Symantec Security Response - SMNTC-1363
Published: May 09, 2016 - 8:00 a.m.

SA123 : OpenSSL Vulnerabilities 3-May-2016

Symantec Security Response

CVSS3: 9.8 High
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: HIGH
  Availability Impact: HIGH
  Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS2: 10 High
  Access Vector: NETWORK
  Access Complexity: LOW
  Authentication: NONE
  Confidentiality Impact: COMPLETE
  Integrity Impact: COMPLETE
  Availability Impact: COMPLETE
  Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

SUMMARY

Blue Coat products using affected versions of OpenSSL are susceptible to multiple vulnerabilities. A remote attacker can exploit these vulnerabilities to intercept and decrypt TLS sessions, obtain arbitrary data from the target’s memory stack, or execute arbitrary code through buffer underflow and overflow. The attacker can also cause denial of service through memory corruption and depletion.

AFFECTED PRODUCTS

The following products are vulnerable:

Advanced Secure Gateway (ASG)

CVE | Affected Version(s) | Remediation
CVE-2016-2105, CVE-2016-2106, CVE-2016-2107, CVE-2016-2108, CVE-2016-2109 | 6.7 and later | Not vulnerable, fixed in 6.7.2.1
CVE-2016-2105, CVE-2016-2106, CVE-2016-2107, CVE-2016-2108, CVE-2016-2109 | 6.6 | Upgrade to 6.6.5.1.

Android Mobile Agent

CVE | Affected Version(s) | Remediation
CVE-2016-2105, CVE-2016-2106, CVE-2016-2107, CVE-2016-2108, CVE-2016-2109 | 1.3 | Upgrade to 1.3.8.

BCAAA

CVE | Affected Version(s) | Remediation
CVE-2016-2105, CVE-2016-2106, CVE-2016-2107, CVE-2016-2108, CVE-2016-2109, CVE-2016-2176 | 6.1 (only when a Novell SSO realm is used) | An updated Novell SSO SDK is no longer available. Please contact Novell for more information.

CacheFlow

CVE | Affected Version(s) | Remediation
CVE-2016-2108, CVE-2016-2109 | 3.4 | Upgrade to 3.4.2.7.

Client Connector

CVE | Affected Version(s) | Remediation
CVE-2016-2105, CVE-2016-2106, CVE-2016-2107, CVE-2016-2108, CVE-2016-2109 | 1.6 | Upgrade to latest release of Unified Agent with fixes.

Content Analysis System (CAS)

CVE | Affected Version(s) | Remediation
CVE-2016-2105, CVE-2016-2106, CVE-2016-2107, CVE-2016-2108, CVE-2016-2109 | 2.1 and later | Not vulnerable, fixed in 2.1.1.1
CVE-2016-2105, CVE-2016-2106, CVE-2016-2107, CVE-2016-2108, CVE-2016-2109 | 1.3 | Upgrade to 1.3.7.1.
CVE-2016-2105, CVE-2016-2106, CVE-2016-2107, CVE-2016-2108, CVE-2016-2109 | 1.2 | Upgrade to later release with fixes.

Director

CVE | Affected Version(s) | Remediation
CVE-2016-2105, CVE-2016-2106, CVE-2016-2108, CVE-2016-2109, CVE-2016-2176 | 6.1 | Upgrade to 6.1.23.1.

Mail Threat Defense (MTD)

CVE | Affected Version(s) | Remediation
CVE-2016-2105, CVE-2016-2106, CVE-2016-2107, CVE-2016-2108, CVE-2016-2109 | 1.1 | Not available at this time

Malware Analysis Appliance (MAA)

CVE | Affected Version(s) | Remediation
CVE-2016-2105, CVE-2016-2107, CVE-2016-2108 | 4.2 | Upgrade to 4.2.11.

Management Center (MC)

CVE | Affected Version(s) | Remediation
CVE-2016-2105, CVE-2016-2106, CVE-2016-2108, CVE-2016-2109 | 1.6 and later | Not vulnerable, fixed in 1.6.1.1
CVE-2016-2105, CVE-2016-2106, CVE-2016-2108, CVE-2016-2109 | 1.5 | Upgrade to later release with fixes.

Norman Shark Industrial Control System Protection (ICSP)

CVE | Affected Version(s) | Remediation
CVE-2016-2105, CVE-2016-2106, CVE-2016-2107 (only on certain hardware platforms), CVE-2016-2108, CVE-2016-2109 | 5.4 and later | Not vulnerable, fixed in 5.4.1
CVE-2016-2105, CVE-2016-2106, CVE-2016-2107 (only on certain hardware platforms), CVE-2016-2108, CVE-2016-2109 | 5.3 | Upgrade to 5.3.6.

Norman Shark Network Protection (NