2016-2178", "CVE-2016-6304", "CVE-2016-8610"], "_object_type": "robots.models.redhat.RedHatBulletin", "modified": "2017-07-25T00:07:41", "id": "RHSA-2017:1659", "href": "https://access.redhat.com/errata/RHSA-2017:1659", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2017-12-25T20:05:03", "_object_types": ["robots.models.base.Bulletin", "robots.models.redhat.RedHatBulletin"], "references": [], "affectedPackage": [], "description": "Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector (mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat Native library.\n\nThis release of Red Hat JBoss Web Server 3.1 Service Pack 1 serves as a replacement for Red Hat JBoss Web Server 3.1, and includes bug fixes, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* It was found that when using remote logging with log4j socket server the log4j server would deserialize any log event received via TCP or UDP. An attacker could use this flaw to send a specially crafted log event that, during deserialization, would execute arbitrary code in the context of the logger application. (CVE-2017-5645)\n\n* A vulnerability was discovered in tomcat's handling of pipelined requests when \"Sendfile\" was used. If sendfile processing completed quickly, it was possible for the Processor to be added to the processor cache twice. This could lead to invalid responses or information disclosure. (CVE-2017-5647)\n\n* A vulnerability was discovered in the error page mechanism in Tomcat's DefaultServlet implementation. A crafted HTTP request could cause undesired side effects, possibly including the removal or replacement of the custom error page. (CVE-2017-5664)\n\n* A vulnerability was discovered in tomcat. When running an untrusted application under a SecurityManager it was possible, under some circumstances, for that application to retain references to the request or response objects and thereby access and/or modify information associated with another web application. (CVE-2017-5648)", "reporter": "RedHat", "published": "2017-07-25T21:45:08", "type": "redhat", "title": "(RHSA-2017:1802) Important: Red Hat JBoss Web Server Service Pack 1 security update", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "bulletinFamily": "unix", "cvelist": ["CVE-2016-6304", "CVE-2016-7056", "CVE-2016-8610", "CVE-2017-5645", "CVE-2017-5647", "CVE-2017-5648", "CVE-2017-5664", "CVE-2017-7674"], "_object_type": "robots.models.redhat.RedHatBulletin", "modified": "2017-12-19T18:18:19", "id": "RHSA-2017:1802", "href": "https://access.redhat.com/errata/RHSA-2017:1802", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2017-07-26T22:57:59", "_object_types": ["robots.models.base.Bulletin", "robots.models.redhat.RedHatBulletin"], "references": [], "affectedPackage": [], "description": "Red Hat JBoss Core Services is a set of supplementary software for Red Hat JBoss middleware products. This software, such as Apache HTTP Server, is common to multiple JBoss middleware products, and is packaged under Red Hat JBoss Core Services to allow for faster distribution of updates, and for a more consistent update experience.\n\nThis release of Red Hat JBoss Core Services Apache HTTP Server 2.4.23 Service Pack 1 serves as a replacement for Red Hat JBoss Core Services Apache HTTP Server 2.4.23, and includes bug fixes, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* A memory leak flaw was found in the way OpenSSL handled TLS status request extension data during session renegotiation. A remote attacker could cause a TLS server using OpenSSL to consume an excessive amount of memory and, possibly, exit unexpectedly after exhausting all available memory, if it enabled OCSP stapling support. (CVE-2016-6304)\n\n* It was discovered that the mod_session_crypto module of httpd did not use any mechanisms to verify integrity of the encrypted session data stored in the user's browser. A remote attacker could use this flaw to decrypt and modify session data using a padding oracle attack. (CVE-2016-0736)\n\n* It was discovered that the mod_auth_digest module of httpd did not properly check for memory allocation failures. A remote attacker could use this flaw to cause httpd child processes to repeatedly crash if the server used HTTP digest authentication. (CVE-2016-2161)\n\n* A timing attack flaw was found in OpenSSL that could allow a malicious user with local access to recover ECDSA P-256 private keys. (CVE-2016-7056)\n\n* A denial of service flaw was found in the way the TLS/SSL protocol defined processing of ALERT packets during a connection handshake. A remote attacker could use this flaw to make a TLS/SSL server consume an excessive amount of CPU and fail to accept connections from other clients. (CVE-2016-8610)\n\n* It was discovered that the HTTP parser in httpd incorrectly allowed certain characters not permitted by the HTTP protocol specification to appear unencoded in HTTP request headers. If httpd was used in conjunction with a proxy or backend server that interpreted those characters differently, a remote attacker could possibly use this flaw to inject data into HTTP responses, resulting in proxy cache poisoning. (CVE-2016-8743)\n\n* A vulnerability was found in httpd's handling of the LimitRequestFields directive in mod_http2, affecting servers with HTTP/2 enabled. An attacker could send crafted requests with headers larger than the server's available memory, causing httpd to crash. (CVE-2016-8740)\n\nRed Hat would like to thank the OpenSSL project for reporting CVE-2016-6304 and Shi Lei (Gear Team of Qihoo 360 Inc.) for reporting CVE-2016-8610. Upstream acknowledges Shi Lei (Gear Team of Qihoo 360 Inc.) as the original reporter of CVE-2016-6304.", "reporter": "RedHat", "published": "2017-06-07T21:34:13", "type": "redhat", "title": "(RHSA-2017:1415) Important: Red Hat JBoss Core Services Apache HTTP Server 2.4.23 Service Pack 1", "enchantments": {"score": {"vector": "NONE", "value": 2.1}}, "bulletinFamily": "unix", "cvelist": ["CVE-2016-0736", "CVE-2016-2161", "CVE-2016-6304", "CVE-2016-7056", "CVE-2016-8610", "CVE-2016-8740", "CVE-2016-8743"], "_object_type": "robots.models.redhat.RedHatBulletin", "modified": "2017-07-25T00:12:41", "id": "RHSA-2017:1415", "href": "https://access.redhat.com/errata/RHSA-2017:1415", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2017-06-07T17:59:49", "_object_types": ["robots.models.base.Bulletin", "robots.models.redhat.RedHatBulletin"], "references": [], "affectedPackage": [{"OS": "RedHat", "OSVersion": "7", "packageVersion": "2.4.23-120.jbcs.el7", "packageFilename": "jbcs-httpd24-httpd-devel-2.4.23-120.jbcs.el7.ppc64.rpm", "packageName": "jbcs-httpd24-httpd-devel", "arch": "ppc64", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "2.4.23-120.jbcs.el7", "packageFilename": "jbcs-httpd24-mod_ssl-2.4.23-120.jbcs.el7.ppc64.rpm", "packageName": "jbcs-httpd24-mod_ssl", "arch": "ppc64", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "2.4.23-120.jbcs.el7", "packageFilename": "jbcs-httpd24-httpd-libs-2.4.23-120.jbcs.el7.x86_64.rpm", "packageName": "jbcs-httpd24-httpd-libs", "arch": "x86_64", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "1.0.2h-13.jbcs.el7", "packageFilename": "jbcs-httpd24-openssl-devel-1.0.2h-13.jbcs.el7.x86_64.rpm", "packageName": "jbcs-httpd24-openssl-devel", "arch": "x86_64", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "1.0.2h-13.jbcs.el7", "packageFilename": "jbcs-httpd24-openssl-static-1.0.2h-13.jbcs.el7.x86_64.rpm", "packageName": "jbcs-httpd24-openssl-static", "arch": "x86_64", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "2.9.1-19.GA.jbcs.el7", "packageFilename": "jbcs-httpd24-mod_security-debuginfo-2.9.1-19.GA.jbcs.el7.x86_64.rpm", "packageName": "jbcs-httpd24-mod_security-debuginfo", "arch": "x86_64", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "2.4.23-120.jbcs.el7", "packageFilename": "jbcs-httpd24-mod_session-2.4.23-120.jbcs.el7.x86_64.rpm", "packageName": "jbcs-httpd24-mod_session", "arch": "x86_64", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "2.4.23-120.jbcs.el7", "packageFilename": "jbcs-httpd24-httpd-debuginfo-2.4.23-120.jbcs.el7.x86_64.rpm", "packageName": "jbcs-httpd24-httpd-debuginfo", "arch": "x86_64", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "2.4.23-120.jbcs.el7", "packageFilename": "jbcs-httpd24-httpd-manual-2.4.23-120.jbcs.el7.noarch.rpm", "packageName": "jbcs-httpd24-httpd-manual", "arch": "noarch", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "2.4.23-120.jbcs.el7", "packageFilename": "jbcs-httpd24-httpd-debuginfo-2.4.23-120.jbcs.el7.ppc64.rpm", "packageName": "jbcs-httpd24-httpd-debuginfo", "arch": "ppc64", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "1.0.2h-13.jbcs.el7", "packageFilename": "jbcs-httpd24-openssl-perl-1.0.2h-13.jbcs.el7.x86_64.rpm", "packageName": "jbcs-httpd24-openssl-perl", "arch": "x86_64", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "2.4.23-120.jbcs.el7", "packageFilename": "jbcs-httpd24-httpd-selinux-2.4.23-120.jbcs.el7.ppc64.rpm", "packageName": "jbcs-httpd24-httpd-selinux", "arch": "ppc64", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "1.0.2h-13.jbcs.el7", "packageFilename": "jbcs-httpd24-openssl-static-1.0.2h-13.jbcs.el7.ppc64.rpm", "packageName": "jbcs-httpd24-openssl-static", "arch": "ppc64", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "1.0.2h-13.jbcs.el7", "packageFilename": "jbcs-httpd24-openssl-1.0.2h-13.jbcs.el7.ppc64.rpm", "packageName": "jbcs-httpd24-openssl", "arch": "ppc64", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "2.9.1-19.GA.jbcs.el7", "packageFilename": "jbcs-httpd24-mod_security-2.9.1-19.GA.jbcs.el7.ppc64.rpm", "packageName": "jbcs-httpd24-mod_security", "arch": "ppc64", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "1.0.2h-13.jbcs.el7", "packageFilename": "jbcs-httpd24-openssl-debuginfo-1.0.2h-13.jbcs.el7.x86_64.rpm", "packageName": "jbcs-httpd24-openssl-debuginfo", "arch": "x86_64", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "2.4.23-120.jbcs.el7", "packageFilename": "jbcs-httpd24-mod_ldap-2.4.23-120.jbcs.el7.ppc64.rpm", "packageName": "jbcs-httpd24-mod_ldap", "arch": "ppc64", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "1.0.2h-13.jbcs.el7", "packageFilename": "jbcs-httpd24-openssl-1.0.2h-13.jbcs.el7.x86_64.rpm", "packageName": "jbcs-httpd24-openssl", "arch": "x86_64", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "1.0.2h-13.jbcs.el7", "packageFilename": "jbcs-httpd24-openssl-1.0.2h-13.jbcs.el7.src.rpm", "packageName": "jbcs-httpd24-openssl", "arch": "src", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "1.0.2h-13.jbcs.el7", "packageFilename": "jbcs-httpd24-openssl-devel-1.0.2h-13.jbcs.el7.ppc64.rpm", "packageName": "jbcs-httpd24-openssl-devel", "arch": "ppc64", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "2.4.23-120.jbcs.el7", "packageFilename": "jbcs-httpd24-mod_ssl-2.4.23-120.jbcs.el7.x86_64.rpm", "packageName": "jbcs-httpd24-mod_ssl", "arch": "x86_64", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "1.0.2h-13.jbcs.el7", "packageFilename": "jbcs-httpd24-openssl-perl-1.0.2h-13.jbcs.el7.ppc64.rpm", "packageName": "jbcs-httpd24-openssl-perl", "arch": "ppc64", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "2.4.23-120.jbcs.el7", "packageFilename": "jbcs-httpd24-httpd-2.4.23-120.jbcs.el7.x86_64.rpm", "packageName": "jbcs-httpd24-httpd", "arch": "x86_64", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "2.9.1-19.GA.jbcs.el7", "packageFilename": "jbcs-httpd24-mod_security-debuginfo-2.9.1-19.GA.jbcs.el7.ppc64.rpm", "packageName": "jbcs-httpd24-mod_security-debuginfo", "arch": "ppc64", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "1.0.2h-13.jbcs.el7", "packageFilename": "jbcs-httpd24-openssl-libs-1.0.2h-13.jbcs.el7.ppc64.rpm", "packageName": "jbcs-httpd24-openssl-libs", "arch": "ppc64", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "2.4.23-120.jbcs.el7", "packageFilename": "jbcs-httpd24-httpd-selinux-2.4.23-120.jbcs.el7.x86_64.rpm", "packageName": "jbcs-httpd24-httpd-selinux", "arch": "x86_64", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "2.4.23-120.jbcs.el7", "packageFilename": "jbcs-httpd24-mod_session-2.4.23-120.jbcs.el7.ppc64.rpm", "packageName": "jbcs-httpd24-mod_session", "arch": "ppc64", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "2.4.23-120.jbcs.el7", "packageFilename": "jbcs-httpd24-httpd-2.4.23-120.jbcs.el7.src.rpm", "packageName": "jbcs-httpd24-httpd", "arch": "src", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "2.4.23-120.jbcs.el7", "packageFilename": "jbcs-httpd24-httpd-devel-2.4.23-120.jbcs.el7.x86_64.rpm", "packageName": "jbcs-httpd24-httpd-devel", "arch": "x86_64", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "2.4.23-120.jbcs.el7", "packageFilename": "jbcs-httpd24-httpd-libs-2.4.23-120.jbcs.el7.ppc64.rpm", "packageName": "jbcs-httpd24-httpd-libs", "arch": "ppc64", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "2.4.23-120.jbcs.el7", "packageFilename": "jbcs-httpd24-mod_proxy_html-2.4.23-120.jbcs.el7.x86_64.rpm", "packageName": "jbcs-httpd24-mod_proxy_html", "arch": "x86_64", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "2.4.23-120.jbcs.el7", "packageFilename": "jbcs-httpd24-mod_proxy_html-2.4.23-120.jbcs.el7.ppc64.rpm", "packageName": "jbcs-httpd24-mod_proxy_html", "arch": "ppc64", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "2.9.1-19.GA.jbcs.el7", "packageFilename": "jbcs-httpd24-mod_security-2.9.1-19.GA.jbcs.el7.src.rpm", "packageName": "jbcs-httpd24-mod_security", "arch": "src", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "2.4.23-120.jbcs.el7", "packageFilename": "jbcs-httpd24-httpd-tools-2.4.23-120.jbcs.el7.x86_64.rpm", "packageName": "jbcs-httpd24-httpd-tools", "arch": "x86_64", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "1.0.2h-13.jbcs.el7", "packageFilename": "jbcs-httpd24-openssl-libs-1.0.2h-13.jbcs.el7.x86_64.rpm", "packageName": "jbcs-httpd24-openssl-libs", "arch": "x86_64", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "1.0.2h-13.jbcs.el7", "packageFilename": "jbcs-httpd24-openssl-debuginfo-1.0.2h-13.jbcs.el7.ppc64.rpm", "packageName": "jbcs-httpd24-openssl-debuginfo", "arch": "ppc64", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "2.9.1-19.GA.jbcs.el7", "packageFilename": "jbcs-httpd24-mod_security-2.9.1-19.GA.jbcs.el7.x86_64.rpm", "packageName": "jbcs-httpd24-mod_security", "arch": "x86_64", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "2.4.23-120.jbcs.el7", "packageFilename": "jbcs-httpd24-mod_ldap-2.4.23-120.jbcs.el7.x86_64.rpm", "packageName": "jbcs-httpd24-mod_ldap", "arch": "x86_64", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "2.4.23-120.jbcs.el7", "packageFilename": "jbcs-httpd24-httpd-2.4.23-120.jbcs.el7.ppc64.rpm", "packageName": "jbcs-httpd24-httpd", "arch": "ppc64", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "2.4.23-120.jbcs.el7", "packageFilename": "jbcs-httpd24-httpd-tools-2.4.23-120.jbcs.el7.ppc64.rpm", "packageName": "jbcs-httpd24-httpd-tools", "arch": "ppc64", "operator": "lt"}], "description": "Red Hat JBoss Core Services is a set of supplementary software for Red Hat JBoss middleware products. This software, such as Apache HTTP Server, is common to multiple JBoss middleware products, and is packaged under Red Hat JBoss Core Services to allow for faster distribution of updates, and for a more consistent update experience.\n\nThis release of Red Hat JBoss Core Services Apache HTTP Server 2.4.23 Service Pack 1 serves as a replacement for Red Hat JBoss Core Services Apache HTTP Server 2.4.23, and includes bug fixes, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* A memory leak flaw was found in the way OpenSSL handled TLS status request extension data during session renegotiation. A remote attacker could cause a TLS server using OpenSSL to consume an excessive amount of memory and, possibly, exit unexpectedly after exhausting all available memory, if it enabled OCSP stapling support. (CVE-2016-6304)\n\n* It was discovered that the mod_session_crypto module of httpd did not use any mechanisms to verify integrity of the encrypted session data stored in the user's browser. A remote attacker could use this flaw to decrypt and modify session data using a padding oracle attack. (CVE-2016-0736)\n\n* It was discovered that the mod_auth_digest module of httpd did not properly check for memory allocation failures. A remote attacker could use this flaw to cause httpd child processes to repeatedly crash if the server used HTTP digest authentication. (CVE-2016-2161)\n\n* A timing attack flaw was found in OpenSSL that could allow a malicious user with local access to recover ECDSA P-256 private keys. (CVE-2016-7056)\n\n* A denial of service flaw was found in the way the TLS/SSL protocol defined processing of ALERT packets during a connection handshake. A remote attacker could use this flaw to make a TLS/SSL server consume an excessive amount of CPU and fail to accept connections from other clients. (CVE-2016-8610)\n\n* It was discovered that the HTTP parser in httpd incorrectly allowed certain characters not permitted by the HTTP protocol specification to appear unencoded in HTTP request headers. If httpd was used in conjunction with a proxy or backend server that interpreted those characters differently, a remote attacker could possibly use this flaw to inject data into HTTP responses, resulting in proxy cache poisoning. (CVE-2016-8743)\n\n* A vulnerability was found in httpd's handling of the LimitRequestFields directive in mod_http2, affecting servers with HTTP/2 enabled. An attacker could send crafted requests with headers larger than the server's available memory, causing httpd to crash. (CVE-2016-8740)\n\nRed Hat would like to thank the OpenSSL project for reporting CVE-2016-6304 and Shi Lei (Gear Team of Qihoo 360 Inc.) for reporting CVE-2016-8610. Upstream acknowledges Shi Lei (Gear Team of Qihoo 360 Inc.) as the original reporter of CVE-2016-6304.", "reporter": "RedHat", "published": "2017-06-07T21:33:35", "type": "redhat", "title": "(RHSA-2017:1413) Important: Red Hat JBoss Core Services Apache HTTP Server 2.4.23 Service Pack 1 for RHEL 7", "enchantments": {"score": {"vector": "NONE", "value": 2.1}}, "bulletinFamily": "unix", "cvelist": ["CVE-2016-7056", "CVE-2016-2161", "CVE-2016-8743", "CVE-2016-8610", "CVE-2016-6304", "CVE-2016-8740", "CVE-2016-0736"], "_object_type": "robots.models.redhat.RedHatBulletin", "modified": "2017-06-07T21:35:54", "id": "RHSA-2017:1413", "href": "https://access.redhat.com/errata/RHSA-2017:1413", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2018-06-06T23:50:48", "_object_types": ["robots.models.base.Bulletin", "robots.models.redhat.RedHatBulletin"], "references": [], "affectedPackage": [{"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.2.16-12.redhat_3.1.ep6.el6", "arch": "noarch", "packageName": "log4j-eap6", "packageFilename": "log4j-eap6-1.2.16-12.redhat_3.1.ep6.el6.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.2.16-12.redhat_3.1.ep6.el6", "arch": "src", "packageName": "log4j-eap6", "packageFilename": "log4j-eap6-1.2.16-12.redhat_3.1.ep6.el6.src.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "1.2.16-12.redhat_3.1.ep6.el7", "arch": "noarch", "packageName": "log4j-eap6", "packageFilename": "log4j-eap6-1.2.16-12.redhat_3.1.ep6.el7.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "1.2.16-12.redhat_3.1.ep6.el7", "arch": "src", "packageName": "log4j-eap6", "packageFilename": "log4j-eap6-1.2.16-12.redhat_3.1.ep6.el7.src.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.2.8-10.redhat_10.ep7.el6", "arch": "i686", "packageName": "tomcat-native", "packageFilename": "tomcat-native-1.2.8-10.redhat_10.ep7.el6.i686.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.2.8-10.redhat_10.ep7.el6", "arch": "src", "packageName": "tomcat-native", "packageFilename": "tomcat-native-1.2.8-10.redhat_10.ep7.el6.src.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.2.8-10.redhat_10.ep7.el6", "arch": "x86_64", "packageName": "tomcat-native", "packageFilename": "tomcat-native-1.2.8-10.redhat_10.ep7.el6.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "1.2.8-10.redhat_10.ep7.el7", "arch": "src", "packageName": "tomcat-native", "packageFilename": "tomcat-native-1.2.8-10.redhat_10.ep7.el7.src.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "1.2.8-10.redhat_10.ep7.el7", "arch": "x86_64", "packageName": "tomcat-native", "packageFilename": "tomcat-native-1.2.8-10.redhat_10.ep7.el7.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.2.8-10.redhat_10.ep7.el6", "arch": "i686", "packageName": "tomcat-native-debuginfo", "packageFilename": "tomcat-native-debuginfo-1.2.8-10.redhat_10.ep7.el6.i686.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.2.8-10.redhat_10.ep7.el6", "arch": "x86_64", "packageName": "tomcat-native-debuginfo", "packageFilename": "tomcat-native-debuginfo-1.2.8-10.redhat_10.ep7.el6.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "1.2.8-10.redhat_10.ep7.el7", "arch": "x86_64", "packageName": "tomcat-native-debuginfo", "packageFilename": "tomcat-native-debuginfo-1.2.8-10.redhat_10.ep7.el7.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "7.0.70-22.ep7.el6", "arch": "noarch", "packageName": "tomcat7", "packageFilename": "tomcat7-7.0.70-22.ep7.el6.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "7.0.70-22.ep7.el6", "arch": "src", "packageName": "tomcat7", "packageFilename": "tomcat7-7.0.70-22.ep7.el6.src.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "7.0.70-22.ep7.el7", "arch": "noarch", "packageName": "tomcat7", "packageFilename": "tomcat7-7.0.70-22.ep7.el7.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "7.0.70-22.ep7.el7", "arch": "src", "packageName": "tomcat7", "packageFilename": "tomcat7-7.0.70-22.ep7.el7.src.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "7.0.70-22.ep7.el6", "arch": "noarch", "packageName": "tomcat7-admin-webapps", "packageFilename": "tomcat7-admin-webapps-7.0.70-22.ep7.el6.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "7.0.70-22.ep7.el7", "arch": "noarch", "packageName": "tomcat7-admin-webapps", "packageFilename": "tomcat7-admin-webapps-7.0.70-22.ep7.el7.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "7.0.70-22.ep7.el6", "arch": "noarch", "packageName": "tomcat7-docs-webapp", "packageFilename": "tomcat7-docs-webapp-7.0.70-22.ep7.el6.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "7.0.70-22.ep7.el7", "arch": "noarch", "packageName": "tomcat7-docs-webapp", "packageFilename": "tomcat7-docs-webapp-7.0.70-22.ep7.el7.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "7.0.70-22.ep7.el6", "arch": "noarch", "packageName": "tomcat7-el-2.2-api", "packageFilename": "tomcat7-el-2.2-api-7.0.70-22.ep7.el6.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "7.0.70-22.ep7.el7", "arch": "noarch", "packageName": "tomcat7-el-2.2-api", "packageFilename": "tomcat7-el-2.2-api-7.0.70-22.ep7.el7.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "7.0.70-22.ep7.el6", "arch": "noarch", "packageName": "tomcat7-javadoc", "packageFilename": "tomcat7-javadoc-7.0.70-22.ep7.el6.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "7.0.70-22.ep7.el7", "arch": "noarch", "packageName": "tomcat7-javadoc", "packageFilename": "tomcat7-javadoc-7.0.70-22.ep7.el7.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "7.0.70-22.ep7.el6", "arch": "noarch", "packageName": "tomcat7-jsp-2.2-api", "packageFilename": "tomcat7-jsp-2.2-api-7.0.70-22.ep7.el6.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "7.0.70-22.ep7.el7", "arch": "noarch", "packageName": "tomcat7-jsp-2.2-api", "packageFilename": "tomcat7-jsp-2.2-api-7.0.70-22.ep7.el7.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "7.0.70-22.ep7.el6", "arch": "noarch", "packageName": "tomcat7-jsvc", "packageFilename": "tomcat7-jsvc-7.0.70-22.ep7.el6.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "7.0.70-22.ep7.el7", "arch": "noarch", "packageName": "tomcat7-jsvc", "packageFilename": "tomcat7-jsvc-7.0.70-22.ep7.el7.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "7.0.70-22.ep7.el6", "arch": "noarch", "packageName": "tomcat7-lib", "packageFilename": "tomcat7-lib-7.0.70-22.ep7.el6.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "7.0.70-22.ep7.el7", "arch": "noarch", "packageName": "tomcat7-lib", "packageFilename": "tomcat7-lib-7.0.70-22.ep7.el7.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "7.0.70-22.ep7.el6", "arch": "noarch", "packageName": "tomcat7-log4j", "packageFilename": "tomcat7-log4j-7.0.70-22.ep7.el6.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "7.0.70-22.ep7.el7", "arch": "noarch", "packageName": "tomcat7-log4j", "packageFilename": "tomcat7-log4j-7.0.70-22.ep7.el7.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "7.0.70-22.ep7.el6", "arch": "noarch", "packageName": "tomcat7-selinux", "packageFilename": "tomcat7-selinux-7.0.70-22.ep7.el6.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "7.0.70-22.ep7.el7", "arch": "noarch", "packageName": "tomcat7-selinux", "packageFilename": "tomcat7-selinux-7.0.70-22.ep7.el7.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "7.0.70-22.ep7.el6", "arch": "noarch", "packageName": "tomcat7-servlet-3.0-api", "packageFilename": "tomcat7-servlet-3.0-api-7.0.70-22.ep7.el6.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "7.0.70-22.ep7.el7", "arch": "noarch", "packageName": "tomcat7-servlet-3.0-api", "packageFilename": "tomcat7-servlet-3.0-api-7.0.70-22.ep7.el7.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "7.0.70-22.ep7.el6", "arch": "noarch", "packageName": "tomcat7-webapps", "packageFilename": "tomcat7-webapps-7.0.70-22.ep7.el6.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "7.0.70-22.ep7.el7", "arch": "noarch", "packageName": "tomcat7-webapps", "packageFilename": "tomcat7-webapps-7.0.70-22.ep7.el7.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "8.0.36-24.ep7.el6", "arch": "noarch", "packageName": "tomcat8", "packageFilename": "tomcat8-8.0.36-24.ep7.el6.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "8.0.36-24.ep7.el6", "arch": "src", "packageName": "tomcat8", "packageFilename": "tomcat8-8.0.36-24.ep7.el6.src.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "8.0.36-24.ep7.el7", "arch": "noarch", "packageName": "tomcat8", "packageFilename": "tomcat8-8.0.36-24.ep7.el7.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "8.0.36-24.ep7.el7", "arch": "src", "packageName": "tomcat8", "packageFilename": "tomcat8-8.0.36-24.ep7.el7.src.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "8.0.36-24.ep7.el6", "arch": "noarch", "packageName": "tomcat8-admin-webapps", "packageFilename": "tomcat8-admin-webapps-8.0.36-24.ep7.el6.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "8.0.36-24.ep7.el7", "arch": "noarch", "packageName": "tomcat8-admin-webapps", "packageFilename": "tomcat8-admin-webapps-8.0.36-24.ep7.el7.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "8.0.36-24.ep7.el6", "arch": "noarch", "packageName": "tomcat8-docs-webapp", "packageFilename": "tomcat8-docs-webapp-8.0.36-24.ep7.el6.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "8.0.36-24.ep7.el7", "arch": "noarch", "packageName": "tomcat8-docs-webapp", "packageFilename": "tomcat8-docs-webapp-8.0.36-24.ep7.el7.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "8.0.36-24.ep7.el6", "arch": "noarch", "packageName": "tomcat8-el-2.2-api", "packageFilename": "tomcat8-el-2.2-api-8.0.36-24.ep7.el6.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "8.0.36-24.ep7.el7", "arch": "noarch", "packageName": "tomcat8-el-2.2-api", "packageFilename": "tomcat8-el-2.2-api-8.0.36-24.ep7.el7.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "8.0.36-24.ep7.el6", "arch": "noarch", "packageName": "tomcat8-javadoc", "packageFilename": "tomcat8-javadoc-8.0.36-24.ep7.el6.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "8.0.36-24.ep7.el7", "arch": "noarch", "packageName": "tomcat8-javadoc", "packageFilename": "tomcat8-javadoc-8.0.36-24.ep7.el7.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "8.0.36-24.ep7.el6", "arch": "noarch", "packageName": "tomcat8-jsp-2.3-api", "packageFilename": "tomcat8-jsp-2.3-api-8.0.36-24.ep7.el6.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "8.0.36-24.ep7.el7", "arch": "noarch", "packageName": "tomcat8-jsp-2.3-api", "packageFilename": "tomcat8-jsp-2.3-api-8.0.36-24.ep7.el7.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "8.0.36-24.ep7.el6", "arch": "noarch", "packageName": "tomcat8-jsvc", "packageFilename": "tomcat8-jsvc-8.0.36-24.ep7.el6.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "8.0.36-24.ep7.el7", "arch": "noarch", "packageName": "tomcat8-jsvc", "packageFilename": "tomcat8-jsvc-8.0.36-24.ep7.el7.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "8.0.36-24.ep7.el6", "arch": "noarch", "packageName": "tomcat8-lib", "packageFilename": "tomcat8-lib-8.0.36-24.ep7.el6.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "8.0.36-24.ep7.el7", "arch": "noarch", "packageName": "tomcat8-lib", "packageFilename": "tomcat8-lib-8.0.36-24.ep7.el7.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "8.0.36-24.ep7.el6", "arch": "noarch", "packageName": "tomcat8-log4j", "packageFilename": "tomcat8-log4j-8.0.36-24.ep7.el6.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "8.0.36-24.ep7.el7", "arch": "noarch", "packageName": "tomcat8-log4j", "packageFilename": "tomcat8-log4j-8.0.36-24.ep7.el7.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "8.0.36-24.ep7.el6", "arch": "noarch", "packageName": "tomcat8-selinux", "packageFilename": "tomcat8-selinux-8.0.36-24.ep7.el6.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "8.0.36-24.ep7.el7", "arch": "noarch", "packageName": "tomcat8-selinux", "packageFilename": "tomcat8-selinux-8.0.36-24.ep7.el7.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "8.0.36-24.ep7.el6", "arch": "noarch", "packageName": "tomcat8-servlet-3.1-api", "packageFilename": "tomcat8-servlet-3.1-api-8.0.36-24.ep7.el6.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "8.0.36-24.ep7.el7", "arch": "noarch", "packageName": "tomcat8-servlet-3.1-api", "packageFilename": "tomcat8-servlet-3.1-api-8.0.36-24.ep7.el7.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "8.0.36-24.ep7.el6", "arch": "noarch", "packageName": "tomcat8-webapps", "packageFilename": "tomcat8-webapps-8.0.36-24.ep7.el6.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "8.0.36-24.ep7.el7", "arch": "noarch", "packageName": "tomcat8-webapps", "packageFilename": "tomcat8-webapps-8.0.36-24.ep7.el7.noarch.rpm", "operator": "lt"}], "description": "Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector (mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat Native library.\n\nThis release of Red Hat JBoss Web Server 3.1 Service Pack 1 serves as a replacement for Red Hat JBoss Web Server 3.1, and includes bug fixes, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* It was found that when using remote logging with log4j socket server the log4j server would deserialize any log event received via TCP or UDP. An attacker could use this flaw to send a specially crafted log event that, during deserialization, would execute arbitrary code in the context of the logger application. (CVE-2017-5645)\n\n* A vulnerability was discovered in tomcat's handling of pipelined requests when \"Sendfile\" was used. If sendfile processing completed quickly, it was possible for the Processor to be added to the processor cache twice. This could lead to invalid responses or information disclosure. (CVE-2017-5647)\n\n* A vulnerability was discovered in the error page mechanism in Tomcat's DefaultServlet implementation. A crafted HTTP request could cause undesired side effects, possibly including the removal or replacement of the custom error page. (CVE-2017-5664)\n\n* A vulnerability was discovered in tomcat. When running an untrusted application under a SecurityManager it was possible, under some circumstances, for that application to retain references to the request or response objects and thereby access and/or modify information associated with another web application. (CVE-2017-5648)", "reporter": "RedHat", "published": "2017-07-25T20:31:15", "type": "redhat", "title": "(RHSA-2017:1801) Important: Red Hat JBoss Web Server 3.1.0 Service Pack 1 security update", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "bulletinFamily": "unix", "cvelist": ["CVE-2016-6304", "CVE-2016-7056", "CVE-2016-8610", "CVE-2017-5645", "CVE-2017-5647", "CVE-2017-5648", "CVE-2017-5664", "CVE-2017-7674"], "_object_type": "robots.models.redhat.RedHatBulletin", "modified": "2018-06-07T02:42:54", "id": "RHSA-2017:1801", "href": "https://access.redhat.com/errata/RHSA-2017:1801", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2017-06-07T17:55:10", "_object_types": ["robots.models.base.Bulletin", "robots.models.redhat.RedHatBulletin"], "references": [], "affectedPackage": [{"OS": "RedHat", "OSVersion": "6", "packageVersion": "2.4.23-120.jbcs.el6", "packageFilename": "jbcs-httpd24-mod_proxy_html-2.4.23-120.jbcs.el6.x86_64.rpm", "packageName": "jbcs-httpd24-mod_proxy_html", "arch": "x86_64", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.0.2h-13.jbcs.el6", "packageFilename": "jbcs-httpd24-openssl-devel-1.0.2h-13.jbcs.el6.x86_64.rpm", "packageName": "jbcs-httpd24-openssl-devel", "arch": "x86_64", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "2.4.23-120.jbcs.el6", "packageFilename": "jbcs-httpd24-mod_ssl-2.4.23-120.jbcs.el6.ppc64.rpm", "packageName": "jbcs-httpd24-mod_ssl", "arch": "ppc64", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "2.9.1-19.GA.jbcs.el6", "packageFilename": "jbcs-httpd24-mod_security-2.9.1-19.GA.jbcs.el6.i686.rpm", "packageName": "jbcs-httpd24-mod_security", "arch": "i686", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.0.2h-13.jbcs.el6", "packageFilename": "jbcs-httpd24-openssl-1.0.2h-13.jbcs.el6.i686.rpm", "packageName": "jbcs-httpd24-openssl", "arch": "i686", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "2.4.23-120.jbcs.el6", "packageFilename": "jbcs-httpd24-mod_session-2.4.23-120.jbcs.el6.x86_64.rpm", "packageName": "jbcs-httpd24-mod_session", "arch": "x86_64", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "2.9.1-19.GA.jbcs.el6", "packageFilename": "jbcs-httpd24-mod_security-2.9.1-19.GA.jbcs.el6.src.rpm", "packageName": "jbcs-httpd24-mod_security", "arch": "src", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.0.2h-13.jbcs.el6", "packageFilename": "jbcs-httpd24-openssl-debuginfo-1.0.2h-13.jbcs.el6.x86_64.rpm", "packageName": "jbcs-httpd24-openssl-debuginfo", "arch": "x86_64", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.0.2h-13.jbcs.el6", "packageFilename": "jbcs-httpd24-openssl-libs-1.0.2h-13.jbcs.el6.i686.rpm", "packageName": "jbcs-httpd24-openssl-libs", "arch": "i686", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "2.4.23-120.jbcs.el6", "packageFilename": "jbcs-httpd24-httpd-tools-2.4.23-120.jbcs.el6.x86_64.rpm", "packageName": "jbcs-httpd24-httpd-tools", "arch": "x86_64", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.0.2h-13.jbcs.el6", "packageFilename": "jbcs-httpd24-openssl-devel-1.0.2h-13.jbcs.el6.i686.rpm", "packageName": "jbcs-httpd24-openssl-devel", "arch": "i686", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "2.4.23-120.jbcs.el6", "packageFilename": "jbcs-httpd24-httpd-2.4.23-120.jbcs.el6.x86_64.rpm", "packageName": "jbcs-httpd24-httpd", "arch": "x86_64", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "2.4.23-120.jbcs.el6", "packageFilename": "jbcs-httpd24-mod_proxy_html-2.4.23-120.jbcs.el6.ppc64.rpm", "packageName": "jbcs-httpd24-mod_proxy_html", "arch": "ppc64", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "2.4.23-120.jbcs.el6", "packageFilename": "jbcs-httpd24-httpd-selinux-2.4.23-120.jbcs.el6.x86_64.rpm", "packageName": "jbcs-httpd24-httpd-selinux", "arch": "x86_64", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.0.2h-13.jbcs.el6", "packageFilename": "jbcs-httpd24-openssl-debuginfo-1.0.2h-13.jbcs.el6.ppc64.rpm", "packageName": "jbcs-httpd24-openssl-debuginfo", "arch": "ppc64", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.0.2h-13.jbcs.el6", "packageFilename": "jbcs-httpd24-openssl-perl-1.0.2h-13.jbcs.el6.i686.rpm", "packageName": "jbcs-httpd24-openssl-perl", "arch": "i686", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "2.4.23-120.jbcs.el6", "packageFilename": "jbcs-httpd24-mod_proxy_html-2.4.23-120.jbcs.el6.i686.rpm", "packageName": "jbcs-httpd24-mod_proxy_html", "arch": "i686", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "2.4.23-120.jbcs.el6", "packageFilename": "jbcs-httpd24-httpd-devel-2.4.23-120.jbcs.el6.i686.rpm", "packageName": "jbcs-httpd24-httpd-devel", "arch": "i686", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "2.4.23-120.jbcs.el6", "packageFilename": "jbcs-httpd24-httpd-2.4.23-120.jbcs.el6.src.rpm", "packageName": "jbcs-httpd24-httpd", "arch": "src", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "2.9.1-19.GA.jbcs.el6", "packageFilename": "jbcs-httpd24-mod_security-2.9.1-19.GA.jbcs.el6.ppc64.rpm", "packageName": "jbcs-httpd24-mod_security", "arch": "ppc64", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.0.2h-13.jbcs.el6", "packageFilename": "jbcs-httpd24-openssl-static-1.0.2h-13.jbcs.el6.i686.rpm", "packageName": "jbcs-httpd24-openssl-static", "arch": "i686", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "2.9.1-19.GA.jbcs.el6", "packageFilename": "jbcs-httpd24-mod_security-debuginfo-2.9.1-19.GA.jbcs.el6.ppc64.rpm", "packageName": "jbcs-httpd24-mod_security-debuginfo", "arch": "ppc64", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.0.2h-13.jbcs.el6", "packageFilename": "jbcs-httpd24-openssl-libs-1.0.2h-13.jbcs.el6.ppc64.rpm", "packageName": "jbcs-httpd24-openssl-libs", "arch": "ppc64", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.0.2h-13.jbcs.el6", "packageFilename": "jbcs-httpd24-openssl-1.0.2h-13.jbcs.el6.ppc64.rpm", "packageName": "jbcs-httpd24-openssl", "arch": "ppc64", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "2.4.23-120.jbcs.el6", "packageFilename": "jbcs-httpd24-mod_ldap-2.4.23-120.jbcs.el6.x86_64.rpm", "packageName": "jbcs-httpd24-mod_ldap", "arch": "x86_64", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "2.4.23-120.jbcs.el6", "packageFilename": "jbcs-httpd24-httpd-debuginfo-2.4.23-120.jbcs.el6.ppc64.rpm", "packageName": "jbcs-httpd24-httpd-debuginfo", "arch": "ppc64", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "2.4.23-120.jbcs.el6", "packageFilename": "jbcs-httpd24-httpd-2.4.23-120.jbcs.el6.i686.rpm", "packageName": "jbcs-httpd24-httpd", "arch": "i686", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "2.4.23-120.jbcs.el6", "packageFilename": "jbcs-httpd24-mod_ssl-2.4.23-120.jbcs.el6.i686.rpm", "packageName": "jbcs-httpd24-mod_ssl", "arch": "i686", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "2.9.1-19.GA.jbcs.el6", "packageFilename": "jbcs-httpd24-mod_security-2.9.1-19.GA.jbcs.el6.x86_64.rpm", "packageName": "jbcs-httpd24-mod_security", "arch": "x86_64", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "2.4.23-120.jbcs.el6", "packageFilename": "jbcs-httpd24-httpd-devel-2.4.23-120.jbcs.el6.ppc64.rpm", "packageName": "jbcs-httpd24-httpd-devel", "arch": "ppc64", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "2.4.23-120.jbcs.el6", "packageFilename": "jbcs-httpd24-httpd-libs-2.4.23-120.jbcs.el6.x86_64.rpm", "packageName": "jbcs-httpd24-httpd-libs", "arch": "x86_64", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "2.4.23-120.jbcs.el6", "packageFilename": "jbcs-httpd24-httpd-selinux-2.4.23-120.jbcs.el6.ppc64.rpm", "packageName": "jbcs-httpd24-httpd-selinux", "arch": "ppc64", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.0.2h-13.jbcs.el6", "packageFilename": "jbcs-httpd24-openssl-devel-1.0.2h-13.jbcs.el6.ppc64.rpm", "packageName": "jbcs-httpd24-openssl-devel", "arch": "ppc64", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "2.4.23-120.jbcs.el6", "packageFilename": "jbcs-httpd24-httpd-tools-2.4.23-120.jbcs.el6.i686.rpm", "packageName": "jbcs-httpd24-httpd-tools", "arch": "i686", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "2.9.1-19.GA.jbcs.el6", "packageFilename": "jbcs-httpd24-mod_security-debuginfo-2.9.1-19.GA.jbcs.el6.i686.rpm", "packageName": "jbcs-httpd24-mod_security-debuginfo", "arch": "i686", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.0.2h-13.jbcs.el6", "packageFilename": "jbcs-httpd24-openssl-perl-1.0.2h-13.jbcs.el6.x86_64.rpm", "packageName": "jbcs-httpd24-openssl-perl", "arch": "x86_64", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.0.2h-13.jbcs.el6", "packageFilename": "jbcs-httpd24-openssl-static-1.0.2h-13.jbcs.el6.ppc64.rpm", "packageName": "jbcs-httpd24-openssl-static", "arch": "ppc64", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.0.2h-13.jbcs.el6", "packageFilename": "jbcs-httpd24-openssl-static-1.0.2h-13.jbcs.el6.x86_64.rpm", "packageName": "jbcs-httpd24-openssl-static", "arch": "x86_64", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "2.4.23-120.jbcs.el6", "packageFilename": "jbcs-httpd24-mod_ssl-2.4.23-120.jbcs.el6.x86_64.rpm", "packageName": "jbcs-httpd24-mod_ssl", "arch": "x86_64", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "2.4.23-120.jbcs.el6", "packageFilename": "jbcs-httpd24-httpd-libs-2.4.23-120.jbcs.el6.i686.rpm", "packageName": "jbcs-httpd24-httpd-libs", "arch": "i686", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "2.4.23-120.jbcs.el6", "packageFilename": "jbcs-httpd24-httpd-libs-2.4.23-120.jbcs.el6.ppc64.rpm", "packageName": "jbcs-httpd24-httpd-libs", "arch": "ppc64", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "2.4.23-120.jbcs.el6", "packageFilename": "jbcs-httpd24-httpd-debuginfo-2.4.23-120.jbcs.el6.x86_64.rpm", "packageName": "jbcs-httpd24-httpd-debuginfo", "arch": "x86_64", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "2.4.23-120.jbcs.el6", "packageFilename": "jbcs-httpd24-httpd-2.4.23-120.jbcs.el6.ppc64.rpm", "packageName": "jbcs-httpd24-httpd", "arch": "ppc64", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "2.9.1-19.GA.jbcs.el6", "packageFilename": "jbcs-httpd24-mod_security-debuginfo-2.9.1-19.GA.jbcs.el6.x86_64.rpm", "packageName": "jbcs-httpd24-mod_security-debuginfo", "arch": "x86_64", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.0.2h-13.jbcs.el6", "packageFilename": "jbcs-httpd24-openssl-libs-1.0.2h-13.jbcs.el6.x86_64.rpm", "packageName": "jbcs-httpd24-openssl-libs", "arch": "x86_64", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "2.4.23-120.jbcs.el6", "packageFilename": "jbcs-httpd24-mod_ldap-2.4.23-120.jbcs.el6.i686.rpm", "packageName": "jbcs-httpd24-mod_ldap", "arch": "i686", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "2.4.23-120.jbcs.el6", "packageFilename": "jbcs-httpd24-httpd-manual-2.4.23-120.jbcs.el6.noarch.rpm", "packageName": "jbcs-httpd24-httpd-manual", "arch": "noarch", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.0.2h-13.jbcs.el6", "packageFilename": "jbcs-httpd24-openssl-perl-1.0.2h-13.jbcs.el6.ppc64.rpm", "packageName": "jbcs-httpd24-openssl-perl", "arch": "ppc64", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "2.4.23-120.jbcs.el6", "packageFilename": "jbcs-httpd24-mod_ldap-2.4.23-120.jbcs.el6.ppc64.rpm", "packageName": "jbcs-httpd24-mod_ldap", "arch": "ppc64", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.0.2h-13.jbcs.el6", "packageFilename": "jbcs-httpd24-openssl-debuginfo-1.0.2h-13.jbcs.el6.i686.rpm", "packageName": "jbcs-httpd24-openssl-debuginfo", "arch": "i686", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.0.2h-13.jbcs.el6", "packageFilename": "jbcs-httpd24-openssl-1.0.2h-13.jbcs.el6.x86_64.rpm", "packageName": "jbcs-httpd24-openssl", "arch": "x86_64", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "2.4.23-120.jbcs.el6", "packageFilename": "jbcs-httpd24-httpd-devel-2.4.23-120.jbcs.el6.x86_64.rpm", "packageName": "jbcs-httpd24-httpd-devel", "arch": "x86_64", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "2.4.23-120.jbcs.el6", "packageFilename": "jbcs-httpd24-httpd-tools-2.4.23-120.jbcs.el6.ppc64.rpm", "packageName": "jbcs-httpd24-httpd-tools", "arch": "ppc64", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "2.4.23-120.jbcs.el6", "packageFilename": "jbcs-httpd24-httpd-selinux-2.4.23-120.jbcs.el6.i686.rpm", "packageName": "jbcs-httpd24-httpd-selinux", "arch": "i686", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "2.4.23-120.jbcs.el6", "packageFilename": "jbcs-httpd24-mod_session-2.4.23-120.jbcs.el6.i686.rpm", "packageName": "jbcs-httpd24-mod_session", "arch": "i686", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "2.4.23-120.jbcs.el6", "packageFilename": "jbcs-httpd24-httpd-debuginfo-2.4.23-120.jbcs.el6.i686.rpm", "packageName": "jbcs-httpd24-httpd-debuginfo", "arch": "i686", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "1.0.2h-13.jbcs.el6", "packageFilename": "jbcs-httpd24-openssl-1.0.2h-13.jbcs.el6.src.rpm", "packageName": "jbcs-httpd24-openssl", "arch": "src", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "2.4.23-120.jbcs.el6", "packageFilename": "jbcs-httpd24-mod_session-2.4.23-120.jbcs.el6.ppc64.rpm", "packageName": "jbcs-httpd24-mod_session", "arch": "ppc64", "operator": "lt"}], "description": "Red Hat JBoss Core Services is a set of supplementary software for Red Hat JBoss middleware products. This software, such as Apache HTTP Server, is common to multiple JBoss middleware products, and is packaged under Red Hat JBoss Core Services to allow for faster distribution of updates, and for a more consistent update experience.\n\nThis release of Red Hat JBoss Core Services Apache HTTP Server 2.4.23 Service Pack 1 serves as a replacement for Red Hat JBoss Core Services Apache HTTP Server 2.4.23, and includes bug fixes, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* A memory leak flaw was found in the way OpenSSL handled TLS status request extension data during session renegotiation. A remote attacker could cause a TLS server using OpenSSL to consume an excessive amount of memory and, possibly, exit unexpectedly after exhausting all available memory, if it enabled OCSP stapling support. (CVE-2016-6304)\n\n* It was discovered that the mod_session_crypto module of httpd did not use any mechanisms to verify integrity of the encrypted session data stored in the user's browser. A remote attacker could use this flaw to decrypt and modify session data using a padding oracle attack. (CVE-2016-0736)\n\n* It was discovered that the mod_auth_digest module of httpd did not properly check for memory allocation failures. A remote attacker could use this flaw to cause httpd child processes to repeatedly crash if the server used HTTP digest authentication. (CVE-2016-2161)\n\n* A timing attack flaw was found in OpenSSL that could allow a malicious user with local access to recover ECDSA P-256 private keys. (CVE-2016-7056)\n\n* A denial of service flaw was found in the way the TLS/SSL protocol defined processing of ALERT packets during a connection handshake. A remote attacker could use this flaw to make a TLS/SSL server consume an excessive amount of CPU and fail to accept connections from other clients. (CVE-2016-8610)\n\n* It was discovered that the HTTP parser in httpd incorrectly allowed certain characters not permitted by the HTTP protocol specification to appear unencoded in HTTP request headers. If httpd was used in conjunction with a proxy or backend server that interpreted those characters differently, a remote attacker could possibly use this flaw to inject data into HTTP responses, resulting in proxy cache poisoning. (CVE-2016-8743)\n\n* A vulnerability was found in httpd's handling of the LimitRequestFields directive in mod_http2, affecting servers with HTTP/2 enabled. An attacker could send crafted requests with headers larger than the server's available memory, causing httpd to crash. (CVE-2016-8740)\n\nRed Hat would like to thank the OpenSSL project for reporting CVE-2016-6304 and Shi Lei (Gear Team of Qihoo 360 Inc.) for reporting CVE-2016-8610. Upstream acknowledges Shi Lei (Gear Team of Qihoo 360 Inc.) as the original reporter of CVE-2016-6304.", "reporter": "RedHat", "published": "2017-06-07T21:33:56", "type": "redhat", "title": "(RHSA-2017:1414) Important: Red Hat JBoss Core Services Apache HTTP Server 2.4.23 Service Pack 1 for RHEL 6", "enchantments": {"score": {"vector": "NONE", "value": 2.1}}, "bulletinFamily": "unix", "cvelist": ["CVE-2016-7056", "CVE-2016-2161", "CVE-2016-8743", "CVE-2016-8610", "CVE-2016-6304", "CVE-2016-8740", "CVE-2016-0736"], "_object_type": "robots.models.redhat.RedHatBulletin", "modified": "2017-06-07T21:36:42", "id": "RHSA-2017:1414", "href": "https://access.redhat.com/errata/RHSA-2017:1414", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}], "gentoo": [{"lastseen": "2016-12-12T05:58:32", "references": ["http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6590", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5610", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0981", "https://bugs.gentoo.org/show_bug.cgi?id=505274", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6595", "https://bugs.gentoo.org/show_bug.cgi?id=537218", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5613", "https://bugs.gentoo.org/show_bug.cgi?id=550964", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6588", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-6589", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0427", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0377", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5608", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0418", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5611", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3456", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0983"], "affectedPackage": [{"OS": "Gentoo", "OSVersion": "any", "packageVersion": "4.3.28", "packageName": "app-emulation/virtualbox", "arch": "all", "packageFilename": "UNKNOWN", "operator": "lt"}, {"OS": "Gentoo", "OSVersion": "any", "packageVersion": "4.3.28", "packageName": "app-emulation/virtualbox-bin", "arch": "all", "packageFilename": "UNKNOWN", "operator": "lt"}], "edition": 1, "description": "### Background\n\nVirtualBox is a powerful virtualization product from Oracle.\n\n### Description\n\nMultiple vulnerabilities have been discovered in VirtualBox. Please review the CVE identifiers referenced below for details. \n\n### Impact\n\nLocal attackers could cause a Denial of Service condition, execute arbitrary code, or escalate their privileges. \n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll VirtualBox users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=app-emulation/virtualbox-4.3.28\"\n \n\nAll VirtualBox-bin users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose\n \">=app-emulation/virtualbox-bin-4.3.28\"", "reporter": "Gentoo Foundation", "published": "2016-12-11T00:00:00", "title": "VirtualBox: Multiple vulnerabilities", "type": "gentoo", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "bulletinFamily": "unix", "cvelist": ["CVE-2016-5611", "CVE-2016-5608", "CVE-2015-0427", "CVE-2014-6595", "CVE-2014-0983", "CVE-2015-0418", "CVE-2016-5610", "CVE-2015-3456", "CVE-2014-0981", "CVE-2014-6590", "CVE-2016-5613", "CVE-2015-0377", "CVE-2014-6589", "CVE-2014-6588"], "modified": "2016-12-11T00:00:00", "href": "https://security.gentoo.org/glsa/201612-27", "id": "GLSA-201612-27", "cvss": {"score": 7.7, "vector": "AV:ADJACENT_NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-12-07T12:54:23", "references": ["https://bugs.gentoo.org/show_bug.cgi?id=591454", "https://bugs.gentoo.org/show_bug.cgi?id=592082", "https://bugs.gentoo.org/show_bug.cgi?id=585142", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2109", "https://bugs.gentoo.org/show_bug.cgi?id=594500", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2106", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6306", "http://eprint.iacr.org/2016/594.pdf", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7052", "https://bugs.gentoo.org/show_bug.cgi?id=592074", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2180", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2108", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2176", "https://bugs.gentoo.org/show_bug.cgi?id=581234", "https://bugs.gentoo.org/show_bug.cgi?id=585276", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6305", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2183", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2177", "https://bugs.gentoo.org/show_bug.cgi?id=592068", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2178", "https://bugs.gentoo.org/show_bug.cgi?id=595186", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2105", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2107", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-6304"], "affectedPackage": [{"OS": "Gentoo", "OSVersion": "any", "packageVersion": "1.0.2j", "arch": "all", "packageName": "dev-libs/openssl", "packageFilename": "UNKNOWN", "operator": "lt"}], "edition": 1, "description": "### Background\n\nOpenSSL is an Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) as well as a general purpose cryptography library. \n\n### Description\n\nMultiple vulnerabilities have been discovered in OpenSSL. Please review the CVE identifiers and the International Association for Cryptologic Research\u2019s (IACR) paper, \u201cMake Sure DSA Signing Exponentiations Really are Constant-Time\u201d for further details. \n\n### Impact\n\nRemote attackers could cause a Denial of Service condition or have other unspecified impacts. Additionally, a time based side-channel attack may allow a local attacker to recover a private DSA key. \n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll OpenSSL users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=dev-libs/openssl-1.0.2j\"", "reporter": "Gentoo Foundation", "published": "2016-12-07T00:00:00", "type": "gentoo", "title": "OpenSSL: Multiple vulnerabilities", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "bulletinFamily": "unix", "cvelist": ["CVE-2016-6306", "CVE-2016-2183", "CVE-2016-2178", "CVE-2016-2108", "CVE-2016-2177", "CVE-2016-2105", "CVE-2016-2107", "CVE-2016-2180", "CVE-2016-2109", "CVE-2016-6304", "CVE-2016-7052", "CVE-2016-2176", "CVE-2016-6305", "CVE-2016-2106"], "modified": "2016-12-07T00:00:00", "href": "https://security.gentoo.org/glsa/201612-16", "id": "GLSA-201612-16", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "amazon": [{"lastseen": "2018-10-02T16:55:07", "references": [], "affectedPackage": [{"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "1.0.1k-15.95.amzn1", "arch": "i686", "packageFilename": "openssl-devel-1.0.1k-15.95.amzn1.i686.rpm", "packageName": "openssl-devel", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "1.0.1k-15.95.amzn1", "arch": "i686", "packageFilename": "openssl-static-1.0.1k-15.95.amzn1.i686.rpm", "packageName": "openssl-static", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "1.0.1k-15.95.amzn1", "arch": "x86_64", "packageFilename": "openssl-static-1.0.1k-15.95.amzn1.x86_64.rpm", "packageName": "openssl-static", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "1.0.1k-15.95.amzn1", "arch": "src", "packageFilename": "openssl-1.0.1k-15.95.amzn1.src.rpm", "packageName": "openssl", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "1.0.1k-15.95.amzn1", "arch": "x86_64", "packageFilename": "openssl-devel-1.0.1k-15.95.amzn1.x86_64.rpm", "packageName": "openssl-devel", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "1.0.1k-15.95.amzn1", "arch": "i686", "packageFilename": "openssl-perl-1.0.1k-15.95.amzn1.i686.rpm", "packageName": "openssl-perl", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "1.0.1k-15.95.amzn1", "arch": "i686", "packageFilename": "openssl-1.0.1k-15.95.amzn1.i686.rpm", "packageName": "openssl", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "1.0.1k-15.95.amzn1", "arch": "i686", "packageFilename": "openssl-debuginfo-1.0.1k-15.95.amzn1.i686.rpm", "packageName": "openssl-debuginfo", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "1.0.1k-15.95.amzn1", "arch": "x86_64", "packageFilename": "openssl-debuginfo-1.0.1k-15.95.amzn1.x86_64.rpm", "packageName": "openssl-debuginfo", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "1.0.1k-15.95.amzn1", "arch": "x86_64", "packageFilename": "openssl-perl-1.0.1k-15.95.amzn1.x86_64.rpm", "packageName": "openssl-perl", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "1.0.1k-15.95.amzn1", "arch": "x86_64", "packageFilename": "openssl-1.0.1k-15.95.amzn1.x86_64.rpm", "packageName": "openssl", "operator": "lt"}], "description": "**Issue Overview:**\n\nA memory leak flaw was found in the way OpenSSL handled TLS status request extension data during session renegotiation. A remote attacker could cause a TLS server using OpenSSL to consume an excessive amount of memory and, possibly, exit unexpectedly after exhausting all available memory, if it enabled OCSP stapling support.\n\nThe [OpenSSL Security Advisory [22 Sep 2016]](<https://www.openssl.org/news/secadv/20160922.txt>) refers to additional CVEs. [CVE-2016-6305 __](<https://access.redhat.com/security/cve/CVE-2016-6305>) does not affect OpenSSL 1.0.1. The remaining CVEs listed will be fixed in a later update.\n\nThe [OpenSSL Security Advisory [26 Sep 2016]](<https://www.openssl.org/news/secadv/20160926.txt>) refers to two additional CVEs which do not affect OpenSSL 1.0.1.\n\n(Updated 2016-09-26: Included a reference to the 26 Sep 2016 upstream advisory.)\n\n \n**Affected Packages:** \n\n\nopenssl\n\n \n**Issue Correction:** \nRun _yum update openssl_ to update your system. \n\n\n \n\n\n**New Packages:**\n \n \n i686: \n openssl-devel-1.0.1k-15.95.amzn1.i686 \n openssl-debuginfo-1.0.1k-15.95.amzn1.i686 \n openssl-perl-1.0.1k-15.95.amzn1.i686 \n openssl-static-1.0.1k-15.95.amzn1.i686 \n openssl-1.0.1k-15.95.amzn1.i686 \n \n src: \n openssl-1.0.1k-15.95.amzn1.src \n \n x86_64: \n openssl-static-1.0.1k-15.95.amzn1.x86_64 \n openssl-perl-1.0.1k-15.95.amzn1.x86_64 \n openssl-debuginfo-1.0.1k-15.95.amzn1.x86_64 \n openssl-devel-1.0.1k-15.95.amzn1.x86_64 \n openssl-1.0.1k-15.95.amzn1.x86_64 \n \n \n", "edition": 1, "reporter": "Amazon", "published": "2016-09-26T12:00:00", "title": "Important: openssl", "type": "amazon", "enchantments": {"score": {"modified": "2018-10-02T16:55:07", "vector": "NONE", "value": 5.0}}, "bulletinFamily": "unix", "cvelist": ["CVE-2016-6304", "CVE-2016-6305"], "modified": "2016-09-26T12:00:00", "id": "ALAS-2016-749", "href": "https://alas.aws.amazon.com/ALAS-2016-749.html", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}], "thn": [{"lastseen": "2018-01-27T10:06:46", "_object_types": ["robots.models.thn.ThnBulletin", "robots.models.base.Bulletin"], "references": [], "description": "[](<https://2.bp.blogspot.com/-k4kHqiyGsHg/V-UZe_s8gWI/AAAAAAAApkk/cQFDUlYt1NEs1XcY9LAGlzAZk1qhfGvrgCLcB/s1600/openssl-ddos-attack.png>)\n\nThe OpenSSL Foundation has patched over a dozen vulnerabilities in its cryptographic code library, including a high severity bug that can be exploited for denial-of-service (DoS) attacks. \n \nOpenSSL is a widely used open-source cryptographic library that provides encrypted Internet connections using Secure Sockets Layer (SSL) or Transport Layer Security (TLS) for the majority of websites, as well as other secure services. \n \nThe vulnerabilities exist in OpenSSL versions 1.0.1, 1.0.2 and 1.1.0 and patched in OpenSSL versions 1.1.0a, 1.0.2i and 1.0.1u. \n \nThe Critical-rated bug ([CVE-2016-6304](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6304>)) can be exploited by sending a large OCSP Status Request extension on the targeted server during connection negotiations, which causes memory exhaustion to launch DoS attacks, the OpenSSL Project [said](<https://www.openssl.org/news/secadv/20160922.txt>). \n \n\n\n### What is OCSP Protocol?\n\n \n**OCSP**(Online Certificate Status Protocol), supported by all modern web browsers, is a protocol designed to perform verification and obtain the revocation status of a digital certificate attached to a website. \n \nOCSP divided into client and server components. When an application or a web browser attempts to verify an SSL certificate, the client component sends a request to an online responder via HTTP protocol, which in turn, returns the status of the certificate, valid or not. \n \nReported by Shi Lei, a researcher at Chinese security firm Qihoo 360, the vulnerability affects servers in their default configuration even if they do not support OCSP. \n\n\n> \"An attacker could use the TLS extension \"_TLSEXT_TYPE_status_request_\" and fill the OCSP ids with continually renegotiation,\" the researcher explained in a [blog post](<http://security.360.cn/cve/CVE-2016-6304/>). \n \n\"Theoretically, an attacker could continually renegotiation with the server thus causing unbounded memory growth on the server up to 64k each time.\" \n\n### **How to Prevent OpenSSL DoS Attack**\n\n** \n** Administrators can mitigate damage by running '_no-ocsp_.' Furthermore, servers using older versions of OpenSSL prior to 1.0.1g are not vulnerable in their default configuration. \n \nAnother moderate severity vulnerability ([CVE-2016-6305](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6305>)) that can be exploited to launch denial of service attacks is fixed in the patch release, affecting OpenSSL 1.1.0 that was launched less than one month ago. \n \nThe team has also resolved a total of 12 low severity vulnerabilities in the latest versions of OpenSSL, but most of them do not affect the 1.1.0 branch. \n \nIt is worth noting that the OpenSSL Project will end support for OpenSSL version 1.0.1 on 31st December 2016, so users will not receive any security update from the beginning of 2017. Therefore users are advised to upgrade in order to avoid any security issues.\n", "reporter": "Swati Khandelwal", "published": "2016-09-23T01:10:00", "type": "thn", "title": "Critical DoS Flaw found in OpenSSL \u2014 How It Works", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "info", "cvelist": ["CVE-2016-6304", "CVE-2016-6305"], "_object_type": "robots.models.thn.ThnBulletin", "modified": "2016-09-23T12:13:37", "id": "THN:35CF2D56C908025E96F8E8ADF33384DB", "href": "https://thehackernews.com/2016/09/openssl-dos-attack.html", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}], "threatpost": [{"lastseen": "2018-10-06T22:54:41", "_object_types": ["robots.models.base.Bulletin", "robots.models.threatpost.ThreatpostBulletin"], "references": ["https://www.openssl.org/news/secadv/20160922.txt", "http://security.360.cn/cve/CVE-2016-6304/", "https://threatpost.com/new-collision-attacks-against-3des-blowfish-allow-for-cookie-decryption/120087/"], "description": "A vulnerability in the OpenSSL implementation of the Online Certificate Status Protocol (OCSP) was patched this week, closing a denial-of-service weakness in affected servers.\n\nThe patch was the most severe of 14 released yesterday by OpenSSL.\n\nOCSP is an alternative in many cases to Certificate Revocation Lists where a client can use the protocol to ping a server requesting the status of a digital certificate.\n\nThe vulnerability, CVE-2016-6304, can be exploited by a malicious client by sending a large OCSP Status Request extension.\n\n\u201cIf that client continually requests renegotiation, sending a large OCSP Status Request extension each time, then there will be unbounded memory growth on the server,\u201d OpenSSL said in its [advisory](<https://www.openssl.org/news/secadv/20160922.txt>). \u201cThis will eventually lead to a denial of service attack through memory exhaustion.\u201d\n\nResearchers from Qihoo 360 of China privately disclosed the vulnerability.\n\n\u201cA server with default configuration would allow unbounded memory allocation of the OCSP ids every time a renegotiation occurs even if the server is not configured with OCSP,\u201d Qihoo 360 said in its [report](<http://security.360.cn/cve/CVE-2016-6304/>) on the bug. \u201cThe OCSP id can, according to the spec, consume up to 65,535 bytes of memory. Theoretically, an attacker could continually reneg with the server thus causing unbounded memory growth on the server up to 64k each time.\u201d\n\nThe vulnerability affects default configurations of OpenSSL 1.1.0 and later; versions prior to 1.0.1g are not affected, OpenSSL said. OpenSSL 1.1.0 should be upgraded to 1.1.0a, 1.0.2 to 1.0.2i, and 1.0.1 to 1.0.1u.\n\n\u201cIn 1.0.2 an attacker could grow the memory usage on the server by approx 16k per reneg as the maximum overall ClientHello size is set to 16,384 bytes,\u201d Qihoo 360 said. \u201cIn version 1.1.0, along with the maximum size of a ClientHello increased to 131,396 bytes, the memory growth would be near 64k per reneg.\u201d\n\nLinux and BSD distributors Debian, Ubuntu, RedHat/CentOS and FreeBSD have also updated their respective software.\n\nOf the remaining 13 vulnerabilities, patched, 12 were rated low severity by OpenSSL. The other was rated moderate severity and could lead to a denial-of-service condition where SSL or TLS would hang during a SSL_peek() call if an empty record is sent. The bug affected OpenSSL 1.1.0 and users are urged to upgrade to 1.1.0a.\n\nOpenSSL also mitigated the [SWEET32 vulnerability](<https://threatpost.com/new-collision-attacks-against-3des-blowfish-allow-for-cookie-decryption/120087/>), CVE-2016-2183. Sweet32 was disclosed in August and affected 64-bit ciphers such as Triple-DES (3DES) and Blowfish and could allow an attacker to recover authentication cookie data from 3DES traffic, and usernames and passwords from OpenVPN traffic, which is secured by Blowfish.\n\nAs expected, OpenSSL moved 64-bit ciphers from the high cipherstring group to medium in OpenSSL 1.0.1 and 1.0.2. OpenSSL 1.1.0 disables these ciphersuites by default.\n\nThe attack is a collision attack against these ciphers in CBC mode, or cipher block chaining; 64-bit ciphers are still supported in TLS, IPsec, SSH and other protocols. The researchers said that 3DES support for HTTPS servers that show in Alexa\u2019s top website list hovers between 1 percent and 2 percent of traffic on Firefox, Internet Explorer, Chrome and Android 5.0 integrated browser.\n\nSWEET32 is one of the first relatively practical attacks against 64-bit suites, and can be executed with the resources at the disposal of a nation-state or well stocked criminal enterprise.\n", "reporter": "Michael Mimoso", "published": "2016-09-23T15:47:13", "type": "threatpost", "title": "OpenSSL Patches High-Severity OCSP Bug, Mitigates SWEET32 Attack", "enchantments": {"score": {"modified": "2018-10-06T22:54:41", "vector": "NONE", "value": 5.0}}, "bulletinFamily": "info", "cvelist": ["CVE-2016-2183", "CVE-2016-6304"], "_object_type": "robots.models.threatpost.ThreatpostBulletin", "modified": "2016-09-23T19:47:13", "id": "THREATPOST:92734AB0515417387ACE7EE44D1D5100", "href": "https://threatpost.com/openssl-patches-high-severity-ocsp-bug-mitigates-sweet32-attack/120845/", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T22:54:34", "_object_types": ["robots.models.base.Bulletin", "robots.models.threatpost.ThreatpostBulletin"], "references": ["http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html", "https://blog.qualys.com/laws-of-vulnerabilities/2016/10/18/oracle-october-2016-critical-patch-update", "http://www.davidlitchfield.com/oracle-oct-2016-cpu.pdf", "https://threatpost.com/oracle-ebusiness-suite-massive-attack-surface-assessed/119638/", "https://threatpost.com/bangladesh-bank-hackers-accessed-swift-system-to-steal-cover-tracks/117637/", "https://threatpost.com/oracle-patches-record-276-vulnerabilities-with-july-critical-patch-update/119373/"], "description": "Oracle fixed 253 vulnerabilities across 76 product lines on Tuesday as part of its quarterly [Critical Patch Update](<http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html>). Many of the fixes addressed by Oracle tackled vulnerabilities tied to securing critical enterprise data.\n\nVulnerabilities in Oracle Fusion Middleware, a family of infrastructure products the company develops, are some of the most pressing. The update addresses 29 vulnerabilities in the software, 19 of which can be exploited remotely without authentication. Five of those vulnerabilities fetch a CVSS score of 9.8, the highest rating any vulnerabilities fixed this time around garnered.\n\nEach of the vulnerabilities could lead to the takeover of components in the affected software, in this case Oracle Big Data Discovery and Oracle WebLogic Server.\n\nIn addition to Fusion Middleware, three other vulnerabilities, in Oracle\u2019s Commerce Platform, and two retail apps \u2013 its Retail Customer Insights, and Retail Merchandising Insights \u2013 also contained critical, remotely exploitable vulnerabilities.\n\nWhile Fusion Middleware may have had the most critical vulnerabilities it didn\u2019t have the most overall. Oracle\u2019s Communications Applications, which had 36 vulnerabilities, 31 of which were remotely exploitable, and Oracle\u2019s MySQL, which had 31 vulnerabilities, two which were remotely exploitable, were the most patched pieces of software on Tuesday.\n\nJava, Oracle\u2019s perennial whipping boy, didn\u2019t emerge this quarter unscathed either. Tuesday\u2019s update fixed seven vulnerabilities in Java SE, all which can be remotely exploited without authentication, three of which carry a CVSS of 9.6.\n\nThe oldest bug, CVE-2010-5312, dates back to 2010 and exists in Application Express, a component in Oracle\u2019s Database Server. That vulnerability, along with the 11 others fixed in Database Server, should also be on an end users\u2019 CPU docket, an expert warned.\n\n\u201cAdministrators should plan on patching for CVE-2016-6304, CVE-2016-5598 and CVE-2010-5312 as they are remotely exploitable and attackers can use them after compromising another system on the network,\u201d Amol Sarwarte, the director of Vulnerability Labs at Qualys, [wrote on the company\u2019s blog Tuesday](<https://blog.qualys.com/laws-of-vulnerabilities/2016/10/18/oracle-october-2016-critical-patch-update>).\n\nElsewhere, analysts with ERPScan, a firm that conducts audits on Oracle systems, are encouraging end users to pay attention to vulnerabilities patched in Oracle\u2019s E-Business Suite, especially one that stems from the way OpenSSL is implemented in Oracle HTTP Server.\n\n\u201cThe vulnerability is assessed as critical and, according to Oracle\u2019s advisory, allows unauthenticated attacker with network access via HTTP to compromise Oracle HTTP Server, which can result in complete DoS of the component,\u201d Darya Maenkova, an analyst at the firm told Threatpost Tuesday.\n\n\u201cERPScan researchers conducted a Shodan scan and revealed that approximately 15,000 Oracle HTTP servers are exposed to the Internet,\u201d Maenkova said.\n\nPer usual, noted Oracle bug hunter David Litchfield uncovered a handful of the vulnerabilities fixed this week.\n\nFour of the vulnerabilities he found were of the SQL injection variety and existed in e-Business Suite 12.x and 11.x. The bugs, in utilities owned by both SYS and SYSTEM users, could lead to SQL execution, Litchfield warned in [a .PDF document](<http://www.davidlitchfield.com/oracle-oct-2016-cpu.pdf>) around the bugs published Wednesday.\n\nE-Business Suite, the main business software made by the company, is usually flush with sensitive processes and key data, meaning a compromise could lead to the theft of business critical information.\n\nLitchfield, a security engineer at Google, described earlier this summer how he found a litany of vulnerabilities, 50 in a week \u2013 including cross-site scripting bugs and SQL injections, in the platform at Black Hat.\n\n\u201cIt\u2019s a rich source of vulnerabilities,\u201d Litchfield [said during his talk](<https://threatpost.com/oracle-ebusiness-suite-massive-attack-surface-assessed/119638/>), \u201cThere\u2019s a lot of juicy stuff an attacker would look at and like to break in.\u201d\n\nOracle\u2019s products figure into almost countless business implementations worldwide. When Bangladesh Bank\u2019s SWIFT payment system was [compromised in February](<https://threatpost.com/bangladesh-bank-hackers-accessed-swift-system-to-steal-cover-tracks/117637/>), researchers at Bae Systems said malware was operating in an Oracle-powered environment running SWIFT\u2019s software. Litchfield said at DEFCON in 2011 that an Oracle database hack was to blame for the Sony Playstation Network outage that April.\n\nWith this week\u2019s update, the last of 2016, Oracle has fixed almost 1,000 vulnerabilities, 913 in total, in its products this year. Almost every update contained more than 200 fixes, almost twice the average number of fixes, 110, pushed out by the company from 2011 to 2015.\n\nTuesday\u2019s update is the second largest issued by the company. Oracle set the record when it released its last CPU, fixing 276 vulnerabilities, [in July](<https://threatpost.com/oracle-patches-record-276-vulnerabilities-with-july-critical-patch-update/119373/>) this past summer.\n", "reporter": "Chris Brook", "published": "2016-10-19T13:39:40", "type": "threatpost", "title": "Oracle Fixes 253 Vulnerabilities in Last CPU of 2016", "enchantments": {"score": {"modified": "2018-10-06T22:54:34", "vector": "NONE", "value": 4.3}}, "bulletinFamily": "info", "cvelist": ["CVE-2010-5312", "CVE-2016-5598", "CVE-2016-6304"], "_object_type": "robots.models.threatpost.ThreatpostBulletin", "modified": "2016-10-19T17:39:40", "id": "THREATPOST:D4706357F1ED015BC0C89123865AF61A", "href": "https://threatpost.com/oracle-fixes-253-vulnerabilities-in-last-cpu-of-2016/121375/", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}], "hackerone": [{"lastseen": "2018-04-19T17:34:08", "references": [], "h1team": {"profile_picture_urls": {"small": "https://profile-photos.hackerone-user-content.com/000/000/024/75262df009f3ef03cea184defe7c7b10a728f58a_small.png?1384251609", "medium": "https://profile-photos.hackerone-user-content.com/000/000/024/e7fbd40dac4117a139413866b5ecda76d66c8346_medium.png?1384251609"}, "handle": "ibb-openssl", "url": "https://hackerone.com/ibb-openssl"}, "bounty": 2500.0, "bountyState": "resolved", "edition": 5, "description": "A malicious client can send an excessively large OCSP Status Request extension.\nIf that client continually requests renegotiation, sending a large OCSP Status\nRequest extension each time, then there will be unbounded memory growth on the\nserver. This will eventually lead to a Denial Of Service attack through memory\nexhaustion. Servers with a default configuration are vulnerable even if they do\nnot support OCSP. Builds using the \"no-ocsp\" build time option are not affected.", "reporter": "theyarestone", "published": "2017-03-29T01:24:57", "type": "hackerone", "title": "OpenSSL (IBB): OCSP Status Request extension unbounded memory growth (CVE-2016-6304)", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "h1reporter": {"profile_picture_urls": {"small": "/assets/avatars/default-71a302d706457f3d3a31eb30fa3e73e6cf0b1d677b8fa218eaeaffd67ae97918.png"}, "hacker_mediation": false, "disabled": false, "is_me?": false, "url": "/theyarestone", "hackerone_triager": false, "username": "theyarestone"}, "bulletinFamily": "bugbounty", "cvelist": [], "modified": "2017-04-12T00:58:54", "href": "https://hackerone.com/reports/216840", "id": "H1:216840", "cvss": {"score": 0.0, "vector": "NONE"}}], "suse": [{"lastseen": "2016-11-01T17:27:52", "references": ["https://bugzilla.suse.com/985201", "https://bugzilla.suse.com/1001652"], "affectedPackage": [{"OS": "SUSE Linux Enterprise Module for Web Scripting", "OSVersion": "12", "packageVersion": "4.6.0-8.1", "arch": "aarch64", "packageName": "nodejs4-devel", "packageFilename": "nodejs4-devel-4.6.0-8.1.aarch64.rpm", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Module for Web Scripting", "OSVersion": "12", "packageVersion": "4.6.0-8.1", "arch": "noarch", "packageName": "nodejs4-docs", "packageFilename": "nodejs4-docs-4.6.0-8.1.noarch.rpm", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Module for Web Scripting", "OSVersion": "12", "packageVersion": "4.6.0-8.1", "arch": "aarch64", "packageName": "npm4", "packageFilename": "npm4-4.6.0-8.1.aarch64.rpm", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Module for Web Scripting", "OSVersion": "12", "packageVersion": "4.6.0-8.1", "arch": "aarch64", "packageName": "nodejs4", "packageFilename": "nodejs4-4.6.0-8.1.aarch64.rpm", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Module for Web Scripting", "OSVersion": "12", "packageVersion": "4.6.0-8.1", "arch": "aarch64", "packageName": "nodejs4-debuginfo", "packageFilename": "nodejs4-debuginfo-4.6.0-8.1.aarch64.rpm", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Module for Web Scripting", "OSVersion": "12", "packageVersion": "4.6.0-8.1", "arch": "aarch64", "packageName": "nodejs4-debugsource", "packageFilename": "nodejs4-debugsource-4.6.0-8.1.aarch64.rpm", "operator": "lt"}], "edition": 1, "description": "This update brings the new upstream nodejs LTS version 4.6.0, fixing bugs\n and security issues:\n\n * Nodejs embedded openssl version update\n + upgrade to 1.0.2j (CVE-2016-6304, CVE-2016-2183, CVE-2016-2178,\n CVE-2016-6306, CVE-2016-7052)\n + remove support for dynamic 3rd party engine modules\n * http: Properly validate for allowable characters in input user data.\n This introduces a new case where throw may occur when configuring HTTP\n responses, users should already be adopting try/catch here.\n (CVE-2016-5325, bsc#985201)\n * tls: properly validate wildcard certificates (CVE-2016-7099, bsc#1001652)\n * buffer: Zero-fill excess bytes in new Buffer objects created with\n Buffer.concat()\n\n", "reporter": "Suse", "published": "2016-11-01T16:19:35", "type": "suse", "title": "Security update for nodejs4 (important)", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "bulletinFamily": "unix", "cvelist": ["CVE-2016-6306", "CVE-2016-2183", "CVE-2016-2178", "CVE-2016-6304", "CVE-2016-7099", "CVE-2016-7052", "CVE-2016-5325"], "modified": "2016-11-01T16:19:35", "href": "http://lists.opensuse.org/opensuse-security-announce/2016-11/msg00001.html", "id": "SUSE-SU-2016:2470-2", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2016-10-11T17:26:45", "references": ["https://bugzilla.suse.com/985201", "https://bugzilla.suse.com/1001652"], "affectedPackage": [{"OS": "openSUSE", "OSVersion": "13.2", "packageVersion": "4.6.0-24.2", "arch": "x86_64", "packageFilename": "nodejs-debuginfo-4.6.0-24.2.x86_64.rpm", "packageName": "nodejs-debuginfo", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "13.2", "packageVersion": "4.6.0-24.2", "arch": "x86_64", "packageFilename": "nodejs-devel-4.6.0-24.2.x86_64.rpm", "packageName": "nodejs-devel", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "42.1", "packageVersion": "4.6.0-33.1", "arch": "i586", "packageFilename": "npm-4.6.0-33.1.i586.rpm", "packageName": "npm", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "42.1", "packageVersion": "4.6.0-33.1", "arch": "i586", "packageFilename": "nodejs-devel-4.6.0-33.1.i586.rpm", "packageName": "nodejs-devel", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "42.1", "packageVersion": "4.6.0-33.1", "arch": "noarch", "packageFilename": "nodejs-docs-4.6.0-33.1.noarch.rpm", "packageName": "nodejs-docs", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "13.2", "packageVersion": "4.6.0-24.2", "arch": "x86_64", "packageFilename": "nodejs-debugsource-4.6.0-24.2.x86_64.rpm", "packageName": "nodejs-debugsource", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "42.1", "packageVersion": "4.6.0-33.1", "arch": "i586", "packageFilename": "nodejs-debugsource-4.6.0-33.1.i586.rpm", "packageName": "nodejs-debugsource", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "13.2", "packageVersion": "4.6.0-24.2", "arch": "noarch", "packageFilename": "nodejs-doc-4.6.0-24.2.noarch.rpm", "packageName": "nodejs-doc", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "42.1", "packageVersion": "4.6.0-33.1", "arch": "x86_64", "packageFilename": "nodejs-debugsource-4.6.0-33.1.x86_64.rpm", "packageName": "nodejs-debugsource", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "13.2", "packageVersion": "4.6.0-24.2", "arch": "i586", "packageFilename": "nodejs-debugsource-4.6.0-24.2.i586.rpm", "packageName": "nodejs-debugsource", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "13.2", "packageVersion": "4.6.0-24.2", "arch": "i586", "packageFilename": "nodejs-debuginfo-4.6.0-24.2.i586.rpm", "packageName": "nodejs-debuginfo", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "42.1", "packageVersion": "4.6.0-33.1", "arch": "x86_64", "packageFilename": "npm-4.6.0-33.1.x86_64.rpm", "packageName": "npm", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "13.2", "packageVersion": "4.6.0-24.2", "arch": "i586", "packageFilename": "nodejs-devel-4.6.0-24.2.i586.rpm", "packageName": "nodejs-devel", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "13.2", "packageVersion": "4.6.0-24.2", "arch": "i586", "packageFilename": "nodejs-4.6.0-24.2.i586.rpm", "packageName": "nodejs", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "42.1", "packageVersion": "4.6.0-33.1", "arch": "i586", "packageFilename": "nodejs-4.6.0-33.1.i586.rpm", "packageName": "nodejs", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "42.1", "packageVersion": "4.6.0-33.1", "arch": "x86_64", "packageFilename": "nodejs-4.6.0-33.1.x86_64.rpm", "packageName": "nodejs", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "42.1", "packageVersion": "4.6.0-33.1", "arch": "x86_64", "packageFilename": "nodejs-devel-4.6.0-33.1.x86_64.rpm", "packageName": "nodejs-devel", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "42.1", "packageVersion": "4.6.0-33.1", "arch": "x86_64", "packageFilename": "nodejs-debuginfo-4.6.0-33.1.x86_64.rpm", "packageName": "nodejs-debuginfo", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "42.1", "packageVersion": "4.6.0-33.1", "arch": "i586", "packageFilename": "nodejs-debuginfo-4.6.0-33.1.i586.rpm", "packageName": "nodejs-debuginfo", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "13.2", "packageVersion": "4.6.0-24.2", "arch": "x86_64", "packageFilename": "nodejs-4.6.0-24.2.x86_64.rpm", "packageName": "nodejs", "operator": "lt"}], "edition": 1, "description": "This update brings the new upstream nodejs LTS version 4.6.0, fixing bugs\n and security issues:\n\n * Nodejs embedded openssl version update\n + upgrade to 1.0.2j (CVE-2016-6304, CVE-2016-2183, CVE-2016-2178,\n CVE-2016-6306, CVE-2016-7052)\n + remove support for dynamic 3rd party engine modules\n * http: Properly validate for allowable characters in input user data.\n This introduces a new case where throw may occur when configuring HTTP\n responses, users should already be adopting try/catch here.\n (CVE-2016-5325, bsc#985201)\n * tls: properly validate wildcard certificates (CVE-2016-7099, bsc#1001652)\n * buffer: Zero-fill excess bytes in new Buffer objects created with\n Buffer.concat()\n\n", "reporter": "Suse", "published": "2016-10-11T19:20:03", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "type": "suse", "title": "Security update for nodejs (important)", "bulletinFamily": "unix", "cvelist": ["CVE-2016-1669", "CVE-2016-6306", "CVE-2016-2183", "CVE-2016-2178", "CVE-2016-6304", "CVE-2016-7099", "CVE-2016-7052", "CVE-2016-5325"], "modified": "2016-10-11T19:20:03", "id": "OPENSUSE-SU-2016:2496-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2016-10/msg00021.html", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-10-06T21:27:36", "references": ["https://bugzilla.suse.com/985201", "https://bugzilla.suse.com/1001652"], "affectedPackage": [{"OS": "SUSE Linux Enterprise Module for Web Scripting", "OSVersion": "12", "packageVersion": "4.6.0-8.1", "arch": "x86_64", "packageFilename": "nodejs4-debugsource-4.6.0-8.1.x86_64.rpm", "packageName": "nodejs4-debugsource", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Module for Web Scripting", "OSVersion": "12", "packageVersion": "4.6.0-8.1", "arch": "x86_64", "packageFilename": "nodejs4-debuginfo-4.6.0-8.1.x86_64.rpm", "packageName": "nodejs4-debuginfo", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Module for Web Scripting", "OSVersion": "12", "packageVersion": "4.6.0-8.1", "arch": "ppc64le", "packageFilename": "nodejs4-devel-4.6.0-8.1.ppc64le.rpm", "packageName": "nodejs4-devel", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Module for Web Scripting", "OSVersion": "12", "packageVersion": "4.6.0-8.1", "arch": "x86_64", "packageFilename": "npm4-4.6.0-8.1.x86_64.rpm", "packageName": "npm4", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Module for Web Scripting", "OSVersion": "12", "packageVersion": "4.6.0-8.1", "arch": "x86_64", "packageFilename": "nodejs4-devel-4.6.0-8.1.x86_64.rpm", "packageName": "nodejs4-devel", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Module for Web Scripting", "OSVersion": "12", "packageVersion": "4.6.0-8.1", "arch": "noarch", "packageFilename": "nodejs4-docs-4.6.0-8.1.noarch.rpm", "packageName": "nodejs4-docs", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Module for Web Scripting", "OSVersion": "12", "packageVersion": "4.6.0-8.1", "arch": "ppc64le", "packageFilename": "nodejs4-debugsource-4.6.0-8.1.ppc64le.rpm", "packageName": "nodejs4-debugsource", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Module for Web Scripting", "OSVersion": "12", "packageVersion": "4.6.0-8.1", "arch": "ppc64le", "packageFilename": "npm4-4.6.0-8.1.ppc64le.rpm", "packageName": "npm4", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Module for Web Scripting", "OSVersion": "12", "packageVersion": "4.6.0-8.1", "arch": "ppc64le", "packageFilename": "nodejs4-debuginfo-4.6.0-8.1.ppc64le.rpm", "packageName": "nodejs4-debuginfo", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Module for Web Scripting", "OSVersion": "12", "packageVersion": "4.6.0-8.1", "arch": "x86_64", "packageFilename": "nodejs4-4.6.0-8.1.x86_64.rpm", "packageName": "nodejs4", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Module for Web Scripting", "OSVersion": "12", "packageVersion": "4.6.0-8.1", "arch": "ppc64le", "packageFilename": "nodejs4-4.6.0-8.1.ppc64le.rpm", "packageName": "nodejs4", "operator": "lt"}], "edition": 1, "description": "This update brings the new upstream nodejs LTS version 4.6.0, fixing bugs\n and security issues:\n\n * Nodejs embedded openssl version update\n + upgrade to 1.0.2j (CVE-2016-6304, CVE-2016-2183, CVE-2016-2178,\n CVE-2016-6306, CVE-2016-7052)\n + remove support for dynamic 3rd party engine modules\n * http: Properly validate for allowable characters in input user data.\n This introduces a new case where throw may occur when configuring HTTP\n responses, users should already be adopting try/catch here.\n (CVE-2016-5325, bsc#985201)\n * tls: properly validate wildcard certificates (CVE-2016-7099, bsc#1001652)\n * buffer: Zero-fill excess bytes in new Buffer objects created with\n Buffer.concat()\n\n", "reporter": "Suse", "published": "2016-10-06T20:14:21", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "type": "suse", "title": "Security update for nodejs4 (important)", "bulletinFamily": "unix", "cvelist": ["CVE-2016-6306", "CVE-2016-2183", "CVE-2016-2178", "CVE-2016-6304", "CVE-2016-7099", "CVE-2016-7052", "CVE-2016-5325"], "modified": "2016-10-06T20:14:21", "id": "SUSE-SU-2016:2470-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2016-10/msg00013.html", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2016-10-05T17:27:35", "references": ["https://bugzilla.suse.com/999666", "https://bugzilla.suse.com/994749", "https://bugzilla.suse.com/999665", "https://bugzilla.suse.com/982575", "https://bugzilla.suse.com/979475", "https://bugzilla.suse.com/995324", "https://bugzilla.suse.com/995359", "https://bugzilla.suse.com/994844", "https://bugzilla.suse.com/999668", "https://bugzilla.suse.com/983249", "https://bugzilla.suse.com/995075", "https://bugzilla.suse.com/998190", "https://bugzilla.suse.com/993819", "https://bugzilla.suse.com/995377"], "affectedPackage": [{"OS": "SUSE Linux Enterprise Server LTSS", "OSVersion": "11.3", "packageVersion": "0.9.8j-0.102.2", "arch": "s390x", "packageFilename": "libopenssl-devel-0.9.8j-0.102.2.s390x.rpm", "packageName": "libopenssl-devel", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "11.4", "packageVersion": "0.9.8j-0.102.2", "arch": "x86_64", "packageFilename": "libopenssl0_9_8-32bit-0.9.8j-0.102.2.x86_64.rpm", "packageName": "libopenssl0_9_8-32bit", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "11.4", "packageVersion": "0.9.8j-0.102.2", "arch": "i586", "packageFilename": "openssl-0.9.8j-0.102.2.i586.rpm", "packageName": "openssl", "operator": "lt"}, {"OS": "SUSE Manager", "OSVersion": "2.1", "packageVersion": "0.9.8j-0.102.2", "arch": "s390x", "packageFilename": "libopenssl0_9_8-32bit-0.9.8j-0.102.2.s390x.rpm", "packageName": "libopenssl0_9_8-32bit", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Debuginfo", "OSVersion": "11.3", "packageVersion": "0.9.8j-0.102.2", "arch": "i586", "packageFilename": "openssl-debuginfo-0.9.8j-0.102.2.i586.rpm", "packageName": "openssl-debuginfo", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Debuginfo", "OSVersion": "11.2", "packageVersion": "0.9.8j-0.102.2", "arch": "i586", "packageFilename": "openssl-debugsource-0.9.8j-0.102.2.i586.rpm", "packageName": "openssl-debugsource", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Debuginfo", "OSVersion": "11.2", "packageVersion": "0.9.8j-0.102.2", "arch": "x86_64", "packageFilename": "openssl-debuginfo-0.9.8j-0.102.2.x86_64.rpm", "packageName": "openssl-debuginfo", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server LTSS", "OSVersion": "11.2", "packageVersion": "0.9.8j-0.102.2", "arch": "s390x", "packageFilename": "openssl-0.9.8j-0.102.2.s390x.rpm", "packageName": "openssl", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Software Development Kit", "OSVersion": "11.4", "packageVersion": "0.9.8j-0.102.2", "arch": "s390x", "packageFilename": "libopenssl-devel-0.9.8j-0.102.2.s390x.rpm", "packageName": "libopenssl-devel", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Software Development Kit", "OSVersion": "11.4", "packageVersion": "0.9.8j-0.102.2", "arch": "ppc64", "packageFilename": "libopenssl-devel-32bit-0.9.8j-0.102.2.ppc64.rpm", "packageName": "libopenssl-devel-32bit", "operator": "lt"}, {"OS": "SUSE OpenStack Cloud", "OSVersion": "5", "packageVersion": "0.9.8j-0.102.2", "arch": "x86_64", "packageFilename": "libopenssl0_9_8-hmac-0.9.8j-0.102.2.x86_64.rpm", "packageName": "libopenssl0_9_8-hmac", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server LTSS", "OSVersion": "11.3", "packageVersion": "0.9.8j-0.102.2", "arch": "i586", "packageFilename": "libopenssl0_9_8-hmac-0.9.8j-0.102.2.i586.rpm", "packageName": "libopenssl0_9_8-hmac", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Debuginfo", "OSVersion": "11.4", "packageVersion": "0.9.8j-0.102.2", "arch": "i586", "packageFilename": "openssl-debugsource-0.9.8j-0.102.2.i586.rpm", "packageName": "openssl-debugsource", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Debuginfo", "OSVersion": "11.4", "packageVersion": "0.9.8j-0.102.2", "arch": "ppc64", "packageFilename": "openssl-debugsource-0.9.8j-0.102.2.ppc64.rpm", "packageName": "openssl-debugsource", "operator": "lt"}, {"OS": "SUSE Manager", "OSVersion": "2.1", "packageVersion": "0.9.8j-0.102.2", "arch": "x86_64", "packageFilename": "libopenssl0_9_8-hmac-0.9.8j-0.102.2.x86_64.rpm", "packageName": "libopenssl0_9_8-hmac", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Debuginfo", "OSVersion": "11.2", "packageVersion": "0.9.8j-0.102.2", "arch": "s390x", "packageFilename": "openssl-debuginfo-0.9.8j-0.102.2.s390x.rpm", "packageName": "openssl-debuginfo", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server LTSS", "OSVersion": "11.3", "packageVersion": "0.9.8j-0.102.2", "arch": "s390x", "packageFilename": "openssl-doc-0.9.8j-0.102.2.s390x.rpm", "packageName": "openssl-doc", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server LTSS", "OSVersion": "11.3", "packageVersion": "0.9.8j-0.102.2", "arch": "i586", "packageFilename": "openssl-doc-0.9.8j-0.102.2.i586.rpm", "packageName": "openssl-doc", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Debuginfo", "OSVersion": "11.4", "packageVersion": "0.9.8j-0.102.2", "arch": "i586", "packageFilename": "openssl-debuginfo-0.9.8j-0.102.2.i586.rpm", "packageName": "openssl-debuginfo", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "11.4", "packageVersion": "0.9.8j-0.102.2", "arch": "x86_64", "packageFilename": "openssl-doc-0.9.8j-0.102.2.x86_64.rpm", "packageName": "openssl-doc", "operator": "lt"}, {"OS": "SUSE OpenStack Cloud", "OSVersion": "5", "packageVersion": "0.9.8j-0.102.2", "arch": "x86_64", "packageFilename": "libopenssl0_9_8-hmac-32bit-0.9.8j-0.102.2.x86_64.rpm", "packageName": "libopenssl0_9_8-hmac-32bit", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Debuginfo", "OSVersion": "11.3", "packageVersion": "0.9.8j-0.102.2", "arch": "i586", "packageFilename": "openssl-debugsource-0.9.8j-0.102.2.i586.rpm", "packageName": "openssl-debugsource", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server LTSS", "OSVersion": "11.2", "packageVersion": "0.9.8j-0.102.2", "arch": "i586", "packageFilename": "libopenssl0_9_8-hmac-0.9.8j-0.102.2.i586.rpm", "packageName": "libopenssl0_9_8-hmac", "operator": "lt"}, {"OS": "SUSE Manager Proxy", "OSVersion": "2.1", "packageVersion": "0.9.8j-0.102.2", "arch": "x86_64", "packageFilename": "openssl-0.9.8j-0.102.2.x86_64.rpm", "packageName": "openssl", "operator": "lt"}, {"OS": "SUSE Manager", "OSVersion": "2.1", "packageVersion": "0.9.8j-0.102.2", "arch": "x86_64", "packageFilename": "libopenssl0_9_8-32bit-0.9.8j-0.102.2.x86_64.rpm", "packageName": "libopenssl0_9_8-32bit", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Debuginfo", "OSVersion": "11.4", "packageVersion": "0.9.8j-0.102.2", "arch": "x86_64", "packageFilename": "openssl-debugsource-0.9.8j-0.102.2.x86_64.rpm", "packageName": "openssl-debugsource", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server LTSS", "OSVersion": "11.3", "packageVersion": "0.9.8j-0.102.2", "arch": "x86_64", "packageFilename": "openssl-0.9.8j-0.102.2.x86_64.rpm", "packageName": "openssl", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server LTSS", "OSVersion": "11.2", "packageVersion": "0.9.8j-0.102.2", "arch": "x86_64", "packageFilename": "libopenssl0_9_8-hmac-0.9.8j-0.102.2.x86_64.rpm", "packageName": "libopenssl0_9_8-hmac", "operator": "lt"}, {"OS": "SUSE Manager", "OSVersion": "2.1", "packageVersion": "0.9.8j-0.102.2", "arch": "x86_64", "packageFilename": "libopenssl0_9_8-0.9.8j-0.102.2.x86_64.rpm", "packageName": "libopenssl0_9_8", "operator": "lt"}, {"OS": "SUSE OpenStack Cloud", "OSVersion": "5", "packageVersion": "0.9.8j-0.102.2", "arch": "x86_64", "packageFilename": "libopenssl-devel-0.9.8j-0.102.2.x86_64.rpm", "packageName": "libopenssl-devel", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Software Development Kit", "OSVersion": "11.4", "packageVersion": "0.9.8j-0.102.2", "arch": "x86_64", "packageFilename": "libopenssl-devel-0.9.8j-0.102.2.x86_64.rpm", "packageName": "libopenssl-devel", "operator": "lt"}, {"OS": "SUSE OpenStack Cloud", "OSVersion": "5", "packageVersion": "0.9.8j-0.102.2", "arch": "x86_64", "packageFilename": "openssl-0.9.8j-0.102.2.x86_64.rpm", "packageName": "openssl", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "11.4", "packageVersion": "0.9.8j-0.102.2", "arch": "x86_64", "packageFilename": "libopenssl0_9_8-0.9.8j-0.102.2.x86_64.rpm", "packageName": "libopenssl0_9_8", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server LTSS", "OSVersion": "11.3", "packageVersion": "0.9.8j-0.102.2", "arch": "s390x", "packageFilename": "libopenssl0_9_8-0.9.8j-0.102.2.s390x.rpm", "packageName": "libopenssl0_9_8", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server LTSS", "OSVersion": "11.3", "packageVersion": "0.9.8j-0.102.2", "arch": "i586", "packageFilename": "libopenssl-devel-0.9.8j-0.102.2.i586.rpm", "packageName": "libopenssl-devel", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Debuginfo", "OSVersion": "11.4", "packageVersion": "0.9.8j-0.102.2", "arch": "ia64", "packageFilename": "openssl-debugsource-0.9.8j-0.102.2.ia64.rpm", "packageName": "openssl-debugsource", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Debuginfo", "OSVersion": "11.4", "packageVersion": "0.9.8j-0.102.2", "arch": "s390x", "packageFilename": "openssl-debugsource-0.9.8j-0.102.2.s390x.rpm", "packageName": "openssl-debugsource", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server LTSS", "OSVersion": "11.2", "packageVersion": "0.9.8j-0.102.2", "arch": "x86_64", "packageFilename": "libopenssl0_9_8-0.9.8j-0.102.2.x86_64.rpm", "packageName": "libopenssl0_9_8", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server LTSS", "OSVersion": "11.2", "packageVersion": "0.9.8j-0.102.2", "arch": "s390x", "packageFilename": "openssl-doc-0.9.8j-0.102.2.s390x.rpm", "packageName": "openssl-doc", "operator": "lt"}, {"OS": "SUSE Manager Proxy", "OSVersion": "2.1", "packageVersion": "0.9.8j-0.102.2", "arch": "x86_64", "packageFilename": "libopenssl-devel-0.9.8j-0.102.2.x86_64.rpm", "packageName": "libopenssl-devel", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "11.4", "packageVersion": "0.9.8j-0.102.2", "arch": "i586", "packageFilename": "libopenssl0_9_8-hmac-0.9.8j-0.102.2.i586.rpm", "packageName": "libopenssl0_9_8-hmac", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Software Development Kit", "OSVersion": "11.4", "packageVersion": "0.9.8j-0.102.2", "arch": "ia64", "packageFilename": "libopenssl-devel-0.9.8j-0.102.2.ia64.rpm", "packageName": "libopenssl-devel", "operator": "lt"}, {"OS": "SUSE Manager", "OSVersion": "2.1", "packageVersion": "0.9.8j-0.102.2", "arch": "x86_64", "packageFilename": "openssl-0.9.8j-0.102.2.x86_64.rpm", "packageName": "openssl", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "11.4", "packageVersion": "0.9.8j-0.102.2", "arch": "x86_64", "packageFilename": "openssl-0.9.8j-0.102.2.x86_64.rpm", "packageName": "openssl", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server LTSS", "OSVersion": "11.3", "packageVersion": "0.9.8j-0.102.2", "arch": "i586", "packageFilename": "openssl-0.9.8j-0.102.2.i586.rpm", "packageName": "openssl", "operator": "lt"}, {"OS": "SUSE Manager", "OSVersion": "2.1", "packageVersion": "0.9.8j-0.102.2", "arch": "s390x", "packageFilename": "openssl-0.9.8j-0.102.2.s390x.rpm", "packageName": "openssl", "operator": "lt"}, {"OS": "SUSE Manager", "OSVersion": "2.1", "packageVersion": "0.9.8j-0.102.2", "arch": "s390x", "packageFilename": "libopenssl0_9_8-0.9.8j-0.102.2.s390x.rpm", "packageName": "libopenssl0_9_8", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server LTSS", "OSVersion": "11.3", "packageVersion": "0.9.8j-0.102.2", "arch": "i586", "packageFilename": "libopenssl0_9_8-0.9.8j-0.102.2.i586.rpm", "packageName": "libopenssl0_9_8", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "11.4", "packageVersion": "0.9.8j-0.102.2", "arch": "s390x", "packageFilename": "openssl-0.9.8j-0.102.2.s390x.rpm", "packageName": "openssl", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Software Development Kit", "OSVersion": "11.4", "packageVersion": "0.9.8j-0.102.2", "arch": "ppc64", "packageFilename": "libopenssl-devel-0.9.8j-0.102.2.ppc64.rpm", "packageName": "libopenssl-devel", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server LTSS", "OSVersion": "11.3", "packageVersion": "0.9.8j-0.102.2", "arch": "s390x", "packageFilename": "libopenssl0_9_8-32bit-0.9.8j-0.102.2.s390x.rpm", "packageName": "libopenssl0_9_8-32bit", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "11.4", "packageVersion": "0.9.8j-0.102.2", "arch": "ia64", "packageFilename": "openssl-doc-0.9.8j-0.102.2.ia64.rpm", "packageName": "openssl-doc", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Debuginfo", "OSVersion": "11.4", "packageVersion": "0.9.8j-0.102.2", "arch": "ppc64", "packageFilename": "openssl-debuginfo-0.9.8j-0.102.2.ppc64.rpm", "packageName": "openssl-debuginfo", "operator": "lt"}, {"OS": "SUSE OpenStack Cloud", "OSVersion": "5", "packageVersion": "0.9.8j-0.102.2", "arch": "x86_64", "packageFilename": "openssl-doc-0.9.8j-0.102.2.x86_64.rpm", "packageName": "openssl-doc", "operator": "lt"}, {"OS": "SUSE Manager", "OSVersion": "2.1", "packageVersion": "0.9.8j-0.102.2", "arch": "s390x", "packageFilename": "libopenssl0_9_8-hmac-32bit-0.9.8j-0.102.2.s390x.rpm", "packageName": "libopenssl0_9_8-hmac-32bit", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Debuginfo", "OSVersion": "11.4", "packageVersion": "0.9.8j-0.102.2", "arch": "ia64", "packageFilename": "openssl-debuginfo-0.9.8j-0.102.2.ia64.rpm", "packageName": "openssl-debuginfo", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server LTSS", "OSVersion": "11.2", "packageVersion": "0.9.8j-0.102.2", "arch": "s390x", "packageFilename": "libopenssl0_9_8-32bit-0.9.8j-0.102.2.s390x.rpm", "packageName": "libopenssl0_9_8-32bit", "operator": "lt"}, {"OS": "SUSE Manager", "OSVersion": "2.1", "packageVersion": "0.9.8j-0.102.2", "arch": "x86_64", "packageFilename": "openssl-doc-0.9.8j-0.102.2.x86_64.rpm", "packageName": "openssl-doc", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Debuginfo", "OSVersion": "11.3", "packageVersion": "0.9.8j-0.102.2", "arch": "s390x", "packageFilename": "openssl-debuginfo-0.9.8j-0.102.2.s390x.rpm", "packageName": "openssl-debuginfo", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Point of Sale", "OSVersion": "11.3", "packageVersion": "0.9.8j-0.102.2", "arch": "i586", "packageFilename": "openssl-0.9.8j-0.102.2.i586.rpm", "packageName": "openssl", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Debuginfo", "OSVersion": "11.3", "packageVersion": "0.9.8j-0.102.2", "arch": "x86_64", "packageFilename": "openssl-debugsource-0.9.8j-0.102.2.x86_64.rpm", "packageName": "openssl-debugsource", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server LTSS", "OSVersion": "11.2", "packageVersion": "0.9.8j-0.102.2", "arch": "s390x", "packageFilename": "libopenssl0_9_8-hmac-32bit-0.9.8j-0.102.2.s390x.rpm", "packageName": "libopenssl0_9_8-hmac-32bit", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Point of Sale", "OSVersion": "11.3", "packageVersion": "0.9.8j-0.102.2", "arch": "i586", "packageFilename": "libopenssl0_9_8-0.9.8j-0.102.2.i586.rpm", "packageName": "libopenssl0_9_8", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server LTSS", "OSVersion": "11.2", "packageVersion": "0.9.8j-0.102.2", "arch": "i586", "packageFilename": "libopenssl0_9_8-0.9.8j-0.102.2.i586.rpm", "packageName": "libopenssl0_9_8", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server LTSS", "OSVersion": "11.3", "packageVersion": "0.9.8j-0.102.2", "arch": "x86_64", "packageFilename": "libopenssl0_9_8-0.9.8j-0.102.2.x86_64.rpm", "packageName": "libopenssl0_9_8", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "11.4", "packageVersion": "0.9.8j-0.102.2", "arch": "ia64", "packageFilename": "libopenssl0_9_8-hmac-0.9.8j-0.102.2.ia64.rpm", "packageName": "libopenssl0_9_8-hmac", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server LTSS", "OSVersion": "11.2", "packageVersion": "0.9.8j-0.102.2", "arch": "x86_64", "packageFilename": "openssl-doc-0.9.8j-0.102.2.x86_64.rpm", "packageName": "openssl-doc", "operator": "lt"}, {"OS": "SUSE Studio Onsite", "OSVersion": "1.3", "packageVersion": "0.9.8j-0.102.2", "arch": "x86_64", "packageFilename": "libopenssl-devel-0.9.8j-0.102.2.x86_64.rpm", "packageName": "libopenssl-devel", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Software Development Kit", "OSVersion": "11.4", "packageVersion": "0.9.8j-0.102.2", "arch": "i586", "packageFilename": "libopenssl-devel-0.9.8j-0.102.2.i586.rpm", "packageName": "libopenssl-devel", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server LTSS", "OSVersion": "11.2", "packageVersion": "0.9.8j-0.102.2", "arch": "x86_64", "packageFilename": "openssl-0.9.8j-0.102.2.x86_64.rpm", "packageName": "openssl", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server LTSS", "OSVersion": "11.2", "packageVersion": "0.9.8j-0.102.2", "arch": "x86_64", "packageFilename": "libopenssl0_9_8-hmac-32bit-0.9.8j-0.102.2.x86_64.rpm", "packageName": "libopenssl0_9_8-hmac-32bit", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "11.4", "packageVersion": "0.9.8j-0.102.2", "arch": "ppc64", "packageFilename": "libopenssl0_9_8-hmac-0.9.8j-0.102.2.ppc64.rpm", "packageName": "libopenssl0_9_8-hmac", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "11.4", "packageVersion": "0.9.8j-0.102.2", "arch": "ppc64", "packageFilename": "openssl-doc-0.9.8j-0.102.2.ppc64.rpm", "packageName": "openssl-doc", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "11.4", "packageVersion": "0.9.8j-0.102.2", "arch": "s390x", "packageFilename": "libopenssl0_9_8-0.9.8j-0.102.2.s390x.rpm", "packageName": "libopenssl0_9_8", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server LTSS", "OSVersion": "11.2", "packageVersion": "0.9.8j-0.102.2", "arch": "i586", "packageFilename": "openssl-0.9.8j-0.102.2.i586.rpm", "packageName": "openssl", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "11.4", "packageVersion": "0.9.8j-0.102.2", "arch": "ia64", "packageFilename": "libopenssl0_9_8-x86-0.9.8j-0.102.2.ia64.rpm", "packageName": "libopenssl0_9_8-x86", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Debuginfo", "OSVersion": "11.3", "packageVersion": "0.9.8j-0.102.2", "arch": "s390x", "packageFilename": "openssl-debugsource-0.9.8j-0.102.2.s390x.rpm", "packageName": "openssl-debugsource", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server LTSS", "OSVersion": "11.3", "packageVersion": "0.9.8j-0.102.2", "arch": "x86_64", "packageFilename": "openssl-doc-0.9.8j-0.102.2.x86_64.rpm", "packageName": "openssl-doc", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "11.4", "packageVersion": "0.9.8j-0.102.2", "arch": "s390x", "packageFilename": "libopenssl0_9_8-hmac-0.9.8j-0.102.2.s390x.rpm", "packageName": "libopenssl0_9_8-hmac", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server LTSS", "OSVersion": "11.2", "packageVersion": "0.9.8j-0.102.2", "arch": "s390x", "packageFilename": "libopenssl0_9_8-0.9.8j-0.102.2.s390x.rpm", "packageName": "libopenssl0_9_8", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "11.4", "packageVersion": "0.9.8j-0.102.2", "arch": "ppc64", "packageFilename": "libopenssl0_9_8-hmac-32bit-0.9.8j-0.102.2.ppc64.rpm", "packageName": "libopenssl0_9_8-hmac-32bit", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Debuginfo", "OSVersion": "11.2", "packageVersion": "0.9.8j-0.102.2", "arch": "i586", "packageFilename": "openssl-debuginfo-0.9.8j-0.102.2.i586.rpm", "packageName": "openssl-debuginfo", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Debuginfo", "OSVersion": "11.2", "packageVersion": "0.9.8j-0.102.2", "arch": "s390x", "packageFilename": "openssl-debugsource-0.9.8j-0.102.2.s390x.rpm", "packageName": "openssl-debugsource", "operator": "lt"}, {"OS": "SUSE Manager", "OSVersion": "2.1", "packageVersion": "0.9.8j-0.102.2", "arch": "x86_64", "packageFilename": "libopenssl0_9_8-hmac-32bit-0.9.8j-0.102.2.x86_64.rpm", "packageName": "libopenssl0_9_8-hmac-32bit", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server LTSS", "OSVersion": "11.2", "packageVersion": "0.9.8j-0.102.2", "arch": "x86_64", "packageFilename": "libopenssl-devel-0.9.8j-0.102.2.x86_64.rpm", "packageName": "libopenssl-devel", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server LTSS", "OSVersion": "11.3", "packageVersion": "0.9.8j-0.102.2", "arch": "x86_64", "packageFilename": "libopenssl0_9_8-hmac-0.9.8j-0.102.2.x86_64.rpm", "packageName": "libopenssl0_9_8-hmac", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Point of Sale", "OSVersion": "11.3", "packageVersion": "0.9.8j-0.102.2", "arch": "i586", "packageFilename": "libopenssl-devel-0.9.8j-0.102.2.i586.rpm", "packageName": "libopenssl-devel", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server LTSS", "OSVersion": "11.3", "packageVersion": "0.9.8j-0.102.2", "arch": "x86_64", "packageFilename": "libopenssl0_9_8-32bit-0.9.8j-0.102.2.x86_64.rpm", "packageName": "libopenssl0_9_8-32bit", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Debuginfo", "OSVersion": "11.2", "packageVersion": "0.9.8j-0.102.2", "arch": "x86_64", "packageFilename": "openssl-debugsource-0.9.8j-0.102.2.x86_64.rpm", "packageName": "openssl-debugsource", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Point of Sale", "OSVersion": "11.3", "packageVersion": "0.9.8j-0.102.2", "arch": "i586", "packageFilename": "libopenssl0_9_8-hmac-0.9.8j-0.102.2.i586.rpm", "packageName": "libopenssl0_9_8-hmac", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Software Development Kit", "OSVersion": "11.4", "packageVersion": "0.9.8j-0.102.2", "arch": "x86_64", "packageFilename": "libopenssl-devel-32bit-0.9.8j-0.102.2.x86_64.rpm", "packageName": "libopenssl-devel-32bit", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "11.4", "packageVersion": "0.9.8j-0.102.2", "arch": "ppc64", "packageFilename": "libopenssl0_9_8-0.9.8j-0.102.2.ppc64.rpm", "packageName": "libopenssl0_9_8", "operator": "lt"}, {"OS": "SUSE OpenStack Cloud", "OSVersion": "5", "packageVersion": "0.9.8j-0.102.2", "arch": "x86_64", "packageFilename": "libopenssl0_9_8-0.9.8j-0.102.2.x86_64.rpm", "packageName": "libopenssl0_9_8", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server LTSS", "OSVersion": "11.2", "packageVersion": "0.9.8j-0.102.2", "arch": "s390x", "packageFilename": "libopenssl0_9_8-hmac-0.9.8j-0.102.2.s390x.rpm", "packageName": "libopenssl0_9_8-hmac", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "11.4", "packageVersion": "0.9.8j-0.102.2", "arch": "ia64", "packageFilename": "openssl-0.9.8j-0.102.2.ia64.rpm", "packageName": "openssl", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Point of Sale", "OSVersion": "11.3", "packageVersion": "0.9.8j-0.102.2", "arch": "i586", "packageFilename": "openssl-doc-0.9.8j-0.102.2.i586.rpm", "packageName": "openssl-doc", "operator": "lt"}, {"OS": "SUSE OpenStack Cloud", "OSVersion": "5", "packageVersion": "0.9.8j-0.102.2", "arch": "x86_64", "packageFilename": "libopenssl0_9_8-32bit-0.9.8j-0.102.2.x86_64.rpm", "packageName": "libopenssl0_9_8-32bit", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Debuginfo", "OSVersion": "11.4", "packageVersion": "0.9.8j-0.102.2", "arch": "x86_64", "packageFilename": "openssl-debuginfo-0.9.8j-0.102.2.x86_64.rpm", "packageName": "openssl-debuginfo", "operator": "lt"}, {"OS": "SUSE Manager Proxy", "OSVersion": "2.1", "packageVersion": "0.9.8j-0.102.2", "arch": "x86_64", "packageFilename": "libopenssl0_9_8-hmac-0.9.8j-0.102.2.x86_64.rpm", "packageName": "libopenssl0_9_8-hmac", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "11.4", "packageVersion": "0.9.8j-0.102.2", "arch": "i586", "packageFilename": "libopenssl0_9_8-0.9.8j-0.102.2.i586.rpm", "packageName": "libopenssl0_9_8", "operator": "lt"}, {"OS": "SUSE Manager Proxy", "OSVersion": "2.1", "packageVersion": "0.9.8j-0.102.2", "arch": "x86_64", "packageFilename": "openssl-doc-0.9.8j-0.102.2.x86_64.rpm", "packageName": "openssl-doc", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "11.4", "packageVersion": "0.9.8j-0.102.2", "arch": "ppc64", "packageFilename": "openssl-0.9.8j-0.102.2.ppc64.rpm", "packageName": "openssl", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "11.4", "packageVersion": "0.9.8j-0.102.2", "arch": "x86_64", "packageFilename": "libopenssl0_9_8-hmac-0.9.8j-0.102.2.x86_64.rpm", "packageName": "libopenssl0_9_8-hmac", "operator": "lt"}, {"OS": "SUSE Manager Proxy", "OSVersion": "2.1", "packageVersion": "0.9.8j-0.102.2", "arch": "x86_64", "packageFilename": "libopenssl0_9_8-0.9.8j-0.102.2.x86_64.rpm", "packageName": "libopenssl0_9_8", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "11.4", "packageVersion": "0.9.8j-0.102.2", "arch": "x86_64", "packageFilename": "libopenssl0_9_8-hmac-32bit-0.9.8j-0.102.2.x86_64.rpm", "packageName": "libopenssl0_9_8-hmac-32bit", "operator": "lt"}, {"OS": "SUSE Manager Proxy", "OSVersion": "2.1", "packageVersion": "0.9.8j-0.102.2", "arch": "x86_64", "packageFilename": "libopenssl0_9_8-32bit-0.9.8j-0.102.2.x86_64.rpm", "packageName": "libopenssl0_9_8-32bit", "operator": "lt"}, {"OS": "SUSE Manager Proxy", "OSVersion": "2.1", "packageVersion": "0.9.8j-0.102.2", "arch": "x86_64", "packageFilename": "libopenssl0_9_8-hmac-32bit-0.9.8j-0.102.2.x86_64.rpm", "packageName": "libopenssl0_9_8-hmac-32bit", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server LTSS", "OSVersion": "11.3", "packageVersion": "0.9.8j-0.102.2", "arch": "x86_64", "packageFilename": "libopenssl-devel-0.9.8j-0.102.2.x86_64.rpm", "packageName": "libopenssl-devel", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server LTSS", "OSVersion": "11.2", "packageVersion": "0.9.8j-0.102.2", "arch": "i586", "packageFilename": "libopenssl-devel-0.9.8j-0.102.2.i586.rpm", "packageName": "libopenssl-devel", "operator": "lt"}, {"OS": "SUSE Manager", "OSVersion": "2.1", "packageVersion": "0.9.8j-0.102.2", "arch": "s390x", "packageFilename": "openssl-doc-0.9.8j-0.102.2.s390x.rpm", "packageName": "openssl-doc", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Debuginfo", "OSVersion": "11.3", "packageVersion": "0.9.8j-0.102.2", "arch": "x86_64", "packageFilename": "openssl-debuginfo-0.9.8j-0.102.2.x86_64.rpm", "packageName": "openssl-debuginfo", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Software Development Kit", "OSVersion": "11.4", "packageVersion": "0.9.8j-0.102.2", "arch": "s390x", "packageFilename": "libopenssl-devel-32bit-0.9.8j-0.102.2.s390x.rpm", "packageName": "libopenssl-devel-32bit", "operator": "lt"}, {"OS": "SUSE Manager", "OSVersion": "2.1", "packageVersion": "0.9.8j-0.102.2", "arch": "s390x", "packageFilename": "libopenssl0_9_8-hmac-0.9.8j-0.102.2.s390x.rpm", "packageName": "libopenssl0_9_8-hmac", "operator": "lt"}, {"OS": "SUSE Manager", "OSVersion": "2.1", "packageVersion": "0.9.8j-0.102.2", "arch": "x86_64", "packageFilename": "libopenssl-devel-0.9.8j-0.102.2.x86_64.rpm", "packageName": "libopenssl-devel", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "11.4", "packageVersion": "0.9.8j-0.102.2", "arch": "ia64", "packageFilename": "libopenssl0_9_8-0.9.8j-0.102.2.ia64.rpm", "packageName": "libopenssl0_9_8", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server LTSS", "OSVersion": "11.3", "packageVersion": "0.9.8j-0.102.2", "arch": "s390x", "packageFilename": "libopenssl0_9_8-hmac-32bit-0.9.8j-0.102.2.s390x.rpm", "packageName": "libopenssl0_9_8-hmac-32bit", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "11.4", "packageVersion": "0.9.8j-0.102.2", "arch": "ppc64", "packageFilename": "libopenssl0_9_8-32bit-0.9.8j-0.102.2.ppc64.rpm", "packageName": "libopenssl0_9_8-32bit", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "11.4", "packageVersion": "0.9.8j-0.102.2", "arch": "i586", "packageFilename": "openssl-doc-0.9.8j-0.102.2.i586.rpm", "packageName": "openssl-doc", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server LTSS", "OSVersion": "11.2", "packageVersion": "0.9.8j-0.102.2", "arch": "i586", "packageFilename": "openssl-doc-0.9.8j-0.102.2.i586.rpm", "packageName": "openssl-doc", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server LTSS", "OSVersion": "11.3", "packageVersion": "0.9.8j-0.102.2", "arch": "s390x", "packageFilename": "openssl-0.9.8j-0.102.2.s390x.rpm", "packageName": "openssl", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "11.4", "packageVersion": "0.9.8j-0.102.2", "arch": "s390x", "packageFilename": "libopenssl0_9_8-hmac-32bit-0.9.8j-0.102.2.s390x.rpm", "packageName": "libopenssl0_9_8-hmac-32bit", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server LTSS", "OSVersion": "11.2", "packageVersion": "0.9.8j-0.102.2", "arch": "x86_64", "packageFilename": "libopenssl0_9_8-32bit-0.9.8j-0.102.2.x86_64.rpm", "packageName": "libopenssl0_9_8-32bit", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "11.4", "packageVersion": "0.9.8j-0.102.2", "arch": "s390x", "packageFilename": "libopenssl0_9_8-32bit-0.9.8j-0.102.2.s390x.rpm", "packageName": "libopenssl0_9_8-32bit", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Debuginfo", "OSVersion": "11.4", "packageVersion": "0.9.8j-0.102.2", "arch": "s390x", "packageFilename": "openssl-debuginfo-0.9.8j-0.102.2.s390x.rpm", "packageName": "openssl-debuginfo", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server LTSS", "OSVersion": "11.3", "packageVersion": "0.9.8j-0.102.2", "arch": "s390x", "packageFilename": "libopenssl0_9_8-hmac-0.9.8j-0.102.2.s390x.rpm", "packageName": "libopenssl0_9_8-hmac", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "11.4", "packageVersion": "0.9.8j-0.102.2", "arch": "s390x", "packageFilename": "openssl-doc-0.9.8j-0.102.2.s390x.rpm", "packageName": "openssl-doc", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server LTSS", "OSVersion": "11.2", "packageVersion": "0.9.8j-0.102.2", "arch": "s390x", "packageFilename": "libopenssl-devel-0.9.8j-0.102.2.s390x.rpm", "packageName": "libopenssl-devel", "operator": "lt"}, {"OS": "SUSE Manager", "OSVersion": "2.1", "packageVersion": "0.9.8j-0.102.2", "arch": "s390x", "packageFilename": "libopenssl-devel-0.9.8j-0.102.2.s390x.rpm", "packageName": "libopenssl-devel", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server LTSS", "OSVersion": "11.3", "packageVersion": "0.9.8j-0.102.2", "arch": "x86_64", "packageFilename": "libopenssl0_9_8-hmac-32bit-0.9.8j-0.102.2.x86_64.rpm", "packageName": "libopenssl0_9_8-hmac-32bit", "operator": "lt"}], "edition": 1, "description": "This update for openssl fixes the following issues:\n\n OpenSSL Security Advisory [22 Sep 2016] (bsc#999665)\n\n Severity: High\n * OCSP Status Request extension unbounded memory growth (CVE-2016-6304)\n (bsc#999666)\n\n Severity: Low\n * Pointer arithmetic undefined behavior (CVE-2016-2177) (bsc#982575)\n * Constant time flag not preserved in DSA signing (CVE-2016-2178)\n (bsc#983249)\n * DTLS buffered message DoS (CVE-2016-2179) (bsc#994844)\n * DTLS replay protection DoS (CVE-2016-2181) (bsc#994749)\n * OOB write in BN_bn2dec() (CVE-2016-2182) (bsc#993819)\n * Birthday attack against 64-bit block ciphers (SWEET32) (CVE-2016-2183)\n (bsc#995359)\n * Malformed SHA512 ticket DoS (CVE-2016-6302) (bsc#995324)\n * OOB write in MDC2_Update() (CVE-2016-6303) (bsc#995377)\n * Certificate message OOB reads (CVE-2016-6306) (bsc#999668)\n\n More information can be found on:\n <a rel=\"nofollow\" href=\"https://www.openssl.org/news/secadv/20160922.txt\">https://www.openssl.org/news/secadv/20160922.txt</a>\n\n Bugs fixed:\n * Update expired S/MIME certs (bsc#979475)\n * Fix crash in print_notice (bsc#998190)\n * Resume reading from /dev/urandom when interrupted by a signal\n (bsc#995075)\n\n", "reporter": "Suse", "published": "2016-10-05T18:09:41", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "type": "suse", "title": "Security update for openssl (important)", "bulletinFamily": "unix", "cvelist": ["CVE-2016-6306", "CVE-2016-2183", "CVE-2016-2178", "CVE-2016-6302", "CVE-2016-2177", "CVE-2016-2181", "CVE-2016-6304", "CVE-2016-6303", "CVE-2016-2182", "CVE-2016-2179"], "modified": "2016-10-05T18:09:41", "id": "SUSE-SU-2016:2458-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2016-10/msg00005.html", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2016-09-28T13:27:47", "references": ["https://bugzilla.suse.com/999666", "https://bugzilla.suse.com/994749", "https://bugzilla.suse.com/990419", "https://bugzilla.suse.com/999665", "https://bugzilla.suse.com/982575", "https://bugzilla.suse.com/982745", "https://bugzilla.suse.com/988591", "https://bugzilla.suse.com/979475", "https://bugzilla.suse.com/995324", "https://bugzilla.suse.com/995359", "https://bugzilla.suse.com/994844", "https://bugzilla.suse.com/999668", "https://bugzilla.suse.com/983249", "https://bugzilla.suse.com/995075", "https://bugzilla.suse.com/998190", "https://bugzilla.suse.com/993819", "https://bugzilla.suse.com/995377"], "affectedPackage": [{"OS": "openSUSE Leap", "OSVersion": "42.1", "packageVersion": "1.0.1i-18.1", "arch": "i586", "packageFilename": "libopenssl1_0_0-hmac-1.0.1i-18.1.i586.rpm", "packageName": "libopenssl1_0_0-hmac", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "42.1", "packageVersion": "1.0.1i-18.1", "arch": "x86_64", "packageFilename": "openssl-debugsource-1.0.1i-18.1.x86_64.rpm", "packageName": "openssl-debugsource", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "42.1", "packageVersion": "1.0.1i-18.1", "arch": "i586", "packageFilename": "libopenssl1_0_0-debuginfo-1.0.1i-18.1.i586.rpm", "packageName": "libopenssl1_0_0-debuginfo", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "42.1", "packageVersion": "1.0.1i-18.1", "arch": "i586", "packageFilename": "openssl-debuginfo-1.0.1i-18.1.i586.rpm", "packageName": "openssl-debuginfo", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "42.1", "packageVersion": "1.0.1i-18.1", "arch": "x86_64", "packageFilename": "openssl-1.0.1i-18.1.x86_64.rpm", "packageName": "openssl", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "42.1", "packageVersion": "1.0.1i-18.1", "arch": "x86_64", "packageFilename": "libopenssl1_0_0-hmac-32bit-1.0.1i-18.1.x86_64.rpm", "packageName": "libopenssl1_0_0-hmac-32bit", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "42.1", "packageVersion": "1.0.1i-18.1", "arch": "x86_64", "packageFilename": "libopenssl1_0_0-1.0.1i-18.1.x86_64.rpm", "packageName": "libopenssl1_0_0", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "42.1", "packageVersion": "1.0.1i-18.1", "arch": "x86_64", "packageFilename": "openssl-debuginfo-1.0.1i-18.1.x86_64.rpm", "packageName": "openssl-debuginfo", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "42.1", "packageVersion": "1.0.1i-18.1", "arch": "i586", "packageFilename": "openssl-1.0.1i-18.1.i586.rpm", "packageName": "openssl", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "42.1", "packageVersion": "1.0.1i-18.1", "arch": "noarch", "packageFilename": "openssl-doc-1.0.1i-18.1.noarch.rpm", "packageName": "openssl-doc", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "42.1", "packageVersion": "1.0.1i-18.1", "arch": "i586", "packageFilename": "libopenssl1_0_0-1.0.1i-18.1.i586.rpm", "packageName": "libopenssl1_0_0", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "42.1", "packageVersion": "1.0.1i-18.1", "arch": "i586", "packageFilename": "openssl-debugsource-1.0.1i-18.1.i586.rpm", "packageName": "openssl-debugsource", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "42.1", "packageVersion": "1.0.1i-18.1", "arch": "i586", "packageFilename": "libopenssl-devel-1.0.1i-18.1.i586.rpm", "packageName": "libopenssl-devel", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "42.1", "packageVersion": "1.0.1i-18.1", "arch": "x86_64", "packageFilename": "libopenssl1_0_0-hmac-1.0.1i-18.1.x86_64.rpm", "packageName": "libopenssl1_0_0-hmac", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "42.1", "packageVersion": "1.0.1i-18.1", "arch": "x86_64", "packageFilename": "libopenssl-devel-32bit-1.0.1i-18.1.x86_64.rpm", "packageName": "libopenssl-devel-32bit", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "42.1", "packageVersion": "1.0.1i-18.1", "arch": "x86_64", "packageFilename": "libopenssl-devel-1.0.1i-18.1.x86_64.rpm", "packageName": "libopenssl-devel", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "42.1", "packageVersion": "1.0.1i-18.1", "arch": "x86_64", "packageFilename": "libopenssl1_0_0-debuginfo-32bit-1.0.1i-18.1.x86_64.rpm", "packageName": "libopenssl1_0_0-debuginfo-32bit", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "42.1", "packageVersion": "1.0.1i-18.1", "arch": "x86_64", "packageFilename": "libopenssl1_0_0-debuginfo-1.0.1i-18.1.x86_64.rpm", "packageName": "libopenssl1_0_0-debuginfo", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "42.1", "packageVersion": "1.0.1i-18.1", "arch": "x86_64", "packageFilename": "libopenssl1_0_0-32bit-1.0.1i-18.1.x86_64.rpm", "packageName": "libopenssl1_0_0-32bit", "operator": "lt"}], "edition": 1, "description": "This update for openssl fixes the following issues:\n\n OpenSSL Security Advisory [22 Sep 2016] (bsc#999665)\n\n Severity: High\n * OCSP Status Request extension unbounded memory growth (CVE-2016-6304)\n (bsc#999666)\n\n Severity: Low\n * Pointer arithmetic undefined behaviour (CVE-2016-2177) (bsc#982575)\n * Constant time flag not preserved in DSA signing (CVE-2016-2178)\n (bsc#983249)\n * DTLS buffered message DoS (CVE-2016-2179) (bsc#994844)\n * OOB read in TS_OBJ_print_bio() (CVE-2016-2180) (bsc#990419)\n * DTLS replay protection DoS (CVE-2016-2181) (bsc#994749)\n * OOB write in BN_bn2dec() (CVE-2016-2182) (bsc#993819)\n * Birthday attack against 64-bit block ciphers (SWEET32) (CVE-2016-2183)\n (bsc#995359)\n * Malformed SHA512 ticket DoS (CVE-2016-6302) (bsc#995324)\n * OOB write in MDC2_Update() (CVE-2016-6303) (bsc#995377)\n * Certificate message OOB reads (CVE-2016-6306) (bsc#999668)\n\n More information can be found on:\n <a rel=\"nofollow\" href=\"https://www.openssl.org/news/secadv/20160922.txt\">https://www.openssl.org/news/secadv/20160922.txt</a>\n\n Also following bugs were fixed:\n * update expired S/MIME certs (bsc#979475)\n * improve s390x performance (bsc#982745)\n * allow &gt;= 64GB AESGCM transfers (bsc#988591)\n * fix crash in print_notice (bsc#998190)\n * resume reading from /dev/urandom when interrupted by a signal\n (bsc#995075)\n\n This update was imported from the SUSE:SLE-12-SP1:Update update project.\n\n", "reporter": "Suse", "published": "2016-09-28T12:10:35", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "type": "suse", "title": "Security update for openssl (important)", "bulletinFamily": "unix", "cvelist": ["CVE-2016-6306", "CVE-2016-2183", "CVE-2016-2178", "CVE-2016-6302", "CVE-2016-2177", "CVE-2016-2180", "CVE-2016-2181", "CVE-2016-6304", "CVE-2016-6303", "CVE-2016-2182", "CVE-2016-2179"], "modified": "2016-09-28T12:10:35", "id": "OPENSUSE-SU-2016:2407-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2016-09/msg00031.html", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2016-09-27T20:38:58", "references": ["https://bugzilla.suse.com/999666", "https://bugzilla.suse.com/994749", "https://bugzilla.suse.com/990419", "https://bugzilla.suse.com/999665", "https://bugzilla.suse.com/982575", "https://bugzilla.suse.com/982745", "https://bugzilla.suse.com/988591", "https://bugzilla.suse.com/979475", "https://bugzilla.suse.com/995324", "https://bugzilla.suse.com/995359", "https://bugzilla.suse.com/994844", "https://bugzilla.suse.com/999668", "https://bugzilla.suse.com/983249", "https://bugzilla.suse.com/995075", "https://bugzilla.suse.com/998190", "https://bugzilla.suse.com/993819", "https://bugzilla.suse.com/995377"], "affectedPackage": [{"OS": "SUSE Linux Enterprise Server", "OSVersion": "12.1", "packageVersion": "1.0.1i-52.1", "packageFilename": "libopenssl1_0_0-debuginfo-1.0.1i-52.1.s390x.rpm", "packageName": "libopenssl1_0_0-debuginfo", "arch": "s390x", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Desktop", "OSVersion": "12.1", "packageVersion": "1.0.1i-52.1", "packageFilename": "libopenssl1_0_0-debuginfo-1.0.1i-52.1.x86_64.rpm", "packageName": "libopenssl1_0_0-debuginfo", "arch": "x86_64", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Software Development Kit", "OSVersion": "12.1", "packageVersion": "1.0.1i-52.1", "packageFilename": "openssl-debugsource-1.0.1i-52.1.s390x.rpm", "packageName": "openssl-debugsource", "arch": "s390x", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "12.1", "packageVersion": "1.0.1i-52.1", "packageFilename": "libopenssl1_0_0-debuginfo-32bit-1.0.1i-52.1.x86_64.rpm", "packageName": "libopenssl1_0_0-debuginfo-32bit", "arch": "x86_64", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "12.1", "packageVersion": "1.0.1i-52.1", "packageFilename": "libopenssl1_0_0-1.0.1i-52.1.s390x.rpm", "packageName": "libopenssl1_0_0", "arch": "s390x", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "12.1", "packageVersion": "1.0.1i-52.1", "packageFilename": "libopenssl1_0_0-debuginfo-1.0.1i-52.1.ppc64le.rpm", "packageName": "libopenssl1_0_0-debuginfo", "arch": "ppc64le", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Desktop", "OSVersion": "12.1", "packageVersion": "1.0.1i-52.1", "packageFilename": "openssl-debugsource-1.0.1i-52.1.x86_64.rpm", "packageName": "openssl-debugsource", "arch": "x86_64", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "12.1", "packageVersion": "1.0.1i-52.1", "packageFilename": "openssl-1.0.1i-52.1.ppc64le.rpm", "packageName": "openssl", "arch": "ppc64le", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "12.1", "packageVersion": "1.0.1i-52.1", "packageFilename": "libopenssl1_0_0-32bit-1.0.1i-52.1.x86_64.rpm", "packageName": "libopenssl1_0_0-32bit", "arch": "x86_64", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "12.1", "packageVersion": "1.0.1i-52.1", "packageFilename": "openssl-1.0.1i-52.1.s390x.rpm", "packageName": "openssl", "arch": "s390x", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "12.1", "packageVersion": "1.0.1i-52.1", "packageFilename": "libopenssl1_0_0-hmac-32bit-1.0.1i-52.1.s390x.rpm", "packageName": "libopenssl1_0_0-hmac-32bit", "arch": "s390x", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Desktop", "OSVersion": "12.1", "packageVersion": "1.0.1i-52.1", "packageFilename": "libopenssl1_0_0-1.0.1i-52.1.x86_64.rpm", "packageName": "libopenssl1_0_0", "arch": "x86_64", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Software Development Kit", "OSVersion": "12.1", "packageVersion": "1.0.1i-52.1", "packageFilename": "libopenssl-devel-1.0.1i-52.1.s390x.rpm", "packageName": "libopenssl-devel", "arch": "s390x", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "12.1", "packageVersion": "1.0.1i-52.1", "packageFilename": "libopenssl1_0_0-debuginfo-1.0.1i-52.1.x86_64.rpm", "packageName": "libopenssl1_0_0-debuginfo", "arch": "x86_64", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Software Development Kit", "OSVersion": "12.1", "packageVersion": "1.0.1i-52.1", "packageFilename": "openssl-debuginfo-1.0.1i-52.1.ppc64le.rpm", "packageName": "openssl-debuginfo", "arch": "ppc64le", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Software Development Kit", "OSVersion": "12.1", "packageVersion": "1.0.1i-52.1", "packageFilename": "openssl-debugsource-1.0.1i-52.1.ppc64le.rpm", "packageName": "openssl-debugsource", "arch": "ppc64le", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Desktop", "OSVersion": "12.1", "packageVersion": "1.0.1i-52.1", "packageFilename": "libopenssl1_0_0-debuginfo-32bit-1.0.1i-52.1.x86_64.rpm", "packageName": "libopenssl1_0_0-debuginfo-32bit", "arch": "x86_64", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Software Development Kit", "OSVersion": "12.1", "packageVersion": "1.0.1i-52.1", "packageFilename": "openssl-debuginfo-1.0.1i-52.1.s390x.rpm", "packageName": "openssl-debuginfo", "arch": "s390x", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Software Development Kit", "OSVersion": "12.1", "packageVersion": "1.0.1i-52.1", "packageFilename": "openssl-debugsource-1.0.1i-52.1.x86_64.rpm", "packageName": "openssl-debugsource", "arch": "x86_64", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "12.1", "packageVersion": "1.0.1i-52.1", "packageFilename": "libopenssl1_0_0-1.0.1i-52.1.x86_64.rpm", "packageName": "libopenssl1_0_0", "arch": "x86_64", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Desktop", "OSVersion": "12.1", "packageVersion": "1.0.1i-52.1", "packageFilename": "openssl-1.0.1i-52.1.x86_64.rpm", "packageName": "openssl", "arch": "x86_64", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "12.1", "packageVersion": "1.0.1i-52.1", "packageFilename": "libopenssl1_0_0-32bit-1.0.1i-52.1.s390x.rpm", "packageName": "libopenssl1_0_0-32bit", "arch": "s390x", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "12.1", "packageVersion": "1.0.1i-52.1", "packageFilename": "openssl-1.0.1i-52.1.x86_64.rpm", "packageName": "openssl", "arch": "x86_64", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Desktop", "OSVersion": "12.1", "packageVersion": "1.0.1i-52.1", "packageFilename": "libopenssl1_0_0-32bit-1.0.1i-52.1.x86_64.rpm", "packageName": "libopenssl1_0_0-32bit", "arch": "x86_64", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Desktop", "OSVersion": "12.1", "packageVersion": "1.0.1i-52.1", "packageFilename": "openssl-debuginfo-1.0.1i-52.1.x86_64.rpm", "packageName": "openssl-debuginfo", "arch": "x86_64", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "12.1", "packageVersion": "1.0.1i-52.1", "packageFilename": "openssl-debugsource-1.0.1i-52.1.x86_64.rpm", "packageName": "openssl-debugsource", "arch": "x86_64", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "12.1", "packageVersion": "1.0.1i-52.1", "packageFilename": "openssl-debuginfo-1.0.1i-52.1.x86_64.rpm", "packageName": "openssl-debuginfo", "arch": "x86_64", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "12.1", "packageVersion": "1.0.1i-52.1", "packageFilename": "openssl-doc-1.0.1i-52.1.noarch.rpm", "packageName": "openssl-doc", "arch": "noarch", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "12.1", "packageVersion": "1.0.1i-52.1", "packageFilename": "libopenssl1_0_0-1.0.1i-52.1.ppc64le.rpm", "packageName": "libopenssl1_0_0", "arch": "ppc64le", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Software Development Kit", "OSVersion": "12.1", "packageVersion": "1.0.1i-52.1", "packageFilename": "libopenssl-devel-1.0.1i-52.1.ppc64le.rpm", "packageName": "libopenssl-devel", "arch": "ppc64le", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Software Development Kit", "OSVersion": "12.1", "packageVersion": "1.0.1i-52.1", "packageFilename": "libopenssl-devel-1.0.1i-52.1.x86_64.rpm", "packageName": "libopenssl-devel", "arch": "x86_64", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "12.1", "packageVersion": "1.0.1i-52.1", "packageFilename": "openssl-debuginfo-1.0.1i-52.1.s390x.rpm", "packageName": "openssl-debuginfo", "arch": "s390x", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "12.1", "packageVersion": "1.0.1i-52.1", "packageFilename": "libopenssl1_0_0-hmac-1.0.1i-52.1.x86_64.rpm", "packageName": "libopenssl1_0_0-hmac", "arch": "x86_64", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "12.1", "packageVersion": "1.0.1i-52.1", "packageFilename": "libopenssl1_0_0-hmac-32bit-1.0.1i-52.1.x86_64.rpm", "packageName": "libopenssl1_0_0-hmac-32bit", "arch": "x86_64", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "12.1", "packageVersion": "1.0.1i-52.1", "packageFilename": "libopenssl1_0_0-hmac-1.0.1i-52.1.ppc64le.rpm", "packageName": "libopenssl1_0_0-hmac", "arch": "ppc64le", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "12.1", "packageVersion": "1.0.1i-52.1", "packageFilename": "libopenssl1_0_0-debuginfo-32bit-1.0.1i-52.1.s390x.rpm", "packageName": "libopenssl1_0_0-debuginfo-32bit", "arch": "s390x", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "12.1", "packageVersion": "1.0.1i-52.1", "packageFilename": "openssl-debugsource-1.0.1i-52.1.ppc64le.rpm", "packageName": "openssl-debugsource", "arch": "ppc64le", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "12.1", "packageVersion": "1.0.1i-52.1", "packageFilename": "openssl-debugsource-1.0.1i-52.1.s390x.rpm", "packageName": "openssl-debugsource", "arch": "s390x", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "12.1", "packageVersion": "1.0.1i-52.1", "packageFilename": "libopenssl1_0_0-hmac-1.0.1i-52.1.s390x.rpm", "packageName": "libopenssl1_0_0-hmac", "arch": "s390x", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Software Development Kit", "OSVersion": "12.1", "packageVersion": "1.0.1i-52.1", "packageFilename": "openssl-debuginfo-1.0.1i-52.1.x86_64.rpm", "packageName": "openssl-debuginfo", "arch": "x86_64", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "12.1", "packageVersion": "1.0.1i-52.1", "packageFilename": "openssl-debuginfo-1.0.1i-52.1.ppc64le.rpm", "packageName": "openssl-debuginfo", "arch": "ppc64le", "operator": "lt"}], "description": "This update for openssl fixes the following issues:\n\n OpenSSL Security Advisory [22 Sep 2016] (bsc#999665)\n\n Severity: High\n * OCSP Status Request extension unbounded memory growth (CVE-2016-6304)\n (bsc#999666)\n\n Severity: Low\n * Pointer arithmetic undefined behaviour (CVE-2016-2177) (bsc#982575)\n * Constant time flag not preserved in DSA signing (CVE-2016-2178)\n (bsc#983249)\n * DTLS buffered message DoS (CVE-2016-2179) (bsc#994844)\n * OOB read in TS_OBJ_print_bio() (CVE-2016-2180) (bsc#990419)\n * DTLS replay protection DoS (CVE-2016-2181) (bsc#994749)\n * OOB write in BN_bn2dec() (CVE-2016-2182) (bsc#993819)\n * Birthday attack against 64-bit block ciphers (SWEET32) (CVE-2016-2183)\n (bsc#995359)\n * Malformed SHA512 ticket DoS (CVE-2016-6302) (bsc#995324)\n * OOB write in MDC2_Update() (CVE-2016-6303) (bsc#995377)\n * Certificate message OOB reads (CVE-2016-6306) (bsc#999668)\n\n More information can be found on:\n <a rel=\"nofollow\" href=\"https://www.openssl.org/news/secadv/20160922.txt\">https://www.openssl.org/news/secadv/20160922.txt</a>\n\n Also following bugs were fixed:\n * update expired S/MIME certs (bsc#979475)\n * improve s390x performance (bsc#982745)\n * allow &gt;= 64GB AESGCM transfers (bsc#988591)\n * fix crash in print_notice (bsc#998190)\n * resume reading from /dev/urandom when interrupted by a signal\n (bsc#995075)\n\n", "edition": 1, "reporter": "Suse", "published": "2016-09-27T19:11:34", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "type": "suse", "title": "Security update for openssl (important)", "bulletinFamily": "unix", "cvelist": ["CVE-2016-6306", "CVE-2016-2183", "CVE-2016-2178", "CVE-2016-6302", "CVE-2016-2177", "CVE-2016-2180", "CVE-2016-2181", "CVE-2016-6304", "CVE-2016-6303", "CVE-2016-2182", "CVE-2016-2179"], "modified": "2016-09-27T19:11:34", "id": "SUSE-SU-2016:2394-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2016-09/msg00024.html", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2016-10-14T13:27:46", "references": ["https://bugzilla.suse.com/999666", "https://bugzilla.suse.com/994749", "https://bugzilla.suse.com/999665", "https://bugzilla.suse.com/982575", "https://bugzilla.suse.com/979475", "https://bugzilla.suse.com/995324", "https://bugzilla.suse.com/995359", "https://bugzilla.suse.com/994844", "https://bugzilla.suse.com/999668", "https://bugzilla.suse.com/983249", "https://bugzilla.suse.com/995075", "https://bugzilla.suse.com/998190", "https://bugzilla.suse.com/993819", "https://bugzilla.suse.com/995377"], "affectedPackage": [{"OS": "openSUSE Leap", "OSVersion": "42.1", "packageVersion": "0.9.8j-15.1", "arch": "x86_64", "packageName": "libopenssl0_9_8-debuginfo", "packageFilename": "libopenssl0_9_8-debuginfo-0.9.8j-15.1.x86_64.rpm", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "42.1", "packageVersion": "0.9.8j-15.1", "arch": "i586", "packageName": "libopenssl0_9_8-debuginfo", "packageFilename": "libopenssl0_9_8-debuginfo-0.9.8j-15.1.i586.rpm", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "42.1", "packageVersion": "0.9.8j-15.1", "arch": "i586", "packageName": "compat-openssl098-debugsource", "packageFilename": "compat-openssl098-debugsource-0.9.8j-15.1.i586.rpm", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "42.1", "packageVersion": "0.9.8j-15.1", "arch": "x86_64", "packageName": "compat-openssl098-debugsource", "packageFilename": "compat-openssl098-debugsource-0.9.8j-15.1.x86_64.rpm", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "42.1", "packageVersion": "0.9.8j-15.1", "arch": "x86_64", "packageName": "libopenssl0_9_8-32bit", "packageFilename": "libopenssl0_9_8-32bit-0.9.8j-15.1.x86_64.rpm", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "42.1", "packageVersion": "0.9.8j-15.1", "arch": "x86_64", "packageName": "libopenssl0_9_8-debuginfo-32bit", "packageFilename": "libopenssl0_9_8-debuginfo-32bit-0.9.8j-15.1.x86_64.rpm", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "42.1", "packageVersion": "0.9.8j-15.1", "arch": "x86_64", "packageName": "libopenssl0_9_8", "packageFilename": "libopenssl0_9_8-0.9.8j-15.1.x86_64.rpm", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "42.1", "packageVersion": "0.9.8j-15.1", "arch": "i586", "packageName": "libopenssl0_9_8", "packageFilename": "libopenssl0_9_8-0.9.8j-15.1.i586.rpm", "operator": "lt"}], "edition": 1, "description": "This update for compat-openssl098 fixes the following issues:\n\n OpenSSL Security Advisory [22 Sep 2016] (bsc#999665)\n\n Severity: High\n * OCSP Status Request extension unbounded memory growth (CVE-2016-6304)\n (bsc#999666)\n\n Severity: Low\n * Pointer arithmetic undefined behaviour (CVE-2016-2177) (bsc#982575)\n * Constant time flag not preserved in DSA signing (CVE-2016-2178)\n (bsc#983249)\n * DTLS buffered message DoS (CVE-2016-2179) (bsc#994844)\n * DTLS replay protection DoS (CVE-2016-2181) (bsc#994749)\n * OOB write in BN_bn2dec() (CVE-2016-2182) (bsc#993819)\n * Birthday attack against 64-bit block ciphers (SWEET32) (CVE-2016-2183)\n (bsc#995359)\n * Malformed SHA512 ticket DoS (CVE-2016-6302) (bsc#995324)\n * OOB write in MDC2_Update() (CVE-2016-6303) (bsc#995377)\n * Certificate message OOB reads (CVE-2016-6306) (bsc#999668)\n\n More information can be found on:\n <a rel=\"nofollow\" href=\"https://www.openssl.org/news/secadv/20160922.txt\">https://www.openssl.org/news/secadv/20160922.txt</a>\n\n Bugs fixed:\n * update expired S/MIME certs (bsc#979475)\n * fix crash in print_notice (bsc#998190)\n * resume reading from /dev/urandom when interrupted by a signal\n (bsc#995075)\n\n This update was imported from the SUSE:SLE-12:Update update project.\n\n", "reporter": "Suse", "published": "2016-10-14T15:09:07", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "type": "suse", "title": "Security update for compat-openssl098 (important)", "bulletinFamily": "unix", "cvelist": ["CVE-2016-6306", "CVE-2016-2183", "CVE-2016-2178", "CVE-2016-6302", "CVE-2016-2177", "CVE-2016-2181", "CVE-2016-6304", "CVE-2016-6303", "CVE-2016-2182", "CVE-2016-2179"], "modified": "2016-10-14T15:09:07", "href": "http://lists.opensuse.org/opensuse-security-announce/2016-10/msg00029.html", "id": "OPENSUSE-SU-2016:2537-1", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2016-10-06T21:27:36", "references": ["https://bugzilla.suse.com/999666", "https://bugzilla.suse.com/994749", "https://bugzilla.suse.com/999665", "https://bugzilla.suse.com/982575", "https://bugzilla.suse.com/979475", "https://bugzilla.suse.com/995324", "https://bugzilla.suse.com/995359", "https://bugzilla.suse.com/994844", "https://bugzilla.suse.com/999668", "https://bugzilla.suse.com/983249", "https://bugzilla.suse.com/995075", "https://bugzilla.suse.com/998190", "https://bugzilla.suse.com/993819", "https://bugzilla.suse.com/995377"], "affectedPackage": [{"OS": "SUSE Linux Enterprise Server for SAP", "OSVersion": "12.1", "packageVersion": "0.9.8j-102.1", "arch": "x86_64", "packageFilename": "libopenssl0_9_8-debuginfo-0.9.8j-102.1.x86_64.rpm", "packageName": "libopenssl0_9_8-debuginfo", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Module for Legacy Software", "OSVersion": "12", "packageVersion": "0.9.8j-102.1", "arch": "x86_64", "packageFilename": "libopenssl0_9_8-debuginfo-0.9.8j-102.1.x86_64.rpm", "packageName": "libopenssl0_9_8-debuginfo", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Module for Legacy Software", "OSVersion": "12", "packageVersion": "0.9.8j-102.1", "arch": "s390x", "packageFilename": "libopenssl0_9_8-0.9.8j-102.1.s390x.rpm", "packageName": "libopenssl0_9_8", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server for SAP", "OSVersion": "12.1", "packageVersion": "0.9.8j-102.1", "arch": "x86_64", "packageFilename": "compat-openssl098-debugsource-0.9.8j-102.1.x86_64.rpm", "packageName": "compat-openssl098-debugsource", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Module for Legacy Software", "OSVersion": "12", "packageVersion": "0.9.8j-102.1", "arch": "s390x", "packageFilename": "compat-openssl098-debugsource-0.9.8j-102.1.s390x.rpm", "packageName": "compat-openssl098-debugsource", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server for SAP", "OSVersion": "12.1", "packageVersion": "0.9.8j-102.1", "arch": "x86_64", "packageFilename": "libopenssl0_9_8-0.9.8j-102.1.x86_64.rpm", "packageName": "libopenssl0_9_8", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Module for Legacy Software", "OSVersion": "12", "packageVersion": "0.9.8j-102.1", "arch": "x86_64", "packageFilename": "libopenssl0_9_8-0.9.8j-102.1.x86_64.rpm", "packageName": "libopenssl0_9_8", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Module for Legacy Software", "OSVersion": "12", "packageVersion": "0.9.8j-102.1", "arch": "x86_64", "packageFilename": "libopenssl0_9_8-32bit-0.9.8j-102.1.x86_64.rpm", "packageName": "libopenssl0_9_8-32bit", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Module for Legacy Software", "OSVersion": "12", "packageVersion": "0.9.8j-102.1", "arch": "s390x", "packageFilename": "libopenssl0_9_8-32bit-0.9.8j-102.1.s390x.rpm", "packageName": "libopenssl0_9_8-32bit", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Desktop", "OSVersion": "12.1", "packageVersion": "0.9.8j-102.1", "arch": "x86_64", "packageFilename": "libopenssl0_9_8-debuginfo-0.9.8j-102.1.x86_64.rpm", "packageName": "libopenssl0_9_8-debuginfo", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Desktop", "OSVersion": "12.1", "packageVersion": "0.9.8j-102.1", "arch": "x86_64", "packageFilename": "libopenssl0_9_8-32bit-0.9.8j-102.1.x86_64.rpm", "packageName": "libopenssl0_9_8-32bit", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Module for Legacy Software", "OSVersion": "12", "packageVersion": "0.9.8j-102.1", "arch": "s390x", "packageFilename": "libopenssl0_9_8-debuginfo-32bit-0.9.8j-102.1.s390x.rpm", "packageName": "libopenssl0_9_8-debuginfo-32bit", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Desktop", "OSVersion": "12.1", "packageVersion": "0.9.8j-102.1", "arch": "x86_64", "packageFilename": "libopenssl0_9_8-debuginfo-32bit-0.9.8j-102.1.x86_64.rpm", "packageName": "libopenssl0_9_8-debuginfo-32bit", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Module for Legacy Software", "OSVersion": "12", "packageVersion": "0.9.8j-102.1", "arch": "x86_64", "packageFilename": "compat-openssl098-debugsource-0.9.8j-102.1.x86_64.rpm", "packageName": "compat-openssl098-debugsource", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Module for Legacy Software", "OSVersion": "12", "packageVersion": "0.9.8j-102.1", "arch": "x86_64", "packageFilename": "libopenssl0_9_8-debuginfo-32bit-0.9.8j-102.1.x86_64.rpm", "packageName": "libopenssl0_9_8-debuginfo-32bit", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Module for Legacy Software", "OSVersion": "12", "packageVersion": "0.9.8j-102.1", "arch": "s390x", "packageFilename": "libopenssl0_9_8-debuginfo-0.9.8j-102.1.s390x.rpm", "packageName": "libopenssl0_9_8-debuginfo", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Desktop", "OSVersion": "12.1", "packageVersion": "0.9.8j-102.1", "arch": "x86_64", "packageFilename": "libopenssl0_9_8-0.9.8j-102.1.x86_64.rpm", "packageName": "libopenssl0_9_8", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Desktop", "OSVersion": "12.1", "packageVersion": "0.9.8j-102.1", "arch": "x86_64", "packageFilename": "compat-openssl098-debugsource-0.9.8j-102.1.x86_64.rpm", "packageName": "compat-openssl098-debugsource", "operator": "lt"}], "edition": 1, "description": "This update for compat-openssl098 fixes the following issues:\n\n OpenSSL Security Advisory [22 Sep 2016] (bsc#999665)\n\n Severity: High\n * OCSP Status Request extension unbounded memory growth (CVE-2016-6304)\n (bsc#999666)\n\n Severity: Low\n * Pointer arithmetic undefined behaviour (CVE-2016-2177) (bsc#982575)\n * Constant time flag not preserved in DSA signing (CVE-2016-2178)\n (bsc#983249)\n * DTLS buffered message DoS (CVE-2016-2179) (bsc#994844)\n * DTLS replay protection DoS (CVE-2016-2181) (bsc#994749)\n * OOB write in BN_bn2dec() (CVE-2016-2182) (bsc#993819)\n * Birthday attack against 64-bit block ciphers (SWEET32) (CVE-2016-2183)\n (bsc#995359)\n * Malformed SHA512 ticket DoS (CVE-2016-6302) (bsc#995324)\n * OOB write in MDC2_Update() (CVE-2016-6303) (bsc#995377)\n * Certificate message OOB reads (CVE-2016-6306) (bsc#999668)\n\n More information can be found on:\n <a rel=\"nofollow\" href=\"https://www.openssl.org/news/secadv/20160922.txt\">https://www.openssl.org/news/secadv/20160922.txt</a>\n\n Bugs fixed:\n * update expired S/MIME certs (bsc#979475)\n * fix crash in print_notice (bsc#998190)\n * resume reading from /dev/urandom when interrupted by a signal\n (bsc#995075)\n\n", "reporter": "Suse", "published": "2016-10-06T20:09:29", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "type": "suse", "title": "Security update for compat-openssl098 (important)", "bulletinFamily": "unix", "cvelist": ["CVE-2016-6306", "CVE-2016-2183", "CVE-2016-2178", "CVE-2016-6302", "CVE-2016-2177", "CVE-2016-2181", "CVE-2016-6304", "CVE-2016-6303", "CVE-2016-2182", "CVE-2016-2179"], "modified": "2016-10-06T20:09:29", "id": "SUSE-SU-2016:2468-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2016-10/msg00011.html", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2016-10-06T21:27:36", "references": ["https://bugzilla.suse.com/999666", "https://bugzilla.suse.com/994749", "https://bugzilla.suse.com/990419", "https://bugzilla.suse.com/999665", "https://bugzilla.suse.com/982575", "https://bugzilla.suse.com/982745", "https://bugzilla.suse.com/979475", "https://bugzilla.suse.com/995324", "https://bugzilla.suse.com/995359", "https://bugzilla.suse.com/994844", "https://bugzilla.suse.com/999668", "https://bugzilla.suse.com/983249", "https://bugzilla.suse.com/995075", "https://bugzilla.suse.com/998190", "https://bugzilla.suse.com/993819", "https://bugzilla.suse.com/995377"], "affectedPackage": [{"OS": "SUSE Linux Enterprise Server SECURITY", "OSVersion": "11", "packageVersion": "1.0.1g-0.52.1", "arch": "x86_64", "packageFilename": "libopenssl1_0_0-1.0.1g-0.52.1.x86_64.rpm", "packageName": "libopenssl1_0_0", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server SECURITY", "OSVersion": "11", "packageVersion": "1.0.1g-0.52.1", "arch": "ppc64", "packageFilename": "libopenssl1_0_0-1.0.1g-0.52.1.ppc64.rpm", "packageName": "libopenssl1_0_0", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server SECURITY", "OSVersion": "11", "packageVersion": "1.0.1g-0.52.1", "arch": "s390x", "packageFilename": "openssl1-doc-1.0.1g-0.52.1.s390x.rpm", "packageName": "openssl1-doc", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server SECURITY", "OSVersion": "11", "packageVersion": "1.0.1g-0.52.1", "arch": "i586", "packageFilename": "openssl1-1.0.1g-0.52.1.i586.rpm", "packageName": "openssl1", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server SECURITY", "OSVersion": "11", "packageVersion": "1.0.1g-0.52.1", "arch": "ia64", "packageFilename": "libopenssl1_0_0-1.0.1g-0.52.1.ia64.rpm", "packageName": "libopenssl1_0_0", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server SECURITY", "OSVersion": "11", "packageVersion": "1.0.1g-0.52.1", "arch": "s390x", "packageFilename": "openssl1-1.0.1g-0.52.1.s390x.rpm", "packageName": "openssl1", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server SECURITY", "OSVersion": "11", "packageVersion": "1.0.1g-0.52.1", "arch": "ppc64", "packageFilename": "libopenssl1_0_0-32bit-1.0.1g-0.52.1.ppc64.rpm", "packageName": "libopenssl1_0_0-32bit", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server SECURITY", "OSVersion": "11", "packageVersion": "1.0.1g-0.52.1", "arch": "x86_64", "packageFilename": "libopenssl1_0_0-32bit-1.0.1g-0.52.1.x86_64.rpm", "packageName": "libopenssl1_0_0-32bit", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server SECURITY", "OSVersion": "11", "packageVersion": "1.0.1g-0.52.1", "arch": "ppc64", "packageFilename": "openssl1-doc-1.0.1g-0.52.1.ppc64.rpm", "packageName": "openssl1-doc", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server SECURITY", "OSVersion": "11", "packageVersion": "1.0.1g-0.52.1", "arch": "ppc64", "packageFilename": "openssl1-1.0.1g-0.52.1.ppc64.rpm", "packageName": "openssl1", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server SECURITY", "OSVersion": "11", "packageVersion": "1.0.1g-0.52.1", "arch": "ppc64", "packageFilename": "libopenssl1-devel-1.0.1g-0.52.1.ppc64.rpm", "packageName": "libopenssl1-devel", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server SECURITY", "OSVersion": "11", "packageVersion": "1.0.1g-0.52.1", "arch": "ia64", "packageFilename": "openssl1-1.0.1g-0.52.1.ia64.rpm", "packageName": "openssl1", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server SECURITY", "OSVersion": "11", "packageVersion": "1.0.1g-0.52.1", "arch": "ia64", "packageFilename": "libopenssl1-devel-1.0.1g-0.52.1.ia64.rpm", "packageName": "libopenssl1-devel", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server SECURITY", "OSVersion": "11", "packageVersion": "1.0.1g-0.52.1", "arch": "ia64", "packageFilename": "libopenssl1_0_0-x86-1.0.1g-0.52.1.ia64.rpm", "packageName": "libopenssl1_0_0-x86", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server SECURITY", "OSVersion": "11", "packageVersion": "1.0.1g-0.52.1", "arch": "i586", "packageFilename": "openssl1-doc-1.0.1g-0.52.1.i586.rpm", "packageName": "openssl1-doc", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server SECURITY", "OSVersion": "11", "packageVersion": "1.0.1g-0.52.1", "arch": "x86_64", "packageFilename": "libopenssl1-devel-1.0.1g-0.52.1.x86_64.rpm", "packageName": "libopenssl1-devel", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server SECURITY", "OSVersion": "11", "packageVersion": "1.0.1g-0.52.1", "arch": "i586", "packageFilename": "libopenssl1-devel-1.0.1g-0.52.1.i586.rpm", "packageName": "libopenssl1-devel", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server SECURITY", "OSVersion": "11", "packageVersion": "1.0.1g-0.52.1", "arch": "i586", "packageFilename": "libopenssl1_0_0-1.0.1g-0.52.1.i586.rpm", "packageName": "libopenssl1_0_0", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server SECURITY", "OSVersion": "11", "packageVersion": "1.0.1g-0.52.1", "arch": "x86_64", "packageFilename": "openssl1-1.0.1g-0.52.1.x86_64.rpm", "packageName": "openssl1", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server SECURITY", "OSVersion": "11", "packageVersion": "1.0.1g-0.52.1", "arch": "x86_64", "packageFilename": "openssl1-doc-1.0.1g-0.52.1.x86_64.rpm", "packageName": "openssl1-doc", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server SECURITY", "OSVersion": "11", "packageVersion": "1.0.1g-0.52.1", "arch": "ia64", "packageFilename": "openssl1-doc-1.0.1g-0.52.1.ia64.rpm", "packageName": "openssl1-doc", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server SECURITY", "OSVersion": "11", "packageVersion": "1.0.1g-0.52.1", "arch": "s390x", "packageFilename": "libopenssl1_0_0-32bit-1.0.1g-0.52.1.s390x.rpm", "packageName": "libopenssl1_0_0-32bit", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server SECURITY", "OSVersion": "11", "packageVersion": "1.0.1g-0.52.1", "arch": "s390x", "packageFilename": "libopenssl1_0_0-1.0.1g-0.52.1.s390x.rpm", "packageName": "libopenssl1_0_0", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server SECURITY", "OSVersion": "11", "packageVersion": "1.0.1g-0.52.1", "arch": "s390x", "packageFilename": "libopenssl1-devel-1.0.1g-0.52.1.s390x.rpm", "packageName": "libopenssl1-devel", "operator": "lt"}], "edition": 1, "description": "This update for openssl1 fixes the following issues:\n\n penSSL Security Advisory [22 Sep 2016] (bsc#999665)\n\n Severity: High\n * OCSP Status Request extension unbounded memory growth (CVE-2016-6304)\n (bsc#999666)\n\n Severity: Low\n * Pointer arithmetic undefined behaviour (CVE-2016-2177) (bsc#982575)\n * Constant time flag not preserved in DSA signing (CVE-2016-2178)\n (bsc#983249)\n * DTLS buffered message DoS (CVE-2016-2179) (bsc#994844)\n * OOB read in TS_OBJ_print_bio() (CVE-2016-2180) (bsc#990419)\n * DTLS replay protection DoS (CVE-2016-2181) (bsc#994749)\n * OOB write in BN_bn2dec() (CVE-2016-2182) (bsc#993819)\n * Birthday attack against 64-bit block ciphers (SWEET32) (CVE-2016-2183)\n (bsc#995359)\n * Malformed SHA512 ticket DoS (CVE-2016-6302) (bsc#995324)\n * OOB write in MDC2_Update() (CVE-2016-6303) (bsc#995377)\n * Certificate message OOB reads (CVE-2016-6306) (bsc#999668)\n\n More information can be found on:\n <a rel=\"nofollow\" href=\"https://www.openssl.org/news/secadv/20160922.txt\">https://www.openssl.org/news/secadv/20160922.txt</a>\n\n Also following bugs were fixed:\n * update expired S/MIME certs (bsc#979475)\n * improve s390x performance (bsc#982745)\n * fix crash in print_notice (bsc#998190)\n * resume reading from /dev/urandom when interrupted by a signal\n (bsc#995075)\n\n", "reporter": "Suse", "published": "2016-10-06T20:11:44", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "type": "suse", "title": "Security update for openssl1 (important)", "bulletinFamily": "unix", "cvelist": ["CVE-2016-6306", "CVE-2016-2183", "CVE-2016-2178", "CVE-2016-6302", "CVE-2016-2177", "CVE-2016-2180", "CVE-2016-2181", "CVE-2016-6304", "CVE-2016-6303", "CVE-2016-2182", "CVE-2016-2179"], "modified": "2016-10-06T20:11:44", "id": "SUSE-SU-2016:2469-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2016-10/msg00012.html", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2016-09-26T20:38:56", "references": ["https://bugzilla.suse.com/999666", "https://bugzilla.suse.com/994749", "https://bugzilla.suse.com/990419", "https://bugzilla.suse.com/999665", "https://bugzilla.suse.com/982575", "https://bugzilla.suse.com/982745", "https://bugzilla.suse.com/988591", "https://bugzilla.suse.com/979475", "https://bugzilla.suse.com/995324", "https://bugzilla.suse.com/995359", "https://bugzilla.suse.com/994844", "https://bugzilla.suse.com/999668", "https://bugzilla.suse.com/983249", "https://bugzilla.suse.com/995075", "https://bugzilla.suse.com/998190", "https://bugzilla.suse.com/993819", "https://bugzilla.suse.com/995377"], "affectedPackage": [{"OS": "SUSE Linux Enterprise Server LTSS", "OSVersion": "12", "packageVersion": "1.0.1i-27.21.1", "packageFilename": "libopenssl1_0_0-1.0.1i-27.21.1.x86_64.rpm", "packageName": "libopenssl1_0_0", "arch": "x86_64", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server LTSS", "OSVersion": "12", "packageVersion": "1.0.1i-27.21.1", "packageFilename": "openssl-doc-1.0.1i-27.21.1.noarch.rpm", "packageName": "openssl-doc", "arch": "noarch", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server LTSS", "OSVersion": "12", "packageVersion": "1.0.1i-27.21.1", "packageFilename": "openssl-1.0.1i-27.21.1.ppc64le.rpm", "packageName": "openssl", "arch": "ppc64le", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server LTSS", "OSVersion": "12", "packageVersion": "1.0.1i-27.21.1", "packageFilename": "openssl-debuginfo-1.0.1i-27.21.1.x86_64.rpm", "packageName": "openssl-debuginfo", "arch": "x86_64", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server for SAP", "OSVersion": "12", "packageVersion": "1.0.1i-27.21.1", "packageFilename": "libopenssl1_0_0-debuginfo-32bit-1.0.1i-27.21.1.x86_64.rpm", "packageName": "libopenssl1_0_0-debuginfo-32bit", "arch": "x86_64", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server LTSS", "OSVersion": "12", "packageVersion": "1.0.1i-27.21.1", "packageFilename": "libopenssl1_0_0-hmac-32bit-1.0.1i-27.21.1.x86_64.rpm", "packageName": "libopenssl1_0_0-hmac-32bit", "arch": "x86_64", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server LTSS", "OSVersion": "12", "packageVersion": "1.0.1i-27.21.1", "packageFilename": "libopenssl1_0_0-hmac-1.0.1i-27.21.1.ppc64le.rpm", "packageName": "libopenssl1_0_0-hmac", "arch": "ppc64le", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server LTSS", "OSVersion": "12", "packageVersion": "1.0.1i-27.21.1", "packageFilename": "libopenssl1_0_0-1.0.1i-27.21.1.s390x.rpm", "packageName": "libopenssl1_0_0", "arch": "s390x", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server for SAP", "OSVersion": "12", "packageVersion": "1.0.1i-27.21.1", "packageFilename": "libopenssl1_0_0-hmac-1.0.1i-27.21.1.x86_64.rpm", "packageName": "libopenssl1_0_0-hmac", "arch": "x86_64", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server LTSS", "OSVersion": "12", "packageVersion": "1.0.1i-27.21.1", "packageFilename": "libopenssl1_0_0-1.0.1i-27.21.1.ppc64le.rpm", "packageName": "libopenssl1_0_0", "arch": "ppc64le", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server LTSS", "OSVersion": "12", "packageVersion": "1.0.1i-27.21.1", "packageFilename": "openssl-debuginfo-1.0.1i-27.21.1.s390x.rpm", "packageName": "openssl-debuginfo", "arch": "s390x", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server LTSS", "OSVersion": "12", "packageVersion": "1.0.1i-27.21.1", "packageFilename": "libopenssl1_0_0-debuginfo-32bit-1.0.1i-27.21.1.s390x.rpm", "packageName": "libopenssl1_0_0-debuginfo-32bit", "arch": "s390x", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server for SAP", "OSVersion": "12", "packageVersion": "1.0.1i-27.21.1", "packageFilename": "libopenssl1_0_0-1.0.1i-27.21.1.x86_64.rpm", "packageName": "libopenssl1_0_0", "arch": "x86_64", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server LTSS", "OSVersion": "12", "packageVersion": "1.0.1i-27.21.1", "packageFilename": "libopenssl1_0_0-hmac-1.0.1i-27.21.1.s390x.rpm", "packageName": "libopenssl1_0_0-hmac", "arch": "s390x", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server for SAP", "OSVersion": "12", "packageVersion": "1.0.1i-27.21.1", "packageFilename": "libopenssl1_0_0-debuginfo-1.0.1i-27.21.1.x86_64.rpm", "packageName": "libopenssl1_0_0-debuginfo", "arch": "x86_64", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server LTSS", "OSVersion": "12", "packageVersion": "1.0.1i-27.21.1", "packageFilename": "libopenssl1_0_0-debuginfo-1.0.1i-27.21.1.ppc64le.rpm", "packageName": "libopenssl1_0_0-debuginfo", "arch": "ppc64le", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server LTSS", "OSVersion": "12", "packageVersion": "1.0.1i-27.21.1", "packageFilename": "libopenssl1_0_0-debuginfo-1.0.1i-27.21.1.s390x.rpm", "packageName": "libopenssl1_0_0-debuginfo", "arch": "s390x", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server for SAP", "OSVersion": "12", "packageVersion": "1.0.1i-27.21.1", "packageFilename": "openssl-debuginfo-1.0.1i-27.21.1.x86_64.rpm", "packageName": "openssl-debuginfo", "arch": "x86_64", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server for SAP", "OSVersion": "12", "packageVersion": "1.0.1i-27.21.1", "packageFilename": "openssl-debugsource-1.0.1i-27.21.1.x86_64.rpm", "packageName": "openssl-debugsource", "arch": "x86_64", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server LTSS", "OSVersion": "12", "packageVersion": "1.0.1i-27.21.1", "packageFilename": "libopenssl1_0_0-32bit-1.0.1i-27.21.1.x86_64.rpm", "packageName": "libopenssl1_0_0-32bit", "arch": "x86_64", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server LTSS", "OSVersion": "12", "packageVersion": "1.0.1i-27.21.1", "packageFilename": "openssl-1.0.1i-27.21.1.s390x.rpm", "packageName": "openssl", "arch": "s390x", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server for SAP", "OSVersion": "12", "packageVersion": "1.0.1i-27.21.1", "packageFilename": "openssl-1.0.1i-27.21.1.x86_64.rpm", "packageName": "openssl", "arch": "x86_64", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server for SAP", "OSVersion": "12", "packageVersion": "1.0.1i-27.21.1", "packageFilename": "openssl-doc-1.0.1i-27.21.1.noarch.rpm", "packageName": "openssl-doc", "arch": "noarch", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server LTSS", "OSVersion": "12", "packageVersion": "1.0.1i-27.21.1", "packageFilename": "libopenssl1_0_0-hmac-1.0.1i-27.21.1.x86_64.rpm", "packageName": "libopenssl1_0_0-hmac", "arch": "x86_64", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server LTSS", "OSVersion": "12", "packageVersion": "1.0.1i-27.21.1", "packageFilename": "openssl-1.0.1i-27.21.1.x86_64.rpm", "packageName": "openssl", "arch": "x86_64", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server for SAP", "OSVersion": "12", "packageVersion": "1.0.1i-27.21.1", "packageFilename": "libopenssl1_0_0-hmac-32bit-1.0.1i-27.21.1.x86_64.rpm", "packageName": "libopenssl1_0_0-hmac-32bit", "arch": "x86_64", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server LTSS", "OSVersion": "12", "packageVersion": "1.0.1i-27.21.1", "packageFilename": "openssl-debugsource-1.0.1i-27.21.1.x86_64.rpm", "packageName": "openssl-debugsource", "arch": "x86_64", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server LTSS", "OSVersion": "12", "packageVersion": "1.0.1i-27.21.1", "packageFilename": "openssl-debuginfo-1.0.1i-27.21.1.ppc64le.rpm", "packageName": "openssl-debuginfo", "arch": "ppc64le", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server for SAP", "OSVersion": "12", "packageVersion": "1.0.1i-27.21.1", "packageFilename": "libopenssl1_0_0-32bit-1.0.1i-27.21.1.x86_64.rpm", "packageName": "libopenssl1_0_0-32bit", "arch": "x86_64", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server LTSS", "OSVersion": "12", "packageVersion": "1.0.1i-27.21.1", "packageFilename": "openssl-debugsource-1.0.1i-27.21.1.s390x.rpm", "packageName": "openssl-debugsource", "arch": "s390x", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server LTSS", "OSVersion": "12", "packageVersion": "1.0.1i-27.21.1", "packageFilename": "libopenssl1_0_0-debuginfo-1.0.1i-27.21.1.x86_64.rpm", "packageName": "libopenssl1_0_0-debuginfo", "arch": "x86_64", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server LTSS", "OSVersion": "12", "packageVersion": "1.0.1i-27.21.1", "packageFilename": "openssl-debugsource-1.0.1i-27.21.1.ppc64le.rpm", "packageName": "openssl-debugsource", "arch": "ppc64le", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server LTSS", "OSVersion": "12", "packageVersion": "1.0.1i-27.21.1", "packageFilename": "libopenssl1_0_0-32bit-1.0.1i-27.21.1.s390x.rpm", "packageName": "libopenssl1_0_0-32bit", "arch": "s390x", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server LTSS", "OSVersion": "12", "packageVersion": "1.0.1i-27.21.1", "packageFilename": "libopenssl1_0_0-debuginfo-32bit-1.0.1i-27.21.1.x86_64.rpm", "packageName": "libopenssl1_0_0-debuginfo-32bit", "arch": "x86_64", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server LTSS", "OSVersion": "12", "packageVersion": "1.0.1i-27.21.1", "packageFilename": "libopenssl1_0_0-hmac-32bit-1.0.1i-27.21.1.s390x.rpm", "packageName": "libopenssl1_0_0-hmac-32bit", "arch": "s390x", "operator": "lt"}], "description": "This update for openssl fixes the following issues:\n\n OpenSSL Security Advisory [22 Sep 2016] (bsc#999665)\n\n Severity: High\n * OCSP Status Request extension unbounded memory growth (CVE-2016-6304)\n (bsc#999666)\n\n Severity: Low\n * Pointer arithmetic undefined behaviour (CVE-2016-2177) (bsc#982575)\n * Constant time flag not preserved in DSA signing (CVE-2016-2178)\n (bsc#983249)\n * DTLS buffered message DoS (CVE-2016-2179) (bsc#994844)\n * OOB read in TS_OBJ_print_bio() (CVE-2016-2180) (bsc#990419)\n * DTLS replay protection DoS (CVE-2016-2181) (bsc#994749)\n * OOB write in BN_bn2dec() (CVE-2016-2182) (bsc#993819)\n * Birthday attack against 64-bit block ciphers (SWEET32) (CVE-2016-2183)\n (bsc#995359)\n * Malformed SHA512 ticket DoS (CVE-2016-6302) (bsc#995324)\n * OOB write in MDC2_Update() (CVE-2016-6303) (bsc#995377)\n * Certificate message OOB reads (CVE-2016-6306) (bsc#999668)\n\n More information can be found on:\n <a rel=\"nofollow\" href=\"https://www.openssl.org/news/secadv/20160922.txt\">https://www.openssl.org/news/secadv/20160922.txt</a>\n\n Also following bugs were fixed:\n * update expired S/MIME certs (bsc#979475)\n * improve s390x performance (bsc#982745)\n * allow &gt;= 64GB AESGCM transfers (bsc#988591)\n * fix crash in print_notice (bsc#998190)\n * resume reading from /dev/urandom when interrupted by a signal\n (bsc#995075)\n\n", "edition": 1, "reporter": "Suse", "published": "2016-09-26T19:10:10", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "type": "suse", "title": "Security update for openssl (important)", "bulletinFamily": "unix", "cvelist": ["CVE-2016-6306", "CVE-2016-2183", "CVE-2016-2178", "CVE-2016-6302", "CVE-2016-2177", "CVE-2016-2180", "CVE-2016-2181", "CVE-2016-6304", "CVE-2016-6303", "CVE-2016-2182", "CVE-2016-2179"], "modified": "2016-09-26T19:10:10", "id": "SUSE-SU-2016:2387-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2016-09/msg00022.html", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "ubuntu": [{"lastseen": "2018-08-31T00:10:29", "references": ["https://launchpad.net/bugs/1626883", "https://usn.ubuntu.com/usn/usn-3087-1"], "affectedPackage": [{"OS": "Ubuntu", "OSVersion": "12.04", "packageVersion": "1.0.1-4ubuntu5.38", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "libssl1.0.0", "operator": "lt"}, {"OS": "Ubuntu", "OSVersion": "16.04", "packageVersion": "1.0.2g-1ubuntu4.5", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "libssl1.0.0", "operator": "lt"}, {"OS": "Ubuntu", "OSVersion": "14.04", "packageVersion": "1.0.1f-1ubuntu2.21", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "libssl1.0.0", "operator": "lt"}], "description": "USN-3087-1 fixed vulnerabilities in OpenSSL. The fix for CVE-2016-2182 was incomplete and caused a regression when parsing certificates. This update fixes the problem.\n\nWe apologize for the inconvenience.\n\nOriginal advisory details:\n\nShi Lei discovered that OpenSSL incorrectly handled the OCSP Status Request extension. A remote attacker could possibly use this issue to cause memory consumption, resulting in a denial of service. (CVE-2016-6304)\n\nGuido Vranken discovered that OpenSSL used undefined behaviour when performing pointer arithmetic. A remote attacker could possibly use this issue to cause OpenSSL to crash, resulting in a denial of service. This issue has only been addressed in Ubuntu 16.04 LTS in this update. (CVE-2016-2177)\n\nC\u251c\u0119sar Pereida, Billy Brumley, and Yuval Yarom discovered that OpenSSL did not properly use constant-time operations when performing DSA signing. A remote attacker could possibly use this issue to perform a cache-timing attack and recover private DSA keys. (CVE-2016-2178)\n\nQuan Luo discovered that OpenSSL did not properly restrict the lifetime of queue entries in the DTLS implementation. A remote attacker could possibly use this issue to consume memory, resulting in a denial of service. (CVE-2016-2179)\n\nShi Lei discovered that OpenSSL incorrectly handled memory in the TS_OBJ_print_bio() function. A remote attacker could possibly use this issue to cause a denial of service. (CVE-2016-2180)\n\nIt was discovered that the OpenSSL incorrectly handled the DTLS anti-replay feature. A remote attacker could possibly use this issue to cause a denial of service. (CVE-2016-2181)\n\nShi Lei discovered that OpenSSL incorrectly validated division results. A remote attacker could possibly use this issue to cause a denial of service. (CVE-2016-2182)\n\nKarthik Bhargavan and Gaetan Leurent discovered that the DES and Triple DES ciphers were vulnerable to birthday attacks. A remote attacker could possibly use this flaw to obtain clear text data from long encrypted sessions. This update moves DES from the HIGH cipher list to MEDIUM. (CVE-2016-2183)\n\nShi Lei discovered that OpenSSL incorrectly handled certain ticket lengths. A remote attacker could use this issue to cause a denial of service. (CVE-2016-6302)\n\nShi Lei discovered that OpenSSL incorrectly handled memory in the MDC2_Update() function. A remote attacker could possibly use this issue to cause a denial of service. (CVE-2016-6303)\n\nShi Lei discovered that OpenSSL incorrectly performed certain message length checks. A remote attacker could possibly use this issue to cause a denial of service. (CVE-2016-6306)", "edition": 3, "reporter": "Ubuntu", "published": "2016-09-23T00:00:00", "title": "OpenSSL regression", "type": "ubuntu", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "unix", "cvelist": ["CVE-2016-6306", "CVE-2016-2183", "CVE-2016-2178", "CVE-2016-6302", "CVE-2016-2177", "CVE-2016-2180", "CVE-2016-2181", "CVE-2016-6304", "CVE-2016-6303", "CVE-2016-2182", "CVE-2016-2179"], "modified": "2016-09-23T00:00:00", "id": "USN-3087-2", "href": "https://usn.ubuntu.com/3087-2/", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T00:08:57", "references": ["https://people.canonical.com/~ubuntu-security/cve/CVE-2016-2179", "https://people.canonical.com/~ubuntu-security/cve/CVE-2016-6302", "https://people.canonical.com/~ubuntu-security/cve/CVE-2016-2181", "https://people.canonical.com/~ubuntu-security/cve/CVE-2016-2178", "https://people.canonical.com/~ubuntu-security/cve/CVE-2016-2182", "https://people.canonical.com/~ubuntu-security/cve/CVE-2016-6304", "https://people.canonical.com/~ubuntu-security/cve/CVE-2016-6306", "https://people.canonical.com/~ubuntu-security/cve/CVE-2016-2183", "https://people.canonical.com/~ubuntu-security/cve/CVE-2016-6303", "https://people.canonical.com/~ubuntu-security/cve/CVE-2016-2177", "https://people.canonical.com/~ubuntu-security/cve/CVE-2016-2180"], "affectedPackage": [{"OS": "Ubuntu", "OSVersion": "16.04", "packageVersion": "1.0.2g-1ubuntu4.4", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "libssl1.0.0", "operator": "lt"}, {"OS": "Ubuntu", "OSVersion": "12.04", "packageVersion": "1.0.1-4ubuntu5.37", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "libssl1.0.0", "operator": "lt"}, {"OS": "Ubuntu", "OSVersion": "14.04", "packageVersion": "1.0.1f-1ubuntu2.20", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "libssl1.0.0", "operator": "lt"}], "description": "Shi Lei discovered that OpenSSL incorrectly handled the OCSP Status Request extension. A remote attacker could possibly use this issue to cause memory consumption, resulting in a denial of service. (CVE-2016-6304)\n\nGuido Vranken discovered that OpenSSL used undefined behaviour when performing pointer arithmetic. A remote attacker could possibly use this issue to cause OpenSSL to crash, resulting in a denial of service. This issue has only been addressed in Ubuntu 16.04 LTS in this update. (CVE-2016-2177)\n\nC\u251c\u0119sar Pereida, Billy Brumley, and Yuval Yarom discovered that OpenSSL did not properly use constant-time operations when performing DSA signing. A remote attacker could possibly use this issue to perform a cache-timing attack and recover private DSA keys. (CVE-2016-2178)\n\nQuan Luo discovered that OpenSSL did not properly restrict the lifetime of queue entries in the DTLS implementation. A remote attacker could possibly use this issue to consume memory, resulting in a denial of service. (CVE-2016-2179)\n\nShi Lei discovered that OpenSSL incorrectly handled memory in the TS_OBJ_print_bio() function. A remote attacker could possibly use this issue to cause a denial of service. (CVE-2016-2180)\n\nIt was discovered that the OpenSSL incorrectly handled the DTLS anti-replay feature. A remote attacker could possibly use this issue to cause a denial of service. (CVE-2016-2181)\n\nShi Lei discovered that OpenSSL incorrectly validated division results. A remote attacker could possibly use this issue to cause a denial of service. (CVE-2016-2182)\n\nKarthik Bhargavan and Gaetan Leurent discovered that the DES and Triple DES ciphers were vulnerable to birthday attacks. A remote attacker could possibly use this flaw to obtain clear text data from long encrypted sessions. This update moves DES from the HIGH cipher list to MEDIUM. (CVE-2016-2183)\n\nShi Lei discovered that OpenSSL incorrectly handled certain ticket lengths. A remote attacker could use this issue to cause a denial of service. (CVE-2016-6302)\n\nShi Lei discovered that OpenSSL incorrectly handled memory in the MDC2_Update() function. A remote attacker could possibly use this issue to cause a denial of service. (CVE-2016-6303)\n\nShi Lei discovered that OpenSSL incorrectly performed certain message length checks. A remote attacker could possibly use this issue to cause a denial of service. (CVE-2016-6306)", "edition": 3, "reporter": "Ubuntu", "published": "2016-09-22T00:00:00", "title": "OpenSSL vulnerabilities", "type": "ubuntu", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "unix", "cvelist": ["CVE-2016-6306", "CVE-2016-2183", "CVE-2016-2178", "CVE-2016-6302", "CVE-2016-2177", "CVE-2016-2180", "CVE-2016-2181", "CVE-2016-6304", "CVE-2016-6303", "CVE-2016-2182", "CVE-2016-2179"], "modified": "2016-09-22T00:00:00", "id": "USN-3087-1", "href": "https://usn.ubuntu.com/3087-1/", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}], "centos": [{"lastseen": "2017-10-03T18:25:25", "references": ["https://rhn.redhat.com/errata/RHSA-2016-1940.html"], "affectedPackage": [{"OS": "CentOS", "OSVersion": "7", "packageVersion": "1.0.1e-51.el7_2.7", "packageFilename": "openssl-static-1.0.1e-51.el7_2.7.i686.rpm", "packageName": "openssl-static", "arch": "i686", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "7", "packageVersion": "1.0.1e-51.el7_2.7", "packageFilename": "openssl-devel-1.0.1e-51.el7_2.7.i686.rpm", "packageName": "openssl-devel", "arch": "i686", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "6", "packageVersion": "1.0.1e-48.el6_8.3", "packageFilename": "openssl-perl-1.0.1e-48.el6_8.3.x86_64.rpm", "packageName": "openssl-perl", "arch": "x86_64", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "6", "packageVersion": "1.0.1e-48.el6_8.3", "packageFilename": "openssl-1.0.1e-48.el6_8.3.src.rpm", "packageName": "openssl", "arch": "any", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "7", "packageVersion": "1.0.1e-51.el7_2.7", "packageFilename": "openssl-1.0.1e-51.el7_2.7.src.rpm", "packageName": "openssl", "arch": "any", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "7", "packageVersion": "1.0.1e-51.el7_2.7", "packageFilename": "openssl-libs-1.0.1e-51.el7_2.7.x86_64.rpm", "packageName": "openssl-libs", "arch": "x86_64", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "6", "packageVersion": "1.0.1e-48.el6_8.3", "packageFilename": "openssl-static-1.0.1e-48.el6_8.3.i686.rpm", "packageName": "openssl-static", "arch": "i686", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "6", "packageVersion": "1.0.1e-48.el6_8.3", "packageFilename": "openssl-1.0.1e-48.el6_8.3.i686.rpm", "packageName": "openssl", "arch": "i686", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "6", "packageVersion": "1.0.1e-48.el6_8.3", "packageFilename": "openssl-1.0.1e-48.el6_8.3.i686.rpm", "packageName": "openssl", "arch": "i686", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "7", "packageVersion": "1.0.1e-51.el7_2.7", "packageFilename": "openssl-static-1.0.1e-51.el7_2.7.x86_64.rpm", "packageName": "openssl-static", "arch": "x86_64", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "7", "packageVersion": "1.0.1e-51.el7_2.7", "packageFilename": "openssl-perl-1.0.1e-51.el7_2.7.x86_64.rpm", "packageName": "openssl-perl", "arch": "x86_64", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "6", "packageVersion": "1.0.1e-48.el6_8.3", "packageFilename": "openssl-devel-1.0.1e-48.el6_8.3.i686.rpm", "packageName": "openssl-devel", "arch": "i686", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "6", "packageVersion": "1.0.1e-48.el6_8.3", "packageFilename": "openssl-devel-1.0.1e-48.el6_8.3.i686.rpm", "packageName": "openssl-devel", "arch": "i686", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "6", "packageVersion": "1.0.1e-48.el6_8.3", "packageFilename": "openssl-perl-1.0.1e-48.el6_8.3.i686.rpm", "packageName": "openssl-perl", "arch": "i686", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "7", "packageVersion": "1.0.1e-51.el7_2.7", "packageFilename": "openssl-libs-1.0.1e-51.el7_2.7.i686.rpm", "packageName": "openssl-libs", "arch": "i686", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "6", "packageVersion": "1.0.1e-48.el6_8.3", "packageFilename": "openssl-devel-1.0.1e-48.el6_8.3.x86_64.rpm", "packageName": "openssl-devel", "arch": "x86_64", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "6", "packageVersion": "1.0.1e-48.el6_8.3", "packageFilename": "openssl-1.0.1e-48.el6_8.3.x86_64.rpm", "packageName": "openssl", "arch": "x86_64", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "7", "packageVersion": "1.0.1e-51.el7_2.7", "packageFilename": "openssl-devel-1.0.1e-51.el7_2.7.x86_64.rpm", "packageName": "openssl-devel", "arch": "x86_64", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "7", "packageVersion": "1.0.1e-51.el7_2.7", "packageFilename": "openssl-1.0.1e-51.el7_2.7.x86_64.rpm", "packageName": "openssl", "arch": "x86_64", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "6", "packageVersion": "1.0.1e-48.el6_8.3", "packageFilename": "openssl-static-1.0.1e-48.el6_8.3.x86_64.rpm", "packageName": "openssl-static", "arch": "x86_64", "operator": "lt"}], "description": "**CentOS Errata and Security Advisory** CESA-2016:1940\n\n\nOpenSSL is a toolkit that implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, as well as a full-strength general-purpose cryptography library.\n\nSecurity Fix(es):\n\n* A memory leak flaw was found in the way OpenSSL handled TLS status request extension data during session renegotiation. A remote attacker could cause a TLS server using OpenSSL to consume an excessive amount of memory and, possibly, exit unexpectedly after exhausting all available memory, if it enabled OCSP stapling support. (CVE-2016-6304)\n\n* It was discovered that OpenSSL did not always use constant time operations when computing Digital Signature Algorithm (DSA) signatures. A local attacker could possibly use this flaw to obtain a private DSA key belonging to another user or service running on the same system. (CVE-2016-2178)\n\n* It was discovered that the Datagram TLS (DTLS) implementation could fail to release memory in certain cases. A malicious DTLS client could cause a DTLS server using OpenSSL to consume an excessive amount of memory and, possibly, exit unexpectedly after exhausting all available memory. (CVE-2016-2179)\n\n* A flaw was found in the Datagram TLS (DTLS) replay protection implementation in OpenSSL. A remote attacker could possibly use this flaw to make a DTLS server using OpenSSL to reject further packets sent from a DTLS client over an established DTLS connection. (CVE-2016-2181)\n\n* An out of bounds write flaw was discovered in the OpenSSL BN_bn2dec() function. An attacker able to make an application using OpenSSL to process a large BIGNUM could cause the application to crash or, possibly, execute arbitrary code. (CVE-2016-2182)\n\n* A flaw was found in the DES/3DES cipher was used as part of the TLS/SSL protocol. A man-in-the-middle attacker could use this flaw to recover some plaintext data by capturing large amounts of encrypted traffic between TLS/SSL server and client if the communication used a DES/3DES based ciphersuite. (CVE-2016-2183)\n\nThis update mitigates the CVE-2016-2183 issue by lowering priority of DES cipher suites so they are not preferred over cipher suites using AES. For compatibility reasons, DES cipher suites remain enabled by default and included in the set of cipher suites identified by the HIGH cipher string. Future updates may move them to MEDIUM or not enable them by default.\n\n* An integer underflow flaw leading to a buffer over-read was found in the way OpenSSL parsed TLS session tickets. A remote attacker could use this flaw to crash a TLS server using OpenSSL if it used SHA-512 as HMAC for session tickets. (CVE-2016-6302)\n\n* Multiple integer overflow flaws were found in the way OpenSSL performed pointer arithmetic. A remote attacker could possibly use these flaws to cause a TLS/SSL server or client using OpenSSL to crash. (CVE-2016-2177)\n\n* An out of bounds read flaw was found in the way OpenSSL formatted Public Key Infrastructure Time-Stamp Protocol data for printing. An attacker could possibly cause an application using OpenSSL to crash if it printed time stamp data from the attacker. (CVE-2016-2180)\n\n* Multiple out of bounds read flaws were found in the way OpenSSL handled certain TLS/SSL protocol handshake messages. A remote attacker could possibly use these flaws to crash a TLS/SSL server or client using OpenSSL. (CVE-2016-6306)\n\nRed Hat would like to thank the OpenSSL project for reporting CVE-2016-6304 and CVE-2016-6306 and OpenVPN for reporting CVE-2016-2183. Upstream acknowledges Shi Lei (Gear Team of Qihoo 360 Inc.) as the original reporter of CVE-2016-6304 and CVE-2016-6306; and Karthikeyan Bhargavan (Inria) and Ga\u00ebtan Leurent (Inria) as the original reporters of CVE-2016-2183.\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2016-September/022096.html\nhttp://lists.centos.org/pipermail/centos-announce/2016-September/022098.html\n\n**Affected packages:**\nopenssl\nopenssl-devel\nopenssl-libs\nopenssl-perl\nopenssl-static\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2016-1940.html", "edition": 1, "reporter": "CentOS Project", "published": "2016-09-28T14:48:04", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "title": "openssl security update", "type": "centos", "bulletinFamily": "unix", "cvelist": ["CVE-2016-6306", "CVE-2016-2183", "CVE-2016-2178", "CVE-2016-6302", "CVE-2016-2177", "CVE-2016-2180", "CVE-2016-2181", "CVE-2016-6304", "CVE-2016-2182", "CVE-2016-2179"], "modified": "2016-09-29T15:15:39", "href": "http://lists.centos.org/pipermail/centos-announce/2016-September/022096.html", "id": "CESA-2016:1940", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}], "archlinux": [{"lastseen": "2016-09-26T21:22:45", "references": ["https://access.redhat.com/security/cve/CVE-2016-6304", "https://access.redhat.com/security/cve/CVE-2016-2179", "https://access.redhat.com/security/cve/CVE-2016-2181", "https://access.redhat.com/security/cve/CVE-2016-2180", "https://access.redhat.com/security/cve/CVE-2016-6306", "https://access.redhat.com/security/cve/CVE-2016-6302", "https://access.redhat.com/security/cve/CVE-2016-2182", "https://access.redhat.com/security/cve/CVE-2016-2178", "https://access.redhat.com/security/cve/CVE-2016-6303", "https://www.openssl.org/news/secadv/20160922.txt", "https://access.redhat.com/security/cve/CVE-2016-2183", "https://access.redhat.com/security/cve/CVE-2016-2177"], "affectedPackage": [{"OS": "any", "OSVersion": "any", "packageVersion": "1:1.0.2.i-1", "packageFilename": "UNKNOWN", "packageName": "lib32-openssl", "arch": "any", "operator": "lt"}], "description": "- CVE-2016-6304 (denial of service)\n\nA malicious client can send an excessively large OCSP Status Request\nextension. If that client continually requests renegotiation, sending a\nlarge OCSP Status Request extension each time, then there will be\nunbounded memory growth on the server. This will eventually lead to a\nDenial Of Service attack through memory exhaustion. Servers with a\ndefault configuration are vulnerable even if they do not support OCSP.\nBuilds using the &quot;no-ocsp&quot; build time option are not affected.\n\n- CVE-2016-2178 (private key recovery)\n\nOperations in the DSA signing algorithm should run in constant time in\norder to avoid side channel attacks. A flaw in the OpenSSL DSA\nimplementation means that a non-constant time codepath is followed for\ncertain operations. This has been demonstrated through a cache-timing\nattack to be sufficient for an attacker to recover the private DSA key.\n\n- CVE-2016-2177 (denial of service)\n\nOpenSSL through 1.0.2h incorrectly uses pointer arithmetic for heap-\nbuffer boundary checks, which might allow remote attackers to cause a\ndenial of service (integer overflow and application crash) or possibly\nhave unspecified other impact by leveraging unexpected malloc behavior,\nrelated to s3_srvr.c, ssl_sess.c, and t1_lib.c.\n\n- CVE-2016-2183 (information disclosure)\n\nSWEET32 (<A HREF=\"https://sweet32.info\">https://sweet32.info</A>) is an attack on older block cipher\nalgorithms that use a block size of 64 bits. In mitigation for the\nSWEET32 attack DES based ciphersuites have been moved from the HIGH\ncipherstring group to MEDIUM.\n\n- CVE-2016-2182 (arbitrary code execution)\n\nThe function BN_bn2dec() does not check the return value of\nBN_div_word(). This can cause an OOB write if an application uses this\nfunction with an overly large BIGNUM. This could be a problem if an\noverly large certificate or CRL is printed out from an untrusted\nsource. TLS is not affected because record limits will reject an\noversized certificate before it is parsed.\n\n- CVE-2016-6303 (arbitrary code execution)\n\nAn overflow can occur in MDC2_Update() either if called directly or\nthrough the EVP_DigestUpdate() function using MDC2. If an attacker is\nable to supply very large amounts of input data after a previous call t\nMVP_EncryptUpdate() with a partial block then a length check can\noverflow resulting in a heap corruption.\nThe amount of data needed is comparable to SIZE_MAX which is\nimpractical on most platforms.\n\n- CVE-2016-2179 (denial of service)\n\nIn a DTLS connection where handshake messages are delivered out-of-\norder those messages that OpenSSL is not yet ready to process will be\nbuffered for later use. Under certain circumstances, a flaw in the\nlogic means that those messages do not get removed from the buffer even\nthough the handshake has been completed.\nAn attacker could force up to approx. 15 messages to remain in the\nbuffer when they are no longer required. These messages will be cleared\nwhen the DTLS connection is closed. The default maximum size for a\nmessage is 100k. Therefore the attacker could force an additional 1500k\nto be consumed per connection. By opening many simultaneous\nconnections an attacker could cause a DoS attack through memory\nexhaustion.\n\n- CVE-2016-2180 (denial of service)\n\nThe function TS_OBJ_print_bio() misuses OBJ_obj2txt(): the return value\nis the total length the OID text representation would use and not the\namount of data written. This will result in OOB reads when large OIDs\nare presented.\n\n- CVE-2016-2181 (denial of service)\n\nA flaw in the DTLS replay attack protection mechanism means that\nrecords that arrive for future epochs update the replay protection\n&quot;window&quot; before the MAC for the record has been validated. This could\nbe exploited by an attacker by sending a record for the next epoch\n(which does not have to decrypt or have a valid MAC), with a very large\nsequence number. This means that all subsequent legitimate packets are\ndropped causing a denial of service for a specific DTLS connection.\n\n- CVE-2016-6302 (denial of service)\n\nIf a server uses SHA512 for TLS session ticket HMAC it is vulnerable to\na DoS attack where a malformed ticket will result in an OOB read which\nwill ultimately crash.\nThe use of SHA512 in TLS session tickets is comparatively rare as it\nrequires a custom server callback and ticket lookup mechanism.\n\n- CVE-2016-6306 (denial of service)\n\nIn OpenSSL 1.0.2 and earlier some missing message length checks can\nresult in OOB reads of up to 2 bytes beyond an allocated buffer. There\nis a theoretical DoS risk but this has not been observed in practice on\ncommon platforms.\nThe messages affected are client certificate, client certificate\nrequest and server certificate. As a result the attack can only be\nperformed against a client or a server which enables client\nauthentication.", "edition": 1, "reporter": "Arch Linux", "published": "2016-09-26T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "type": "archlinux", "title": "lib32-openssl: multiple issues", "bulletinFamily": "unix", "cvelist": ["CVE-2016-6306", "CVE-2016-2183", "CVE-2016-2178", "CVE-2016-6302", "CVE-2016-2177", "CVE-2016-2180", "CVE-2016-2181", "CVE-2016-6304", "CVE-2016-6303", "CVE-2016-2182", "CVE-2016-2179"], "modified": "2016-09-26T00:00:00", "id": "ASA-201609-24", "href": "https://lists.archlinux.org/pipermail/arch-security/2016-September/000720.html", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2016-09-26T21:22:45", "references": ["https://access.redhat.com/security/cve/CVE-2016-6304", "https://access.redhat.com/security/cve/CVE-2016-2179", "https://access.redhat.com/security/cve/CVE-2016-2181", "https://access.redhat.com/security/cve/CVE-2016-2180", "https://access.redhat.com/security/cve/CVE-2016-6306", "https://access.redhat.com/security/cve/CVE-2016-6302", "https://access.redhat.com/security/cve/CVE-2016-2182", "https://access.redhat.com/security/cve/CVE-2016-2178", "https://access.redhat.com/security/cve/CVE-2016-6303", "https://www.openssl.org/news/secadv/20160922.txt", "https://access.redhat.com/security/cve/CVE-2016-2183", "https://access.redhat.com/security/cve/CVE-2016-2177"], "affectedPackage": [{"OS": "any", "OSVersion": "any", "packageVersion": "1.0.2.i-1", "packageName": "openssl", "packageFilename": "UNKNOWN", "arch": "any", "operator": "lt"}], "description": "- CVE-2016-6304 (denial of service)\n\nA malicious client can send an excessively large OCSP Status Request\nextension. If that client continually requests renegotiation, sending a\nlarge OCSP Status Request extension each time, then there will be\nunbounded memory growth on the server. This will eventually lead to a\nDenial Of Service attack through memory exhaustion. Servers with a\ndefault configuration are vulnerable even if they do not support OCSP.\nBuilds using the &quot;no-ocsp&quot; build time option are not affected.\n\n- CVE-2016-2178 (private key recovery)\n\nOperations in the DSA signing algorithm should run in constant time in\norder to avoid side channel attacks. A flaw in the OpenSSL DSA\nimplementation means that a non-constant time codepath is followed for\ncertain operations. This has been demonstrated through a cache-timing\nattack to be sufficient for an attacker to recover the private DSA key.\n\n- CVE-2016-2177 (denial of service)\n\nOpenSSL through 1.0.2h incorrectly uses pointer arithmetic for heap-\nbuffer boundary checks, which might allow remote attackers to cause a\ndenial of service (integer overflow and application crash) or possibly\nhave unspecified other impact by leveraging unexpected malloc behavior,\nrelated to s3_srvr.c, ssl_sess.c, and t1_lib.c.\n\n- CVE-2016-2183 (information disclosure)\n\nSWEET32 (<A HREF=\"https://sweet32.info\">https://sweet32.info</A>) is an attack on older block cipher\nalgorithms that use a block size of 64 bits. In mitigation for the\nSWEET32 attack DES based ciphersuites have been moved from the HIGH\ncipherstring group to MEDIUM.\n\n- CVE-2016-2182 (arbitrary code execution)\n\nThe function BN_bn2dec() does not check the return value of\nBN_div_word(). This can cause an OOB write if an application uses this\nfunction with an overly large BIGNUM. This could be a problem if an\noverly large certificate or CRL is printed out from an untrusted\nsource. TLS is not affected because record limits will reject an\noversized certificate before it is parsed.\n\n- CVE-2016-6303 (arbitrary code execution)\n\nAn overflow can occur in MDC2_Update() either if called directly or\nthrough the EVP_DigestUpdate() function using MDC2. If an attacker is\nable to supply very large amounts of input data after a previous call t\nMVP_EncryptUpdate() with a partial block then a length check can\noverflow resulting in a heap corruption.\nThe amount of data needed is comparable to SIZE_MAX which is\nimpractical on most platforms.\n\n- CVE-2016-2179 (denial of service)\n\nIn a DTLS connection where handshake messages are delivered out-of-\norder those messages that OpenSSL is not yet ready to process will be\nbuffered for later use. Under certain circumstances, a flaw in the\nlogic means that those messages do not get removed from the buffer even\nthough the handshake has been completed.\nAn attacker could force up to approx. 15 messages to remain in the\nbuffer when they are no longer required. These messages will be cleared\nwhen the DTLS connection is closed. The default maximum size for a\nmessage is 100k. Therefore the attacker could force an additional 1500k\nto be consumed per connection. By opening many simultaneous\nconnections an attacker could cause a DoS attack through memory\nexhaustion.\n\n- CVE-2016-2180 (denial of service)\n\nThe function TS_OBJ_print_bio() misuses OBJ_obj2txt(): the return value\nis the total length the OID text representation would use and not the\namount of data written. This will result in OOB reads when large OIDs\nare presented.\n\n- CVE-2016-2181 (denial of service)\n\nA flaw in the DTLS replay attack protection mechanism means that\nrecords that arrive for future epochs update the replay protection\n&quot;window&quot; before the MAC for the record has been validated. This could\nbe exploited by an attacker by sending a record for the next epoch\n(which does not have to decrypt or have a valid MAC), with a very large\nsequence number. This means that all subsequent legitimate packets are\ndropped causing a denial of service for a specific DTLS connection.\n\n- CVE-2016-6302 (denial of service)\n\nIf a server uses SHA512 for TLS session ticket HMAC it is vulnerable to\na DoS attack where a malformed ticket will result in an OOB read which\nwill ultimately crash.\nThe use of SHA512 in TLS session tickets is comparatively rare as it\nrequires a custom server callback and ticket lookup mechanism.\n\n- CVE-2016-6306 (denial of service)\n\nIn OpenSSL 1.0.2 and earlier some missing message length checks can\nresult in OOB reads of up to 2 bytes beyond an allocated buffer. There\nis a theoretical DoS risk but this has not been observed in practice on\ncommon platforms.\nThe messages affected are client certificate, client certificate\nrequest and server certificate. As a result the attack can only be\nperformed against a client or a server which enables client\nauthentication.", "edition": 1, "reporter": "Arch Linux", "published": "2016-09-26T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "type": "archlinux", "title": "openssl: multiple issues", "bulletinFamily": "unix", "cvelist": ["CVE-2016-6306", "CVE-2016-2183", "CVE-2016-2178", "CVE-2016-6302", "CVE-2016-2177", "CVE-2016-2180", "CVE-2016-2181", "CVE-2016-6304", "CVE-2016-6303", "CVE-2016-2182", "CVE-2016-2179"], "modified": "2016-09-26T00:00:00", "id": "ASA-201609-23", "href": "https://lists.archlinux.org/pipermail/arch-security/2016-September/000719.html", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "debian": [{"lastseen": "2018-10-16T22:14:17", "references": [], "affectedPackage": [{"OS": "Debian", "OSVersion": "8", "packageVersion": "1.0.1t-1+deb8u4", "arch": "all", "packageFilename": "libssl-doc_1.0.1t-1+deb8u4_all.deb", "packageName": "libssl-doc", "operator": "lt"}, {"OS": "Debian", "OSVersion": "8", "packageVersion": "1.0.1t-1+deb8u4", "arch": "all", "packageFilename": "libssl1.0.0_1.0.1t-1+deb8u4_all.deb", "packageName": "libssl1.0.0", "operator": "lt"}, {"OS": "Debian", "OSVersion": "8", "packageVersion": "1.0.1t-1+deb8u4", "arch": "all", "packageFilename": "openssl_1.0.1t-1+deb8u4_all.deb", "packageName": "openssl", "operator": "lt"}, {"OS": "Debian", "OSVersion": "8", "packageVersion": "1.0.1t-1+deb8u4", "arch": "all", "packageFilename": "libssl1.0.0-dbg_1.0.1t-1+deb8u4_all.deb", "packageName": "libssl1.0.0-dbg", "operator": "lt"}, {"OS": "Debian", "OSVersion": "8", "packageVersion": "1.0.1t-1+deb8u4", "arch": "all", "packageFilename": "libssl-dev_1.0.1t-1+deb8u4_all.deb", "packageName": "libssl-dev", "operator": "lt"}], "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-3673-1 security@debian.org\nhttps://www.debian.org/security/ Moritz Muehlenhoff\nSeptember 22, 2016 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : openssl\nCVE ID : CVE-2016-2177 CVE-2016-2178 CVE-2016-2179 CVE-2016-2180 \n CVE-2016-2181 CVE-2016-2182 CVE-2016-2183 CVE-2016-6302\n CVE-2016-6303 CVE-2016-6304 CVE-2016-6306\n\nSeveral vulnerabilities were discovered in OpenSSL:\n\nCVE-2016-2177\n\n Guido Vranken discovered that OpenSSL uses undefined pointer\n arithmetic. Additional information can be found at\n https://www.openssl.org/blog/blog/2016/06/27/undefined-pointer-arithmetic/ \n\nCVE-2016-2178\n\n Cesar Pereida, Billy Brumley and Yuval Yarom discovered a timing\n leak in the DSA code.\n\nCVE-2016-2179 / CVE-2016-2181\n\n Quan Luo and the OCAP audit team discovered denial of service\n vulnerabilities in DTLS.\n\nCVE-2016-2180 / CVE-2016-2182 / CVE-2016-6303\n\n Shi Lei discovered an out-of-bounds memory read in\n TS_OBJ_print_bio() and an out-of-bounds write in BN_bn2dec()\n and MDC2_Update().\n\nCVE-2016-2183\n\n DES-based cipher suites are demoted from the HIGH group to MEDIUM\n as a mitigation for the SWEET32 attack.\n\nCVE-2016-6302\n\n Shi Lei discovered that the use of SHA512 in TLS session tickets\n is susceptible to denial of service.\n\nCVE-2016-6304\n\n Shi Lei discovered that excessively large OCSP status request may\n result in denial of service via memory exhaustion.\n\nCVE-2016-6306\n\n Shi Lei discovered that missing message length validation when parsing\n certificates may potentially result in denial of service.\n\nFor the stable distribution (jessie), these problems have been fixed in\nversion 1.0.1t-1+deb8u4.\n\nFor the unstable distribution (sid), these problems will be fixed soon.\n\nWe recommend that you upgrade your openssl packages.\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "edition": 1, "reporter": "Debian", "published": "2016-09-22T16:50:31", "title": "[SECURITY] [DSA 3673-1] openssl security update", "type": "debian", "enchantments": {"score": {"modified": "2018-10-16T22:14:17", "vector": "NONE", "value": 5.0}}, "bulletinFamily": "unix", "cvelist": ["CVE-2016-6306", "CVE-2016-2183", "CVE-2016-2178", "CVE-2016-6302", "CVE-2016-2177", "CVE-2016-2180", "CVE-2016-2181", "CVE-2016-6304", "CVE-2016-6303", "CVE-2016-2182", "CVE-2016-2179"], "modified": "2016-09-22T16:50:31", "id": "DEBIAN:DSA-3673-1:477A4", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2016/msg00252.html", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2018-10-18T13:48:30", "references": [], "affectedPackage": [{"OS": "Debian", "OSVersion": "7", "packageVersion": "1.0.1t-1+deb7u1", "arch": "all", "packageFilename": "openssl_1.0.1t-1+deb7u1_all.deb", "packageName": "openssl", "operator": "lt"}], "description": "Package : openssl\nVersion : 1.0.1t-1+deb7u1\nCVE ID : CVE-2016-2177 CVE-2016-2178 CVE-2016-2179 CVE-2016-2180 \n CVE-2016-2181 CVE-2016-2182 CVE-2016-6302 CVE-2016-6303\n CVE-2016-6304 CVE-2016-6306\n\nSeveral vulnerabilities were discovered in OpenSSL:\n\nCVE-2016-2177\n\n Guido Vranken discovered that OpenSSL uses undefined pointer\n arithmetic. Additional information can be found at\n https://www.openssl.org/blog/blog/2016/06/27/undefined-pointer-arithmetic/\n\nCVE-2016-2178\n\n Cesar Pereida, Billy Brumley and Yuval Yarom discovered a timing\n leak in the DSA code.\n\nCVE-2016-2179 / CVE-2016-2181\n\n Quan Luo and the OCAP audit team discovered denial of service\n vulnerabilities in DTLS.\n\nCVE-2016-2180 / CVE-2016-2182 / CVE-2016-6303\n\n Shi Lei discovered an out-of-bounds memory read in\n TS_OBJ_print_bio() and an out-of-bounds write in BN_bn2dec()\n and MDC2_Update().\n\nCVE-2016-2183\n\n DES-based cipher suites are demoted from the HIGH group to MEDIUM\n as a mitigation for the SWEET32 attack.\n\nCVE-2016-6302\n\n Shi Lei discovered that the use of SHA512 in TLS session tickets\n is susceptible to denial of service.\n\nCVE-2016-6304\n\n Shi Lei discovered that excessively large OCSP status request may\n result in denial of service via memory exhaustion.\n\nCVE-2016-6306\n\n Shi Lei discovered that missing message length validation when parsing\n certificates may potentially result in denial of service.\n\nFor Debian 7 &quot;Wheezy&quot;, these problems have been fixed in version\n1.0.1t-1+deb7u1.\n\nWe recommend that you upgrade your openssl and libssl1.0.0 packages.\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS\n", "edition": 2, "reporter": "Debian", "published": "2016-09-25T11:55:21", "title": "[SECURITY] [DLA 637-1] openssl security update", "type": "debian", "enchantments": {"score": {"modified": "2018-10-18T13:48:30", "vector": "NONE", "value": 5.0}}, "bulletinFamily": "unix", "cvelist": ["CVE-2016-6306", "CVE-2016-2183", "CVE-2016-2178", "CVE-2016-6302", "CVE-2016-2177", "CVE-2016-2180", "CVE-2016-2181", "CVE-2016-6304", "CVE-2016-6303", "CVE-2016-2182", "CVE-2016-2179"], "modified": "2016-09-25T11:55:21", "id": "DEBIAN:DLA-637-1:F8314", "href": "https://lists.debian.org/debian-lts-announce/2016/debian-lts-announce-201609/msg00029.html", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}], "cloudfoundry": [{"lastseen": "2018-09-07T03:26:05", "references": [], "description": "USN-3087-2 OpenSSL Regression\n\n# \n\nHigh\n\n# Vendor\n\nCanonical Ubuntu, OpenSSL\n\n# Versions Affected\n\nCanonical Ubuntu 14.04 LTS, OpenSSLv1\n\n# Description\n\nUSN-3087-1 fixed vulnerabilities in OpenSSL. The fix for [CVE-2016-2182](<http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-2182.html>) was incomplete and caused a regression when parsing certificates. This update fixes the problem.\n\nOriginal advisory details: \nShi Lei discovered that OpenSSL incorrectly handled the OCSP Status Request extension. A remote attacker could possibly use this issue to cause memory consumption, resulting in a denial of service. ([CVE-2016-6304](<http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-6304.html>))\n\nC\u00e9sar Pereida, Billy Brumley, and Yuval Yarom discovered that OpenSSL did not properly use constant-time operations when performing DSA signing. A remote attacker could possibly use this issue to perform a cache-timing attack and recover private DSA keys. ([CVE-2016-2178](<http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-2178.html>))\n\nQuan Luo discovered that OpenSSL did not properly restrict the lifetime of queue entries in the DTLS implementation. A remote attacker could possibly use this issue to consume memory, resulting in a denial of service. ([CVE-2016-2179](<http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-2179.html>))\n\nShi Lei discovered that OpenSSL incorrectly handled memory in the TS_OBJ_print_bio() function. A remote attacker could possibly use this issue to cause a denial of service. ([CVE-2016-2180](<http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-2180.html>))\n\nIt was discovered that the OpenSSL incorrectly handled the DTLS anti-replay feature. A remote attacker could possibly use this issue to cause a denial of service. ([CVE-2016-2181](<http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-2181.html>))\n\nShi Lei discovered that OpenSSL incorrectly validated division results. A remote attacker could possibly use this issue to cause a denial of service. ([CVE-2016-2182](<http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-2182.html>))\n\nKarthik Bhargavan and Gaetan Leurent discovered that the DES and Triple DES ciphers were vulnerable to birthday attacks. A remote attacker could possibly use this flaw to obtain clear text data from long encrypted sessions. This update moves DES from the HIGH cipher list to MEDIUM. ([CVE-2016-2183](<http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-2183.html>))\n\nShi Lei discovered that OpenSSL incorrectly handled certain ticket lengths. A remote attacker could use this issue to cause a denial of service. ([CVE-2016-6302](<http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-6302.html>))\n\nShi Lei discovered that OpenSSL incorrectly handled memory in the MDC2_Update() function. A remote attacker could possibly use this issue to cause a denial of service. ([CVE-2016-6303](<http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-6303.html>))\n\nShi Lei discovered that OpenSSL incorrectly performed certain message length checks. A remote attacker could possibly use this issue to cause a denial of service. ([CVE-2016-6306](<http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-6306.html>))\n\n# Affected Products and Versions\n\n_Severity is high unless otherwise noted. \n_\n\n * Cloud Foundry BOSH stemcells 3146.x versions prior to 3146.23 AND 3232.x versions prior to 3232.21 AND other versions prior to 3262.16 are vulnerable\n * All versions of Cloud Foundry cflinuxfs2 prior to v.1.84.0\n\n# Mitigation\n\nUsers of affected versions should apply the following mitigation:\n\n * The Cloud Foundry team has released patched BOSH stemcells 3146.23, 3232.21, and 3262.16 with an upgraded Linux kernel that resolves the aforementioned issues. We recommend that Operators upgrade BOSH stemcell 3146.x versions to 3146.23 OR 3232.x versions to 3232.21 OR 3262.x versions to 3262.16.\n * The Cloud Foundry project recommends that Cloud Foundry deployments run with cflinuxfs2 v.1.84.0 or later versions\n\n# Credit\n\nKarthik Bhargavan, Billy Brumley, Shi Lei, Gaetan Leurent, Quan Luo, C\u00e9sar Pereida, and Yuval Yarom\n\n# References\n\n * <http://www.ubuntu.com/usn/usn-3087-1/>\n * <http://www.ubuntu.com/usn/usn-3087-2/>\n * <http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-6304.html>\n", "edition": 4, "reporter": "Cloud Foundry", "published": "2016-09-28T00:00:00", "title": "USN-3087-2 OpenSSL Regression | Cloud Foundry", "type": "cloudfoundry", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "software", "affectedSoftware": [], "cvelist": ["CVE-2016-6306", "CVE-2016-2183", "CVE-2016-2178", "CVE-2016-6302", "CVE-2016-2180", "CVE-2016-2181", "CVE-2016-6304", "CVE-2016-6303", "CVE-2016-2182", "CVE-2016-2179"], "modified": "2016-09-28T00:00:00", "id": "CFOUNDRY:927660022E9A31CE680A6AE3AFF33997", "href": "https://www.cloudfoundry.org/blog/usn-3087-2/", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}], "aix": [{"lastseen": "2018-08-31T00:08:33", "aixFileset": [{"productVersions": ["any"], "versionGte": "1.0.2.500", "fileset": "openssl.base", "versionLte": "1.0.2.800", "productName": "aix"}, {"productVersions": ["any"], "versionGte": "1.0.1.500", "fileset": "openssl.base", "versionLte": "1.0.1.516", "productName": "aix"}, {"productVersions": ["any"], "versionGte": "20.11.101.500", "fileset": "openssl.base", "versionLte": "20.11.101.501", "productName": "aix"}], "references": [], "description": "IBM SECURITY ADVISORY\n\nFirst Issued: Mon Nov 14 13:29:26 CST 2016 \n\nThe most recent version of this document is available here:\n\nhttp://aix.software.ibm.com/aix/efixes/security/openssl_advisory21.asc\nhttps://aix.software.ibm.com/aix/efixes/security/openssl_advisory21.asc\nftp://aix.software.ibm.com/aix/efixes/security/openssl_advisory21.asc\n\n\nSecurity Bulletin: Vulnerabilities in OpenSSL affect AIX \n CVE-2016-2177, CVE-2016-2178, CVE-2016-2179, CVE-2016-2180, CVE-2016-2181,\n CVE-2016-2182, CVE-2016-2183, CVE-2016-6302, CVE-2016-6303, CVE-2016-6304,\n CVE-2016-6306, CVE-2016-7052\n\n===============================================================================\n\nSUMMARY:\n\n OpenSSL vulnerabilities were disclosed on September 22 and 26, 2016 by the\n OpenSSL Project. OpenSSL is used by AIX. AIX has addressed the applicable \n CVEs.\n\n===============================================================================\n\nVULNERABILITY DETAILS:\n\n CVEID: CVE-2016-2177\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2177\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2177\n DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by the\n incorrect use of pointer arithmetic for heap-buffer boundary checks.\n By leveraging unexpected malloc behavior, a remote attacker could\n exploit this vulnerability to trigger an integer overflow and cause\n the application to crash. \n CVSS Base Score: 5.9\n CVSS Temporal Score: See \n https://exchange.xforce.ibmcloud.com/vulnerabilities/113890 for the \n current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n CVEID: CVE-2016-2178\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2178\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2178\n DESCRIPTION: OpenSSL could allow a remote attacker to obtain sensitive\n information, caused by an error in the DSA implementation that\n allows the following of a non-constant time codepath for certain\n operations. An attacker could exploit this vulnerability using a\n cache-timing attack to recover the private DSA key. \n CVSS Base Score: 5.3\n CVSS Temporal Score: See \n https://exchange.xforce.ibmcloud.com/vulnerabilities/113889 for the \n current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n CVEID: CVE-2016-2179\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2179\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2179\n DESCRIPTION: OpenSSL is vulnerable to a denial of service. By sending\n specially crafted DTLS record fragments to fill up buffer queues, a\n remote attacker could exploit this vulnerability to open a large\n number of simultaneous connections and consume all available memory \n resources. \n CVSS Base Score: 5.3\n CVSS Temporal Score: See \n https://exchange.xforce.ibmcloud.com/vulnerabilities/116343 for the \n current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)\n\n CVEID: CVE-2016-2180\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2180\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2180\n DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by an\n out-of-bounds read in the TS_OBJ_print_bio function. A remote attacker\n could exploit this vulnerability using a specially crafted time-stamp\n file to cause the application to crash. \n CVSS Base Score: 7.5\n CVSS Temporal Score: See \n https://exchange.xforce.ibmcloud.com/vulnerabilities/115829 for the \n current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n CVEID: CVE-2016-2181\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2181\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2181\n DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by an\n error in the DTLS replay protection implementation. By sending a\n specially crafted sequence number, a remote attacker could exploit\n this vulnerability to cause valid packets to be dropped. \n CVSS Base Score: 5.3\n CVSS Temporal Score: See \n https://exchange.xforce.ibmcloud.com/vulnerabilities/116344 for the \n current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)\n\n CVEID: CVE-2016-2182\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2182\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2182\n DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by an\n out-of-bounds write in the TS_OBJ_print_bio function in\n crypto/bn/bn_print.c. A remote attacker could exploit this\n vulnerability using a specially crafted value to cause the application\n to crash. \n CVSS Base Score: 4.3\n CVSS Temporal Score: See \n https://exchange.xforce.ibmcloud.com/vulnerabilities/116342 for the \n\tcurrent score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)\n\n CVEID: CVE-2016-2183\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2183\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2183\n DESCRIPTION: OpenSSL could allow a remote attacker to obtain sensitive\n information, caused by an error in the in the Triple-DES on 64-bit\n block cipher, used as a part of the SSL/TLS protocol. By capturing\n large amounts of encrypted traffic between the SSL/TLS server and the\n client, a remote attacker able to conduct a man-in-the-middle attack\n could exploit this vulnerability to recover the plaintext data and\n obtain sensitive information. This vulnerability is known as the\n SWEET32 Birthday attack. \n CVSS Base Score: 3.7\n CVSS Temporal Score: See \n https://exchange.xforce.ibmcloud.com/vulnerabilities/116337 for the \n current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n CVEID: CVE-2016-6302\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6302\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6302\n DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by the\n failure to consider the HMAC size during validation of the ticket\n length by the tls_decrypt_ticket function A remote attacker could \n exploit this vulnerability using a ticket that is too short to cause\n a denial of service. \n CVSS Base Score: 5.3\n CVSS Temporal Score: See \n https://exchange.xforce.ibmcloud.com/vulnerabilities/117024 for the \n current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)\n\n CVEID: CVE-2016-6303\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6303\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6303\n DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by an\n integer overflow in the MDC2_Update function. By using unknown\n attack vectors, a remote attacker could exploit this vulnerability to\n trigger an out-of-bounds write and cause the application to crash. \n CVSS Base Score: 5.3\n CVSS Temporal Score: See \n https://exchange.xforce.ibmcloud.com/vulnerabilities/117023 for the \n current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)\n \n CVEID: CVE-2016-6304\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6304\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6304\n DESCRIPTION: OpenSSL is vulnerable to a denial of service. By repeatedly\n requesting renegotiation, a remote authenticated attacker could send\n an overly large OCSP Status Request extension to consume all available\n memory resources. \n CVSS Base Score: 7.5\n CVSS Temporal Score: See \n https://exchange.xforce.ibmcloud.com/vulnerabilities/117110 for the \n current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)\n\n CVEID: CVE-2016-6306\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6306\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6306\n DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by\n missing message length checks when parsing certificates. A remote\n authenticated attacker could exploit this vulnerability to trigger an \n out-of-bounds read and cause a denial of service. \n CVSS Base Score: 4.3\n CVSS Temporal Score: See \n https://exchange.xforce.ibmcloud.com/vulnerabilities/117112 for the \n current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L)\n\n CVEID: CVE-2016-7052\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7052\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7052\n DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by a\n missing CRL sanity check. By attempting to use CRLs, a remote attacker\n could exploit this vulnerability to cause the application to crash. \n CVSS Base Score: 5.3\n CVSS Temporal Score: See \n https://exchange.xforce.ibmcloud.com/vulnerabilities/117149 for the \n current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n\n\n AFFECTED PRODUCTS AND VERSIONS:\n \n AIX 5.3, 6.1, 7.1, 7.2\n VIOS 2.2.x\n\n The following fileset levels are vulnerable:\n \n key_fileset = osrcaix\n\n Fileset Lower Level Upper Level KEY \n --------------------------------------------------\n openssl.base 1.0.1.500 1.0.1.516 key_w_fs\n openssl.base 1.0.2.500 1.0.2.800 key_w_fs\n openssl.base 20.11.101.500 20.11.101.501 key_w_fs\n\n Note: 0.9.8 openSSL version is out-of-support. Customers are advised\n to upgrade to currently supported openSSL 1.0.2 version.\n\n Note: To find out whether the affected filesets are installed \n on your systems, refer to the lslpp command found in the AIX user's\n guide.\n\n Example: lslpp -L | grep -i openssl.base\n\n REMEDIATION:\n\n A. FIXES\n\n A fix is available, and it can be downloaded from:\n\n https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=aixbp\n\n To extract the fixes from the tar file:\n\n For Openssl 1.0.1 version - \n zcat openssl-1.0.1.517.tar.Z | tar xvf -\n\n For Openssl 1.0.2 version - \n zcat openssl-1.0.2.1000.tar.Z | tar xvf -\n\n For 1.0.1 FIPS capable openssl version - \n zcat openssl-20.13.101.500.tar.Z | tar xvf - \n\n For 1.0.2 FIPS capable openssl version -\n zcat openssl-20.13.102.1000.tar.Z | tar xvf -\n\t \t \n\n IMPORTANT: If possible, it is recommended that a mksysb backup\n of the system be created. Verify it is both bootable and\n readable before proceeding.\n\n Note that all the previously reported security vulnerability fixes\n are also included in above mentioned fileset level. Please refer to \n the readme file (provided along with the fileset) for the complete\n list of vulnerabilities fixed.\n\n To preview the fix installation:\n\n installp -apYd . openssl\n\n To install the fix package:\n\n installp -aXYd . openssl\n \n openssl dgst -sha1 -verify <pubkey_file> -signature <advisory_file>.sig <advisory_file>\n\n openssl dgst -sha1 -verify <pubkey_file> -signature <ifix_file>.sig <ifix_file>\n\n Published advisory OpenSSL signature file location:\n \n http://aix.software.ibm.com/aix/efixes/security/openssl_advisory21.asc.sig\n https://aix.software.ibm.com/aix/efixes/security/openssl_advisory21.asc.sig\n ftp://aix.software.ibm.com/aix/efixes/security/openssl_advisory21.asc.sig\n\n\n WORKAROUNDS AND MITIGATIONS:\n\n None.\n\n\n===============================================================================\n\nCONTACT US:\n\n Note: Keywords labeled as KEY in this document are used for parsing\n purposes.\n\n If you would like to receive AIX Security Advisories via email,\n please visit \"My Notifications\":\n\n http://www.ibm.com/support/mynotifications\n https://www.ibm.com/support/mynotifications\n\n\n To view previously issued advisories, please visit:\n\n http://www14.software.ibm.com/webapp/set2/subscriptions/onvdq\n https://www14.software.ibm.com/webapp/set2/subscriptions/onvdq\n \n Comments regarding the content of this announcement can be\n directed to:\n\n security-alert@austin.ibm.com\n\n To obtain the OpenSSL public key that can be used to verify the\n signed advisories and ifixes:\n\n Download the key from our web page:\n\n http://www.ibm.com/systems/resources/systems_p_os_aix_security_pubkey.txt\n https://www.ibm.com/systems/resources/systems_p_os_aix_security_pubkey.txt\n\n To obtain the PGP public key that can be used to communicate\n securely with the AIX Security Team via security-alert@austin.ibm.com you\n can :\n\n A. Download the key from our web page:\n\n http://www.ibm.com/systems/resources/systems_p_os_aix_security_pgppubkey.txt\n https://www.ibm.com/systems/resources/systems_p_os_aix_security_pgppubkey.txt\n\n B. Download the key from a PGP Public Key Server. The key ID is:\n\n 0x28BFAA12\n\n Please contact your local IBM AIX support center for any\n assistance.\n\n\nREFERENCES:\n \n Note: Keywords labeled as KEY in this document are used for parsing\n purposes.\n\n eServer is a trademark of International Business Machines\n Corporation. IBM, AIX and pSeries are registered trademarks of\n International Business Machines Corporation. All other trademarks\n are property of their respective holders.\n\n Complete CVSS v2 Guide: http://www.first.org/cvss/v2/guide\n https://www.first.org/cvss/v2/guide\n On-line Calculator V2: http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2\n https://nvd.nist.gov/cvss.cfm?calculator&adv&version=2\n\n Complete CVSS v3 Guide: http://www.first.org/cvss/user-guide\n https://www.first.org/cvss/user-guide\n On-line Calculator v3:\n http://www.first.org/cvss/calculator/3.0\n https://www.first.org/cvss/calculator/3.0\n\n\nACKNOWLEDGEMENTS:\n\n None.\n\n\nCHANGE HISTORY:\n\n First Issued: Mon Nov 14 13:29:26 CST 2016 \n\n===============================================================================\n\n*The CVSS Environment Score is customer environment specific and will \nultimately impact the Overall CVSS Score. Customers can evaluate the impact \nof this vulnerability in their environments by accessing the links in the \nReference section of this Security Bulletin. \n\nDisclaimer\nAccording to the Forum of Incident Response and Security Teams (FIRST), the \nCommon Vulnerability Scoring System (CVSS) is an \"industry open standard \ndesigned to convey vulnerability severity and help to determine urgency and \npriority of response.\" IBM PROVIDES THE CVSS SCORES \"AS IS\" WITHOUT WARRANTY \nOF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS \nFOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT \nOF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.\n\n", "edition": 3, "reporter": "CentOS Project", "published": "2016-11-14T13:29:26", "title": "Vulnerabilities in OpenSSL affect AIX", "type": "aix", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "aix": {"apars": []}, "bulletinFamily": "unix", "cvelist": ["CVE-2016-6306", "CVE-2016-2183", "CVE-2016-2178", "CVE-2016-6302", "CVE-2016-2177", "CVE-2016-2180", "CVE-2016-2181", "CVE-2016-6304", "CVE-2016-7052", "CVE-2016-6303", "CVE-2016-2182", "CVE-2016-2179"], "modified": "2016-11-14T13:29:26", "id": "OPENSSL_ADVISORY21.ASC", "href": "https://aix.software.ibm.com/aix/efixes/security/openssl_advisory21.asc", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}], "oraclelinux": [{"lastseen": "2018-08-31T01:46:55", "references": [], "affectedPackage": [{"OS": "Oracle Linux", "OSVersion": "7", "packageVersion": "1.0.1e-51.el7_2.7", "arch": "x86_64", "packageFilename": "openssl-libs-1.0.1e-51.el7_2.7.x86_64.rpm", "packageName": "openssl-libs", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "1.0.1e-48.el6_8.3", "arch": "i686", "packageFilename": "openssl-static-1.0.1e-48.el6_8.3.i686.rpm", "packageName": "openssl-static", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "1.0.1e-48.el6_8.3", "arch": "i686", "packageFilename": "openssl-perl-1.0.1e-48.el6_8.3.i686.rpm", "packageName": "openssl-perl", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "7", "packageVersion": "1.0.1e-51.el7_2.7", "arch": "i686", "packageFilename": "openssl-libs-1.0.1e-51.el7_2.7.i686.rpm", "packageName": "openssl-libs", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "7", "packageVersion": "1.0.1e-51.el7_2.7", "arch": "src", "packageFilename": "openssl-1.0.1e-51.el7_2.7.src.rpm", "packageName": "openssl", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "1.0.1e-48.el6_8.3", "arch": "x86_64", "packageFilename": "openssl-1.0.1e-48.el6_8.3.x86_64.rpm", "packageName": "openssl", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "7", "packageVersion": "1.0.1e-51.el7_2.7", "arch": "x86_64", "packageFilename": "openssl-perl-1.0.1e-51.el7_2.7.x86_64.rpm", "packageName": "openssl-perl", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "1.0.1e-48.el6_8.3", "arch": "i686", "packageFilename": "openssl-1.0.1e-48.el6_8.3.i686.rpm", "packageName": "openssl", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "1.0.1e-48.el6_8.3", "arch": "i686", "packageFilename": "openssl-1.0.1e-48.el6_8.3.i686.rpm", "packageName": "openssl", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "7", "packageVersion": "1.0.1e-51.el7_2.7", "arch": "x86_64", "packageFilename": "openssl-1.0.1e-51.el7_2.7.x86_64.rpm", "packageName": "openssl", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "1.0.1e-48.el6_8.3", "arch": "x86_64", "packageFilename": "openssl-static-1.0.1e-48.el6_8.3.x86_64.rpm", "packageName": "openssl-static", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "1.0.1e-48.el6_8.3", "arch": "x86_64", "packageFilename": "openssl-devel-1.0.1e-48.el6_8.3.x86_64.rpm", "packageName": "openssl-devel", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "7", "packageVersion": "1.0.1e-51.el7_2.7", "arch": "x86_64", "packageFilename": "openssl-static-1.0.1e-51.el7_2.7.x86_64.rpm", "packageName": "openssl-static", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "1.0.1e-48.el6_8.3", "arch": "x86_64", "packageFilename": "openssl-perl-1.0.1e-48.el6_8.3.x86_64.rpm", "packageName": "openssl-perl", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "7", "packageVersion": "1.0.1e-51.el7_2.7", "arch": "i686", "packageFilename": "openssl-devel-1.0.1e-51.el7_2.7.i686.rpm", "packageName": "openssl-devel", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "7", "packageVersion": "1.0.1e-51.el7_2.7", "arch": "x86_64", "packageFilename": "openssl-devel-1.0.1e-51.el7_2.7.x86_64.rpm", "packageName": "openssl-devel", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "1.0.1e-48.el6_8.3", "arch": "src", "packageFilename": "openssl-1.0.1e-48.el6_8.3.src.rpm", "packageName": "openssl", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "1.0.1e-48.el6_8.3", "arch": "src", "packageFilename": "openssl-1.0.1e-48.el6_8.3.src.rpm", "packageName": "openssl", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "7", "packageVersion": "1.0.1e-51.el7_2.7", "arch": "i686", "packageFilename": "openssl-static-1.0.1e-51.el7_2.7.i686.rpm", "packageName": "openssl-static", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "1.0.1e-48.el6_8.3", "arch": "i686", "packageFilename": "openssl-devel-1.0.1e-48.el6_8.3.i686.rpm", "packageName": "openssl-devel", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "1.0.1e-48.el6_8.3", "arch": "i686", "packageFilename": "openssl-devel-1.0.1e-48.el6_8.3.i686.rpm", "packageName": "openssl-devel", "operator": "lt"}], "description": "[1.0.1e-48.3]\n- fix CVE-2016-2177 - possible integer overflow\n- fix CVE-2016-2178 - non-constant time DSA operations\n- fix CVE-2016-2179 - further DoS issues in DTLS\n- fix CVE-2016-2180 - OOB read in TS_OBJ_print_bio()\n- fix CVE-2016-2181 - DTLS1 replay protection and unprocessed records issue\n- fix CVE-2016-2182 - possible buffer overflow in BN_bn2dec()\n- fix CVE-2016-6302 - insufficient TLS session ticket HMAC length check\n- fix CVE-2016-6304 - unbound memory growth with OCSP status request\n- fix CVE-2016-6306 - certificate message OOB reads\n- mitigate CVE-2016-2183 - degrade all 64bit block ciphers and RC4 to\n 112 bit effective strength\n- replace expired testing certificates", "edition": 3, "reporter": "Oracle", "published": "2016-09-27T00:00:00", "title": "openssl security update", "type": "oraclelinux", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "bulletinFamily": "unix", "cvelist": ["CVE-2016-6306", "CVE-2016-2183", "CVE-2016-2178", "CVE-2016-6302", "CVE-2016-2177", "CVE-2016-2180", "CVE-2016-2181", "CVE-2016-6304", "CVE-2016-2182", "CVE-2016-2179"], "modified": "2016-09-27T00:00:00", "id": "ELSA-2016-1940", "href": "http://linux.oracle.com/errata/ELSA-2016-1940.html", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T01:49:27", "references": [], "affectedPackage": [{"OS": "Oracle Linux", "OSVersion": "7", "packageVersion": "1.0.1e-51.ksplice1.el7_2.7", "arch": "x86_64", "packageFilename": "openssl-libs-1.0.1e-51.ksplice1.el7_2.7.x86_64.rpm", "packageName": "openssl-libs", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "7", "packageVersion": "1.0.1e-51.ksplice1.el7_2.7", "arch": "i686", "packageFilename": "openssl-devel-1.0.1e-51.ksplice1.el7_2.7.i686.rpm", "packageName": "openssl-devel", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "1.0.1e-48.ksplice1.el6_8.3", "arch": "i686", "packageFilename": "openssl-1.0.1e-48.ksplice1.el6_8.3.i686.rpm", "packageName": "openssl", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "7", "packageVersion": "1.0.1e-51.ksplice1.el7_2.7", "arch": "x86_64", "packageFilename": "openssl-perl-1.0.1e-51.ksplice1.el7_2.7.x86_64.rpm", "packageName": "openssl-perl", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "7", "packageVersion": "1.0.1e-51.ksplice1.el7_2.7", "arch": "x86_64", "packageFilename": "openssl-static-1.0.1e-51.ksplice1.el7_2.7.x86_64.rpm", "packageName": "openssl-static", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "1.0.1e-48.ksplice1.el6_8.3", "arch": "x86_64", "packageFilename": "openssl-perl-1.0.1e-48.ksplice1.el6_8.3.x86_64.rpm", "packageName": "openssl-perl", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "1.0.1e-48.ksplice1.el6_8.3", "arch": "x86_64", "packageFilename": "openssl-1.0.1e-48.ksplice1.el6_8.3.x86_64.rpm", "packageName": "openssl", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "7", "packageVersion": "1.0.1e-51.ksplice1.el7_2.7", "arch": "src", "packageFilename": "openssl-1.0.1e-51.ksplice1.el7_2.7.src.rpm", "packageName": "openssl", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "1.0.1e-48.ksplice1.el6_8.3", "arch": "x86_64", "packageFilename": "openssl-static-1.0.1e-48.ksplice1.el6_8.3.x86_64.rpm", "packageName": "openssl-static", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "7", "packageVersion": "1.0.1e-51.ksplice1.el7_2.7", "arch": "x86_64", "packageFilename": "openssl-devel-1.0.1e-51.ksplice1.el7_2.7.x86_64.rpm", "packageName": "openssl-devel", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "7", "packageVersion": "1.0.1e-51.ksplice1.el7_2.7", "arch": "i686", "packageFilename": "openssl-libs-1.0.1e-51.ksplice1.el7_2.7.i686.rpm", "packageName": "openssl-libs", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "1.0.1e-48.ksplice1.el6_8.3", "arch": "x86_64", "packageFilename": "openssl-devel-1.0.1e-48.ksplice1.el6_8.3.x86_64.rpm", "packageName": "openssl-devel", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "1.0.1e-48.ksplice1.el6_8.3", "arch": "src", "packageFilename": "openssl-1.0.1e-48.ksplice1.el6_8.3.src.rpm", "packageName": "openssl", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "7", "packageVersion": "1.0.1e-51.ksplice1.el7_2.7", "arch": "x86_64", "packageFilename": "openssl-1.0.1e-51.ksplice1.el7_2.7.x86_64.rpm", "packageName": "openssl", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "7", "packageVersion": "1.0.1e-51.ksplice1.el7_2.7", "arch": "i686", "packageFilename": "openssl-static-1.0.1e-51.ksplice1.el7_2.7.i686.rpm", "packageName": "openssl-static", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "1.0.1e-48.ksplice1.el6_8.3", "arch": "i686", "packageFilename": "openssl-devel-1.0.1e-48.ksplice1.el6_8.3.i686.rpm", "packageName": "openssl-devel", "operator": "lt"}], "description": "[1.0.1e-48.3]\n- fix CVE-2016-2177 - possible integer overflow\n- fix CVE-2016-2178 - non-constant time DSA operations\n- fix CVE-2016-2179 - further DoS issues in DTLS\n- fix CVE-2016-2180 - OOB read in TS_OBJ_print_bio()\n- fix CVE-2016-2181 - DTLS1 replay protection and unprocessed records issue\n- fix CVE-2016-2182 - possible buffer overflow in BN_bn2dec()\n- fix CVE-2016-6302 - insufficient TLS session ticket HMAC length check\n- fix CVE-2016-6304 - unbound memory growth with OCSP status request\n- fix CVE-2016-6306 - certificate message OOB reads\n- mitigate CVE-2016-2183 - degrade all 64bit block ciphers and RC4 to\n 112 bit effective strength\n- replace expired testing certificates\n[1.0.1e-48.1]\n- fix CVE-2016-2105 - possible overflow in base64 encoding\n- fix CVE-2016-2106 - possible overflow in EVP_EncryptUpdate()\n- fix CVE-2016-2107 - padding oracle in stitched AES-NI CBC-MAC\n- fix CVE-2016-2108 - memory corruption in ASN.1 encoder\n- fix CVE-2016-2109 - possible DoS when reading ASN.1 data from BIO\n- fix CVE-2016-0799 - memory issues in BIO_printf\n[1.0.1e-48]\n- fix CVE-2016-0702 - side channel attack on modular exponentiation\n- fix CVE-2016-0705 - double-free in DSA private key parsing\n- fix CVE-2016-0797 - heap corruption in BN_hex2bn and BN_dec2bn\n[1.0.1e-47]\n- fix CVE-2015-3197 - SSLv2 ciphersuite enforcement\n- disable SSLv2 in the generic TLS method\n[1.0.1e-46]\n- fix 1-byte memory leak in pkcs12 parse (#1229871)\n- document some options of the speed command (#1197095)\n[1.0.1e-45]\n- fix high-precision timestamps in timestamping authority\n[1.0.1e-44]\n- fix CVE-2015-7575 - disallow use of MD5 in TLS1.2\n[1.0.1e-43]\n- fix CVE-2015-3194 - certificate verify crash with missing PSS parameter\n- fix CVE-2015-3195 - X509_ATTRIBUTE memory leak\n- fix CVE-2015-3196 - race condition when handling PSK identity hint\n[1.0.1e-42]\n- fix regression caused by mistake in fix for CVE-2015-1791\n[1.0.1e-41]\n- improved fix for CVE-2015-1791\n- add missing parts of CVE-2015-0209 fix for corectness although unexploitable\n[1.0.1e-40]\n- fix CVE-2014-8176 - invalid free in DTLS buffering code\n- fix CVE-2015-1789 - out-of-bounds read in X509_cmp_time\n- fix CVE-2015-1790 - PKCS7 crash with missing EncryptedContent\n- fix CVE-2015-1791 - race condition handling NewSessionTicket\n- fix CVE-2015-1792 - CMS verify infinite loop with unknown hash function\n[1.0.1e-39]\n- fix CVE-2015-3216 - regression in RAND locking that can cause segfaults on\n read in multithreaded applications\n[1.0.1e-38]\n- fix CVE-2015-4000 - prevent the logjam attack on client - restrict\n the DH key size to at least 768 bits (limit will be increased in future)\n[1.0.1e-37]\n- drop the AES-GCM restriction of 2^32 operations because the IV is\n always 96 bits (32 bit fixed field + 64 bit invocation field)\n[1.0.1e-36]\n- update fix for CVE-2015-0287 to what was released upstream\n[1.0.1e-35]\n- fix CVE-2015-0209 - potential use after free in d2i_ECPrivateKey()\n- fix CVE-2015-0286 - improper handling of ASN.1 boolean comparison\n- fix CVE-2015-0287 - ASN.1 structure reuse decoding memory corruption\n- fix CVE-2015-0288 - X509_to_X509_REQ NULL pointer dereference\n- fix CVE-2015-0289 - NULL dereference decoding invalid PKCS#7 data\n- fix CVE-2015-0292 - integer underflow in base64 decoder\n- fix CVE-2015-0293 - triggerable assert in SSLv2 server\n[1.0.1e-34]\n- copy digest algorithm when handling SNI context switch\n- improve documentation of ciphersuites - patch by Hubert Kario\n- add support for setting Kerberos service and keytab in\n s_server and s_client\n[1.0.1e-33]\n- fix CVE-2014-3570 - incorrect computation in BN_sqr()\n- fix CVE-2014-3571 - possible crash in dtls1_get_record()\n- fix CVE-2014-3572 - possible downgrade of ECDH ciphersuite to non-PFS state\n- fix CVE-2014-8275 - various certificate fingerprint issues\n- fix CVE-2015-0204 - remove support for RSA ephemeral keys for non-export\n ciphersuites and on server\n- fix CVE-2015-0205 - do not allow unauthenticated client DH certificate\n- fix CVE-2015-0206 - possible memory leak when buffering DTLS records\n[1.0.1e-32]\n- use FIPS approved method for computation of d in RSA\n[1.0.1e-31]\n- fix CVE-2014-3567 - memory leak when handling session tickets\n- fix CVE-2014-3513 - memory leak in srtp support\n- add support for fallback SCSV to partially mitigate CVE-2014-3566\n (padding attack on SSL3)\n[1.0.1e-30]\n- add ECC TLS extensions to DTLS (#1119800)\n[1.0.1e-29]\n- fix CVE-2014-3505 - doublefree in DTLS packet processing\n- fix CVE-2014-3506 - avoid memory exhaustion in DTLS\n- fix CVE-2014-3507 - avoid memory leak in DTLS\n- fix CVE-2014-3508 - fix OID handling to avoid information leak\n- fix CVE-2014-3509 - fix race condition when parsing server hello\n- fix CVE-2014-3510 - fix DoS in anonymous (EC)DH handling in DTLS\n- fix CVE-2014-3511 - disallow protocol downgrade via fragmentation\n[1.0.1e-28]\n- fix CVE-2014-0224 fix that broke EAP-FAST session resumption support\n[1.0.1e-26]\n- drop EXPORT, RC2, and DES from the default cipher list (#1057520)\n- print ephemeral key size negotiated in TLS handshake (#1057715)\n- do not include ECC ciphersuites in SSLv2 client hello (#1090952)\n- properly detect encryption failure in BIO (#1100819)\n- fail on hmac integrity check if the .hmac file is empty (#1105567)\n- FIPS mode: make the limitations on DSA, DH, and RSA keygen\n length enforced only if OPENSSL_ENFORCE_MODULUS_BITS environment\n variable is set\n[1.0.1e-25]\n- fix CVE-2010-5298 - possible use of memory after free\n- fix CVE-2014-0195 - buffer overflow via invalid DTLS fragment\n- fix CVE-2014-0198 - possible NULL pointer dereference\n- fix CVE-2014-0221 - DoS from invalid DTLS handshake packet\n- fix CVE-2014-0224 - SSL/TLS MITM vulnerability\n- fix CVE-2014-3470 - client-side DoS when using anonymous ECDH\n[1.0.1e-24]\n- add back support for secp521r1 EC curve\n[1.0.1e-23]\n- fix CVE-2014-0160 - information disclosure in TLS heartbeat extension\n[1.0.1e-22]\n- use 2048 bit RSA key in FIPS selftests\n[1.0.1e-21]\n- add DH_compute_key_padded needed for FIPS CAVS testing\n- make 3des strength to be 128 bits instead of 168 (#1056616)\n- FIPS mode: do not generate DSA keys and DH parameters < 2048 bits\n- FIPS mode: use approved RSA keygen (allows only 2048 and 3072 bit keys)\n- FIPS mode: add DH selftest\n- FIPS mode: reseed DRBG properly on RAND_add()\n- FIPS mode: add RSA encrypt/decrypt selftest\n- FIPS mode: add hard limit for 2^32 GCM block encryptions with the same key\n- use the key length from configuration file if req -newkey rsa is invoked\n[1.0.1e-20]\n- fix CVE-2013-4353 - Invalid TLS handshake crash\n[1.0.1e-19]\n- fix CVE-2013-6450 - possible MiTM attack on DTLS1\n[1.0.1e-18]\n- fix CVE-2013-6449 - crash when version in SSL structure is incorrect\n[1.0.1e-17]\n- add back some no-op symbols that were inadvertently dropped\n[1.0.1e-16]\n- do not advertise ECC curves we do not support\n- fix CPU identification on Cyrix CPUs\n[1.0.1e-15]\n- make DTLS1 work in FIPS mode\n- avoid RSA and DSA 512 bits and Whirlpool in 'openssl speed' in FIPS mode\n[1.0.1e-14]\n- installation of dracut-fips marks that the FIPS module is installed\n[1.0.1e-13]\n- avoid dlopening libssl.so from libcrypto\n[1.0.1e-12]\n- fix small memory leak in FIPS aes selftest\n- fix segfault in openssl speed hmac in the FIPS mode\n[1.0.1e-11]\n- document the nextprotoneg option in manual pages\n original patch by Hubert Kario\n[1.0.1e-9]\n- always perform the FIPS selftests in library constructor\n if FIPS module is installed\n[1.0.1e-8]\n- fix use of rdrand if available\n- more commits cherry picked from upstream\n- documentation fixes\n[1.0.1e-7]\n- additional manual page fix\n- use symbol versioning also for the textual version\n[1.0.1e-6]\n- additional manual page fixes\n- cleanup speed command output for ECDH ECDSA\n[1.0.1e-5]\n- use _prefix macro\n[1.0.1e-4]\n- add relro linking flag\n[1.0.1e-2]\n- add support for the -trusted_first option for certificate chain verification\n[1.0.1e-1]\n- rebase to the 1.0.1e upstream version\n[1.0.0-28]\n- fix for CVE-2013-0169 - SSL/TLS CBC timing attack (#907589)\n- fix for CVE-2013-0166 - DoS in OCSP signatures checking (#908052)\n- enable compression only if explicitly asked for or OPENSSL_DEFAULT_ZLIB\n environment variable is set (fixes CVE-2012-4929 #857051)\n- use __secure_getenv() everywhere instead of getenv() (#839735)\n[1.0.0-27]\n- fix sslrand(1) and sslpasswd(1) reference in openssl(1) manpage (#841645)\n- drop superfluous lib64 fixup in pkgconfig .pc files (#770872)\n- force BIO_accept_new(*:\n) to listen on IPv4\n[1.0.0-26]\n- use PKCS#8 when writing private keys in FIPS mode as the old\n PEM encryption mode is not FIPS compatible (#812348)\n[1.0.0-25]\n- fix for CVE-2012-2333 - improper checking for record length in DTLS (#820686)\n- properly initialize tkeylen in the CVE-2012-0884 fix\n[1.0.0-24]\n- fix for CVE-2012-2110 - memory corruption in asn1_d2i_read_bio() (#814185)\n[1.0.0-23]\n- fix problem with the SGC restart patch that might terminate handshake\n incorrectly\n- fix for CVE-2012-0884 - MMA weakness in CMS and PKCS#7 code (#802725)\n- fix for CVE-2012-1165 - NULL read dereference on bad MIME headers (#802489)\n[1.0.0-22]\n- fix incorrect encryption of unaligned chunks in CFB, OFB and CTR modes\n[1.0.0-21]\n- fix for CVE-2011-4108 & CVE-2012-0050 - DTLS plaintext recovery\n vulnerability and additional DTLS fixes (#771770)\n- fix for CVE-2011-4576 - uninitialized SSL 3.0 padding (#771775)\n- fix for CVE-2011-4577 - possible DoS through malformed RFC 3779 data (#771778)\n- fix for CVE-2011-4619 - SGC restart DoS attack (#771780)\n[1.0.0-20]\n- fix x86cpuid.pl - patch by Paolo Bonzini\n[1.0.0-19]\n- add known answer test for SHA2 algorithms\n[1.0.0-18]\n- fix missing initialization of a variable in the CHIL engine (#740188)\n[1.0.0-17]\n- initialize the X509_STORE_CTX properly for CRL lookups - CVE-2011-3207\n (#736087)\n[1.0.0-16]\n- merge the optimizations for AES-NI, SHA1, and RC4 from the intelx\n engine to the internal implementations\n[1.0.0-15]\n- better documentation of the available digests in apps (#693858)\n- backported CHIL engine fixes (#693863)\n- allow testing build without downstream patches (#708511)\n- enable partial RELRO when linking (#723994)\n- add intelx engine with improved performance on new Intel CPUs\n- add OPENSSL_DISABLE_AES_NI environment variable which disables\n the AES-NI support (does not affect the intelx engine)\n[1.0.0-14]\n- use the AES-NI engine in the FIPS mode\n[1.0.0-11]\n- add API necessary for CAVS testing of the new DSA parameter generation\n[1.0.0-10]\n- fix OCSP stapling vulnerability - CVE-2011-0014 (#676063)\n- correct the README.FIPS document", "edition": 3, "reporter": "Oracle", "published": "2016-09-27T00:00:00", "title": "openssl security update", "type": "oraclelinux", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "bulletinFamily": "unix", "cvelist": ["CVE-2015-4000", "CVE-2013-0166", "CVE-2014-3505", "CVE-2012-2333", "CVE-2014-3508", "CVE-2015-1792", "CVE-2014-3566", "CVE-2015-3197", "CVE-2011-4108", "CVE-2014-3572", "CVE-2016-6306", "CVE-2016-0705", "CVE-2015-0206", "CVE-2015-1789", "CVE-2016-2183", "CVE-2013-0169", "CVE-2015-0286", "CVE-2013-6449", "CVE-2016-2178", "CVE-2014-3507", "CVE-2015-3195", "CVE-2016-2108", "CVE-2011-4576", "CVE-2014-3571", "CVE-2016-0799", "CVE-2016-6302", "CVE-2014-3513", "CVE-2016-2177", "CVE-2015-0288", "CVE-2012-1165", "CVE-2011-4577", "CVE-2014-0224", "CVE-2016-2105", "CVE-2015-3194", "CVE-2016-2107", "CVE-2011-4619", "CVE-2014-3511", "CVE-2011-0014", "CVE-2014-8275", "CVE-2016-2180", "CVE-2016-0797", "CVE-2016-0702", "CVE-2014-3570", "CVE-2015-7575", "CVE-2015-3196", "CVE-2014-3470", "CVE-2014-3506", "CVE-2016-2109", "CVE-2012-4929", "CVE-2016-2181", "CVE-2016-6304", "CVE-2013-6450", "CVE-2012-0050", "CVE-2015-0293", "CVE-2010-5298", "CVE-2014-0160", "CVE-2014-8176", "CVE-2013-4353", "CVE-2014-0195", "CVE-2014-0198", "CVE-2015-0209", "CVE-2014-3567", "CVE-2015-0204", "CVE-2012-2110", "CVE-2012-0884", "CVE-2015-1790", "CVE-2014-3510", "CVE-2016-2182", "CVE-2015-0287", "CVE-2011-3207", "CVE-2015-0289", "CVE-2015-3216", "CVE-2015-0292", "CVE-2015-0205", "CVE-2016-2179", "CVE-2016-2106", "CVE-2014-3509", "CVE-2015-1791", "CVE-2014-0221"], "modified": "2016-09-27T00:00:00", "id": "ELSA-2016-3621", "href": "http://linux.oracle.com/errata/ELSA-2016-3621.html", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "slackware": [{"lastseen": "2018-08-31T00:36:44", "references": [], "affectedPackage": [{"OS": "Slackware", "OSVersion": "14.0", "packageVersion": "1.0.1u", "arch": "i486", "packageFilename": "openssl-1.0.1u-i486-1_slack14.0.txz", "packageName": "openssl", "operator": "lt"}, {"OS": "Slackware", "OSVersion": "14.0", "packageVersion": "1.0.1u", "arch": "x86_64", "packageFilename": "openssl-solibs-1.0.1u-x86_64-1_slack14.0.txz", "packageName": "openssl-solibs", "operator": "lt"}, {"OS": "Slackware", "OSVersion": "14.0", "packageVersion": "1.0.1u", "arch": "x86_64", "packageFilename": "openssl-1.0.1u-x86_64-1_slack14.0.txz", "packageName": "openssl", "operator": "lt"}, {"OS": "Slackware", "OSVersion": "14.0", "packageVersion": "1.0.1u", "arch": "i486", "packageFilename": "openssl-solibs-1.0.1u-i486-1_slack14.0.txz", "packageName": "openssl-solibs", "operator": "lt"}, {"OS": "Slackware", "OSVersion": "14.2", "packageVersion": "1.0.2i", "arch": "x86_64", "packageFilename": "openssl-solibs-1.0.2i-x86_64-1_slack14.2.txz", "packageName": "openssl-solibs", "operator": "lt"}, {"OS": "Slackware", "OSVersion": "14.2", "packageVersion": "1.0.2i", "arch": "x86_64", "packageFilename": "openssl-1.0.2i-x86_64-1_slack14.2.txz", "packageName": "openssl", "operator": "lt"}, {"OS": "Slackware", "OSVersion": "14.2", "packageVersion": "1.0.2i", "arch": "i586", "packageFilename": "openssl-1.0.2i-i586-1_slack14.2.txz", "packageName": "openssl", "operator": "lt"}, {"OS": "Slackware", "OSVersion": "14.1", "packageVersion": "1.0.1u", "arch": "x86_64", "packageFilename": "openssl-1.0.1u-x86_64-1_slack14.1.txz", "packageName": "openssl", "operator": "lt"}, {"OS": "Slackware", "OSVersion": "14.1", "packageVersion": "1.0.1u", "arch": "i486", "packageFilename": "openssl-solibs-1.0.1u-i486-1_slack14.1.txz", "packageName": "openssl-solibs", "operator": "lt"}, {"OS": "Slackware", "OSVersion": "14.1", "packageVersion": "1.0.1u", "arch": "i486", "packageFilename": "openssl-1.0.1u-i486-1_slack14.1.txz", "packageName": "openssl", "operator": "lt"}, {"OS": "Slackware", "OSVersion": "14.2", "packageVersion": "1.0.2i", "arch": "i586", "packageFilename": "openssl-solibs-1.0.2i-i586-1_slack14.2.txz", "packageName": "openssl-solibs", "operator": "lt"}, {"OS": "Slackware", "OSVersion": "14.1", "packageVersion": "1.0.1u", "arch": "x86_64", "packageFilename": "openssl-solibs-1.0.1u-x86_64-1_slack14.1.txz", "packageName": "openssl-solibs", "operator": "lt"}], "description": "New openssl packages are available for Slackware 14.0, 14.1, 14.2, and -current\nto fix security issues.\n\n\nHere are the details from the Slackware 14.2 ChangeLog:\n\npatches/packages/openssl-1.0.2i-i586-1_slack14.2.txz: Upgraded.\n This update fixes denial-of-service and other security issues.\n For more information, see:\n https://www.openssl.org/news/secadv/20160922.txt\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6304\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6305\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2183\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6303\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6302\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2182\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2180\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2177\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2178\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2179\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2181\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6306\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6307\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6308\n (* Security fix *)\npatches/packages/openssl-solibs-1.0.2i-i586-1_slack14.2.txz: Upgraded.\n\nWhere to find the new packages:\n\nThanks to the friendly folks at the OSU Open Source Lab\n(http://osuosl.org) for donating FTP and rsync hosting\nto the Slackware project! :-)\n\nAlso see the &quot;Get Slack&quot; section on http://slackware.com for\nadditional mirror sites near you.\n\nUpdated packages for Slackware 14.0:\nftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/openssl-1.0.1u-i486-1_slack14.0.txz\nftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/openssl-solibs-1.0.1u-i486-1_slack14.0.txz\n\nUpdated packages for Slackware x86_64 14.0:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/openssl-1.0.1u-x86_64-1_slack14.0.txz\nftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/openssl-solibs-1.0.1u-x86_64-1_slack14.0.txz\n\nUpdated packages for Slackware 14.1:\nftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/openssl-1.0.1u-i486-1_slack14.1.txz\nftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/openssl-solibs-1.0.1u-i486-1_slack14.1.txz\n\nUpdated packages for Slackware x86_64 14.1:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/openssl-1.0.1u-x86_64-1_slack14.1.txz\nftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/openssl-solibs-1.0.1u-x86_64-1_slack14.1.txz\n\nUpdated packages for Slackware 14.2:\nftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/openssl-1.0.2i-i586-1_slack14.2.txz\nftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/openssl-solibs-1.0.2i-i586-1_slack14.2.txz\n\nUpdated packages for Slackware x86_64 14.2:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.2/patches/packages/openssl-1.0.2i-x86_64-1_slack14.2.txz\nftp://ftp.slackware.com/pub/slackware/slackware64-14.2/patches/packages/openssl-solibs-1.0.2i-x86_64-1_slack14.2.txz\n\nUpdated packages for Slackware -current:\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/a/openssl-solibs-1.0.2i-i586-1.txz\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/openssl-1.0.2i-i586-1.txz\n\nUpdated packages for Slackware x86_64 -current:\nftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/a/openssl-solibs-1.0.2i-x86_64-1.txz\nftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/n/openssl-1.0.2i-x86_64-1.txz\n\n\nMD5 signatures:\n\nSlackware 14.0 packages:\ne6d4b3a76383f9f253da4128ba23f269 openssl-1.0.1u-i486-1_slack14.0.txz\nc61d31a1751ae39af89d3fee0b54f0d8 openssl-solibs-1.0.1u-i486-1_slack14.0.txz\n\nSlackware x86_64 14.0 packages:\n96be19e6a96c9beb5d3bbc55348fb483 openssl-1.0.1u-x86_64-1_slack14.0.txz\nb7a8fa2ebd16c8ae106fc1267bc29eca openssl-solibs-1.0.1u-x86_64-1_slack14.0.txz\n\nSlackware 14.1 packages:\n099b960e62eaea5d1a639a61a2fabca7 openssl-1.0.1u-i486-1_slack14.1.txz\nb5d5219e05db97f63c4d6c389d6884fb openssl-solibs-1.0.1u-i486-1_slack14.1.txz\n\nSlackware x86_64 14.1 packages:\nfc96c87d76c9d1efd1290ac847fa7c7c openssl-1.0.1u-x86_64-1_slack14.1.txz\ne873b66f84f45ea34d028a3d524ce573 openssl-solibs-1.0.1u-x86_64-1_slack14.1.txz\n\nSlackware 14.2 packages:\n85ebfd338921f2818e84e0ad07b3cf1c openssl-1.0.2i-i586-1_slack14.2.txz\n5d8aa37736b364beabda0bb50f6b87b1 openssl-solibs-1.0.2i-i586-1_slack14.2.txz\n\nSlackware x86_64 14.2 packages:\n6a98076465b9e7f2bca791ae957787f5 openssl-1.0.2i-x86_64-1_slack14.2.txz\n1aa557b1c5cd8f6ce2a5986395ae47c9 openssl-solibs-1.0.2i-x86_64-1_slack14.2.txz\n\nSlackware -current packages:\nceebd7f21ac6e9cb2c94d808ef7e83fc a/openssl-solibs-1.0.2i-i586-1.txz\nfaef6f627e1eda3c99f1507005042ec7 n/openssl-1.0.2i-i586-1.txz\n\nSlackware x86_64 -current packages:\n8c4fb36e01b7943504d24ca4a913b83d a/openssl-solibs-1.0.2i-x86_64-1.txz\n75e17a5b960c2cfa7e8803dd52c072a1 n/openssl-1.0.2i-x86_64-1.txz\n\n\nInstallation instructions:\n\nUpgrade the packages as root:\n > upgradepkg openssl-1.0.2i-i586-1_slack14.2.txz openssl-solibs-1.0.2i-i586-1_slack14.2.txz", "edition": 3, "reporter": "Slackware Linux Project", "published": "2016-09-22T11:53:12", "title": "openssl", "type": "slackware", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "unix", "cvelist": ["CVE-2016-6306", "CVE-2016-2183", "CVE-2016-2178", "CVE-2016-6302", "CVE-2016-2177", "CVE-2016-6307", "CVE-2016-6308", "CVE-2016-2180", "CVE-2016-2181", "CVE-2016-6304", "CVE-2016-6305", "CVE-2016-6303", "CVE-2016-2182", "CVE-2016-2179"], "modified": "2016-09-22T11:53:12", "id": "SSA-2016-266-01", "href": "http://www.slackware.com/security/viewer.php?l=slackware-security&y=2016&m=slackware-security.629460", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}], "cisco": [{"lastseen": "2018-06-28T08:34:40", "_object_types": ["robots.models.base.Bulletin", "robots.models.cisco.CiscoBulletin"], "references": ["http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160927-openssl"], "description": "A vulnerability in OpenSSL could allow an unauthenticated, remote attacker to access sensitive information.\n\nThe vulnerability is due to a cipher block collision that may occur during an encrypted session where OpenSSL uses a 64-bit block cipher, such as 3DES Cipher Block Chaining (CBC) mode. An attacker who is able to capture nearly a terabyte of network traffic could exploit this vulnerability to monitor a cipher block collision, which could be leveraged to decrypt data in transit and gain access to sensitive information. A successful exploit could be leveraged to conduct further attacks.\n\nA vulnerability in OpenSSL could allow an unauthenticated, remote attacker to execute arbitrary code or cause a denial of service (DoS) condition.\n\nThe vulnerability is due to insufficient bounds checking by the affected software. An attacker could exploit this vulnerability by sending a\nmessage that is larger than 16 KB to a targeted system. An exploit could\ntrigger a use-after-free condition that the attacker could leverage to execute\narbitrary code or cause the affected\napplication to crash, resulting in a DoS condition.\n\nA vulnerability in the Online Certificate Status Protocol (OCSP) stapling implementation of OpenSSL could allow an unauthenticated, remote attacker to keep consuming memory on the targeted system. The vulnerability is due to the implementation of the OCSP Status Request SSL/TLS extension. \n\nAn attacker could exploit this vulnerability by establishing an SSL/TLS session to the targeted system and iteratively performing renegotiation, sending an OCSP Status Request each time. An exploit could allow the attacker to indefinitely keep increasing the memory allocated to the process that is running the vulnerable OpenSSL code.\n\nA vulnerability in the code handling for Certificate Revocation Lists (CRL)\nin OpenSSL could allow an unauthenticated, remote attacker to trigger a\ncrash of the targeted system, resulting in a denial of service (DoS)\ncondition.\n\nThe vulnerability is due to a missing CRL sanity\ncheck. An attacker could exploit this vulnerability by triggering the\ntarget to perform a CRL-related operation.\n\nMultiple vulnerabilities in OpenSSL could allow an unauthenticated, remote attacker to access sensitive information or cause a denial of service (DoS) condition.\n\nThis update addresses multiple vulnerabilities that are due to insufficient bounds checking by the affected software along with insufficient validation of user-supplied input processed by certain functions implemented in the affected software. An attacker could exploit these vulnerabilities by submitting crafted input to a targeted system, causing the system to become unresponsive or crash and resulting in a DoS condition.\n\nIn addition, an attacker in a man-in-the-middle position between a targeted system and a system that is communicating with the targeted system could conduct a SWEET32 attack, identified as CVE-2016-2183, to access sensitive information.\n\nOn September 22, 2016, the OpenSSL Software Foundation released an advisory that describes 14 vulnerabilities. Of these 14 vulnerabilities, the OpenSSL Software Foundation classifies one as \u201cCritical Severity,\u201d one as \u201cModerate Severity,\u201d and the other 12 as \u201cLow Severity.\u201d\n\nSubsequently, on September 26, the OpenSSL Software Foundation released an additional advisory that describes two new vulnerabilities. These vulnerabilities affect the OpenSSL versions that were released to address the vulnerabilities disclosed in the previous advisory. One of the new vulnerabilities was rated as \u201cHigh Severity\u201d and the other as \u201cModerate Severity.\u201d\n\nOf the 16 released vulnerabilities:\n\nFourteen track issues that could result in a denial of service (DoS) condition\nOne (CVE-2016-2183, aka SWEET32) tracks an implementation of a Birthday attack against Transport Layer Security (TLS) block ciphers that use a 64-bit block size that could result in loss of confidentiality\nOne (CVE-2016-2178) is a timing side-channel attack that, in specific circumstances, could allow an attacker to derive the private DSA key that belongs to another user or service running on the same system\nFive of the 16 vulnerabilities exclusively affect the recently released OpenSSL versions that are part of the 1.1.0 release series, which has not yet been integrated into any Cisco product.\n\nThis advisory is available at the following link:\nhttp://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160927-openssl [\"http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160927-openssl\"]", "reporter": "Cisco", "published": "2016-09-27T22:40:00", "type": "cisco", "title": "Multiple Vulnerabilities in OpenSSL Affecting Cisco Products: September 2016 ", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "bulletinFamily": "software", "affectedSoftware": [{"name": "Cisco Application and Content Networking System (ACNS) Software", "version": "any", "operator": "eq"}, {"name": "Cisco Prime Access Registrar", "version": "any", "operator": "eq"}, {"name": "Cisco Emergency Responder", "version": "any", "operator": "eq"}, {"name": "Cisco Unified Contact Center", "version": "any", "operator": "eq"}, {"name": "Cisco IOS XR Software", "version": "any", "operator": "eq"}, {"name": "Cisco ONS 15454 System Software", "version": "any", "operator": "eq"}, {"name": "Cisco Unity Express", "version": "any", "operator": "eq"}, {"name": "Cisco NAC Appliance Software", "version": "any", "operator": "eq"}, {"name": "Intrusion Prevention System (IPS)", "version": "any", "operator": "eq"}, {"name": "Cisco Adaptive Security Appliance (ASA) Software", "version": "any", "operator": "eq"}, {"name": "Cisco ACE Application Control Engine Module", "version": "any", "operator": "eq"}, {"name": "Cisco Wide Area Application Services (WAAS)", "version": "any", "operator": "eq"}, {"name": "Cisco Wireless LAN Controller (WLC)", "version": "any", "operator": "eq"}, {"name": "Cisco Unified Contact Center Enterprise", "version": "any", "operator": "eq"}, {"name": "Cisco Unified MeetingPlace", "version": "any", "operator": "eq"}, {"name": "Cisco IP Interoperability and Collaboration System (IPICS)", "version": "any", "operator": "eq"}, {"name": "Cisco Unity Connection", "version": "any", "operator": "eq"}, {"name": "Cisco TelePresence", "version": "any", "operator": "eq"}, {"name": "Cisco Security Manager", "version": "any", "operator": "eq"}, {"name": "Cisco ACE 4700 Series Application Control Engine Appliances", "version": "any", "operator": "eq"}, {"name": "Cisco Unified Contact Center Express", "version": "any", "operator": "eq"}, {"name": "Cisco IOS XE Software", "version": "any", "operator": "eq"}, {"name": "Cisco Video Surveillance Media Server Software", "version": "any", "operator": "eq"}, {"name": "Cisco Digital Media Player Software", "version": "any", "operator": "eq"}, {"name": "Cisco Digital Media Manager Software", "version": "any", "operator": "eq"}, {"name": "Cisco Network Analysis Module (NAM) Software", "version": "any", "operator": "eq"}, {"name": "Cisco WebEx Event Center", "version": "any", "operator": "eq"}, {"name": "Cisco WebEx Meeting Center", "version": "any", "operator": "eq"}, {"name": "Cisco WebEx Support Center", "version": "any", "operator": "eq"}, {"name": "Cisco WebEx Training Center", "version": "any", "operator": "eq"}, {"name": "Cisco Network Admission Control Guest Server", "version": "any", "operator": "eq"}, {"name": "Cisco AnyConnect Secure Mobility Client", "version": "any", "operator": "eq"}, {"name": "Cisco Show and Share", "version": "any", "operator": "eq"}, {"name": "Cisco Mobility Services Engine", "version": "any", "operator": "eq"}, {"name": "Cisco Identity Services Engine Software", "version": "any", "operator": "eq"}, {"name": "Cisco TelePresence Video Communication Server (VCS)", "version": "any", "operator": "eq"}, {"name": "Cisco Prime Data Center Network Manager (DCNM)", "version": "any", "operator": "eq"}, {"name": "Cisco Small Business 300 Series Managed Switches", "version": "any", "operator": "eq"}, {"name": "Cisco Small Business 500 Series Stackable Managed Switches", "version": "any", "operator": "eq"}, {"name": "Cisco ATA 187 Analog Telephone Adaptor", "version": "any", "operator": "eq"}, {"name": "Cisco Prime LAN Management Solution (LMS)", "version": "any", "operator": "eq"}, {"name": "Cisco Unified Communications Domain Manager", "version": "any", "operator": "eq"}, {"name": "Cisco Email Security Appliance (ESA)", "version": "any", "operator": "eq"}, {"name": "Cisco Content Security Management Appliance (SMA)", "version": "any", "operator": "eq"}, {"name": "Cisco Prime Infrastructure", "version": "any", "operator": "eq"}, {"name": "Cisco Connected Grid Network Management System (CG-NMS)", "version": "any", "operator": "eq"}, {"name": "Cisco Jabber IM for Android", "version": "any", "operator": "eq"}, {"name": "Cisco WebEx Meetings Server", "version": "any", "operator": "eq"}, {"name": "Cisco WebEx Node for MCS", "version": "any", "operator": "eq"}, {"name": "Cisco Unified Computing System Central Software", "version": "any", "operator": "eq"}, {"name": "Cisco Jabber for Windows", "version": "any", "operator": "eq"}, {"name": "Cisco Enterprise Content Delivery System (ECDS)", "version": "any", "operator": "eq"}, {"name": "Cisco ASR 5000 Series Software", "version": "any", "operator": "eq"}, {"name": "Cisco Unified IP Phone 8945", "version": "any", "operator": "eq"}, {"name": "Cisco SocialMiner", "version": "any", "operator": "eq"}, {"name": "Cisco MediaSense", "version": "any", "operator": "eq"}, {"name": "Cisco TelePresence TX9000", "version": "any", "operator": "eq"}, {"name": "Cisco Video Surveillance 4000 Series IP Camera", "version": "any", "operator": "eq"}, {"name": "Cisco Unified SIP Proxy", "version": "any", "operator": "eq"}, {"name": "Cisco MXE 3500 (Media Experience Engine)", "version": "any", "operator": "eq"}, {"name": "Cisco Nexus 1000V InterCloud for VMware", "version": "any", "operator": "eq"}, {"name": "Cisco Prime Network Registrar", "version": "any", "operator": "eq"}, {"name": "Cisco Unified Computing System Director", "version": "any", "operator": "eq"}, {"name": "Cisco Digital Content Manager (DCM) Software", "version": "any", "operator": "eq"}, {"name": "Cisco Unified Intelligence Center", "version": "any", "operator": "eq"}, {"name": "Cisco Nexus 1000V Switch", "version": "any", "operator": "eq"}, {"name": "Cisco Expressway", "version": "any", "operator": "eq"}, {"name": "Cisco Prime Optical", "version": "any", "operator": "eq"}, {"name": "Cisco Jabber Guest", "version": "any", "operator": "eq"}, {"name": "Cisco Visual Quality Experience", "version": "any", "operator": "eq"}, {"name": "Cisco TelePresence Serial Gateway Series", "version": "any", "operator": "eq"}, {"name": "Cisco Prime License Manager", "version": "any", "operator": "eq"}, {"name": "Cisco Prime Collaboration Deployment", "version": "any", "operator": "eq"}, {"name": "Cisco Plug-in for OpenFlow", "version": "any", "operator": "eq"}, {"name": "Cisco Prime IP Express", "version": "any", "operator": "eq"}, {"name": "Cisco onePK All-in-One Virtual Machine", "version": "any", "operator": "eq"}, {"name": "Cisco Prime Network Services Controller", "version": "any", "operator": "eq"}, {"name": "Cisco TelePresence ISDN Link", "version": "any", "operator": "eq"}, {"name": "Cisco Telepresence Conductor", "version": "any", "operator": "eq"}, {"name": "Cisco Unified Workforce Optimization Quality Management", "version": "any", "operator": "eq"}, {"name": "Cisco Video Surveillance 3000 Series IP Cameras", "version": "any", "operator": "eq"}, {"name": "Cisco Video Surveillance 6000 Series IP Cameras", "version": "any", "operator": "eq"}, {"name": "Cisco Video Surveillance 7000 Series IP Cameras", "version": "any", "operator": "eq"}, {"name": "Cisco Video Surveillance PTZ IP Cameras", "version": "any", "operator": "eq"}, {"name": "Cisco WebEx Meetings for Android", "version": "any", "operator": "eq"}, {"name": "Cisco WebEx Meetings for Windows Phone 8", "version": "any", "operator": "eq"}, {"name": "Cisco FireSIGHT System Software", "version": "any", "operator": "eq"}, {"name": "Cisco IP Phone 8800 Series Software", "version": "any", "operator": "eq"}, {"name": "UCS B-Series Blade Server Software", "version": "any", "operator": "eq"}, {"name": "Cisco Prime Collaboration Assurance", "version": "any", "operator": "eq"}, {"name": "Cisco Prime Collaboration Provisioning", "version": "any", "operator": "eq"}, {"name": "Cisco Jabber Software Development Kit", "version": "any", "operator": "eq"}, {"name": "Cisco Jabber for Mac", "version": "any", "operator": "eq"}, {"name": "Cisco Jabber for iOS", "version": "any", "operator": "eq"}, {"name": "Cisco Cloupia Unified Infrastructure Controller", "version": "any", "operator": "eq"}, {"name": "Cisco Packet Tracer", "version": "any", "operator": "eq"}, {"name": "Cisco Prime Network", "version": "any", "operator": "eq"}, {"name": "Cisco Prime Performance Manager", "version": "any", "operator": "eq"}, {"name": "Cisco Agent Desktop", "version": "any", "operator": "eq"}, {"name": "Cisco DX Series IP Phones", "version": "any", "operator": "eq"}, {"name": "Cisco Paging Server", "version": "any", "operator": "eq"}, {"name": "Cisco SPA112 2-Port Phone Adapter", "version": "any", "operator": "eq"}, {"name": "Cisco SPA122 ATA with Router", "version": "any", "operator": "eq"}, {"name": "Cisco SPA232D Multi-Line DECT ATA", "version": "any", "operator": "eq"}, {"name": "Cisco Unified Attendant Console", "version": "any", "operator": "eq"}, {"name": "Cisco Videoscape Control Suite", "version": "any", "operator": "eq"}, {"name": "Cisco IP Phone 7800 Series", "version": "any", "operator": "eq"}, {"name": "Cisco Unified IP Phone 7900 Series", "version": "any", "operator": "eq"}, {"name": "Cisco Nexus 3000 Series Switch", "version": "any", "operator": "eq"}, {"name": "Cisco Policy Suite (CPS) Software", "version": "any", "operator": "eq"}, {"name": "Cisco Small Business 220 Series Smart Plus Switches", "version": "any", "operator": "eq"}, {"name": "Cisco Hosted Collaboration Mediation Fulfillment", "version": "any", "operator": "eq"}, {"name": "Cisco Registered Envelope Service", "version": "any", "operator": "eq"}], "cvelist": ["CVE-2016-2177", "CVE-2016-2178", "CVE-2016-2179", "CVE-2016-2180", "CVE-2016-2181", "CVE-2016-2182", "CVE-2016-2183", "CVE-2016-6302", "CVE-2016-6303", "CVE-2016-6304", "CVE-2016-6305", "CVE-2016-6306", "CVE-2016-6307", "CVE-2016-6308", "CVE-2016-6309", "CVE-2016-7052"], "_object_type": "robots.models.cisco.CiscoBulletin", "modified": "2017-09-15T23:17:49", "id": "CISCO-SA-20160927-OPENSSL", "href": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160927-openssl", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "huawei": [{"lastseen": "2017-03-22T13:17:16", "references": [], "edition": 1, "description": "Statem/statem.c in OpenSSL 1.1.0a does not consider memory-block movement after a realloc call, which allows remote attackers to cause a denial of service (use-after-free) or possibly execute arbitrary code via a crafted TLS session. (Vulnerability ID: HWPSIRT-2016-09065)\nThis vulnerability has been assigned a CVE ID: CVE-2016-6309\n\nCrypto/x509/x509_vfy.c in OpenSSL 1.0.2i allows remote attackers to cause a denial of service by triggering a CRL operation. (Vulnerability ID: HWPSIRT-2016-09078)\nThis vulnerability has been assigned a CVE ID: CVE-2016-7052\n\nMultiple memory leaks in t1_lib.c in OpenSSL before 1.0.1u, 1.0.2 before 1.0.2i, and 1.1.0 before 1.1.0a allow remote attackers to cause a denial of service via large OCSP Status Request extensions. (Vulnerability ID: HWPSIRT-2016-09079)\nThis vulnerability has been assigned a CVE ID: CVE-2016-6304\n\nThe ssl3_read_bytes function in record/rec_layer_s3.c in OpenSSL 1.1.0 before 1.1.0a allows remote attackers to cause a denial of service by triggering a zero-length record in an SSL_peek call. (Vulnerability ID: HWPSIRT-2016-09080)\nThis vulnerability has been assigned a CVE ID: CVE-2016-6305\n\nThe DES and Triple DES ciphers, as used in the TLS, SSH, and IPSec protocols and other protocols and products, have a birthday bound of approximately four billion blocks, which makes it easier for remote attackers to obtain cleartext data via a birthday attack against a long-duration encrypted session, as demonstrated by an HTTPS session using Triple DES in CBC mode, aka a \"Sweet32\" attack. (Vulnerability ID: HWPSIRT-2016-09081)\nThis vulnerability has been assigned a CVE ID: CVE-2016-2183\n\nInteger overflow in the MDC2_Update function in crypto/mdc2/mdc2dgst.c in OpenSSL before 1.1.0 allows remote attackers to cause a denial of service. (Vulnerability ID: HWPSIRT-2016-09082)\nThis vulnerability has been assigned a CVE ID: CVE-2016-6303\n\nThe tls_decrypt_ticket function in ssl/t1_lib.c in OpenSSL before 1.1.0 does not consider the HMAC size during validation of the ticket length, which allows remote attackers to cause a denial of service via a ticket that is too short. (Vulnerability ID: HWPSIRT-2016-09083)\nThis vulnerability has been assigned a CVE ID: CVE-2016-6302\n\nThe BN_bn2dec function in crypto/bn/bn_print.c in OpenSSL before 1.1.0 does not properly validate division results, which allows remote attackers to cause a denial of service. (Vulnerability ID: HWPSIRT-2016-09084)\nThis vulnerability has been assigned a CVE ID: CVE-2016-2182\n\nThe TS_OBJ_print_bio function in crypto/ts/ts_lib.c in the X.509 Public Key Infrastructure Time-Stamp Protocol (TSP) implementation in OpenSSL through 1.0.2h allows remote attackers to cause a denial of service via a crafted time-stamp file that is mishandled by the \"openssl ts\" command. (Vulnerability ID: HWPSIRT-2016-09085)\nThis vulnerability has been assigned a CVE ID: CVE-2016-2180\n\nOpenSSL through 1.0.2h incorrectly uses pointer arithmetic for heap-buffer boundary checks, which might allow remote attackers to cause a denial of service. (Vulnerability ID: HWPSIRT-2016-09086)\nThis vulnerability has been assigned a CVE ID: CVE-2016-2177\n\nThe dsa_sign_setup function in crypto/dsa/dsa_ossl.c in OpenSSL through 1.0.2h does not properly ensure the use of constant-time operations, which makes it easier for local users to discover a DSA private key via a timing side-channel attack. (Vulnerability ID: HWPSIRT-2016-09087)\nThis vulnerability has been assigned a CVE ID: CVE-2016-2178\n\nThe DTLS implementation in OpenSSL before 1.1.0 does not properly restrict the lifetime of queue entries associated with unused out-of-order messages, which allows remote attackers to cause a denial of service by maintaining many crafted DTLS sessions simultaneously. (Vulnerability ID: HWPSIRT-2016-09088)\nThis vulnerability has been assigned a CVE ID: CVE-2016-2179\n\nThe Anti-Replay feature in the DTLS implementation in OpenSSL before 1.1.0 exist a vulnerability, which allows remote attackers to cause a denial of service. (Vulnerability ID: HWPSIRT-2016-09089)\nThis vulnerability has been assigned a CVE ID: CVE-2016-2181\n\nThe certificate parser in OpenSSL before 1.0.1u and 1.0.2 before 1.0.2i might allow remote attackers to cause a denial of service via crafted certificate operations. (Vulnerability ID: HWPSIRT-2016-09090)\nThis vulnerability has been assigned a CVE ID: CVE-2016-6306\n\nThe state-machine implementation in OpenSSL 1.1.0 before 1.1.0a allocates memory before checking for an excessive length, which might allow remote attackers to cause a denial of service via crafted TLS messages. (Vulnerability ID: HWPSIRT-2016-09091)\nThis vulnerability has been assigned a CVE ID: CVE-2016-6307\n\nStatem/statem_dtls.c in the DTLS implementation in OpenSSL 1.1.0 before 1.1.0a allocates memory before checking for an excessive length, which might allow remote attackers to cause a denial of service via crafted DTLS messages. (Vulnerability ID: HWPSIRT-2016-09092)\nThis vulnerability has been assigned a CVE ID: CVE-2016-6308\n\nHuawei has released software updates to fix these vulnerabilities. This advisory is available at the following link:\nhttp://www.huawei.com/en/psirt/security-advisories/huawei-sa-20170322-01-openssl-en", "reporter": "Huawei Technologies", "published": "2017-03-22T00:00:00", "title": "Security Advisory - Sixteen OpenSSL Vulnerabilities on Some Huawei products", "type": "huawei", "enchantments": {"score": {"vector": "NONE", "value": 6.8}}, "affectedSoftware": [{"name": "AP6610DN-AGN", "version": "V200R005C10", "operator": "eq"}, {"name": "TE60", "version": "V500R002C00", "operator": "eq"}, {"name": "AP7110DN-AGN", "version": "V200R005C10", "operator": "eq"}, {"name": "iBMC", "version": "V200R002C20", "operator": "eq"}, {"name": "AP7030DE", "version": "V200R005C10", "operator": "eq"}, {"name": "iBMC", "version": "V100R002C30", "operator": "eq"}, {"name": "AP8130DN", "version": "V200R005C10", "operator": "eq"}, {"name": "iBMC", "version": "V100R002C10", "operator": "eq"}, {"name": "AP7030DE", "version": "V200R005C20", "operator": "eq"}, {"name": "AP6510DN-AGN", "version": "V200R005C10", "operator": "eq"}, {"name": "AP7110SN-GN", "version": "V200R005C10", "operator": "eq"}, {"name": "AR3200", "version": "V200R008C20", "operator": "eq"}, {"name": "AC6605", "version": "V200R005C00", "operator": "eq"}, {"name": "RSE6500", "version": "V500R002C00", "operator": "eq"}, {"name": "FusionManager", "version": "V100R005C00", "operator": "eq"}, {"name": "OceanStor 9000", "version": "V300R005C00", "operator": "eq"}, {"name": "OceanStor 9000E", "version": "V100R001C01", "operator": "eq"}, {"name": "OceanStor 9000", "version": "V100R001C01", "operator": "eq"}, {"name": "eLog", "version": "V200R005C00", "operator": "eq"}, {"name": "E6000", "version": "V100R002C03", "operator": "eq"}, {"name": "TE60", "version": "V100R001C10", "operator": "eq"}, {"name": "AP5010SN-GN", "version": "V200R005C10", "operator": "eq"}, {"name": "AP6010SN-GN", "version": "V200R005C10", "operator": "eq"}, {"name": "AP5130DN", "version": "V200R005C10", "operator": "eq"}, {"name": "AR3200", "version": "V200R008C10", "operator": "eq"}, {"name": "AP8030DN", "version": "V200R005C10", "operator": "eq"}, {"name": "DP300", "version": "V500R002C00", "operator": "eq"}, {"name": "AC6605", "version": "V200R005C10", "operator": "eq"}, {"name": "OceanStor 9000", "version": "V100R001C30", "operator": "eq"}, {"name": "AP9330DN", "version": "V200R005C20", "operator": "eq"}, {"name": "AP6310SN-GN", "version": "V200R005C10", "operator": "eq"}, {"name": "RH5885 V3", "version": "V100R003C10", "operator": "eq"}, {"name": "AC6005", "version": "V200R005C10", "operator": "eq"}, {"name": "SeMG9811", "version": "V300R001C01", "operator": "eq"}, {"name": "RH5885 V3", "version": "V100R003C01", "operator": "eq"}, {"name": "OceanStor 9000E", "version": "V100R002C00", "operator": "eq"}, {"name": "eSpace 8950", "version": "V200R003C00", "operator": "eq"}, {"name": "OceanStor 9000E", "version": "V100R002C19", "operator": "eq"}, {"name": "AP5030DN", "version": "V200R005C10", "operator": "eq"}], "bulletinFamily": "software", "cvelist": ["CVE-2016-6306", "CVE-2016-2183", "CVE-2016-2178", "CVE-2016-6302", "CVE-2016-2177", "CVE-2016-6307", "CVE-2016-6308", "CVE-2016-2180", "CVE-2016-2181", "CVE-2016-6304", "CVE-2016-7052", "CVE-2016-6305", "CVE-2016-6303", "CVE-2016-2182", "CVE-2016-2179", "CVE-2016-6309"], "modified": "2017-03-22T00:00:00", "id": "HUAWEI-SA-20170322-01-OPENSSL", "href": "http://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20170322-01-openssl-en", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "freebsd": [{"lastseen": "2018-08-31T01:14:10", "references": ["https://www.openssl.org/news/secadv/20160922.txt"], "affectedPackage": [{"OS": "FreeBSD", "OSVersion": "any", "packageVersion": "1.1.0_1", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "openssl-devel", "operator": "lt"}, {"OS": "FreeBSD", "OSVersion": "any", "packageVersion": "1.0.2i,1", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "openssl", "operator": "lt"}, {"OS": "FreeBSD", "OSVersion": "any", "packageVersion": "10.3_8", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "FreeBSD", "operator": "lt"}, {"OS": "FreeBSD", "OSVersion": "any", "packageVersion": "1.0.1e_11", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "linux-c6-openssl", "operator": "lt"}, {"OS": "FreeBSD", "OSVersion": "any", "packageVersion": "10.3", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "FreeBSD", "operator": "eq"}, {"OS": "FreeBSD", "OSVersion": "any", "packageVersion": "1.1.0", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "openssl-devel", "operator": "eq"}], "description": "\nOpenSSL reports:\n\nHigh: OCSP Status Request extension unbounded memory growth\nSSL_peek() hang on empty record\nSWEET32 Mitigation\nOOB write in MDC2_Update()\nMalformed SHA512 ticket DoS\nOOB write in BN_bn2dec()\nOOB read in TS_OBJ_print_bio()\nPointer arithmetic undefined behaviour\nConstant time flag not preserved in DSA signing\nDTLS buffered message DoS\nDTLS replay protection DoS\nCertificate message OOB reads\nExcessive allocation of memory in tls_get_message_header()\nExcessive allocation of memory in dtls1_preprocess_fragment()\nNB: LibreSSL is only affected by CVE-2016-6304\n\n", "edition": 6, "reporter": "FreeBSD", "published": "2016-09-22T00:00:00", "title": "OpenSSL -- multiple vulnerabilities", "type": "freebsd", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "unix", "cvelist": ["CVE-2016-6306", "CVE-2016-2183", "CVE-2016-2178", "CVE-2016-6302", "CVE-2016-2177", "CVE-2016-6307", "CVE-2016-6308", "CVE-2016-2180", "CVE-2016-2181", "CVE-2016-6304", "CVE-2016-6305", "CVE-2016-6303", "CVE-2016-2182", "CVE-2016-2179"], "modified": "2016-10-11T00:00:00", "id": "43EAA656-80BC-11E6-BF52-B499BAEBFEAF", "href": "https://vuxml.freebsd.org/freebsd/43eaa656-80bc-11e6-bf52-b499baebfeaf.html", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}], "oracle": [{"lastseen": "2018-08-31T04:13:57", "references": [], "description": "A Critical Patch Update (CPU) is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security fixes. Please refer to:\n\n[Critical Patch Updates and Security Alerts](<http://www.oracle.com/technetwork/topics/security/alerts-086861.html>) for information about Oracle Security Advisories.\n\n**Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released fixes. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore _strongly_ recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes _without_ delay.**\n\nThis Critical Patch Update contains 253 new security fixes across the product families listed below. Please note that a blog entry summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at <https://blogs.oracle.com/security>.\n\nPlease note that the vulnerabilities in this Critical Patch Update are scored using version 3.0 of Common Vulnerability Scoring Standard (CVSS).\n\nThis Critical Patch Update advisory is also available in an XML format that conforms to the Common Vulnerability Reporting Format (CVRF) version 1.1. More information about Oracle's use of CVRF is available [here](<http://www.oracle.com/technetwork/topics/security/cpufaq-098434.html#CVRF>).\n", "edition": 3, "reporter": "Oracle", "published": "2016-10-18T00:00:00", "title": "Oracle Critical Patch Update - October 2016", "type": "oracle", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "software", "affectedSoftware": [{"name": "Oracle Communications Policy Management", "version": "9.9.1", "operator": "le"}, {"name": "Oracle Data Integrator", "version": "12.2.1.0.0", "operator": "le"}, {"name": "Oracle Customer Interaction History", "version": "12.1.3", "operator": "le"}, {"name": "Oracle Financial Services Lending and Leasing", "version": "14.1.0", "operator": "le"}, {"name": "Oracle Retail Xstore Point of Service", "version": "6.5", "operator": "le"}, {"name": "OJVM", "version": "12.1.0.2", "operator": "le"}, {"name": "BI Publisher (formerly XML Publisher)", "version": "11.1.1.9.0", "operator": "le"}, {"name": "Oracle Applications DBA", "version": "12.2.4", "operator": "le"}, {"name": "Oracle Hospitality OPERA 5 Property Services", "version": "5.4.3.0", "operator": "le"}, {"name": "Oracle Retail Returns Management", "version": "13.0", "operator": "le"}, {"name": "Oracle Outside In Technology", "version": "8.5.1", "operator": "le"}, {"name": "Oracle Retail Back Office", "version": "13.3", "operator": "le"}, {"name": "Oracle Common Applications Calendar", "version": "12.2.4", "operator": "le"}, {"name": "RDBMS Security", "version": "11.2.0.4", "operator": "le"}, {"name": "Primavera P6 Professional Project Management", "version": "16.x", "operator": "le"}, {"name": "Oracle Shipping Execution", "version": "12.2.6", "operator": "le"}, {"name": "Oracle Retail Back Office", "version": "13.0", "operator": "le"}, {"name": "Oracle iRecruitment", "version": "12.2.3", "operator": "le"}, {"name": "Oracle iProcurement", "version": "12.2.5", "operator": "le"}, {"name": "Oracle Retail Back Office", "version": "13.1", "operator": "le"}, {"name": "Java SE, Java SE Embedded", "version": "7u111", "operator": "le"}, {"name": "Oracle Financial Services Analytical Applications Infrastructure", "version": "7.3.3", "operator": "le"}, {"name": "Oracle Customer Interaction History", "version": "12.2.3", "operator": "le"}, {"name": "Oracle iRecruitment", "version": "12.2.5", "operator": "le"}, {"name": "Oracle Email Center", "version": "12.1.3", "operator": "le"}, {"name": "Siebel Apps - E-Billing", "version": "7.1", "operator": "le"}, {"name": "Oracle Retail Returns Management", "version": "13.4", "operator": "le"}, {"name": "Oracle CRM Technical Foundation", "version": "12.2.5", "operator": "le"}, {"name": "Oracle Applications DBA", "version": "12.2.5", "operator": "le"}, {"name": "MySQL Server", "version": "5.6.31", "operator": "le"}, {"name": "Oracle Retail Returns Management", "version": "14.1", "operator": "le"}, {"name": "Oracle Retail Xstore Point of Service", "version": "6.0", "operator": "le"}, {"name": "MySQL Connector", "version": "2.1.3", "operator": "le"}, {"name": "Oracle Application Testing Suite", "version": "12.5.0.1", "operator": "le"}, {"name": "Oracle Customer Interaction History", "version": "12.2.4", "operator": "le"}, {"name": "Oracle iRecruitment", "version": "12.1.1", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.3.4", "operator": "le"}, {"name": "Oracle Retail Returns Management", "version": "13.1", "operator": "le"}, {"name": "Oracle FLEXCUBE Core Banking", "version": "11.5.0.0.0", "operator": "le"}, {"name": "Java SE", "version": "7u111", "operator": "le"}, {"name": "Oracle Outside In Technology", "version": "8.5.2", "operator": "le"}, {"name": "Oracle Financial Services Analytical Applications Infrastructure", "version": "8.0.0", "operator": "le"}, {"name": "Primavera P6 Professional Project Management", "version": "8.4", "operator": "le"}, {"name": "Virtual Desktop Infrastructure", "version": "3.5.3", "operator": "le"}, {"name": "Oracle Retail Back Office", "version": "14.1", "operator": "le"}, {"name": "Oracle Financial Services Lending and Leasing", "version": "14.2.0", "operator": "le"}, {"name": "Oracle Secure Backup", "version": "10.4.0.4.0", "operator": "le"}, {"name": "Oracle Shipping Execution", "version": "12.2.5", "operator": "le"}, {"name": "Oracle Shipping Execution", "version": "12.1.3", "operator": "le"}, {"name": "MySQL Server", "version": "5.7.14", "operator": "le"}, {"name": "Oracle Platform Security for Java", "version": "12.2.1.0.0", "operator": "le"}, {"name": "Oracle Platform Security for Java", "version": "12.2.1.1.0", "operator": "le"}, {"name": "Oracle FLEXCUBE Private Banking", "version": "12.0.1", "operator": "le"}, {"name": "Oracle GlassFish Server", "version": "2.1.1", "operator": "le"}, {"name": "Oracle Applications DBA", "version": "12.2.3", "operator": "le"}, {"name": "Oracle HTTP Server", "version": "12.1.3", "operator": "le"}, {"name": "Oracle CRM Technical Foundation", "version": "12.1.3", "operator": "le"}, {"name": "Siebel Apps - Customer Order Management", "version": "16.1", "operator": "le"}, {"name": "Oracle Commerce Guided Search", "version": "6.4.1.2", "operator": "le"}, {"name": "Oracle Commerce Guided Search / Oracle Commerce Experience Manager", "version": "6.4.1.2", "operator": "le"}, {"name": "Primavera P6 Professional Project Management", "version": "8.3", "operator": "le"}, {"name": "Oracle Shipping Execution", "version": "12.1.2", "operator": "le"}, {"name": "Oracle WebCenter Sites", "version": "12.2.1.0.0", "operator": "le"}, {"name": "Oracle iRecruitment", "version": "12.1.3", "operator": "le"}, {"name": "Oracle Business Intelligence Enterprise Edition", "version": "12.1.1.0.0", "operator": "le"}, {"name": "PeopleSoft Enterprise PeopleTools", "version": "8.55", "operator": "le"}, {"name": "Secure Global Desktop", "version": "5.2", "operator": "le"}, {"name": "MySQL Server", "version": "5.5.52", "operator": "le"}, {"name": "Oracle Advanced Supply Chain Planning", "version": "12.2.4", "operator": "le"}, {"name": "Oracle Commerce Guided Search / Oracle Commerce Experience Manager", "version": "6.3.0", "operator": "le"}, {"name": "Oracle Retail Clearance Optimization Engine", "version": "13.3", "operator": "le"}, {"name": "Oracle Secure Backup", "version": "12.1.0.2.0", "operator": "le"}, {"name": "MySQL Server", "version": "5.6.30", "operator": "le"}, {"name": "MySQL Server", "version": "5.6.32", "operator": "le"}, {"name": "Oracle Data Integrator", "version": "12.1.3.0.0", "operator": "le"}, {"name": "Oracle iStore", "version": "12.2.4", "operator": "le"}, {"name": "Oracle FLEXCUBE Universal Banking", "version": "12.1.0", "operator": "le"}, {"name": "Oracle FLEXCUBE Private Banking", "version": "12.1.0", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.3.6", "operator": "le"}, {"name": "Oracle Application Express", "version": "5.0.4.00.07", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.2", "operator": "le"}, {"name": "Java SE, Java SE Embedded", "version": "6u121", "operator": "le"}, {"name": "Oracle Advanced Pricing", "version": "12.1.1", "operator": "le"}, {"name": "Oracle Advanced Pricing", "version": "12.1.2", "operator": "le"}, {"name": "Oracle Common Applications Calendar", "version": "12.1.1", "operator": "le"}, {"name": "JD Edwards World Security", "version": "9.4", "operator": "le"}, {"name": "Oracle iPlanet Web Proxy Server", "version": "4.0", "operator": "le"}, {"name": "Oracle Financial Services Analytical Applications Infrastructure", "version": "7.3.0", "operator": "le"}, {"name": "Oracle Retail Central Office", "version": "13.3", "operator": "le"}, {"name": "Oracle Commerce Guided Search / Oracle Commerce Experience Manager", "version": "6.5.2", "operator": "le"}, {"name": "Oracle Email Center", "version": "12.2.3", "operator": "le"}, {"name": "Primavera P6 Enterprise Project Portfolio Management", "version": "16.x", "operator": "le"}, {"name": "Oracle Retail Xstore Payment", "version": "1.x", "operator": "le"}, {"name": "Oracle Retail Back Office", "version": "14.0", "operator": "le"}, {"name": "MySQL Server", "version": "5.5.51", "operator": "le"}, {"name": "Oracle CRM Technical Foundation", "version": "12.2.4", "operator": "le"}, {"name": "Oracle Email Center", "version": "12.1.1", "operator": "le"}, {"name": "Oracle CRM Technical Foundation", "version": "12.1.2", "operator": "le"}, {"name": "Oracle Advanced Pricing", "version": "12.2.4", "operator": "le"}, {"name": "Oracle FLEXCUBE Universal Banking", "version": "11.4.0", "operator": "le"}, {"name": "Oracle Common Applications Calendar", "version": "12.2.3", "operator": "le"}, {"name": "MySQL Server", "version": "5.6.33", "operator": "le"}, {"name": "Oracle Financial Services Analytical Applications Infrastructure", "version": "7.3.2", "operator": "le"}, {"name": "Oracle WebLogic Server", "version": "12.2.1.0", "operator": "le"}, {"name": "RDBMS Programmable Interface", "version": "12.1.0.2", "operator": "le"}, {"name": "Oracle Email Center", "version": "12.2.6", "operator": "le"}, {"name": "Oracle iRecruitment", "version": "12.2.6", "operator": "le"}, {"name": "Oracle Communications Policy Management", "version": "9.7.3", "operator": "le"}, {"name": "Oracle Commerce Guided Search / Oracle Commerce Experience Manager", "version": "11.2", "operator": "le"}, {"name": "RDBMS Programmable Interface", "version": "11.2.0.4", "operator": "le"}, {"name": "Oracle iStore", "version": "12.1.3", "operator": "le"}, {"name": "Oracle Commerce Guided Search / Oracle Commerce Experience Manager", "version": "6.5.1", "operator": "le"}, {"name": "Oracle FLEXCUBE Private Banking", "version": "12.0.2", "operator": "le"}, {"name": "Oracle iStore", "version": "12.2.3", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.1", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.3.5", "operator": "le"}, {"name": "Oracle FLEXCUBE Universal Banking", "version": "12.2.0", "operator": "le"}, {"name": "Oracle WebLogic Server", "version": "12.1.3.0", "operator": "le"}, {"name": "Oracle One-to-One Fulfillment", "version": "12.2.3", "operator": "le"}, {"name": "Oracle Commerce Guided Search / Oracle Commerce Experience Manager", "version": "3.1.1", "operator": "le"}, {"name": "Secure Global Desktop", "version": "4.7", "operator": "le"}, {"name": "Oracle Agile Engineering Data Management", "version": "6.2.0.0", "operator": "le"}, {"name": "Oracle Retail Returns Management", "version": "13.3", "operator": "le"}, {"name": "Oracle Commerce Guided Search / Oracle Commerce Experience Manager", "version": "3.1.2", "operator": "le"}, {"name": "Solaris Cluster", "version": "4.3", "operator": "le"}, {"name": "Oracle One-to-One Fulfillment", "version": "12.2.5", "operator": "le"}, {"name": "Oracle FLEXCUBE Private Banking", "version": "12.0.0", "operator": "le"}, {"name": "PeopleSoft Enterprise PeopleTools", "version": "8.54", "operator": "le"}, {"name": "Oracle Retail Clearance Optimization Engine", "version": "13.4", "operator": "le"}, {"name": "JD Edwards EnterpriseOne Tools", "version": "9.1", "operator": "le"}, {"name": "Oracle Commerce Service Center", "version": "10.0.3.5", "operator": "le"}, {"name": "Oracle Advanced Supply Chain Planning", "version": "12.2.5", "operator": "le"}, {"name": "RDBMS Security and SQL*Plus", "version": "11.2.0.4", "operator": "le"}, {"name": "Oracle Web Services", "version": "11.1.1.7.0", "operator": "le"}, {"name": "Oracle CRM Technical Foundation", "version": "12.2.6", "operator": "le"}, {"name": "Oracle iProcurement", "version": "12.2.4", "operator": "le"}, {"name": "RDBMS Security and SQL*Plus", "version": "12.1.0.2", "operator": "le"}, {"name": "Oracle FLEXCUBE Enterprise Limits and Collateral Management", "version": "12.0.0", "operator": "le"}, {"name": "Oracle Retail Central Office", "version": "14.1", "operator": "le"}, {"name": "Oracle Web Services", "version": "12.2.1.0.0", "operator": "le"}, {"name": "Oracle Agile PLM", "version": "9.3.4", "operator": "le"}, {"name": "Java SE", "version": "6u121", "operator": "le"}, {"name": "Siebel UI Framework", "version": "16.1", "operator": "le"}, {"name": "Oracle Shipping Execution", "version": "12.2.3", "operator": "le"}, {"name": "Primavera P6 Enterprise Project Portfolio Management", "version": "8.4", "operator": "le"}, {"name": "Oracle Retail Clearance Optimization Engine", "version": "14.0", "operator": "le"}, {"name": "Oracle Application Testing Suite", "version": "12.5.0.3", "operator": "le"}, {"name": "Enterprise Manager", "version": "12.2.2", "operator": "le"}, {"name": "Oracle iRecruitment", "version": "12.1.2", "operator": "le"}, {"name": "Oracle WebCenter Sites", "version": "12.2.1.2.0", "operator": "le"}, {"name": "Oracle VM VirtualBox", "version": "5.0.28", "operator": "le"}, {"name": "Oracle FLEXCUBE Private Banking", "version": "2.2.0", "operator": "le"}, {"name": "Oracle Interaction Center Intelligence", "version": "12.1.2", "operator": "le"}, {"name": "Oracle Enterprise Communications Broker", "version": "2.0.0m4p5", "operator": "le"}, {"name": "Oracle Commerce Guided Search", "version": "6.5.2", "operator": "le"}, {"name": "Solaris", "version": "10", "operator": "le"}, {"name": "Enterprise Manager", "version": "12.3.2", "operator": "le"}, {"name": "Oracle Advanced Pricing", "version": "12.2.3", "operator": "le"}, {"name": "MySQL Server", "version": "5.7.13", "operator": "le"}, {"name": "Oracle Commerce Guided Search / Oracle Commerce Experience Manager", "version": "6.5.0", "operator": "le"}, {"name": "Oracle Common Applications Calendar", "version": "12.1.3", "operator": "le"}, {"name": "Oracle FLEXCUBE Private Banking", "version": "2.0.1", "operator": "le"}, {"name": "Oracle iProcurement", "version": "12.2.6", "operator": "le"}, {"name": "Oracle Hospitality OPERA 5 Property Services", "version": "5.4.0.0", "operator": "le"}, {"name": "Oracle FLEXCUBE Private Banking", "version": "2.0.0", "operator": "le"}, {"name": "Oracle Outside In Technology", "version": "8.4.0", "operator": "le"}, {"name": "Oracle FLEXCUBE Investor Servicing", "version": "12.0.1", "operator": "le"}, {"name": "MICROS XBR", "version": "7.0.4", "operator": "le"}, {"name": "Oracle Interaction Center Intelligence", "version": "12.1.3", "operator": "le"}, {"name": "Oracle iRecruitment", "version": "12.2.4", "operator": "le"}, {"name": "Oracle Agile Product Lifecycle Management for Process", "version": "6.2.0.0", "operator": "le"}, {"name": "Oracle Email Center", "version": "12.1.2", "operator": "le"}, {"name": "Oracle Hospitality OPERA 5 Property Services", "version": "5.5.0.0", "operator": "le"}, {"name": "Oracle Big Data Discovery", "version": "1.2.0", "operator": "le"}, {"name": "Oracle Commerce Guided Search / Oracle Commerce Experience Manager", "version": "6.2.2", "operator": "le"}, {"name": "Kernel PDB", "version": "12.1.0.2", "operator": "le"}, {"name": "Java SE", "version": "8u102", "operator": "le"}, {"name": "Oracle Hospitality OPERA 5 Property Services", "version": "5.5.1.0", "operator": "le"}, {"name": "Oracle iProcurement", "version": "12.1.1", "operator": "le"}, {"name": "Oracle Application Testing Suite", "version": "12.5.0.2", "operator": "le"}, {"name": "Oracle Data Integrator", "version": "12.1.2.0.0", "operator": "le"}, {"name": "BI Publisher (formerly XML Publisher)", "version": "11.1.1.7.0", "operator": "le"}, {"name": "OJVM", "version": "11.2.0.4", "operator": "le"}, {"name": "Oracle Shipping Execution", "version": "12.2.4", "operator": "le"}, {"name": "Oracle FLEXCUBE Universal Banking", "version": "12.87.1", "operator": "le"}, {"name": "Oracle Platform Security for Java", "version": "12.1.3.0.0", "operator": "le"}, {"name": "Oracle Commerce Guided Search / Oracle Commerce Experience Manager", "version": "11.0", "operator": "le"}, {"name": "Oracle iProcurement", "version": "12.2.3", "operator": "le"}, {"name": "Oracle Commerce Platform", "version": "10.0.3.5", "operator": "le"}, {"name": "Oracle Data Integrator", "version": "11.1.1.9.0", "operator": "le"}, {"name": "PeopleSoft Enterprise SCM Services Procurement", "version": "9.2", "operator": "le"}, {"name": "Oracle Email Center", "version": "12.2.4", "operator": "le"}, {"name": "Oracle Retail Central Office", "version": "13.4", "operator": "le"}, {"name": "Oracle Retail Central Office", "version": "13.2", "operator": "le"}, {"name": "NetBeans", "version": "8.1", "operator": "le"}, {"name": "Primavera P6 Professional Project Management", "version": "15.x", "operator": "le"}, {"name": "Oracle Advanced Supply Chain Planning", "version": "12.2.3", "operator": "le"}, {"name": "Oracle Commerce Platform", "version": "10.2.0.5", "operator": "le"}, {"name": "Oracle Financial Services Analytical Applications Infrastructure", "version": "8.0.3", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.3.3", "operator": "le"}, {"name": "Oracle Retail Returns Management", "version": "14.0", "operator": "le"}, {"name": "Oracle FLEXCUBE Universal Banking", "version": "11.3.0", "operator": "le"}, {"name": "Oracle Financial Services Analytical Applications Infrastructure", "version": "7.3.5", "operator": "le"}, {"name": "Oracle WebCenter Sites", "version": "12.2.1.1.0", "operator": "le"}, {"name": "Oracle Business Intelligence Enterprise Edition", "version": "12.2.1.1.0", "operator": "le"}, {"name": "Oracle Common Applications Calendar", "version": "12.2.5", "operator": "le"}, {"name": "Oracle FLEXCUBE Enterprise Limits and Collateral Management", "version": "12.1.0", "operator": "le"}, {"name": "Oracle Email Center", "version": "12.2.5", "operator": "le"}, {"name": "Oracle Commerce Platform", "version": "11.2.0.1", "operator": "le"}, {"name": "Oracle Advanced Pricing", "version": "12.2.6", "operator": "le"}, {"name": "Oracle FLEXCUBE Universal Banking", "version": "12.0.1", "operator": "le"}, {"name": "Oracle CRM Technical Foundation", "version": "12.2.3", "operator": "le"}, {"name": "Oracle Shipping Execution", "version": "12.1.1", "operator": "le"}, {"name": "Oracle Discoverer", "version": "11.1.1.7.0", "operator": "le"}, {"name": "Oracle Advanced Pricing", "version": "12.1.3", "operator": "le"}, {"name": "Oracle One-to-One Fulfillment", "version": "12.2.6", "operator": "le"}, {"name": "PeopleSoft Enterprise SCM Services Procurement", "version": "9.1", "operator": "le"}, {"name": "RDBMS Security", "version": "12.1.0.2", "operator": "le"}, {"name": "Oracle FLEXCUBE Universal Banking", "version": "12.87.2", "operator": "le"}, {"name": "Oracle Financial Services Analytical Applications Infrastructure", "version": "8.0.1", "operator": "le"}, {"name": "Oracle Interaction Center Intelligence", "version": "12.1.1", "operator": "le"}, {"name": "Oracle Agile Product Lifecycle Management for Process", "version": "6.1.0.4", "operator": "le"}, {"name": "Oracle Commerce Guided Search", "version": "6.2.2", "operator": "le"}, {"name": "BI Publisher (formerly XML Publisher)", "version": "12.2.1.0.0", "operator": "le"}, {"name": "Oracle FLEXCUBE Private Banking", "version": "12.0.3", "operator": "le"}, {"name": "Oracle Web Services", "version": "11.1.1.9.0", "operator": "le"}, {"name": "Oracle Big Data Discovery", "version": "1.1.1", "operator": "le"}, {"name": "Sun Ray Operating Software", "version": "11.1.7", "operator": "le"}, {"name": "Oracle Commerce Guided Search", "version": "6.5.0", "operator": "le"}, {"name": "Sun ZFS Storage Appliance Kit (AK)", "version": "2013", "operator": "le"}, {"name": "Oracle Agile PLM", "version": "9.3.5", "operator": "le"}, {"name": "Oracle Retail Clearance Optimization Engine", "version": "13.2", "operator": "le"}, {"name": "Oracle WebLogic Server", "version": "12.2.1.1", "operator": "le"}, {"name": "Oracle Retail Central Office", "version": "14.0", "operator": "le"}, {"name": "Primavera P6 Enterprise Project Portfolio Management", "version": "15.x", "operator": "le"}, {"name": "Oracle Hospitality OPERA 5 Property Services", "version": "5.4.1.0", "operator": "le"}, {"name": "Oracle Commerce Service Center", "version": "10.2.0.5", "operator": "le"}, {"name": "Oracle Agile Engineering Data Management", "version": "6.1.3.0", "operator": "le"}, {"name": "Oracle Enterprise Session Border Controller", "version": "7.3m1p4", "operator": "le"}, {"name": "MySQL Server", "version": "5.7.12", "operator": "le"}, {"name": "Oracle Business Intelligence Enterprise Edition", "version": "11.1.1.9.0", "operator": "le"}, {"name": "Oracle Data Integrator", "version": "11.1.1.7.0", "operator": "le"}, {"name": "Oracle Agile Product Lifecycle Management for Process", "version": "6.1.1.6", "operator": "le"}, {"name": "PeopleSoft Enterprise HCM", "version": "9.2", "operator": "le"}, {"name": "Oracle Financial Services Analytical Applications Infrastructure", "version": "7.3.4", "operator": "le"}, {"name": "Oracle Retail Central Office", "version": "13.1", "operator": "le"}, {"name": "MySQL Connector", "version": "2.0.4", "operator": "le"}, {"name": "Oracle iProcurement", "version": "12.1.3", "operator": "le"}, {"name": "Oracle Hospitality OPERA 5 Property Services", "version": "5.4.2.0", "operator": "le"}, {"name": "Oracle Web Services", "version": "12.1.3.0.0", "operator": "le"}, {"name": "Oracle WebLogic Server", "version": "10.3.6.0", "operator": "le"}, {"name": "Oracle GlassFish Server", "version": "3.0.1", "operator": "le"}, {"name": "Oracle iStore", "version": "12.1.2", "operator": "le"}, {"name": "Oracle VM VirtualBox", "version": "5.1.4", "operator": "le"}, {"name": "Oracle Banking Digital Experience", "version": "15.1", "operator": "le"}, {"name": "MySQL Server", "version": "5.5.50", "operator": "le"}, {"name": "Oracle iProcurement", "version": "12.1.2", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.3.1", "operator": "le"}, {"name": "Oracle Retail Customer Insights", "version": "15.0", "operator": "le"}, {"name": "Oracle Retail Central Office", "version": "13.0", "operator": "le"}, {"name": "Oracle Business Intelligence Enterprise Edition", "version": "11.1.1.7.0", "operator": "le"}, {"name": "Oracle FLEXCUBE Universal Banking", "version": "12.0.2", "operator": "le"}, {"name": "Oracle Communications Policy Management", "version": "12.1.1", "operator": "le"}, {"name": "Oracle iStore", "version": "12.1.1", "operator": "le"}, {"name": "MySQL Server", "version": "5.7.15", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.3.0", "operator": "le"}, {"name": "Oracle Communications Policy Management", "version": "10.4.1", "operator": "le"}, {"name": "Enterprise Manager Base Platform", "version": "12.1.0.5", "operator": "le"}, {"name": "Oracle Retail Back Office", "version": "13.2", "operator": "le"}, {"name": "Solaris Cluster", "version": "3.3", "operator": "le"}, {"name": "Oracle Insurance IStream", "version": "4.3.2", "operator": "le"}, {"name": "Oracle Life Sciences Data Hub", "version": "2.x", "operator": "le"}, {"name": "Oracle Customer Interaction History", "version": "12.1.1", "operator": "le"}, {"name": "Oracle iPlanet Web Server", "version": "7.0", "operator": "le"}, {"name": "Oracle Advanced Pricing", "version": "12.2.5", "operator": "le"}, {"name": "Oracle FLEXCUBE Universal Banking", "version": "12.0.3", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.3.7", "operator": "le"}, {"name": "Oracle Big Data Discovery", "version": "1.1.3", "operator": "le"}, {"name": "Oracle Applications DBA", "version": "12.2.6", "operator": "le"}, {"name": "Oracle Retail Xstore Point of Service", "version": "5.0", "operator": "le"}, {"name": "MICROS XBR", "version": "7.0.2", "operator": "le"}, {"name": "Oracle FLEXCUBE Core Banking", "version": "11.6.0.0.0", "operator": "le"}, {"name": "Oracle Outside In Technology", "version": "8.5.3", "operator": "le"}, {"name": "Oracle Customer Interaction History", "version": "12.1.2", "operator": "le"}, {"name": "Oracle Applications DBA", "version": "12.1.3", "operator": "le"}, {"name": "Oracle VM VirtualBox", "version": "5.1.8", "operator": "le"}, {"name": "Oracle Commerce Guided Search", "version": "6.5.1", "operator": "le"}, {"name": "Big Data Graph", "version": "1.2", "operator": "le"}, {"name": "Oracle Retail Merchandising Insights", "version": "15.0", "operator": "le"}, {"name": "Oracle CRM Technical Foundation", "version": "12.1.1", "operator": "le"}, {"name": "Oracle Financial Services Analytical Applications Infrastructure", "version": "7.3.1", "operator": "le"}, {"name": "Oracle Retail Xstore Point of Service", "version": "7.0", "operator": "le"}, {"name": "Oracle Common Applications Calendar", "version": "12.1.2", "operator": "le"}, {"name": "Oracle Commerce Guided Search", "version": "6.3.0", "operator": "le"}, {"name": "Oracle One-to-One Fulfillment", "version": "12.1.1", "operator": "le"}, {"name": "Oracle One-to-One Fulfillment", "version": "12.1.3", "operator": "le"}, {"name": "Oracle Retail Returns Management", "version": "13.2", "operator": "le"}, {"name": "Oracle Retail Xstore Point of Service", "version": "7.1", "operator": "le"}, {"name": "Java SE, Java SE Embedded", "version": "8u102", "operator": "le"}, {"name": "Oracle Retail Xstore Point of Service", "version": "5.5", "operator": "le"}, {"name": "Oracle Common Applications Calendar", "version": "12.2.6", "operator": "le"}, {"name": "Oracle GlassFish Server", "version": "3.1.2", "operator": "le"}, {"name": "Solaris", "version": "11.3", "operator": "le"}, {"name": "Oracle Retail Back Office", "version": "13.4", "operator": "le"}, {"name": "Oracle Commerce Guided Search / Oracle Commerce Experience Manager", "version": "11.1", "operator": "le"}, {"name": "Oracle One-to-One Fulfillment", "version": "12.1.2", "operator": "le"}, {"name": "Oracle One-to-One Fulfillment", "version": "12.2.4", "operator": "le"}, {"name": "Oracle Financial Services Analytical Applications Infrastructure", "version": "8.0.2", "operator": "le"}, {"name": "Oracle Data Integrator", "version": "12.2.1.1.0", "operator": "le"}, {"name": "Enterprise Manager", "version": "12.1.4", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.3.2", "operator": "le"}], "cvelist": ["CVE-2016-5606", "CVE-2016-5540", "CVE-2016-5630", "CVE-2016-5594", "CVE-2016-5575", "CVE-2016-5609", "CVE-2015-5351", "CVE-2016-8294", "CVE-2016-5565", "CVE-2016-5591", "CVE-2015-1792", "CVE-2016-5498", "CVE-2016-5624", "CVE-2016-5555", "CVE-2014-9296", "CVE-2015-0235", "CVE-2015-1793", "CVE-2016-1546", "CVE-2016-5560", "CVE-2016-5611", "CVE-2014-7809", "CVE-2016-3492", "CVE-2016-5612", "CVE-2015-3197", "CVE-2016-5602", "CVE-2016-5487", "CVE-2016-5505", "CVE-2016-5608", "CVE-2016-5625", "CVE-2016-6306", "CVE-2016-5619", "CVE-2016-5568", "CVE-2016-6663", "CVE-2015-1789", "CVE-2016-5527", "CVE-2016-2183", "CVE-2014-0227", "CVE-2016-5481", "CVE-2016-5518", "CVE-2016-8281", "CVE-2016-5631", "CVE-2015-0286", "CVE-2016-2178", "CVE-2016-8288", "CVE-2016-5635", "CVE-2016-5497", "CVE-2015-2568", "CVE-2016-5486", "CVE-2016-5628", "CVE-2015-3195", "CVE-2016-4979", "CVE-2016-5617", "CVE-2016-5621", "CVE-2016-3473", "CVE-2016-5521", "CVE-2016-5543", "CVE-2016-5585", "CVE-2016-5488", "CVE-2016-0714", "CVE-2014-3571", "CVE-2016-8292", "CVE-2016-5588", "CVE-2016-5559", "CVE-2016-5599", "CVE-2016-5539", "CVE-2016-5514", "CVE-2016-5479", "CVE-2016-6302", "CVE-2016-5504", "CVE-2016-6664", "CVE-2016-3551", "CVE-2016-5499", "CVE-2016-2177", "CVE-2016-5604", "CVE-2016-5574", "CVE-2014-9294", "CVE-2010-5312", "CVE-2014-0224", "CVE-2016-5616", "CVE-2016-8296", "CVE-2016-0635", "CVE-2016-2105", "CVE-2016-5557", "CVE-2016-5569", "CVE-2016-2107", "CVE-2016-5553", "CVE-2015-7501", "CVE-2016-5610", "CVE-2016-5577", "CVE-2015-3253", "CVE-2014-9295", "CVE-2016-6307", "CVE-2016-3562", "CVE-2016-1182", "CVE-2016-5566", "CVE-2016-5576", "CVE-2016-5582", "CVE-2016-0763", "CVE-2016-5493", "CVE-2016-5615", "CVE-2016-8285", "CVE-2016-6308", "CVE-2016-5633", "CVE-2016-2180", "CVE-2016-5534", "CVE-2016-5542", "CVE-2016-5513", "CVE-2016-5571", "CVE-2016-5567", "CVE-2016-5597", "CVE-2016-5525", "CVE-2016-8295", "CVE-2014-0099", "CVE-2016-5627", "CVE-2014-2532", "CVE-2016-5500", "CVE-2016-8287", "CVE-2016-2109", "CVE-2016-3505", "CVE-2016-2181", "CVE-2014-0119", "CVE-2016-6304", "CVE-2016-5482", "CVE-2016-5522", "CVE-2014-0114", "CVE-2016-5529", "CVE-2013-4322", "CVE-2016-5515", "CVE-2016-6662", "CVE-2014-0050", "CVE-2016-5595", "CVE-2013-2067", "CVE-2015-0500", "CVE-2016-5596", "CVE-2013-4286", "CVE-2016-1881", "CVE-2015-0382", "CVE-2099-1234", "CVE-2016-5587", "CVE-2016-5480", "CVE-2016-5600", "CVE-2016-5491", "CVE-2016-5586", "CVE-2016-5519", "CVE-2016-5605", "CVE-2015-1788", "CVE-2016-5632", "CVE-2016-5511", "CVE-2016-5578", "CVE-2016-5562", "CVE-2016-5489", "CVE-2016-7052", "CVE-2016-5490", "CVE-2016-5533", "CVE-2013-4590", "CVE-2016-5626", "CVE-2016-5583", "CVE-2016-5556", "CVE-2016-1950", "CVE-2016-5607", "CVE-2016-8291", "CVE-2016-0706", "CVE-2016-5492", "CVE-2012-1007", "CVE-2016-5570", "CVE-2016-5516", "CVE-2016-8283", "CVE-2016-5507", "CVE-2016-5537", "CVE-2016-5584", "CVE-2016-5598", "CVE-2015-0409", "CVE-2016-1181", "CVE-2013-2566", "CVE-2015-0423", "CVE-2014-0096", "CVE-2016-5508", "CVE-2016-2176", "CVE-2016-5524", "CVE-2015-1790", "CVE-2016-5510", "CVE-2014-0075", "CVE-2013-4444", "CVE-2016-6305", "CVE-2016-5530", "CVE-2016-5580", "CVE-2016-6303", "CVE-2016-5538", "CVE-2015-1351", "CVE-2016-5523", "CVE-2016-5613", "CVE-2016-5618", "CVE-2016-5601", "CVE-2016-2182", "CVE-2016-5554", "CVE-2016-5535", "CVE-2015-0433", "CVE-2016-8293", "CVE-2016-5589", "CVE-2016-5581", "CVE-2016-5531", "CVE-2016-5620", "CVE-2016-5495", "CVE-2016-5573", "CVE-2016-5564", "CVE-2016-5592", "CVE-2016-5532", "CVE-2015-7940", "CVE-2016-5526", "CVE-2016-5603", "CVE-2016-5517", "CVE-2016-5501", "CVE-2016-5502", "CVE-2016-5634", "CVE-2016-5512", "CVE-2016-5579", "CVE-2016-5561", "CVE-2016-8284", "CVE-2016-5593", "CVE-2016-8290", "CVE-2016-3081", "CVE-2016-2179", "CVE-2016-5503", "CVE-2016-2106", "CVE-2016-7440", "CVE-2016-5558", "CVE-2015-4852", "CVE-2014-9293", "CVE-2016-5536", "CVE-2015-1791", "CVE-2016-5563", "CVE-2016-8289", "CVE-2016-8286", "CVE-2016-6309", "CVE-2016-5572", "CVE-2016-5622", "CVE-2016-5629", "CVE-2016-5506", "CVE-2016-3495", "CVE-2016-5544", "CVE-2015-0411", "CVE-2015-0381"], "modified": "2016-11-21T00:00:00", "id": "ORACLE:CPUOCT2016-2881722", "href": "", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T04:13:49", "references": [], "description": "A Critical Patch Update is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security fixes. Please refer to:\n\n \n\n * [Critical Patch Updates, Security Alerts and Bulletins](<http://www.oracle.com/securityalerts>) for information about Oracle Security Advisories.\n\n \n\n**Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released fixes. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes without delay.**\n\nThis Critical Patch Update contains 255 new security fixes across the product families listed below. Please note that an MOS note summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at [ April 2018 Critical Patch Update: Executive Summary and Analysis](<https://support.oracle.com/rs?type=doc&id=2383583.1>).\n\nThe January 2018 Critical Patch Update provided patches in response to the Spectre (CVE-2017-5753, CVE-2017-5715) and Meltdown (CVE-2017-5754) processor vulnerabilities. Please refer to this Advisory and the Addendum to the January 2018 Critical Patch Update Advisory for Spectre and Meltdown MOS note ([Doc ID 2347948.1](<https://support.oracle.com/rs?type=doc&id=2347948.1>)) for information on how to obtain these patches.\n", "edition": 5, "reporter": "Oracle", "published": "2018-04-17T00:00:00", "title": "Oracle Critical Patch Update - April 2018", "type": "oracle", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "software", "affectedSoftware": [{"name": "Primavera P6 Enterprise Project Portfolio Management", "version": "17.1", "operator": "le"}, {"name": "Oracle Communications Contacts Server", "version": "8.x", "operator": "le"}, {"name": "MySQL Enterprise Monitor", "version": "3.3.7.3306", "operator": "le"}, {"name": "Enterprise Manager Ops Center", "version": "12.2.2", "operator": "le"}, {"name": "Oracle Access Manager", "version": "10.1.4.3.0", "operator": "le"}, {"name": "Oracle Financial Services Analytical Applications Infrastructure", "version": "7.3.x", "operator": "le"}, {"name": "Oracle Retail Price Management", "version": "13.2", "operator": "le"}, {"name": "Oracle Retail Order Broker", "version": "16.0", "operator": "le"}, {"name": "Oracle Retail Insights", "version": "14.0", "operator": "le"}, {"name": "Oracle FLEXCUBE Universal Banking", "version": "12.3.0", "operator": "le"}, {"name": "Oracle Banking Corporate Lending", "version": "14.0.0", "operator": "le"}, {"name": "Oracle Human Resources", "version": "12.2.7", "operator": "le"}, {"name": "Oracle Hospitality Reporting and Analytics", "version": "9.0", "operator": "le"}, {"name": "Java SE, Java SE Embedded", "version": "6u181", "operator": "le"}, {"name": "Oracle WebCenter Sites", "version": "11.1.1.8.0", "operator": "le"}, {"name": "Oracle Hospitality Guest Access", "version": "4.2.0", "operator": "le"}, {"name": "Oracle WebLogic Portal", "version": "10.3.6.0.0", "operator": "le"}, {"name": "Oracle Utilities Framework", "version": "4.2.0", "operator": "le"}, {"name": "Oracle Retail Price Management", "version": "15.0", "operator": "le"}, {"name": "Java SE, Java SE Embedded, JRockit", "version": "10", "operator": "le"}, {"name": "MySQL Server", "version": "5.6.39", "operator": "le"}, {"name": "Oracle Financial Services Basel Regulatory Capital Internal Ratings Based Approach", "version": "8.0.x", "operator": "le"}, {"name": "Siebel Core - Server Framework", "version": "17.0", "operator": "le"}, {"name": "Java SE, Java SE Embedded, JRockit", "version": "8u152", "operator": "le"}, {"name": "Oracle Security Service", "version": "11.1.1.9.0", "operator": "le"}, {"name": "Sun ZFS Storage Appliance Kit (AK)", "version": "8.7.17", "operator": "le"}, {"name": "Oracle Retail Point-of-Service", "version": "13.4.9", "operator": "le"}, {"name": "Oracle Hospitality Simphony", "version": "2.9", "operator": "le"}, {"name": "Oracle Endeca Information Discovery Studio", "version": "7.6.1.0.0", "operator": "le"}, {"name": "Oracle Banking Platform", "version": "2.6", "operator": "le"}, {"name": "Oracle Retail Store Inventory Management", "version": "13.0.7", "operator": "le"}, {"name": "Oracle Application Object Library", "version": "12.2.3", "operator": "le"}, {"name": "Oracle Banking Enterprise Product Manufacturing", "version": "2.6", "operator": "le"}, {"name": "Oracle Retail Back Office", "version": "13.4.9", "operator": "le"}, {"name": "Java VM", "version": "11.2.0.4", "operator": "le"}, {"name": "Oracle Financial Services Analytical Applications Infrastructure", "version": "8.0.x", "operator": "le"}, {"name": "Oracle Application Testing Suite", "version": "13.1.0.1", "operator": "le"}, {"name": "Oracle Retail Insights", "version": "16.0", "operator": "le"}, {"name": "Java SE, JRockit", "version": "7u171", "operator": "le"}, {"name": "Oracle Retail Store Inventory Management", "version": "15.0.2", "operator": "le"}, {"name": "Enterprise Manager Ops Center", "version": "12.3.3", "operator": "le"}, {"name": "Oracle Retail Price Management", "version": "13.0", "operator": "le"}, {"name": "Oracle Retail Order Management System", "version": "4.7", "operator": "le"}, {"name": "Oracle Retail Point-of-Service", "version": "14.1.3", "operator": "le"}, {"name": "Oracle Financial Services Market Risk Measurement and Management", "version": "8.0.5", "operator": "le"}, {"name": "Oracle Retail Insights", "version": "14.1", "operator": "le"}, {"name": "Oracle HTTP Server", "version": "12.1.3", "operator": "le"}, {"name": "Oracle Hospitality Guest Access", "version": "4.2.1", "operator": "le"}, {"name": "Oracle Business Intelligence Enterprise Edition", "version": "12.2.1.2.0", "operator": "le"}, {"name": "Java SE, Java SE Embedded, JRockit", "version": "6u181", "operator": "le"}, {"name": "Oracle Endeca Server", "version": "7.7", "operator": "le"}, {"name": "Oracle VM VirtualBox", "version": "5.2.10", "operator": "le"}, {"name": "Oracle Fusion Middleware MapViewer", "version": "11.1.1.7.0", "operator": "le"}, {"name": "Oracle WebCenter Portal", "version": "12.2.1.3.0", "operator": "le"}, {"name": "Oracle General Ledger", "version": "12.1.1", "operator": "le"}, {"name": "Oracle Business Intelligence Enterprise Edition", "version": "12.2.1.3.0", "operator": "le"}, {"name": "Oracle Retail Order Broker", "version": "15.0", "operator": "le"}, {"name": "PeopleSoft Enterprise PeopleTools", "version": "8.55", "operator": "le"}, {"name": "Oracle VM VirtualBox", "version": "5.1.36", "operator": "le"}, {"name": "Java SE, Java SE Embedded, JRockit", "version": "8u162", "operator": "le"}, {"name": "Oracle Hospitality Simphony", "version": "2.8", "operator": "le"}, {"name": "Oracle Banking Enterprise Collections", "version": "2.6", "operator": "le"}, {"name": "PeopleSoft Enterprise HCM Shared Components", "version": "9.2", "operator": "le"}, {"name": "Oracle FLEXCUBE Investor Servicing", "version": "12.0.4", "operator": "le"}, {"name": "Oracle Retail Integration Bus", "version": "13.2", "operator": "le"}, {"name": "Oracle Banking Corporate Lending", "version": "12.5.0", "operator": "le"}, {"name": "Oracle FLEXCUBE Universal Banking", "version": "12.1.0", "operator": "le"}, {"name": "Oracle Retail Store Inventory Management", "version": "13.2.9", "operator": "le"}, {"name": "Oracle FLEXCUBE Private Banking", "version": "12.1.0", "operator": "le"}, {"name": "Oracle Retail Invoice Matching", "version": "13.1", "operator": "le"}, {"name": "Oracle Retail Advanced Inventory Planning", "version": "15.0", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.2", "operator": "le"}, {"name": "Oracle Communications Network Charging and Control", "version": "5.0.0.1.0", "operator": "le"}, {"name": "Oracle Retail EFTLink", "version": "16.0.2", "operator": "le"}, {"name": "Primavera Unifier", "version": "16.x", "operator": "le"}, {"name": "Oracle Retail Order Broker", "version": "5.1", "operator": "le"}, {"name": "Oracle Application Testing Suite", "version": "13.2.0.1", "operator": "le"}, {"name": "Oracle Agile PLM Framework", "version": "9.3.6", "operator": "le"}, {"name": "Management Pack for Oracle GoldenGate", "version": "11.2.1.0.13", "operator": "le"}, {"name": "JD Edwards World Security", "version": "9.4", "operator": "le"}, {"name": "Oracle FLEXCUBE Investor Servicing", "version": "12.3.0", "operator": "le"}, {"name": "Oracle Retail Order Management System", "version": "4.5", "operator": "le"}, {"name": "Oracle General Ledger", "version": "12.2.7", "operator": "le"}, {"name": "Oracle FLEXCUBE Investor Servicing", "version": "12.1.0", "operator": "le"}, {"name": "Java SE, Java SE Embedded", "version": "10", "operator": "le"}, {"name": "Integrated Lights Out Manager (ILOM)", "version": "4.x", "operator": "le"}, {"name": "Oracle General Ledger", "version": "12.2.5", "operator": "le"}, {"name": "Oracle WebCenter Content", "version": "12.2.1.2.0", "operator": "le"}, {"name": "MySQL Cluster", "version": "7.3.16", "operator": "le"}, {"name": "Oracle Communications EAGLE LNP Application Processor", "version": "10.1.0.0.0", "operator": "le"}, {"name": "Oracle Retail Advanced Inventory Planning", "version": "14.1", "operator": "le"}, {"name": "Oracle Communications Network Charging and Control", "version": "5.0.0.2.0", "operator": "le"}, {"name": "Oracle WebCenter Content", "version": "12.2.1.3.0", "operator": "le"}, {"name": "Oracle Security Service", "version": "12.2.1.2.0", "operator": "le"}, {"name": "Oracle Enterprise Repository", "version": "11.1.1.7.0", "operator": "le"}, {"name": "Oracle Retail Order Management System", "version": "4.0", "operator": "le"}, {"name": "Oracle Secure Global Desktop (SGD)", "version": "5.3", "operator": "le"}, {"name": "Oracle FLEXCUBE Universal Banking", "version": "11.4.0", "operator": "le"}, {"name": "Oracle Business Intelligence Data Warehouse Administration Console", "version": "11.1.1.6.4", "operator": "le"}, {"name": "Oracle Tuxedo", "version": "12.1.1.0.0", "operator": "le"}, {"name": "Java SE", "version": "8u162", "operator": "le"}, {"name": "PeopleSoft Enterprise PeopleTools", "version": "8.56", "operator": "le"}, {"name": "Oracle Human Resources", "version": "12.1.2", "operator": "le"}, {"name": "Enterprise Manager Base Platform", "version": "13.2.0.0", "operator": "le"}, {"name": "JD Edwards EnterpriseOne Tools", "version": "9.2.2", "operator": "le"}, {"name": "Oracle Human Resources", "version": "12.2.6", "operator": "le"}, {"name": "Oracle Communications Order and Service Management", "version": "7.3.5.0.x", "operator": "le"}, {"name": "Oracle FLEXCUBE Investor Servicing", "version": "12.4.0", "operator": "le"}, {"name": "Oracle FLEXCUBE Universal Banking", "version": "12.2.0", "operator": "le"}, {"name": "Oracle Managed File Transfer", "version": "12.2.1.3.0", "operator": "le"}, {"name": "Oracle Mobile Security Suite", "version": "3.0.1", "operator": "le"}, {"name": "Java SE, JRockit", "version": "8u162", "operator": "le"}, {"name": "Oracle General Ledger", "version": "12.2.3", "operator": "le"}, {"name": "Oracle WebLogic Server", "version": "12.1.3.0", "operator": "le"}, {"name": "Java SE, JRockit", "version": "6u181", "operator": "le"}, {"name": "Oracle Banking Platform", "version": "2.5", "operator": "le"}, {"name": "Oracle Retail Invoice Matching", "version": "16.0", "operator": "le"}, {"name": "Oracle HTTP Server", "version": "12.2.1.2", "operator": "le"}, {"name": "Solaris Cluster", "version": "4.3", "operator": "le"}, {"name": "Oracle Retail Invoice Matching", "version": "12.0", "operator": "le"}, {"name": "Oracle FLEXCUBE Private Banking", "version": "12.0.0", "operator": "le"}, {"name": "Oracle Retail Central Office", "version": "13.4.9", "operator": "le"}, {"name": "PeopleSoft Enterprise PeopleTools", "version": "8.54", "operator": "le"}, {"name": "Oracle General Ledger", "version": "12.1.3", "operator": "le"}, {"name": "Oracle GoldenGate", "version": "12.2.0.1", "operator": "le"}, {"name": "Oracle Hospitality Simphony First Edition", "version": "1.6", "operator": "le"}, {"name": "Oracle Retail Insights", "version": "15.0", "operator": "le"}, {"name": "Java SE", "version": "10", "operator": "le"}, {"name": "Oracle FLEXCUBE Universal Banking", "version": "14.0.0", "operator": "le"}, {"name": "Oracle Retail Invoice Matching", "version": "13.2", "operator": "le"}, {"name": "Oracle Enterprise Repository", "version": "12.1.3.0.0", "operator": "le"}, {"name": "Oracle Managed File Transfer", "version": "12.2.1.2.0", "operator": "le"}, {"name": "Oracle Banking Corporate Lending", "version": "12.4.0", "operator": "le"}, {"name": "Java VM", "version": "12.1.0.2", "operator": "le"}, {"name": "Oracle Human Resources", "version": "12.2.4", "operator": "le"}, {"name": "Oracle Hospitality Simphony", "version": "2.7", "operator": "le"}, {"name": "Oracle Access Manager", "version": "11.1.2.3.0", "operator": "le"}, {"name": "Oracle General Ledger", "version": "12.2.4", "operator": "le"}, {"name": "Oracle Application Testing Suite", "version": "12.5.0.3", "operator": "le"}, {"name": "Oracle Human Resources", "version": "12.2.3", "operator": "le"}, {"name": "Oracle Retail EFTLink", "version": "1.1.124", "operator": "le"}, {"name": "Oracle Retail Price Management", "version": "13.1", "operator": "le"}, {"name": "Oracle WebCenter Sites", "version": "12.2.1.2.0", "operator": "le"}, {"name": "Oracle Retail Central Office", "version": "14.0.4", "operator": "le"}, {"name": "Oracle Retail Xstore Point of Service", "version": "15.0.1", "operator": "le"}, {"name": "Oracle Communications Unified Inventory Management", "version": "7.x", "operator": "le"}, {"name": "Oracle Endeca Information Discovery Integrator", "version": "3.1", "operator": "le"}, {"name": "Solaris", "version": "10", "operator": "le"}, {"name": "Oracle Utilities Framework", "version": "2.2.0", "operator": "le"}, {"name": "Oracle FLEXCUBE Core Banking", "version": "11.5.0", "operator": "le"}, {"name": "Oracle Retail Returns Management", "version": "2.4.9", "operator": "le"}, {"name": "Oracle Retail Invoice Matching", "version": "14.1", "operator": "le"}, {"name": "Oracle Retail Store Inventory Management", "version": "14.0.4", "operator": "le"}, {"name": "MySQL Cluster", "version": "7.4.14", "operator": "le"}, {"name": "Oracle Retail Returns Management", "version": "14.0.4", "operator": "le"}, {"name": "Oracle Retail Predictive Application Server", "version": "14.0.3", "operator": "le"}, {"name": "Oracle Hospitality Simphony", "version": "2.10", "operator": "le"}, {"name": "Primavera P6 Enterprise Project Portfolio Management", "version": "16.2", "operator": "le"}, {"name": "Oracle Agile Engineering Data Management", "version": "6.2.0", "operator": "le"}, {"name": "MICROS Lucas", "version": "2.9.5", "operator": "le"}, {"name": "Oracle WebCenter Portal", "version": "12.2.1.2.0", "operator": "le"}, {"name": "Oracle Retail Returns Management", "version": "14.1.3", "operator": "le"}, {"name": "Oracle Human Resources", "version": "12.1.1", "operator": "le"}, {"name": "Oracle Agile Product Lifecycle Management for Process", "version": "6.2.0.0", "operator": "le"}, {"name": "Oracle Retail Order Management System", "version": "5.0", "operator": "le"}, {"name": "Oracle Retail Advanced Inventory Planning", "version": "13.2", "operator": "le"}, {"name": "Java SE, JRockit", "version": "28.3.17", "operator": "le"}, {"name": "Oracle Communications Order and Service Management", "version": "7.3.1.0.7", "operator": "le"}, {"name": "Oracle Retail Price Management", "version": "14.1", "operator": "le"}, {"name": "Oracle GoldenGate Veridata", "version": "12.1.3.0.0", "operator": "le"}, {"name": "Oracle Communications Network Charging and Control", "version": "4.4.1.5.0", "operator": "le"}, {"name": "Oracle Retail EFTLink", "version": "15.0.1", "operator": "le"}, {"name": "Oracle Retail Invoice Matching", "version": "15.0", "operator": "le"}, {"name": "Oracle Retail Back Office", "version": "14.1.3", "operator": "le"}, {"name": "Hardware Management Pack", "version": "2.4.3", "operator": "le"}, {"name": "Oracle Access Manager", "version": "12.2.1.3.0", "operator": "le"}, {"name": "Oracle Application Object Library", "version": "12.2.6", "operator": "le"}, {"name": "Oracle Utilities Framework", "version": "4.3.0", "operator": "le"}, {"name": "Oracle WebLogic Server", "version": "12.2.1.3", "operator": "le"}, {"name": "Oracle Retail Order Broker", "version": "5.0", "operator": "le"}, {"name": "Oracle Agile Engineering Data Management", "version": "6.1.3", "operator": "le"}, {"name": "Oracle Retail Xstore Point of Service", "version": "16.0.2", "operator": "le"}, {"name": "Oracle Endeca Information Discovery Studio", "version": "7.7.0.0.0", "operator": "le"}, {"name": "Oracle Communications Network Intelligence", "version": "7.3.x", "operator": "le"}, {"name": "MySQL Server", "version": "5.5.59", "operator": "le"}, {"name": "JD Edwards World Security", "version": "9.3", "operator": "le"}, {"name": "Enterprise Manager for Virtualization", "version": "13.2", "operator": "le"}, {"name": "Oracle Communications Network Charging and Control", "version": "5.0.1.0.0", "operator": "le"}, {"name": "Oracle WebLogic Server", "version": "12.2.1.2", "operator": "le"}, {"name": "Oracle Retail Order Broker", "version": "5.2", "operator": "le"}, {"name": "MICROS Handheld Terminal", "version": "2.03.0.0.021R", "operator": "le"}, {"name": "PeopleSoft Enterprise PT PeopleTools", "version": "8.56", "operator": "le"}, {"name": "Java SE, Java SE Embedded", "version": "8u162", "operator": "le"}, {"name": "Enterprise Manager for MySQL Database", "version": "12.1.0.4", "operator": "le"}, {"name": "Primavera Unifier", "version": "17.x", "operator": "le"}, {"name": "Oracle Retail Xstore Point of Service", "version": "6.5.11", "operator": "le"}, {"name": "Oracle FLEXCUBE Universal Banking", "version": "11.3.0", "operator": "le"}, {"name": "Oracle Retail Central Office", "version": "14.1.3", "operator": "le"}, {"name": "Oracle Retail Store Inventory Management", "version": "13.1.9", "operator": "le"}, {"name": "Instantis EnterpriseTrack", "version": "17.1", "operator": "le"}, {"name": "Java VM", "version": "18.1.0.0", "operator": "le"}, {"name": "Oracle GoldenGate Veridata", "version": "11.2.0.1.2", "operator": "le"}, {"name": "Oracle Retail Price Management", "version": "12.0", "operator": "le"}, {"name": "Oracle Fusion Middleware MapViewer", "version": "11.1.1.9.0", "operator": "le"}, {"name": "Oracle FLEXCUBE Universal Banking", "version": "12.0.1", "operator": "le"}, {"name": "Oracle Application Object Library", "version": "12.2.7", "operator": "le"}, {"name": "Oracle FLEXCUBE Universal Banking", "version": "12.4.0", "operator": "le"}, {"name": "Oracle WebCenter Sites", "version": "12.2.1.3.0", "operator": "le"}, {"name": "Oracle Retail Price Management", "version": "14.0", "operator": "le"}, {"name": "Oracle Retail Price Management", "version": "16.0", "operator": "le"}, {"name": "Oracle Retail Returns Management", "version": "2.3.8", "operator": "le"}, {"name": "Oracle Communications Calendar Server", "version": "8.x", "operator": "le"}, {"name": "Oracle Retail Customer Engagement", "version": "16.0", "operator": "le"}, {"name": "Oracle Data Visualization Desktop", "version": "12.2.4.1.1", "operator": "le"}, {"name": "Oracle Hospitality Suite8", "version": "8.x", "operator": "le"}, {"name": "Oracle FLEXCUBE Enterprise Limits and Collateral Management", "version": "14.0.0", "operator": "le"}, {"name": "Oracle General Ledger", "version": "12.2.6", "operator": "le"}, {"name": "MySQL Server", "version": "5.7.21", "operator": "le"}, {"name": "MySQL Enterprise Monitor", "version": "3.4.5.4248", "operator": "le"}, {"name": "OSS Support Tools", "version": "18.2", "operator": "le"}, {"name": "Oracle Banking Payments", "version": "12.3.0", "operator": "le"}, {"name": "PeopleSoft Enterprise PT PeopleTools", "version": "8.55", "operator": "le"}, {"name": "Oracle Communications MetaSolv Solution", "version": "6.3.0", "operator": "le"}, {"name": "Oracle Retail Point-of-Service", "version": "13.3.8", "operator": "le"}, {"name": "Oracle Agile Product Lifecycle Management for Process", "version": "6.2.1.0", "operator": "le"}, {"name": "Oracle Endeca Information Discovery Integrator", "version": "3.2", "operator": "le"}, {"name": "Oracle Big Data Discovery", "version": "1.6.0", "operator": "le"}, {"name": "Oracle Financial Services Hedge Management and IFRS Valuations", "version": "8.0.4", "operator": "le"}, {"name": "Oracle Managed File Transfer", "version": "12.1.3.0.0", "operator": "le"}, {"name": "Oracle Application Object Library", "version": "12.2.5", "operator": "le"}, {"name": "Oracle FLEXCUBE Core Banking", "version": "11.6.0", "operator": "le"}, {"name": "Oracle FLEXCUBE Enterprise Limits and Collateral Management", "version": "12.3.0", "operator": "le"}, {"name": "Java SE, Java SE Embedded", "version": "7u171", "operator": "le"}, {"name": "Oracle Business Intelligence Enterprise Edition", "version": "11.1.1.9.0", "operator": "le"}, {"name": "Oracle Agile Product Lifecycle Management for Process", "version": "6.1.1.6", "operator": "le"}, {"name": "Oracle General Ledger", "version": "12.1.2", "operator": "le"}, {"name": "Oracle Communications Network Charging and Control", "version": "5.0.2.0.0", "operator": "le"}, {"name": "Oracle Retail Advanced Inventory Planning", "version": "13.4", "operator": "le"}, {"name": "PeopleSoft Enterprise HCM", "version": "9.2", "operator": "le"}, {"name": "MySQL Cluster", "version": "7.5.5", "operator": "le"}, {"name": "Oracle Retail Xstore Point of Service", "version": "7.1.6", "operator": "le"}, {"name": "Oracle Retail Store Inventory Management", "version": "16.0.1", "operator": "le"}, {"name": "Oracle Adaptive Access Manager", "version": "11.1.2.3.0", "operator": "le"}, {"name": "Oracle Banking Payments", "version": "14.0.0", "operator": "le"}, {"name": "Oracle Hospitality Cruise Fleet Management System", "version": "9.x", "operator": "le"}, {"name": "PeopleSoft Enterprise PT PeopleTools", "version": "8.54", "operator": "le"}, {"name": "Oracle WebLogic Server", "version": "10.3.6.0", "operator": "le"}, {"name": "Oracle Retail Invoice Matching", "version": "13.0", "operator": "le"}, {"name": "Integrated Lights Out Manager (ILOM)", "version": "3.x", "operator": "le"}, {"name": "Oracle Security Service", "version": "12.2.1.3.0", "operator": "le"}, {"name": "Oracle Security Service", "version": "12.1.3.0.0", "operator": "le"}, {"name": "Oracle Banking Payments", "version": "12.4.0", "operator": "le"}, {"name": "Java SE, Java SE Embedded, JRockit", "version": "7u171", "operator": "le"}, {"name": "Oracle Communications Order and Service Management", "version": "7.2.4.3.0", "operator": "le"}, {"name": "Oracle Hospitality Simphony First Edition", "version": "1.7", "operator": "le"}, {"name": "MySQL Enterprise Monitor", "version": "4.0.2.5168", "operator": "le"}, {"name": "Oracle Banking Enterprise Originations", "version": "2.6", "operator": "le"}, {"name": "Oracle Business Intelligence Enterprise Edition", "version": "11.1.1.7.0", "operator": "le"}, {"name": "Oracle FLEXCUBE Universal Banking", "version": "12.0.2", "operator": "le"}, {"name": "Oracle Retail Xstore Point of Service", "version": "6.0.11", "operator": "le"}, {"name": "Oracle Retail Predictive Application Server", "version": "13.4.3", "operator": "le"}, {"name": "MySQL Cluster", "version": "7.2.27", "operator": "le"}, {"name": "Oracle Human Resources", "version": "12.2.5", "operator": "le"}, {"name": "Oracle Banking Corporate Lending", "version": "12.3.0", "operator": "le"}, {"name": "Java SE, JRockit", "version": "10", "operator": "le"}, {"name": "Oracle Application Object Library", "version": "12.1.3", "operator": "le"}, {"name": "Oracle Retail Merchandising System", "version": "15.0", "operator": "le"}, {"name": "Java VM", "version": "12.2.0.1", "operator": "le"}, {"name": "Siebel UI Framework", "version": "17.0", "operator": "le"}, {"name": "Enterprise Manager Base Platform", "version": "12.1.0.5", "operator": "le"}, {"name": "Oracle Financial Services Basel Regulatory Capital Basic", "version": "8.0.x", "operator": "le"}, {"name": "Oracle Financial Services Hedge Management and IFRS Valuations", "version": "8.0.5", "operator": "le"}, {"name": "Oracle Retail Store Inventory Management", "version": "14.1.3", "operator": "le"}, {"name": "PeopleSoft Enterprise PRTL Interaction Hub", "version": "9.1", "operator": "le"}, {"name": "Oracle Banking Platform", "version": "2.4", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.4.3", "operator": "le"}, {"name": "Oracle FLEXCUBE Universal Banking", "version": "12.0.3", "operator": "le"}, {"name": "Oracle Retail Xstore Point of Service", "version": "7.0.6", "operator": "le"}, {"name": "Oracle Retail Predictive Application Server", "version": "14.1.3", "operator": "le"}, {"name": "Oracle Communications Messaging Server", "version": "8.x", "operator": "le"}, {"name": "Oracle Outside In Technology", "version": "8.5.3", "operator": "le"}, {"name": "Oracle Retail Invoice Matching", "version": "14.0", "operator": "le"}, {"name": "Java SE, Java SE Embedded, JRockit", "version": "7u161", "operator": "le"}, {"name": "Oracle Communications Order and Service Management", "version": "7.3.0.1.x", "operator": "le"}, {"name": "Oracle FLEXCUBE Core Banking", "version": "11.7.0", "operator": "le"}, {"name": "Oracle Retail Point-of-Service", "version": "14.0.4", "operator": "le"}, {"name": "Oracle Banking Payments", "version": "12.5.0", "operator": "le"}, {"name": "Oracle Retail Store Inventory Management", "version": "12.0.12", "operator": "le"}, {"name": "Oracle Human Resources", "version": "12.1.3", "operator": "le"}, {"name": "Oracle WebCenter Content", "version": "11.1.1.9.0", "operator": "le"}, {"name": "Oracle Application Object Library", "version": "12.2.4", "operator": "le"}, {"name": "Solaris", "version": "11.3", "operator": "le"}, {"name": "Oracle Agile Engineering Data Management", "version": "6.2.1", "operator": "le"}, {"name": "Real-Time Decisions (RTD) Solutions", "version": "3.2.0.0.0", "operator": "le"}, {"name": "Oracle Retail Back Office", "version": "14.0.4", "operator": "le"}, {"name": "Instantis EnterpriseTrack", "version": "17.2", "operator": "le"}, {"name": "JD Edwards World Security", "version": "9.2", "operator": "le"}], "cvelist": ["CVE-2018-2768", "CVE-2018-2802", "CVE-2018-2775", "CVE-2018-2815", "CVE-2018-2748", "CVE-2018-2836", "CVE-2017-9798", "CVE-2018-2878", "CVE-2018-2826", "CVE-2018-2827", "CVE-2017-5753", "CVE-2017-5754", "CVE-2018-2817", "CVE-2018-2800", "CVE-2018-2868", "CVE-2018-2832", "CVE-2018-2789", "CVE-2018-2852", "CVE-2018-2808", "CVE-2018-2749", "CVE-2018-2747", "CVE-2018-2563", "CVE-2018-2860", "CVE-2018-2769", "CVE-2017-13080", "CVE-2016-5019", "CVE-2018-2776", "CVE-2018-7489", "CVE-2016-6306", "CVE-2018-2841", "CVE-2018-2759", "CVE-2016-2183", "CVE-2018-2870", "CVE-2018-2844", "CVE-2018-2822", "CVE-2018-2853", "CVE-2018-2746", "CVE-2016-2178", "CVE-2018-2755", "CVE-2018-2810", "CVE-2018-2812", "CVE-2018-2803", "CVE-2016-9878", "CVE-2017-10400", "CVE-2017-3735", "CVE-2018-2823", "CVE-2018-2842", "CVE-2018-2786", "CVE-2018-2778", "CVE-2018-2820", "CVE-2018-2765", "CVE-2018-2876", "CVE-2016-3092", "CVE-2018-2856", "CVE-2018-2872", "CVE-2018-2858", "CVE-2016-6302", "CVE-2017-13082", "CVE-2018-2819", "CVE-2018-2783", "CVE-2018-2774", "CVE-2016-8745", "CVE-2016-2177", "CVE-2018-2784", "CVE-2018-2771", "CVE-2018-2835", "CVE-2018-2848", "CVE-2018-2840", "CVE-2016-0635", "CVE-2018-2863", "CVE-2018-2867", "CVE-2018-2845", "CVE-2018-2824", "CVE-2018-2861", "CVE-2018-2777", "CVE-2018-2738", "CVE-2018-2838", "CVE-2018-2849", "CVE-2015-7501", "CVE-2018-2754", "CVE-2018-2795", "CVE-2016-6307", "CVE-2017-3737", "CVE-2013-1768", "CVE-2017-15707", "CVE-2018-2791", "CVE-2018-2807", "CVE-2018-2766", "CVE-2018-2763", "CVE-2018-2780", "CVE-2018-2879", "CVE-2018-2752", "CVE-2016-6308", "CVE-2017-13078", "CVE-2017-5662", "CVE-2018-2816", "CVE-2014-0054", "CVE-2018-2793", "CVE-2016-2180", "CVE-2018-2742", "CVE-2018-2739", "CVE-2017-7805", "CVE-2018-2798", "CVE-2018-2814", "CVE-2018-2855", "CVE-2018-2799", "CVE-2017-5715", "CVE-2018-2787", "CVE-2016-2181", "CVE-2018-2818", "CVE-2016-6304", "CVE-2018-2753", "CVE-2018-2756", "CVE-2018-2851", "CVE-2018-2796", "CVE-2018-2764", "CVE-2018-2837", "CVE-2018-2847", "CVE-2018-0739", "CVE-2017-17562", "CVE-2018-2805", "CVE-2018-2572", "CVE-2018-2801", "CVE-2018-2761", "CVE-2018-2821", "CVE-2018-2782", "CVE-2018-2831", "CVE-2018-2773", "CVE-2018-2797", "CVE-2018-2864", "CVE-2018-2828", "CVE-2018-2866", "CVE-2018-2587", "CVE-2018-2829", "CVE-2017-7525", "CVE-2018-2770", "CVE-2016-7052", "CVE-2018-2718", "CVE-2018-2781", "CVE-2018-2830", "CVE-2018-2806", "CVE-2017-5664", "CVE-2018-2779", "CVE-2018-2825", "CVE-2018-2813", "CVE-2016-5007", "CVE-2018-2854", "CVE-2018-2811", "CVE-2018-2762", "CVE-2018-2869", "CVE-2018-2790", "CVE-2017-3738", "CVE-2018-2877", "CVE-2018-2865", "CVE-2018-2760", "CVE-2018-2834", "CVE-2016-6305", "CVE-2016-6303", "CVE-2018-2772", "CVE-2018-2846", "CVE-2018-2792", "CVE-2017-5645", "CVE-2016-2182", "CVE-2018-2833", "CVE-2017-12617", "CVE-2018-2859", "CVE-2018-2843", "CVE-2018-2804", "CVE-2017-10393", "CVE-2018-2788", "CVE-2018-2628", "CVE-2018-2785", "CVE-2018-2750", "CVE-2018-2873", "CVE-2015-7940", "CVE-2017-3736", "CVE-2018-2758", "CVE-2017-13077", "CVE-2016-3506", "CVE-2018-2737", "CVE-2018-2809", "CVE-2018-2871", "CVE-2017-15095", "CVE-2016-2179", "CVE-2016-6814", "CVE-2017-7674", "CVE-2018-2857", "CVE-2018-2839", "CVE-2018-2850", "CVE-2018-2862", "CVE-2016-6309", "CVE-2018-2794", "CVE-2018-2874"], "modified": "2018-05-23T00:00:00", "id": "ORACLE:CPUAPR2018-3678067", "href": "", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T04:13:51", "references": [], "description": "A Critical Patch Update (CPU) is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security fixes. Please refer to:\n\n[Critical Patch Updates and Security Alerts](<http://www.oracle.com/technetwork/topics/security/alerts-086861.html>) for information about Oracle Security Advisories.\n\n**Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released fixes. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes without delay.**\n\nThis Critical Patch Update contains 252 new security fixes across the product families listed below. Please note that a MOS note summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at [ October 2017 Critical Patch Update: Executive Summary and Analysis](<https://support.oracle.com/rs?type=doc&id=2310031.1>).\n\nPlease note that on September 22, 2017, Oracle released [Security Alert for CVE-2017-9805](<http://www.oracle.com/technetwork/security-advisory/alert-cve-2017-9805-3889403.html>). Customers of affected Oracle product(s) are strongly advised to apply the fixes that were announced in this Security Alert as well as those contained in this Critical Patch update\n\nThis Critical Patch Update advisory is also available in an XML format that conforms to the Common Vulnerability Reporting Format (CVRF) version 1.1. More information about Oracle's use of CVRF is available [here](<http://www.oracle.com/technetwork/topics/security/cpufaq-098434.html#CVRF>).\n", "edition": 3, "reporter": "Oracle", "published": "2017-10-17T00:00:00", "title": "Oracle Critical Patch Update - October 2017", "type": "oracle", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "software", "affectedSoftware": [{"name": "Oracle WebLogic Server", "version": "12.2.1.2.0", "operator": "le"}, {"name": "Oracle Retail Convenience and Fuel POS Software", "version": "2.1.132", "operator": "le"}, {"name": "Oracle Communications User Data Repository", "version": "10.x", "operator": "le"}, {"name": "Oracle BI Publisher", "version": "11.1.1.9.0", "operator": "le"}, {"name": "MICROS Retail XBRi Loss Prevention", "version": "10.7.7", "operator": "le"}, {"name": "Oracle Hospitality Hotel Mobile", "version": "1.1", "operator": "le"}, {"name": "Oracle Applications DBA", "version": "12.2.4", "operator": "le"}, {"name": "Oracle WebCenter Content", "version": "12.2.1.1.0", "operator": "le"}, {"name": "Oracle Agile PLM", "version": "9.3.6", "operator": "le"}, {"name": "Oracle FLEXCUBE Universal Banking", "version": "12.3.0", "operator": "le"}, {"name": "Oracle Mobile Field Service", "version": "12.2.3", "operator": "le"}, {"name": "Oracle JDeveloper", "version": "12.1.3.0.0", "operator": "le"}, {"name": "MySQL Enterprise Monitor", "version": "3.3.4.3247", "operator": "le"}, {"name": "Oracle WebCenter Sites", "version": "11.1.1.8.0", "operator": "le"}, {"name": "Oracle Directory Server Enterprise Edition", "version": "11.1.1.7.0", "operator": "le"}, {"name": "Oracle SOA Suite", "version": "11.1.1.7.0", "operator": "le"}, {"name": "Oracle Retail Back Office", "version": "13.3", "operator": "le"}, {"name": "Oracle Common Applications Calendar", "version": "12.2.4", "operator": "le"}, {"name": "Oracle Hospitality Guest Access", "version": "4.2.0", "operator": "le"}, {"name": "RDBMS Security", "version": "11.2.0.4", "operator": "le"}, {"name": "MICROS Retail XBRi Loss Prevention", "version": "10.5.0", "operator": "le"}, {"name": "Java SE, Java SE Embedded", "version": "6u161", "operator": "le"}, {"name": "Oracle Web Applications Desktop Integrator", "version": "12.1.2", "operator": "le"}, {"name": "Oracle Healthcare Master Person Index", "version": "4.x", "operator": "le"}, {"name": "Oracle Business Process Management Suite", "version": "12.2.1.2.0", "operator": "le"}, {"name": "MICROS Retail XBRi Loss Prevention", "version": "10.6.0", "operator": "le"}, {"name": "Siebel Core - Server Framework", "version": "17.0", "operator": "le"}, {"name": "Oracle CRM Technical Foundation", "version": "12.2.5", "operator": "le"}, {"name": "Oracle Security Service", "version": "11.1.1.9.0", "operator": "le"}, {"name": "Oracle Common Applications Calendar", "version": "12.2.7", "operator": "le"}, {"name": "Oracle HTTP Server", "version": "11.1.1.7.0", "operator": "le"}, {"name": "Oracle Applications DBA", "version": "12.2.5", "operator": "le"}, {"name": "MICROS Retail XBRi Loss Prevention", "version": "10.8.0", "operator": "le"}, {"name": "Oracle Hospitality Simphony", "version": "2.9", "operator": "le"}, {"name": "Oracle Integrated Lights Out Manager (ILOM)", "version": "3.2.6", "operator": "le"}, {"name": "Oracle Hospitality Cruise Fleet Management", "version": "9.0.2.0", "operator": "le"}, {"name": "Siebel UI Framework", "version": "16.0", "operator": "le"}, {"name": "Oracle Common Applications", "version": "12.2.3", "operator": "le"}, {"name": "Oracle Retail Store Inventory Management", "version": "15.0.1", "operator": "le"}, {"name": "Oracle Global Order Promising", "version": "12.2.6", "operator": "le"}, {"name": "Oracle Application Object Library", "version": "12.2.3", "operator": "le"}, {"name": "Oracle Business Process Management Suite", "version": "12.2.1.1.0", "operator": "le"}, {"name": "Java VM", "version": "11.2.0.4", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.3.4", "operator": "le"}, {"name": "Oracle HTTP Server", "version": "12.2.1.1.0", "operator": "le"}, {"name": "Oracle Advanced Outbound Telephony", "version": "12.2.6", "operator": "le"}, {"name": "Oracle iSupport", "version": "12.2.3", "operator": "le"}, {"name": "Oracle Retail Point-of-Service", "version": "13.3", "operator": "le"}, {"name": "Oracle Web Applications Desktop Integrator", "version": "12.2.6", "operator": "le"}, {"name": "Oracle Retail Back Office", "version": "14.1", "operator": "le"}, {"name": "Siebel Apps - Field Service", "version": "17.0", "operator": "le"}, {"name": "Oracle Global Order Promising", "version": "12.2.3", "operator": "le"}, {"name": "JD Edwards EnterpriseOne Tools", "version": "9.2", "operator": "le"}, {"name": "Oracle Applications DBA", "version": "12.2.3", "operator": "le"}, {"name": "Oracle Hospitality Cruise AffairWhere", "version": "2.2.5.0", "operator": "le"}, {"name": "Oracle CRM Technical Foundation", "version": "12.1.3", "operator": "le"}, {"name": "Oracle Hospitality Guest Access", "version": "4.2.1", "operator": "le"}, {"name": "Oracle Business Intelligence Enterprise Edition", "version": "12.2.1.2.0", "operator": "le"}, {"name": "Oracle Knowledge Management", "version": "12.2.5", "operator": "le"}, {"name": "Oracle Communications Order and Service Management", "version": "7.2.4.x.x", "operator": "le"}, {"name": "Oracle BI Publisher", "version": "12.2.1.1.0", "operator": "le"}, {"name": "Oracle Enterprise Manager Ops Center", "version": "12.3.2", "operator": "le"}, {"name": "Java SE, Java SE Embedded, JRockit", "version": "6u161", "operator": "le"}, {"name": "MySQL Server", "version": "5.7.11", "operator": "le"}, {"name": "Oracle JDeveloper", "version": "12.2.1.2.0", "operator": "le"}, {"name": "Oracle Global Order Promising", "version": "12.2.7", "operator": "le"}, {"name": "Oracle Endeca Information Discovery Integrator", "version": "2.4", "operator": "le"}, {"name": "Oracle RDBMS", "version": "12.1.0.2", "operator": "le"}, {"name": "PeopleSoft Enterprise PeopleTools", "version": "8.55", "operator": "le"}, {"name": "Oracle Common Applications", "version": "12.2.6", "operator": "le"}, {"name": "Oracle Identity Manager", "version": "11.1.2.3.0", "operator": "le"}, {"name": "Oracle Hospitality Simphony", "version": "2.8", "operator": "le"}, {"name": "Oracle Knowledge Management", "version": "12.1.1", "operator": "le"}, {"name": "Oracle Communications EAGLE LNP Application Processor", "version": "10.x", "operator": "le"}, {"name": "Oracle WebLogic Server", "version": "10.3.6.0.0", "operator": "le"}, {"name": "Oracle iStore", "version": "12.2.4", "operator": "le"}, {"name": "Oracle FLEXCUBE Universal Banking", "version": "12.1.0", "operator": "le"}, {"name": "Oracle Retail Store Inventory Management", "version": "13.2.9", "operator": "le"}, {"name": "Oracle CRM Technical Foundation", "version": "12.2.7", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.3.6", "operator": "le"}, {"name": "Oracle Hospitality Cruise AffairWhere", "version": "2.2.6.0", "operator": "le"}, {"name": "Primavera Unifier", "version": "16.x", "operator": "le"}, {"name": "XML Database", "version": "12.1.0.2", "operator": "le"}, {"name": "Oracle Virtual Directory", "version": "11.1.1.9.0", "operator": "le"}, {"name": "Oracle Common Applications Calendar", "version": "12.1.1", "operator": "le"}, {"name": "Oracle Web Applications Desktop Integrator", "version": "12.1.3", "operator": "le"}, {"name": "JD Edwards World Security", "version": "9.4", "operator": "le"}, {"name": "MySQL Server", "version": "5.6.37", "operator": "le"}, {"name": "Oracle Communications Services Gatekeeper", "version": "6.0", "operator": "le"}, {"name": "Oracle Knowledge Management", "version": "12.2.6", "operator": "le"}, {"name": "Oracle Hospitality Cruise AffairWhere", "version": "2.2.7.0", "operator": "le"}, {"name": "Oracle HTTP Server", "version": "12.2.1.2.0", "operator": "le"}, {"name": "Oracle Communications Order and Service Management", "version": "7.3.0.x.x", "operator": "le"}, {"name": "Oracle WebCenter Content", "version": "12.2.1.2.0", "operator": "le"}, {"name": "Java SE", "version": "6u161", "operator": "le"}, {"name": "Oracle Retail Back Office", "version": "14.0", "operator": "le"}, {"name": "Oracle Communications WebRTC Session Controller", "version": "7.2", "operator": "le"}, {"name": "Oracle FLEXCUBE Universal Banking", "version": "11.3", "operator": "le"}, {"name": "Siebel Core - Server Framework", "version": "16.0", "operator": "le"}, {"name": "Oracle CRM Technical Foundation", "version": "12.2.4", "operator": "le"}, {"name": "Oracle WebLogic Server", "version": "12.2.1.1.0", "operator": "le"}, {"name": "Oracle Secure Global Desktop (SGD)", "version": "5.3", "operator": "le"}, {"name": "Oracle iSupport", "version": "12.2.7", "operator": "le"}, {"name": "Oracle FLEXCUBE Universal Banking", "version": "11.4.0", "operator": "le"}, {"name": "Oracle Common Applications Calendar", "version": "12.2.3", "operator": "le"}, {"name": "PeopleSoft Enterprise PeopleTools", "version": "8.56", "operator": "le"}, {"name": "Tekelec HLR Router", "version": "4.x", "operator": "le"}, {"name": "Oracle Retail Markdown Optimization", "version": "14.0", "operator": "le"}, {"name": "Oracle Hospitality Suite8", "version": "8.10.2", "operator": "le"}, {"name": "Java SE, Java SE Embedded, JRockit", "version": "8u144", "operator": "le"}, {"name": "Oracle iSupport", "version": "12.1.2", "operator": "le"}, {"name": "Oracle iStore", "version": "12.1.3", "operator": "le"}, {"name": "Oracle Knowledge Management", "version": "12.2.7", "operator": "le"}, {"name": "Oracle iStore", "version": "12.2.3", "operator": "le"}, {"name": "MySQL Server", "version": "5.7.19", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.3.5", "operator": "le"}, {"name": "Oracle Applications DBA", "version": "12.2.7", "operator": "le"}, {"name": "Oracle FLEXCUBE Universal Banking", "version": "12.2.0", "operator": "le"}, {"name": "Oracle BI Publisher", "version": "12.2.1.2.0", "operator": "le"}, {"name": "Oracle Applications Technology Stack", "version": "12.2.7", "operator": "le"}, {"name": "Oracle WebLogic Server", "version": "12.1.3.0.0", "operator": "le"}, {"name": "Oracle Universal Work Queue", "version": "12.2.4", "operator": "le"}, {"name": "Oracle RDBMS", "version": "12.2.0.1", "operator": "le"}, {"name": "Java SE, JRockit", "version": "7u151", "operator": "le"}, {"name": "Oracle Communications Order and Service Management", "version": "7.3.1.x.x", "operator": "le"}, {"name": "Oracle Mobile Field Service", "version": "12.1.2", "operator": "le"}, {"name": "Solaris Cluster", "version": "4.3", "operator": "le"}, {"name": "MySQL Server", "version": "5.6.36", "operator": "le"}, {"name": "Oracle Business Process Management Suite", "version": "11.1.1.9.0", "operator": "le"}, {"name": "Oracle Mobile Field Service", "version": "12.1.1", "operator": "le"}, {"name": "PeopleSoft Enterprise PeopleTools", "version": "8.54", "operator": "le"}, {"name": "Oracle Retail Clearance Optimization Engine", "version": "13.4", "operator": "le"}, {"name": "Java SE, Java SE Embedded, JRockit", "version": "7u151", "operator": "le"}, {"name": "Oracle Endeca Information Discovery Integrator", "version": "3.0", "operator": "le"}, {"name": "Java SE, Java SE Embedded", "version": "7u151", "operator": "le"}, {"name": "Oracle API Gateway", "version": "11.1.2.4.0", "operator": "le"}, {"name": "Oracle Managed File Transfer", "version": "12.2.1.1.0", "operator": "le"}, {"name": "Oracle Mobile Field Service", "version": "12.2.7", "operator": "le"}, {"name": "Oracle CRM Technical Foundation", "version": "12.2.6", "operator": "le"}, {"name": "Oracle Managed File Transfer", "version": "12.2.1.2.0", "operator": "le"}, {"name": "SPARC M7, T7, S7 based Servers", "version": "9.7.6.b", "operator": "le"}, {"name": "Java VM", "version": "12.1.0.2", "operator": "le"}, {"name": "Oracle Common Applications", "version": "12.2.7", "operator": "le"}, {"name": "Oracle VM VirtualBox", "version": "5.1.30", "operator": "le"}, {"name": "Oracle Hospitality OPERA 5 Property Services", "version": "5.4.2.x", "operator": "le"}, {"name": "Oracle Hospitality Simphony", "version": "2.7", "operator": "le"}, {"name": "Oracle Mobile Field Service", "version": "12.1.3", "operator": "le"}, {"name": "Oracle Access Manager", "version": "11.1.2.3.0", "operator": "le"}, {"name": "Oracle Universal Work Queue", "version": "12.2.5", "operator": "le"}, {"name": "Oracle Hospitality Cruise Materials Management", "version": "7.30.564.0", "operator": "le"}, {"name": "Oracle Applications Technology Stack", "version": "12.2.3", "operator": "le"}, {"name": "WLM (Apache Tomcat)", "version": "12.2.0.1", "operator": "le"}, {"name": "Oracle Global Order Promising", "version": "12.1.3", "operator": "le"}, {"name": "MySQL Server", "version": "5.7.18", "operator": "le"}, {"name": "Oracle WebCenter Sites", "version": "12.2.1.2.0", "operator": "le"}, {"name": "Oracle Retail Xstore Point of Service", "version": "15.0.1", "operator": "le"}, {"name": "Oracle Enterprise Manager Ops Center", "version": "12.2.2", "operator": "le"}, {"name": "Oracle Interaction Center Intelligence", "version": "12.1.2", "operator": "le"}, {"name": "Oracle Endeca Information Discovery Integrator", "version": "3.1", "operator": "le"}, {"name": "Java SE, Java SE Embedded, JRockit", "version": "9", "operator": "le"}, {"name": "Oracle Applications Technology Stack", "version": "12.1.3", "operator": "le"}, {"name": "Oracle Common Applications Calendar", "version": "12.1.3", "operator": "le"}, {"name": "Fujitsu M10-1, M10-4, M10-4S, M12-1, M12-2, M12-2S Servers", "version": "2340", "operator": "le"}, {"name": "MICROS Retail XBRi Loss Prevention", "version": "10.8.1", "operator": "le"}, {"name": "Oracle Retail Store Inventory Management", "version": "14.0.4", "operator": "le"}, {"name": "Oracle Applications Technology Stack", "version": "12.2.6", "operator": "le"}, {"name": "Oracle Retail Point-of-Service", "version": "14.1", "operator": "le"}, {"name": "Oracle Applications Technology Stack", "version": "12.2.4", "operator": "le"}, {"name": "Java SE, JRockit", "version": "9", "operator": "le"}, {"name": "MySQL Server", "version": "5.6.35", "operator": "le"}, {"name": "Oracle Interaction Center Intelligence", "version": "12.1.3", "operator": "le"}, {"name": "Oracle Agile Engineering Data Management", "version": "6.2.0", "operator": "le"}, {"name": "Oracle iStore", "version": "12.2.5", "operator": "le"}, {"name": "Oracle Hyperion Financial Reporting", "version": "11.1.2", "operator": "le"}, {"name": "MICROS Retail XBRi Loss Prevention", "version": "10.0.1", "operator": "le"}, {"name": "Oracle iSupport", "version": "12.1.1", "operator": "le"}, {"name": "Oracle iSupport", "version": "12.2.4", "operator": "le"}, {"name": "XML Database", "version": "11.2.0.4", "operator": "le"}, {"name": "Oracle Universal Work Queue", "version": "12.1.2", "operator": "le"}, {"name": "Siebel CRM Desktop", "version": "16.0", "operator": "le"}, {"name": "Oracle Web Applications Desktop Integrator", "version": "12.2.5", "operator": "le"}, {"name": "MySQL Server", "version": "5.5.57", "operator": "le"}, {"name": "Siebel CRM Desktop", "version": "17.0", "operator": "le"}, {"name": "Primavera Unifier", "version": "9.14", "operator": "le"}, {"name": "Oracle Advanced Outbound Telephony", "version": "12.2.7", "operator": "le"}, {"name": "Oracle Web Applications Desktop Integrator", "version": "12.2.4", "operator": "le"}, {"name": "Java SE, JRockit", "version": "6u161", "operator": "le"}, {"name": "Oracle Advanced Outbound Telephony", "version": "12.2.4", "operator": "le"}, {"name": "Oracle Trade Management", "version": "12.2.4", "operator": "le"}, {"name": "Oracle Trade Management", "version": "12.2.5", "operator": "le"}, {"name": "Oracle Application Object Library", "version": "12.2.6", "operator": "le"}, {"name": "Oracle Engineering Data Management", "version": "6.1.3.0", "operator": "le"}, {"name": "Oracle Agile Engineering Data Management", "version": "6.1.3", "operator": "le"}, {"name": "Oracle Web Applications Desktop Integrator", "version": "12.2.3", "operator": "le"}, {"name": "Oracle Universal Work Queue", "version": "12.2.3", "operator": "le"}, {"name": "Oracle Knowledge Management", "version": "12.1.3", "operator": "le"}, {"name": "Oracle Common Applications", "version": "12.2.4", "operator": "le"}, {"name": "PeopleSoft Enterprise SCM eProcurement", "version": "9.1.00", "operator": "le"}, {"name": "Oracle BI Publisher", "version": "11.1.1.7.0", "operator": "le"}, {"name": "JD Edwards World Security", "version": "9.3", "operator": "le"}, {"name": "Java Advanced Management Console", "version": "2.7", "operator": "le"}, {"name": "Oracle Trade Management", "version": "12.2.6", "operator": "le"}, {"name": "Oracle Universal Work Queue", "version": "12.1.3", "operator": "le"}, {"name": "Oracle HTTP Server", "version": "11.1.1.9.0", "operator": "le"}, {"name": "PeopleSoft Enterprise PT PeopleTools", "version": "8.56", "operator": "le"}, {"name": "Oracle Communications Policy Management", "version": "11.5", "operator": "le"}, {"name": "Oracle Communications Services Gatekeeper", "version": "5.1", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.3.3", "operator": "le"}, {"name": "Oracle Retail Xstore Point of Service", "version": "6.5.11", "operator": "le"}, {"name": "Oracle Common Applications", "version": "12.2.5", "operator": "le"}, {"name": "Oracle Retail Point-of-Service", "version": "14.0", "operator": "le"}, {"name": "Oracle Business Intelligence Enterprise Edition", "version": "12.2.1.1.0", "operator": "le"}, {"name": "Oracle Common Applications Calendar", "version": "12.2.5", "operator": "le"}, {"name": "Oracle Retail Point-of-Service", "version": "13.2", "operator": "le"}, {"name": "Oracle Server X7-2/2L, X7-8", "version": "1.0", "operator": "le"}, {"name": "Oracle FLEXCUBE Universal Banking", "version": "12.0.1", "operator": "le"}, {"name": "Oracle Application Object Library", "version": "12.2.7", "operator": "le"}, {"name": "Oracle FLEXCUBE Universal Banking", "version": "12.4.0", "operator": "le"}, {"name": "Oracle CRM Technical Foundation", "version": "12.2.3", "operator": "le"}, {"name": "Oracle iSupport", "version": "12.2.5", "operator": "le"}, {"name": "Oracle RDBMS", "version": "11.2.0.4", "operator": "le"}, {"name": "Primavera Unifier", "version": "15.x", "operator": "le"}, {"name": "Oracle Universal Work Queue", "version": "12.2.6", "operator": "le"}, {"name": "Oracle Universal Work Queue", "version": "12.1.1", "operator": "le"}, {"name": "RDBMS Security", "version": "12.1.0.2", "operator": "le"}, {"name": "Oracle Communications WebRTC Session Controller", "version": "7.1", "operator": "le"}, {"name": "Java SE, Java SE Embedded", "version": "8u144", "operator": "le"}, {"name": "Oracle Interaction Center Intelligence", "version": "12.1.1", "operator": "le"}, {"name": "Oracle Communications WebRTC Session Controller", "version": "7.0", "operator": "le"}, {"name": "Oracle Hospitality Reporting and Analytics", "version": "8.5.1", "operator": "le"}, {"name": "Oracle Mobile Field Service", "version": "12.2.6", "operator": "le"}, {"name": "Java SE, Java SE Embedded", "version": "9", "operator": "le"}, {"name": "SPARC Enterprise M3000, M4000, M5000, M8000, M9000 Servers", "version": "1123", "operator": "le"}, {"name": "Sun ZFS Storage Appliance Kit (AK)", "version": "2013", "operator": "le"}, {"name": "Oracle Trade Management", "version": "12.1.1", "operator": "le"}, {"name": "Oracle Agile PLM", "version": "9.3.5", "operator": "le"}, {"name": "Java SE", "version": "8u144", "operator": "le"}, {"name": "PeopleSoft Enterprise PT PeopleTools", "version": "8.55", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.4.1", "operator": "le"}, {"name": "Primavera Unifier", "version": "9.13", "operator": "le"}, {"name": "Oracle Knowledge Management", "version": "12.2.3", "operator": "le"}, {"name": "Oracle Global Order Promising", "version": "12.1.2", "operator": "le"}, {"name": "Oracle iSupport", "version": "12.2.6", "operator": "le"}, {"name": "Oracle Endeca Information Discovery Integrator", "version": "3.2", "operator": "le"}, {"name": "Oracle Business Process Management Suite", "version": "11.1.1.7.0", "operator": "le"}, {"name": "Oracle Applications Technology Stack", "version": "12.2.5", "operator": "le"}, {"name": "Oracle Managed File Transfer", "version": "12.1.3.0.0", "operator": "le"}, {"name": "Oracle Application Object Library", "version": "12.2.5", "operator": "le"}, {"name": "Oracle Global Order Promising", "version": "12.2.5", "operator": "le"}, {"name": "Oracle Communications Order and Service Management", "version": "7.3.5.x.x", "operator": "le"}, {"name": "Oracle Common Applications", "version": "12.1.3", "operator": "le"}, {"name": "Oracle Advanced Outbound Telephony", "version": "12.2.5", "operator": "le"}, {"name": "Spatial (Apache Groovy)", "version": "12.2.0.1", "operator": "le"}, {"name": "Oracle Retail Markdown Optimization", "version": "13.4", "operator": "le"}, {"name": "Oracle Business Intelligence Enterprise Edition", "version": "11.1.1.9.0", "operator": "le"}, {"name": "RDBMS Security", "version": "12.2.0.1", "operator": "le"}, {"name": "Oracle Virtual Directory", "version": "11.1.1.7.0", "operator": "le"}, {"name": "PeopleSoft Enterprise HCM", "version": "9.2", "operator": "le"}, {"name": "Oracle Retail Xstore Point of Service", "version": "7.1.6", "operator": "le"}, {"name": "Oracle Retail Store Inventory Management", "version": "16.0.1", "operator": "le"}, {"name": "Oracle Communications Unified Session Manager", "version": "7.x", "operator": "le"}, {"name": "PeopleSoft Enterprise PT PeopleTools", "version": "8.54", "operator": "le"}, {"name": "Oracle Trade Management", "version": "12.1.2", "operator": "le"}, {"name": "Oracle GlassFish Server", "version": "3.0.1", "operator": "le"}, {"name": "Oracle iSupport", "version": "12.1.3", "operator": "le"}, {"name": "Java SE", "version": "9", "operator": "le"}, {"name": "Oracle iStore", "version": "12.1.2", "operator": "le"}, {"name": "Oracle Security Service", "version": "12.1.3.0.0", "operator": "le"}, {"name": "Oracle Knowledge Management", "version": "12.2.4", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.3.1", "operator": "le"}, {"name": "Oracle Hyperion BI+", "version": "11.1.2.4", "operator": "le"}, {"name": "Oracle Mobile Field Service", "version": "12.2.5", "operator": "le"}, {"name": "Oracle Communications Diameter Signaling Router (DSR)", "version": "7.x", "operator": "le"}, {"name": "Oracle iStore", "version": "12.2.7", "operator": "le"}, {"name": "Oracle Business Intelligence Enterprise Edition", "version": "11.1.1.7.0", "operator": "le"}, {"name": "Oracle FLEXCUBE Universal Banking", "version": "12.0.2", "operator": "le"}, {"name": "Oracle Retail Xstore Point of Service", "version": "6.0.11", "operator": "le"}, {"name": "Oracle iStore", "version": "12.1.1", "operator": "le"}, {"name": "Oracle Application Object Library", "version": "12.1.3", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.3.0", "operator": "le"}, {"name": "Java VM", "version": "12.2.0.1", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.4.2", "operator": "le"}, {"name": "Siebel UI Framework", "version": "17.0", "operator": "le"}, {"name": "Oracle Retail Back Office", "version": "13.2", "operator": "le"}, {"name": "Solaris Cluster", "version": "3.3", "operator": "le"}, {"name": "Primavera Unifier", "version": "10.x", "operator": "le"}, {"name": "Management Pack for Oracle GoldenGate", "version": "11.2.1.0.12", "operator": "le"}, {"name": "Oracle iPlanet Web Server", "version": "7.0", "operator": "le"}, {"name": "Oracle Global Order Promising", "version": "12.1.1", "operator": "le"}, {"name": "Oracle Retail Store Inventory Management", "version": "14.1.3", "operator": "le"}, {"name": "Oracle Global Order Promising", "version": "12.2.4", "operator": "le"}, {"name": "Java SE", "version": "7u151", "operator": "le"}, {"name": "Oracle Communications Policy Management", "version": "12.x", "operator": "le"}, {"name": "PeopleSoft Enterprise FSCM", "version": "9.2", "operator": "le"}, {"name": "Oracle Mobile Field Service", "version": "12.2.4", "operator": "le"}, {"name": "PeopleSoft Enterprise SCM eProcurement", "version": "9.2.00", "operator": "le"}, {"name": "Oracle FLEXCUBE Universal Banking", "version": "12.0.3", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.3.7", "operator": "le"}, {"name": "JD Edwards World Security", "version": "9.1", "operator": "le"}, {"name": "Oracle Applications DBA", "version": "12.2.6", "operator": "le"}, {"name": "Oracle Retail Xstore Point of Service", "version": "7.0.6", "operator": "le"}, {"name": "Oracle iStore", "version": "12.2.6", "operator": "le"}, {"name": "MySQL Connectors", "version": "6.9.9", "operator": "le"}, {"name": "Java SE, JRockit", "version": "8u144", "operator": "le"}, {"name": "Oracle Communications Billing and Revenue Management", "version": "7.5", "operator": "le"}, {"name": "Oracle Communications Messaging Server", "version": "8.x", "operator": "le"}, {"name": "Oracle Applications DBA", "version": "12.1.3", "operator": "le"}, {"name": "Siebel Apps - Field Service", "version": "16.0", "operator": "le"}, {"name": "Oracle Engineering Data Management", "version": "6.2.2.0", "operator": "le"}, {"name": "Oracle Knowledge Management", "version": "12.1.2", "operator": "le"}, {"name": "PeopleSoft Enterprise PRTL Interaction Hub", "version": "9.1.00", "operator": "le"}, {"name": "Oracle Hospitality Simphony", "version": "2.6", "operator": "le"}, {"name": "MySQL Enterprise Monitor", "version": "3.4.2.4181", "operator": "le"}, {"name": "Oracle Business Process Management Suite", "version": "12.1.3.0.0", "operator": "le"}, {"name": "Oracle Identity Manager Connector", "version": "9.1.1.5.0", "operator": "le"}, {"name": "Oracle HTTP Server", "version": "12.1.3.0.0", "operator": "le"}, {"name": "Oracle Hospitality Suite8", "version": "8.10.1", "operator": "le"}, {"name": "Oracle Common Applications Calendar", "version": "12.1.2", "operator": "le"}, {"name": "Oracle Web Applications Desktop Integrator", "version": "12.1.1", "operator": "le"}, {"name": "Oracle Trade Management", "version": "12.1.3", "operator": "le"}, {"name": "Oracle Outside In Technology", "version": "8.5.3.0", "operator": "le"}, {"name": "Oracle Advanced Outbound Telephony", "version": "12.2.3", "operator": "le"}, {"name": "MySQL Enterprise Monitor", "version": "3.2.8.2223", "operator": "le"}, {"name": "Oracle Trade Management", "version": "12.2.3", "operator": "le"}, {"name": "Oracle WebCenter Content", "version": "11.1.1.9.0", "operator": "le"}, {"name": "Oracle Application Object Library", "version": "12.2.4", "operator": "le"}, {"name": "Oracle Common Applications Calendar", "version": "12.2.6", "operator": "le"}, {"name": "Oracle GlassFish Server", "version": "3.1.2", "operator": "le"}, {"name": "Oracle Retail Back Office", "version": "13.4", "operator": "le"}, {"name": "Oracle WebLogic Server", "version": "12.2.1.3.0", "operator": "le"}, {"name": "Oracle Universal Work Queue", "version": "12.2.7", "operator": "le"}, {"name": "Oracle Hospitality Reporting and Analytics", "version": "9.0.0", "operator": "le"}, {"name": "Oracle Hospitality Cruise Shipboard Property Management System", "version": "8.0.2.0", "operator": "le"}, {"name": "Oracle Retail Point-of-Service", "version": "13.4", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.3.2", "operator": "le"}, {"name": "JD Edwards World Security", "version": "9.2", "operator": "le"}], "cvelist": ["CVE-2017-10324", "CVE-2017-10167", "CVE-2017-10014", "CVE-2017-10417", "CVE-2017-10037", "CVE-2015-5351", "CVE-2015-5254", "CVE-2017-10270", "CVE-2017-10387", "CVE-2017-10360", "CVE-2015-1792", "CVE-2017-10321", "CVE-2017-10060", "CVE-2015-0235", "CVE-2015-1793", "CVE-2017-10404", "CVE-2017-10311", "CVE-2017-10421", "CVE-2017-10353", "CVE-2017-10260", "CVE-2017-10203", "CVE-2016-9840", "CVE-2017-10419", "CVE-2017-10424", "CVE-2017-10399", "CVE-2017-10293", "CVE-2015-3197", "CVE-2017-10299", "CVE-2017-10158", "CVE-2017-10379", "CVE-2017-10414", "CVE-2017-10054", "CVE-2017-10357", "CVE-2017-10197", "CVE-2017-10361", "CVE-2017-10356", "CVE-2016-5019", "CVE-2017-10322", "CVE-2017-10323", "CVE-2017-10066", "CVE-2014-3572", "CVE-2017-5709", "CVE-2016-6306", "CVE-2017-5462", "CVE-2014-3613", "CVE-2017-7502", "CVE-2015-7181", "CVE-2015-0206", "CVE-2017-10369", "CVE-2015-1789", "CVE-2016-2183", "CVE-2017-10349", "CVE-2017-10284", "CVE-2017-10294", "CVE-2017-10325", "CVE-2017-10416", "CVE-2015-0286", "CVE-2017-10341", "CVE-2017-10420", "CVE-2017-10418", "CVE-2017-10367", "CVE-2016-2178", "CVE-2017-10164", "CVE-2013-1903", "CVE-2017-10400", "CVE-2017-3167", "CVE-2017-10281", "CVE-2015-3195", "CVE-2017-10351", "CVE-2017-10359", "CVE-2017-10381", "CVE-2017-10406", "CVE-2017-10348", "CVE-2017-10372", "CVE-2014-8714", "CVE-2017-10034", "CVE-2017-10328", "CVE-2016-0714", "CVE-2016-3092", "CVE-2014-3571", "CVE-2017-10397", "CVE-2017-10388", "CVE-2017-10330", "CVE-2017-10407", "CVE-2014-0076", "CVE-2017-10033", "CVE-2017-10342", "CVE-2017-10415", "CVE-2017-10408", "CVE-2016-6302", "CVE-2017-10344", "CVE-2017-10354", "CVE-2017-10338", "CVE-2017-10296", "CVE-2017-10292", "CVE-2017-10402", "CVE-2014-3587", "CVE-2017-10306", "CVE-2017-10365", "CVE-2017-10337", "CVE-2017-10426", "CVE-2016-8745", "CVE-2016-2177", "CVE-2017-10380", "CVE-2015-0288", "CVE-2017-10332", "CVE-2017-10378", "CVE-2014-0224", "CVE-2017-10026", "CVE-2017-10276", "CVE-2016-0635", "CVE-2017-10409", "CVE-2017-10166", "CVE-2017-10427", "CVE-2017-10422", "CVE-2015-3194", "CVE-2017-10355", "CVE-2017-10163", "CVE-2016-6515", "CVE-2017-10326", "CVE-2015-0285", "CVE-2016-2107", "CVE-2017-10153", "CVE-2016-7055", "CVE-2017-10382", "CVE-2015-7501", "CVE-2017-10364", "CVE-2017-10319", "CVE-2015-3253", "CVE-2017-3731", "CVE-2016-6307", "CVE-2016-0701", "CVE-2017-10398", "CVE-2017-10051", "CVE-2017-10308", "CVE-2017-10320", "CVE-2017-10287", "CVE-2017-10412", "CVE-2017-10334", "CVE-2016-9842", "CVE-2016-2834", "CVE-2017-10283", "CVE-2015-0899", "CVE-2017-10152", "CVE-2017-10264", "CVE-2016-1182", "CVE-2014-0065", "CVE-2016-0763", "CVE-2015-0207", "CVE-2017-10155", "CVE-2017-10271", "CVE-2017-10286", "CVE-2017-10304", "CVE-2016-6308", "CVE-2016-6816", "CVE-2016-7433", "CVE-2014-4342", "CVE-2017-5662", "CVE-2014-8275", "CVE-2016-2180", "CVE-2017-10411", "CVE-2017-10313", "CVE-2017-10194", "CVE-2015-7182", "CVE-2015-0208", "CVE-2015-2808", "CVE-2017-10347", "CVE-2014-3570", "CVE-2017-10227", "CVE-2015-7575", "CVE-2017-10370", "CVE-2017-10261", "CVE-2017-10425", "CVE-2017-5706", "CVE-2015-3196", "CVE-2017-10428", "CVE-2014-3470", "CVE-2017-10362", "CVE-2017-10309", "CVE-2016-2181", "CVE-2017-10391", "CVE-2016-6304", "CVE-2015-3193", "CVE-2017-10263", "CVE-2014-3538", "CVE-2017-10403", "CVE-2014-0114", "CVE-2017-10159", "CVE-2017-10410", "CVE-2017-3732", "CVE-2017-10383", "CVE-2017-10339", "CVE-2017-10340", "CVE-2014-0050", "CVE-2017-10327", "CVE-2017-10396", "CVE-2017-10300", "CVE-2014-3707", "CVE-2014-0064", "CVE-2017-10343", "CVE-2015-0293", "CVE-2017-10165", "CVE-2017-10316", "CVE-2017-3445", "CVE-2017-10373", "CVE-2016-1979", "CVE-2017-10363", "CVE-2017-10352", "CVE-2016-2381", "CVE-2014-8713", "CVE-2017-10279", "CVE-2015-7183", "CVE-2013-0255", "CVE-2017-10314", "CVE-2017-9805", "CVE-2015-1788", "CVE-2017-10055", "CVE-2014-0195", "CVE-2014-0198", "CVE-2017-10161", "CVE-2016-7052", "CVE-2015-0209", "CVE-2014-0063", "CVE-2016-1950", "CVE-2017-10333", "CVE-2015-0204", "CVE-2016-0706", "CVE-2013-0248", "CVE-2017-3733", "CVE-2017-5664", "CVE-2017-10312", "CVE-2017-10366", "CVE-2014-0060", "CVE-2017-10318", "CVE-2016-7429", "CVE-2016-1181", "CVE-2017-10268", "CVE-2017-10285", "CVE-2017-3446", "CVE-2017-10392", "CVE-2017-10413", "CVE-2016-9843", "CVE-2013-2566", "CVE-2016-8735", "CVE-2015-1790", "CVE-2017-10394", "CVE-2017-9788", "CVE-2017-10350", "CVE-2016-6305", "CVE-2016-6303", "CVE-2017-10275", "CVE-2017-10274", "CVE-2017-10190", "CVE-2013-1902", "CVE-2017-10315", "CVE-2015-0291", "CVE-2017-10317", "CVE-2017-10389", "CVE-2017-10385", "CVE-2017-10154", "CVE-2017-10395", "CVE-2017-3588", "CVE-2014-4345", "CVE-2017-10162", "CVE-2003-1418", "CVE-2016-2182", "CVE-2017-10358", "CVE-2017-10310", "CVE-2017-10077", "CVE-2017-10346", "CVE-2014-0062", "CVE-2017-10401", "CVE-2015-0287", "CVE-2017-7668", "CVE-2017-3444", "CVE-2017-10295", "CVE-2017-10393", "CVE-2017-10423", "CVE-2017-10280", "CVE-2017-5461", "CVE-2016-10165", "CVE-2014-0066", "CVE-2015-0289", "CVE-2016-9841", "CVE-2015-7940", "CVE-2017-3169", "CVE-2017-10065", "CVE-2016-5285", "CVE-2017-10368", "CVE-2015-0292", "CVE-2017-10375", "CVE-2017-10384", "CVE-2014-0107", "CVE-2017-10050", "CVE-2016-3506", "CVE-2017-10345", "CVE-2017-10303", "CVE-2017-10302", "CVE-2017-10259", "CVE-2017-10265", "CVE-2015-0290", "CVE-2017-3730", "CVE-2015-0205", "CVE-2017-10329", "CVE-2016-2179", "CVE-2017-10405", "CVE-2017-10277", "CVE-2016-6814", "CVE-2013-1900", "CVE-2015-1787", "CVE-2015-4852", "CVE-2014-0061", "CVE-2014-3569", "CVE-2017-10386", "CVE-2015-1791", "CVE-2017-10336", "CVE-2017-10335", "CVE-2016-7431", "CVE-2017-7679", "CVE-2014-0221", "CVE-2017-10331", "CVE-2017-10099"], "modified": "2018-02-15T00:00:00", "id": "ORACLE:CPUOCT2017-3236626", "href": "", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T04:13:38", "references": [], "description": "A Critical Patch Update is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security fixes. Please refer to:\n\n[Critical Patch Updates and Security Alerts](<http://www.oracle.com/technetwork/topics/security/alerts-086861.html>) for information about Oracle Security Advisories.\n\nThe January 2018 Critical Patch Update provides fixes for certain Oracle products for the Spectre (CVE-2017-5753, CVE-2017-5715) and Meltdown (CVE-2017-5754) Intel processor vulnerabilities. Please refer to this Advisory and the [Addendum to the January 2018 Critical Patch Update Advisory for Spectre and Meltdown](<https://support.oracle.com/rs?type=doc&id=2347948.1>) MOS note (Doc ID 2347948.1).\n\n**Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released fixes. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes without delay.**\n\nThis Critical Patch Update contains 238 new security fixes across the product families listed below. Please note that a MOS note summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at [ January 2018 Critical Patch Update: Executive Summary and Analysis](<https://support.oracle.com/rs?type=doc&id=2338411.1>).\n", "edition": 3, "reporter": "Oracle", "published": "2018-01-16T00:00:00", "title": "Oracle Critical Patch Update - January 2018", "type": "oracle", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "software", "affectedSoftware": [{"name": "Oracle WebLogic Server", "version": "12.2.1.2.0", "operator": "le"}, {"name": "Oracle Health Sciences Empirica Signal", "version": "8.0.1.0", "operator": "le"}, {"name": "Java SE", "version": "9.0.1", "operator": "le"}, {"name": "Oracle Retail Convenience and Fuel POS Software", "version": "2.1.132", "operator": "le"}, {"name": "Oracle Work in Process", "version": "12.1.3", "operator": "le"}, {"name": "Oracle Communications User Data Repository", "version": "10.x", "operator": "le"}, {"name": "Oracle WebCenter Portal", "version": "11.1.1.9.0", "operator": "le"}, {"name": "Oracle Access Manager", "version": "10.1.4.3.0", "operator": "le"}, {"name": "Oracle Communications Unified Inventory Management", "version": "7.3", "operator": "le"}, {"name": "Java SE, Java SE Embedded", "version": "9.0.1", "operator": "le"}, {"name": "Oracle Financial Services Asset Liability Management", "version": "8.0.x", "operator": "le"}, {"name": "Oracle Applications DBA", "version": "12.2.4", "operator": "le"}, {"name": "Oracle Agile PLM", "version": "9.3.6", "operator": "le"}, {"name": "Oracle FLEXCUBE Universal Banking", "version": "12.3.0", "operator": "le"}, {"name": "Oracle Financial Services Price Creation and Discovery", "version": "8.0.5", "operator": "le"}, {"name": "Oracle JDeveloper", "version": "12.1.3.0.0", "operator": "le"}, {"name": "Oracle WebCenter Sites", "version": "11.1.1.8.0", "operator": "le"}, {"name": "Oracle Directory Server Enterprise Edition", "version": "11.1.1.7.0", "operator": "le"}, {"name": "Oracle Communications Order and Service Management", "version": "7.2.4.2.x", "operator": "le"}, {"name": "Oracle Hospitality Guest Access", "version": "4.2.0", "operator": "le"}, {"name": "MICROS Retail XBRi Loss Prevention", "version": "10.5.0", "operator": "le"}, {"name": "Oracle Argus Safety", "version": "7.x", "operator": "le"}, {"name": "Oracle Retail Assortment Planning", "version": "16.0.1", "operator": "le"}, {"name": "Oracle User Management", "version": "12.2.6", "operator": "le"}, {"name": "MICROS Retail XBRi Loss Prevention", "version": "10.6.0", "operator": "le"}, {"name": "Java SE, Java SE Embedded, JRockit", "version": "8u152", "operator": "le"}, {"name": "Oracle HTTP Server", "version": "11.1.1.7.0", "operator": "le"}, {"name": "Oracle Retail Assortment Planning", "version": "14.1.3", "operator": "le"}, {"name": "Oracle Applications DBA", "version": "12.2.5", "operator": "le"}, {"name": "MICROS Retail XBRi Loss Prevention", "version": "10.8.0", "operator": "le"}, {"name": "Oracle Hospitality Simphony", "version": "2.9", "operator": "le"}, {"name": "PeopleSoft Enterprise HCM Human Resources", "version": "9.2", "operator": "le"}, {"name": "Oracle Application Object Library", "version": "12.2.3", "operator": "le"}, {"name": "Oracle Retail Merchandising System", "version": "16.0", "operator": "le"}, {"name": "Java VM", "version": "11.2.0.4", "operator": "le"}, {"name": "Oracle Financial Services Analytical Applications Infrastructure", "version": "8.0.x", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.3.4", "operator": "le"}, {"name": "Oracle Agile PLM MCAD Connector", "version": "3.4", "operator": "le"}, {"name": "Oracle FLEXCUBE Universal Banking", "version": "11.6.0", "operator": "le"}, {"name": "Oracle Tuxedo System and Applications Monitor", "version": "12.1.3.0.0", "operator": "le"}, {"name": "JD Edwards EnterpriseOne Tools", "version": "9.2", "operator": "le"}, {"name": "Oracle Retail Fiscal Management", "version": "14.1", "operator": "le"}, {"name": "Oracle Applications DBA", "version": "12.2.3", "operator": "le"}, {"name": "Oracle VM VirtualBox", "version": "5.2.6", "operator": "le"}, {"name": "Oracle Financial Services Market Risk Measurement and Management", "version": "8.0.5", "operator": "le"}, {"name": "Oracle Work in Process", "version": "12.2.6", "operator": "le"}, {"name": "Java SE", "version": "8u152", "operator": "le"}, {"name": "Oracle Hospitality Guest Access", "version": "4.2.1", "operator": "le"}, {"name": "Oracle Business Intelligence Enterprise Edition", "version": "12.2.1.2.0", "operator": "le"}, {"name": "Oracle Identity Manager Connector", "version": "9.0.4.20.6", "operator": "le"}, {"name": "PeopleSoft Enterprise SCM eProcurement", "version": "9.1", "operator": "le"}, {"name": "PeopleSoft Enterprise SCM eProcurement", "version": "9.2", "operator": "le"}, {"name": "Oracle JDeveloper", "version": "12.2.1.2.0", "operator": "le"}, {"name": "MICROS Handheld Terminal", "version": "02.13.0701", "operator": "le"}, {"name": "Oracle WebCenter Portal", "version": "12.2.1.3.0", "operator": "le"}, {"name": "Oracle JDeveloper", "version": "11.1.1.2.4", "operator": "le"}, {"name": "Oracle General Ledger", "version": "12.1.1", "operator": "le"}, {"name": "Oracle Business Intelligence Enterprise Edition", "version": "12.2.1.3.0", "operator": "le"}, {"name": "Oracle RDBMS", "version": "12.1.0.2", "operator": "le"}, {"name": "PeopleSoft Enterprise PeopleTools", "version": "8.55", "operator": "le"}, {"name": "Oracle Endeca Information Discovery Integrator", "version": "3.2.0", "operator": "le"}, {"name": "Oracle Financial Services Loan Loss Forecasting and Provisioning", "version": "8.0.x", "operator": "le"}, {"name": "Oracle Identity Manager", "version": "11.1.2.3.0", "operator": "le"}, {"name": "Oracle Hospitality Simphony", "version": "2.8", "operator": "le"}, {"name": "Oracle FLEXCUBE Universal Banking", "version": "11.5.0", "operator": "le"}, {"name": "Oracle WebLogic Server", "version": "10.3.6.0.0", "operator": "le"}, {"name": "Oracle Communications Convergent Charging Controller", "version": "6.0", "operator": "le"}, {"name": "Oracle FLEXCUBE Universal Banking", "version": "12.1.0", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.3.6", "operator": "le"}, {"name": "Agile Material and Equipment Management for Pharmaceuticals", "version": "9.3.4", "operator": "le"}, {"name": "PeopleSoft Enterprise SCM Purchasing", "version": "9.2", "operator": "le"}, {"name": "Primavera Unifier", "version": "16.x", "operator": "le"}, {"name": "Oracle Argus Safety", "version": "8.0.x", "operator": "le"}, {"name": "Oracle General Ledger", "version": "12.2.7", "operator": "le"}, {"name": "Oracle Communications Services Gatekeeper", "version": "6.0", "operator": "le"}, {"name": "Oracle HTTP Server", "version": "12.2.1.2.0", "operator": "le"}, {"name": "Oracle Communications Order and Service Management", "version": "7.3.0.x.x", "operator": "le"}, {"name": "Integrated Lights Out Manager (ILOM)", "version": "4.x", "operator": "le"}, {"name": "Oracle General Ledger", "version": "12.2.5", "operator": "le"}, {"name": "Oracle WebCenter Content", "version": "12.2.1.2.0", "operator": "le"}, {"name": "Oracle WebCenter Content", "version": "12.2.1.3.0", "operator": "le"}, {"name": "Siebel Engineering - Installer & Deployment", "version": "16.0", "operator": "le"}, {"name": "Oracle Secure Global Desktop (SGD)", "version": "5.3", "operator": "le"}, {"name": "Java SE, Java SE Embedded, JRockit", "version": "6u171", "operator": "le"}, {"name": "Oracle FLEXCUBE Universal Banking", "version": "11.4.0", "operator": "le"}, {"name": "PeopleSoft Enterprise PeopleTools", "version": "8.56", "operator": "le"}, {"name": "Oracle Communications Network Charging and Control", "version": "6.0", "operator": "le"}, {"name": "MySQL Server", "version": "5.7.19", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.3.5", "operator": "le"}, {"name": "Oracle User Management", "version": "12.2.4", "operator": "le"}, {"name": "Oracle Applications DBA", "version": "12.2.7", "operator": "le"}, {"name": "MySQL Connectors", "version": "5.3.9", "operator": "le"}, {"name": "Oracle FLEXCUBE Universal Banking", "version": "12.2.0", "operator": "le"}, {"name": "Oracle Mobile Security Suite", "version": "3.0.1", "operator": "le"}, {"name": "Oracle WebLogic Server", "version": "12.1.3.0.0", "operator": "le"}, {"name": "Oracle General Ledger", "version": "12.2.3", "operator": "le"}, {"name": "Oracle RDBMS", "version": "12.2.0.1", "operator": "le"}, {"name": "Oracle Retail Customer Management and Segmentation Foundation", "version": "16.0.x", "operator": "le"}, {"name": "Oracle Hospitality Cruise Fleet Management", "version": "9.0.4.0", "operator": "le"}, {"name": "Java SE, JRockit", "version": "7u161", "operator": "le"}, {"name": "PeopleSoft Enterprise PeopleTools", "version": "8.54", "operator": "le"}, {"name": "Oracle General Ledger", "version": "12.1.3", "operator": "le"}, {"name": "Oracle Financial Services Analytical Applications Reconciliation Framework", "version": "8.0.x", "operator": "le"}, {"name": "Oracle Retail Workforce Management", "version": "1.64.0", "operator": "le"}, {"name": "Java SE, Java SE Embedded", "version": "8u152", "operator": "le"}, {"name": "Oracle User Management", "version": "12.2.7", "operator": "le"}, {"name": "Oracle JDeveloper", "version": "11.1.1.7.1", "operator": "le"}, {"name": "Oracle Work in Process", "version": "12.2.4", "operator": "le"}, {"name": "Oracle X86 Servers", "version": "1.x", "operator": "le"}, {"name": "Oracle Banking Corporate Lending", "version": "12.4.0", "operator": "le"}, {"name": "Oracle Work in Process", "version": "12.2.5", "operator": "le"}, {"name": "Java SE, Java SE Embedded, JRockit", "version": "9.0.1", "operator": "le"}, {"name": "Java VM", "version": "12.1.0.2", "operator": "le"}, {"name": "Oracle Agile PLM", "version": "9.3.4", "operator": "le"}, {"name": "Oracle Financial Services Market Risk", "version": "8.0.x", "operator": "le"}, {"name": "Oracle Health Sciences Empirica Inspections", "version": "1.0.1.1", "operator": "le"}, {"name": "Oracle JDeveloper", "version": "11.1.2.4.0", "operator": "le"}, {"name": "Oracle Autovue for Agile Product Lifecycle Management", "version": "21.0.1", "operator": "le"}, {"name": "Oracle Hospitality Simphony", "version": "2.7", "operator": "le"}, {"name": "Oracle Access Manager", "version": "11.1.2.3.0", "operator": "le"}, {"name": "Oracle Internet Directory", "version": "11.1.1.9.0", "operator": "le"}, {"name": "Oracle General Ledger", "version": "12.2.4", "operator": "le"}, {"name": "WLM (Apache Tomcat)", "version": "12.2.0.1", "operator": "le"}, {"name": "Oracle FLEXCUBE Universal Banking", "version": "11.7.0", "operator": "le"}, {"name": "Oracle Hospitality Cruise Shipboard Property Management System", "version": "7.3.874", "operator": "le"}, {"name": "Oracle Work in Process", "version": "12.1.1", "operator": "le"}, {"name": "Sun ZFS Storage Appliance Kit (AK)", "version": "8.7.13", "operator": "le"}, {"name": "Oracle Application Express", "version": "5.1.4.00.08", "operator": "le"}, {"name": "Oracle JDeveloper", "version": "11.1.1.9.0", "operator": "le"}, {"name": "Solaris", "version": "10", "operator": "le"}, {"name": "Converged Commerce", "version": "16.0.1", "operator": "le"}, {"name": "MySQL Enterprise Monitor", "version": "3.3.6.3293", "operator": "le"}, {"name": "MICROS Retail XBRi Loss Prevention", "version": "10.7.0", "operator": "le"}, {"name": "MICROS Retail XBRi Loss Prevention", "version": "10.8.1", "operator": "le"}, {"name": "Oracle User Management", "version": "12.1.3", "operator": "le"}, {"name": "PeopleSoft Enterprise FIN Supply Chain Portal Pack Brazil", "version": "9.1", "operator": "le"}, {"name": "Oracle Internet Directory", "version": "12.2.1.3.0", "operator": "le"}, {"name": "Oracle Retail Workforce Management", "version": "1.60.7", "operator": "le"}, {"name": "Oracle Communications BRM - Elastic Charging Engine", "version": "7.5", "operator": "le"}, {"name": "Java SE, Java SE Embedded", "version": "6u171", "operator": "le"}, {"name": "Oracle Work in Process", "version": "12.1.2", "operator": "le"}, {"name": "OSS Support Tools", "version": "2.11.33", "operator": "le"}, {"name": "Oracle Agile Engineering Data Management", "version": "6.2.0", "operator": "le"}, {"name": "Oracle WebCenter Portal", "version": "12.2.1.2.0", "operator": "le"}, {"name": "MICROS Retail XBRi Loss Prevention", "version": "10.0.1", "operator": "le"}, {"name": "Siebel CRM Desktop", "version": "16.0", "operator": "le"}, {"name": "PeopleSoft Enterprise HCM Human Resources", "version": "9.1", "operator": "le"}, {"name": "Java SE, JRockit", "version": "6u171", "operator": "le"}, {"name": "Oracle Identity Manager Connector", "version": "9.0.4.21.0", "operator": "le"}, {"name": "Siebel CRM Desktop", "version": "17.0", "operator": "le"}, {"name": "Oracle Application Object Library", "version": "12.2.6", "operator": "le"}, {"name": "Oracle Financial Services Asset Liability Management", "version": "6.1.x", "operator": "le"}, {"name": "Oracle Agile Engineering Data Management", "version": "6.1.3", "operator": "le"}, {"name": "MySQL Connectors", "version": "6.10.4", "operator": "le"}, {"name": "Oracle User Management", "version": "12.2.3", "operator": "le"}, {"name": "Oracle Argus Safety", "version": "8.1", "operator": "le"}, {"name": "Oracle FLEXCUBE Direct Banking", "version": "12.0.3", "operator": "le"}, {"name": "Oracle Agile PLM", "version": "9.3.3", "operator": "le"}, {"name": "MySQL Server", "version": "5.6.38", "operator": "le"}, {"name": "Oracle Autovue for Agile Product Lifecycle Management", "version": "21.0.0", "operator": "le"}, {"name": "Oracle HTTP Server", "version": "11.1.1.9.0", "operator": "le"}, {"name": "Primavera Unifier", "version": "17.x", "operator": "le"}, {"name": "Oracle Communications Services Gatekeeper", "version": "5.1", "operator": "le"}, {"name": "Java SE, Java SE Embedded", "version": "7u161", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.3.3", "operator": "le"}, {"name": "Oracle FLEXCUBE Universal Banking", "version": "11.3.0", "operator": "le"}, {"name": "Oracle X86 Servers", "version": "2.x", "operator": "le"}, {"name": "Oracle Work in Process", "version": "12.2.7", "operator": "le"}, {"name": "Java ME SDK", "version": "8.3", "operator": "le"}, {"name": "Oracle FLEXCUBE Universal Banking", "version": "12.0.1", "operator": "le"}, {"name": "Oracle Application Object Library", "version": "12.2.7", "operator": "le"}, {"name": "Oracle FLEXCUBE Universal Banking", "version": "12.4.0", "operator": "le"}, {"name": "Oracle RDBMS", "version": "11.2.0.4", "operator": "le"}, {"name": "Primavera Unifier", "version": "15.x", "operator": "le"}, {"name": "Oracle Communications Application Session Controller", "version": "3.x", "operator": "le"}, {"name": "Oracle Internet Directory", "version": "11.1.1.7.0", "operator": "le"}, {"name": "Oracle Hospitality Cruise Dining Room Management", "version": "8.0.78", "operator": "le"}, {"name": "Oracle Hospitality Reporting and Analytics", "version": "8.5.1", "operator": "le"}, {"name": "Application Server", "version": "12.1.3", "operator": "le"}, {"name": "Oracle General Ledger", "version": "12.2.6", "operator": "le"}, {"name": "Oracle Financial Services Profitability Management", "version": "8.0.x", "operator": "le"}, {"name": "Oracle Agile PLM", "version": "9.3.5", "operator": "le"}, {"name": "Oracle Banking Payments", "version": "12.3.0", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.4.1", "operator": "le"}, {"name": "Oracle Communications Unified Inventory Management", "version": "7.2.4.2.x", "operator": "le"}, {"name": "MySQL Enterprise Monitor", "version": "4.0.0.5135", "operator": "le"}, {"name": "Oracle Identity Manager Connector", "version": "9.0.4.25.4", "operator": "le"}, {"name": "Agile Material and Equipment Management for Pharmaceuticals", "version": "9.3.3", "operator": "le"}, {"name": "Oracle Application Object Library", "version": "12.2.5", "operator": "le"}, {"name": "MySQL Server", "version": "5.7.20", "operator": "le"}, {"name": "Oracle VM VirtualBox", "version": "5.2.4", "operator": "le"}, {"name": "Hyperion BI+", "version": "11.1.2.4", "operator": "le"}, {"name": "Oracle Financial Services Funds Transfer Pricing", "version": "6.1.x", "operator": "le"}, {"name": "Oracle Agile PLM MCAD Connector", "version": "3.3", "operator": "le"}, {"name": "Oracle Financial Services Hedge Management and IFRS Valuations", "version": "8.0.x", "operator": "le"}, {"name": "Oracle Business Intelligence Enterprise Edition", "version": "11.1.1.9.0", "operator": "le"}, {"name": "Oracle General Ledger", "version": "12.1.2", "operator": "le"}, {"name": "Oracle Endeca Information Discovery Integrator", "version": "3.1.0", "operator": "le"}, {"name": "Oracle JDeveloper", "version": "11.1.1.7.0", "operator": "le"}, {"name": "Oracle Hyperion Planning", "version": "11.1.2.4.007", "operator": "le"}, {"name": "MySQL Enterprise Monitor", "version": "3.4.4.4226", "operator": "le"}, {"name": "Integrated Lights Out Manager (ILOM)", "version": "3.x", "operator": "le"}, {"name": "Oracle Hospitality Labor Management", "version": "8.5.1", "operator": "le"}, {"name": "Siebel Engineering - Installer & Deployment", "version": "17.0", "operator": "le"}, {"name": "Oracle Banking Payments", "version": "12.4.0", "operator": "le"}, {"name": "Oracle Communications User Data Repository", "version": "12.x", "operator": "le"}, {"name": "Oracle Financial Services Analytical Applications Infrastructure", "version": "7.3.5.x", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.3.1", "operator": "le"}, {"name": "Java SE", "version": "7u161", "operator": "le"}, {"name": "Oracle Retail Assortment Planning", "version": "15.0.3", "operator": "le"}, {"name": "Oracle Business Intelligence Enterprise Edition", "version": "11.1.1.7.0", "operator": "le"}, {"name": "Oracle FLEXCUBE Universal Banking", "version": "12.0.2", "operator": "le"}, {"name": "Oracle Communications Order and Service Management", "version": "7.2.4.1.x", "operator": "le"}, {"name": "Oracle Banking Corporate Lending", "version": "12.3.0", "operator": "le"}, {"name": "Oracle Application Object Library", "version": "12.1.3", "operator": "le"}, {"name": "Java VM", "version": "12.2.0.1", "operator": "le"}, {"name": "Oracle Financial Services Liquidity Risk Management", "version": "8.0.x", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.4.2", "operator": "le"}, {"name": "Oracle Agile PLM MCAD Connector", "version": "3.6", "operator": "le"}, {"name": "Primavera Unifier", "version": "10.x", "operator": "le"}, {"name": "Oracle iPlanet Web Server", "version": "7.0", "operator": "le"}, {"name": "MySQL Server", "version": "5.5.58", "operator": "le"}, {"name": "Java Advanced Management Console", "version": "2.8", "operator": "le"}, {"name": "PeopleSoft Enterprise FSCM", "version": "9.2", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.4.3", "operator": "le"}, {"name": "Oracle Financial Services Balance Sheet Planning", "version": "8.0.x", "operator": "le"}, {"name": "Oracle FLEXCUBE Universal Banking", "version": "12.0.3", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.3.7", "operator": "le"}, {"name": "Oracle User Management", "version": "12.2.5", "operator": "le"}, {"name": "Oracle Applications DBA", "version": "12.2.6", "operator": "le"}, {"name": "Oracle Financial Services Profitability Management", "version": "6.1.x", "operator": "le"}, {"name": "MySQL Connectors", "version": "6.9.9", "operator": "le"}, {"name": "Oracle Applications DBA", "version": "12.1.3", "operator": "le"}, {"name": "Java SE, Java SE Embedded, JRockit", "version": "7u161", "operator": "le"}, {"name": "Oracle Communications Order and Service Management", "version": "7.3.0.1.x", "operator": "le"}, {"name": "PeopleSoft Enterprise PRTL Interaction Hub", "version": "9.1.00", "operator": "le"}, {"name": "Hyperion Data Relationship Management", "version": "11.1.2.4.330", "operator": "le"}, {"name": "Oracle VM VirtualBox", "version": "5.1.32", "operator": "le"}, {"name": "Oracle Hospitality Labor Management", "version": "9.0.0", "operator": "le"}, {"name": "MICROS Relate CRM Software", "version": "10.8.x", "operator": "le"}, {"name": "Oracle HTTP Server", "version": "12.1.3.0.0", "operator": "le"}, {"name": "Oracle FLEXCUBE Direct Banking", "version": "12.0.2", "operator": "le"}, {"name": "MICROS Relate CRM Software", "version": "11.4.x", "operator": "le"}, {"name": "Oracle Agile PLM MCAD Connector", "version": "3.5", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.2.11", "operator": "le"}, {"name": "Oracle Work in Process", "version": "12.2.3", "operator": "le"}, {"name": "Oracle WebCenter Content", "version": "11.1.1.9.0", "operator": "le"}, {"name": "Oracle Application Object Library", "version": "12.2.4", "operator": "le"}, {"name": "Solaris", "version": "11.3", "operator": "le"}, {"name": "Oracle WebLogic Server", "version": "12.2.1.3.0", "operator": "le"}, {"name": "Oracle Financial Services Funds Transfer Pricing", "version": "8.0.x", "operator": "le"}, {"name": "Oracle Agile Engineering Data Management", "version": "6.2.1", "operator": "le"}, {"name": "Oracle Hospitality Reporting and Analytics", "version": "9.0.0", "operator": "le"}, {"name": "PeopleSoft Enterprise FIN Supply Chain Portal Pack Argentina", "version": "9.1", "operator": "le"}, {"name": "Oracle HTTP Server", "version": "12.2.1.3.0", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.3.2", "operator": "le"}], "cvelist": ["CVE-2018-2654", "CVE-2018-2731", "CVE-2018-2691", "CVE-2018-2617", "CVE-2018-2618", "CVE-2018-2722", "CVE-2016-2518", "CVE-2018-2687", "CVE-2018-2653", "CVE-2018-2723", "CVE-2017-9798", "CVE-2018-2679", "CVE-2018-2560", "CVE-2018-2659", "CVE-2018-2565", "CVE-2018-2626", "CVE-2017-5753", "CVE-2018-2561", "CVE-2017-5754", "CVE-2018-2583", "CVE-2018-2661", "CVE-2018-2589", "CVE-2016-5385", "CVE-2018-2656", "CVE-2018-2620", "CVE-2018-2623", "CVE-2017-13079", "CVE-2018-2566", "CVE-2018-2625", "CVE-2018-2650", "CVE-2017-13080", "CVE-2016-6306", "CVE-2018-2733", "CVE-2018-2582", "CVE-2016-2183", "CVE-2018-2717", "CVE-2018-2681", "CVE-2018-2728", "CVE-2018-2708", "CVE-2018-2663", "CVE-2018-2606", "CVE-2018-2709", "CVE-2016-7977", "CVE-2016-2178", "CVE-2018-2672", "CVE-2018-2646", "CVE-2018-2578", "CVE-2016-9878", "CVE-2017-3735", "CVE-2017-10273", "CVE-2015-3195", "CVE-2018-2567", "CVE-2017-0781", "CVE-2018-2586", "CVE-2018-2624", "CVE-2018-2632", "CVE-2018-2570", "CVE-2018-2669", "CVE-2018-2707", "CVE-2018-2635", "CVE-2018-2716", "CVE-2016-6302", "CVE-2018-2633", "CVE-2017-13082", "CVE-2018-2644", "CVE-2018-2696", "CVE-2018-2562", "CVE-2018-2724", "CVE-2016-2177", "CVE-2018-2639", "CVE-2014-9402", "CVE-2018-2698", "CVE-2018-2726", "CVE-2018-2638", "CVE-2016-0635", "CVE-2016-2105", "CVE-2018-2693", "CVE-2018-2590", "CVE-2018-2732", "CVE-2018-2636", "CVE-2016-2107", "CVE-2016-7055", "CVE-2018-2727", "CVE-2018-2637", "CVE-2018-2649", "CVE-2015-7501", "CVE-2018-2706", "CVE-2018-2673", "CVE-2018-2677", "CVE-2015-3253", "CVE-2018-2605", "CVE-2017-3731", "CVE-2018-2703", "CVE-2018-2721", "CVE-2017-0785", "CVE-2017-3737", "CVE-2018-2692", "CVE-2018-2571", "CVE-2018-2607", "CVE-2017-9072", "CVE-2018-2690", "CVE-2018-2725", "CVE-2018-2609", "CVE-2018-2630", "CVE-2016-1182", "CVE-2018-2711", "CVE-2017-10301", "CVE-2018-2710", "CVE-2018-2604", "CVE-2018-2612", "CVE-2018-2600", "CVE-2017-13078", "CVE-2018-2664", "CVE-2016-2180", "CVE-2018-2676", "CVE-2015-2808", "CVE-2018-2619", "CVE-2018-2574", "CVE-2018-2581", "CVE-2018-2603", "CVE-2018-2682", "CVE-2017-5715", "CVE-2016-2109", "CVE-2018-2701", "CVE-2016-2181", "CVE-2018-2593", "CVE-2016-6304", "CVE-2016-4449", "CVE-2017-0783", "CVE-2014-0114", "CVE-2017-3732", "CVE-2018-2599", "CVE-2018-2643", "CVE-2018-2666", "CVE-2018-2688", "CVE-2015-0293", "CVE-2018-2662", "CVE-2018-2601", "CVE-2018-2667", "CVE-2018-2668", "CVE-2018-2729", "CVE-2017-10352", "CVE-2016-2550", "CVE-2018-2564", "CVE-2018-2610", "CVE-2018-2660", "CVE-2018-2577", "CVE-2018-2569", "CVE-2018-2658", "CVE-2016-7052", "CVE-2018-2640", "CVE-2018-2613", "CVE-2018-2596", "CVE-2018-2705", "CVE-2017-10282", "CVE-2007-6750", "CVE-2018-2714", "CVE-2018-2674", "CVE-2018-2730", "CVE-2018-2647", "CVE-2018-2584", "CVE-2018-2641", "CVE-2014-7817", "CVE-2017-5664", "CVE-2018-2629", "CVE-2018-2585", "CVE-2016-0800", "CVE-2018-2615", "CVE-2018-2685", "CVE-2018-2699", "CVE-2018-2597", "CVE-2018-2616", "CVE-2018-2697", "CVE-2016-1181", "CVE-2018-2621", "CVE-2018-2627", "CVE-2018-2720", "CVE-2017-10262", "CVE-2018-2588", "CVE-2013-2566", "CVE-2016-8735", "CVE-2018-2648", "CVE-2018-2594", "CVE-2017-3738", "CVE-2018-2634", "CVE-2018-2602", "CVE-2016-0704", "CVE-2016-6303", "CVE-2018-2670", "CVE-2016-5387", "CVE-2018-2591", "CVE-2017-13081", "CVE-2018-2645", "CVE-2018-2655", "CVE-2017-5645", "CVE-2016-2182", "CVE-2018-2651", "CVE-2018-2608", "CVE-2018-2592", "CVE-2018-2712", "CVE-2018-2665", "CVE-2018-2652", "CVE-2017-12617", "CVE-2018-2657", "CVE-2016-0703", "CVE-2018-2700", "CVE-2015-1472", "CVE-2017-5461", "CVE-2018-2675", "CVE-2018-2671", "CVE-2018-2575", "CVE-2018-2684", "CVE-2015-7940", "CVE-2018-2580", "CVE-2017-3736", "CVE-2018-2704", "CVE-2018-2642", "CVE-2017-13077", "CVE-2018-2702", "CVE-2018-2713", "CVE-2018-2678", "CVE-2018-2622", "CVE-2018-2573", "CVE-2018-2715", "CVE-2018-2595", "CVE-2018-2579", "CVE-2016-2179", "CVE-2017-10068", "CVE-2018-2568", "CVE-2016-2106", "CVE-2018-2576", "CVE-2016-6814", "CVE-2015-7547", "CVE-2018-2614", "CVE-2018-2686", "CVE-2018-2631", "CVE-2015-4852", "CVE-2018-2694", "CVE-2018-2689", "CVE-2018-2719", "CVE-2017-0782", "CVE-2018-2611", "CVE-2018-2683", "CVE-2018-2680", "CVE-2018-2695"], "modified": "2018-03-20T00:00:00", "id": "ORACLE:CPUJAN2018-3236628", "href": "", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T04:13:48", "references": [], "description": "A Critical Patch Update (CPU) is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security fixes. Please refer to:\n\n[Critical Patch Updates and Security Alerts](<http://www.oracle.com/technetwork/topics/security/alerts-086861.html>) for information about Oracle Security Advisories\n\n**Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released fixes. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore _strongly_ recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes _without_ delay.**\n\nThis Critical Patch Update contains 270 new security fixes across the product families listed below. Please note that a blog entry summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at <https://blogs.oracle.com/security>.\n\nPlease note that the vulnerabilities in this Critical Patch Update are scored using version 3.0 of Common Vulnerability Scoring Standard (CVSS).\n\nThis Critical Patch Update advisory is also available in an XML format that conforms to the Common Vulnerability Reporting Format (CVRF) version 1.1. More information about Oracle's use of CVRF is available [here](<http://www.oracle.com/technetwork/topics/security/cpufaq-098434.html#CVRF>).\n", "edition": 3, "reporter": "Oracle", "published": "2017-01-17T00:00:00", "title": "Oracle Critical Patch Update - January 2017", "type": "oracle", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "software", "affectedSoftware": [{"name": "Oracle Service Fulfillment Manager", "version": "12.2.4", "operator": "le"}, {"name": "Oracle Service Fulfillment Manager", "version": "12.2.5", "operator": "le"}, {"name": "Oracle Customer Interaction History", "version": "12.1.3", "operator": "le"}, {"name": "Enterprise Manager Ops Center", "version": "12.2.2", "operator": "le"}, {"name": "Oracle Common Applications", "version": "12.1.2", "operator": "le"}, {"name": "Oracle Retail Price Management", "version": "13.2", "operator": "le"}, {"name": "OJVM", "version": "12.1.0.2", "operator": "le"}, {"name": "Oracle Retail Order Broker", "version": "16.0", "operator": "le"}, {"name": "Java SE", "version": "8u112", "operator": "le"}, {"name": "Oracle Applications DBA", "version": "12.2.4", "operator": "le"}, {"name": "Oracle FLEXCUBE Direct Banking", "version": "12.0.0", "operator": "le"}, {"name": "Oracle JDeveloper", "version": "12.1.3.0.0", "operator": "le"}, {"name": "Oracle Interaction Blending", "version": "12.1.1", "operator": "le"}, {"name": "Oracle VM Server for Sparc", "version": "3.2", "operator": "le"}, {"name": "Oracle Tuxedo", "version": "12.1.1", "operator": "le"}, {"name": "Oracle Communications Indexing and Search Service", "version": "1.0.5.28.0", "operator": "le"}, {"name": "Oracle Retail Allocation", "version": "13.1", "operator": "le"}, {"name": "Oracle Email Center", "version": "12.1.3", "operator": "le"}, {"name": "Oracle XML Gateway", "version": "12.2.6", "operator": "le"}, {"name": "Oracle XML Gateway", "version": "12.2.3", "operator": "le"}, {"name": "Java SE, Java SE Embedded", "version": "6u131", "operator": "le"}, {"name": "Oracle FLEXCUBE Enterprise Limits and Collateral Management", "version": "12.0.2", "operator": "le"}, {"name": "Oracle Applications DBA", "version": "12.2.5", "operator": "le"}, {"name": "MySQL Server", "version": "5.5.53", "operator": "le"}, {"name": "Oracle Retail Allocation", "version": "14.1", "operator": "le"}, {"name": "Oracle Service Fulfillment Manager", "version": "12.2.6", "operator": "le"}, {"name": "Oracle Common Applications", "version": "12.2.3", "operator": "le"}, {"name": "Enterprise Manager Base Platform", "version": "13.1", "operator": "le"}, {"name": "Oracle Marketing", "version": "12.1.1", "operator": "le"}, {"name": "Oracle Leads Management", "version": "12.1.3", "operator": "le"}, {"name": "Oracle Application Object Library", "version": "12.2.3", "operator": "le"}, {"name": "Oracle XML Gateway", "version": "12.1.3", "operator": "le"}, {"name": "MICROS Lucas", "version": "2.9.1", "operator": "le"}, {"name": "Oracle Marketing", "version": "12.2.4", "operator": "le"}, {"name": "MySQL Cluster", "version": "7.4.12", "operator": "le"}, {"name": "Oracle Installed Base", "version": "12.1.3", "operator": "le"}, {"name": "Oracle Advanced Outbound Telephony", "version": "12.2.6", "operator": "le"}, {"name": "Oracle Marketing", "version": "12.2.6", "operator": "le"}, {"name": "Oracle XML Gateway", "version": "12.1.1", "operator": "le"}, {"name": "Oracle Outside In Technology", "version": "8.5.2", "operator": "le"}, {"name": "Application Testing Suite", "version": "12.4.0.2", "operator": "le"}, {"name": "Oracle FLEXCUBE Private Banking", "version": "12.0.1", "operator": "le"}, {"name": "Primavera P6 Enterprise Project Portfolio Management", "version": "15.2", "operator": "le"}, {"name": "JD Edwards EnterpriseOne Tools", "version": "9.2", "operator": "le"}, {"name": "Oracle GlassFish Server", "version": "2.1.1", "operator": "le"}, {"name": "Oracle Applications DBA", "version": "12.2.3", "operator": "le"}, {"name": "Oracle Communications Network Charging and Control", "version": "5.0.2.0", "operator": "le"}, {"name": "Oracle CRM Technical Foundation", "version": "12.1.3", "operator": "le"}, {"name": "Oracle Interaction Blending", "version": "12.2.4", "operator": "le"}, {"name": "Oracle Applications Manager", "version": "12.2.4", "operator": "le"}, {"name": "Oracle Retail Allocation", "version": "13.2", "operator": "le"}, {"name": "Oracle JDeveloper", "version": "12.2.1.2.0", "operator": "le"}, {"name": "MySQL Cluster", "version": "7.3.14", "operator": "le"}, {"name": "Oracle Customer Intelligence", "version": "12.1.3", "operator": "le"}, {"name": "Oracle Retail Order Broker", "version": "15.0", "operator": "le"}, {"name": "PeopleSoft Enterprise PeopleTools", "version": "8.55", "operator": "le"}, {"name": "Oracle Common Applications", "version": "12.2.6", "operator": "le"}, {"name": "Oracle Knowledge Management", "version": "12.1.1", "operator": "le"}, {"name": "MySQL Cluster", "version": "7.3.8", "operator": "le"}, {"name": "Oracle FLEXCUBE Investor Servicing", "version": "12.0.4", "operator": "le"}, {"name": "Oracle Retail Order Broker", "version": "4.1", "operator": "le"}, {"name": "PeopleSoft Enterprise HCM ePerformance", "version": "9.2", "operator": "le"}, {"name": "MICROS Lucas", "version": "2.9.2", "operator": "le"}, {"name": "Oracle iStore", "version": "12.2.4", "operator": "le"}, {"name": "Oracle FLEXCUBE Universal Banking", "version": "12.1.0", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.2", "operator": "le"}, {"name": "Oracle Partner Management", "version": "12.2.5", "operator": "le"}, {"name": "Oracle Partner Management", "version": "12.1.3", "operator": "le"}, {"name": "MySQL Cluster", "version": "7.2.19", "operator": "le"}, {"name": "Oracle Retail Predictive Application Server", "version": "13.2", "operator": "le"}, {"name": "MySQL Enterprise Monitor", "version": "3.2.1.1049", "operator": "le"}, {"name": "Oracle Retail Allocation", "version": "12.0", "operator": "le"}, {"name": "MySQL Enterprise Monitor", "version": "3.1.3.7856", "operator": "le"}, {"name": "Oracle Interaction Blending", "version": "12.1.2", "operator": "le"}, {"name": "Oracle Retail Order Broker", "version": "5.1", "operator": "le"}, {"name": "Primavera P6 Enterprise Project Portfolio Management", "version": "8.3", "operator": "le"}, {"name": "Oracle FLEXCUBE Investor Servicing", "version": "12.3.0", "operator": "le"}, {"name": "Oracle FLEXCUBE Investor Servicing", "version": "12.1.0", "operator": "le"}, {"name": "Oracle Retail Predictive Application Server", "version": "13.1", "operator": "le"}, {"name": "Oracle Retail Predictive Application Server", "version": "13.4", "operator": "le"}, {"name": "Oracle Email Center", "version": "12.2.3", "operator": "le"}, {"name": "Oracle Email Center", "version": "12.1.1", "operator": "le"}, {"name": "Oracle FLEXCUBE Universal Banking", "version": "11.4.0", "operator": "le"}, {"name": "Oracle XML Gateway", "version": "12.1.2", "operator": "le"}, {"name": "Oracle WebLogic Server", "version": "12.2.1.0", "operator": "le"}, {"name": "Oracle Communications Network Charging and Control", "version": "5.0.0.2", "operator": "le"}, {"name": "Application Testing Suite", "version": "12.5.0.3", "operator": "le"}, {"name": "MICROS Lucas", "version": "2.9.4", "operator": "le"}, {"name": "Oracle Email Center", "version": "12.2.6", "operator": "le"}, {"name": "MySQL Enterprise Monitor", "version": "3.2.4.1102", "operator": "le"}, {"name": "Oracle Retail Predictive Application Server", "version": "14.0", "operator": "le"}, {"name": "MICROS Lucas", "version": "2.9.3", "operator": "le"}, {"name": "Oracle iSupport", "version": "12.1.2", "operator": "le"}, {"name": "Oracle iStore", "version": "12.1.3", "operator": "le"}, {"name": "Oracle iStore", "version": "12.2.3", "operator": "le"}, {"name": "Oracle Transportation Management", "version": "6.1", "operator": "le"}, {"name": "Oracle FLEXCUBE Universal Banking", "version": "12.2.0", "operator": "le"}, {"name": "Oracle WebLogic Server", "version": "12.1.3.0", "operator": "le"}, {"name": "Oracle Universal Work Queue", "version": "12.2.4", "operator": "le"}, {"name": "Oracle One-to-One Fulfillment", "version": "12.2.3", "operator": "le"}, {"name": "Oracle One-to-One Fulfillment", "version": "12.2.5", "operator": "le"}, {"name": "Enterprise Manager Base Platform", "version": "13.2", "operator": "le"}, {"name": "Oracle Service Fulfillment Manager", "version": "12.1.3", "operator": "le"}, {"name": "PeopleSoft Enterprise PeopleTools", "version": "8.54", "operator": "le"}, {"name": "MySQL Enterprise Monitor", "version": "3.3.0.1098", "operator": "le"}, {"name": "Java SE, Java SE Embedded, JRockit", "version": "8u112", "operator": "le"}, {"name": "Oracle Commerce Platform", "version": "11.2.0.2", "operator": "le"}, {"name": "MySQL Enterprise Monitor", "version": "3.1.5.7958", "operator": "le"}, {"name": "Oracle Retail Allocation", "version": "14.0", "operator": "le"}, {"name": "Oracle FLEXCUBE Enterprise Limits and Collateral Management", "version": "12.0.0", "operator": "le"}, {"name": "Oracle Communications Network Charging and Control", "version": "5.0.0.1", "operator": "le"}, {"name": "Oracle Service Fulfillment Manager", "version": "12.2.3", "operator": "le"}, {"name": "Oracle Partner Management", "version": "12.2.6", "operator": "le"}, {"name": "Siebel UI Framework", "version": "16.1", "operator": "le"}, {"name": "Oracle Partner Management", "version": "12.1.2", "operator": "le"}, {"name": "Oracle Advanced Outbound Telephony", "version": "12.1.2", "operator": "le"}, {"name": "Oracle JDeveloper", "version": "11.1.2.4.0", "operator": "le"}, {"name": "Primavera P6 Enterprise Project Portfolio Management", "version": "8.4", "operator": "le"}, {"name": "Oracle Universal Work Queue", "version": "12.2.5", "operator": "le"}, {"name": "Primavera P6 Enterprise Project Portfolio Management", "version": "15.1", "operator": "le"}, {"name": "Oracle Retail Price Management", "version": "13.1", "operator": "le"}, {"name": "Oracle FLEXCUBE Private Banking", "version": "2.2.0", "operator": "le"}, {"name": "Oracle FLEXCUBE Core Banking", "version": "5.1.0", "operator": "le"}, {"name": "PHP", "version": "12.1.0.3", "operator": "le"}, {"name": "Oracle Applications Manager", "version": "12.1.3", "operator": "le"}, {"name": "Oracle Partner Management", "version": "12.1.1", "operator": "le"}, {"name": "Oracle JDeveloper", "version": "11.1.1.9.0", "operator": "le"}, {"name": "Java SE", "version": "6u131", "operator": "le"}, {"name": "Oracle FLEXCUBE Core Banking", "version": "11.5.0", "operator": "le"}, {"name": "Oracle FLEXCUBE Private Banking", "version": "2.0.1", "operator": "le"}, {"name": "Application Testing Suite", "version": "12.5.0.2", "operator": "le"}, {"name": "Oracle FLEXCUBE Investor Servicing", "version": "12.0.1", "operator": "le"}, {"name": "Enterprise Manager Ops Center", "version": "12.1.4", "operator": "le"}, {"name": "Oracle Retail Assortment Planning", "version": "14.1", "operator": "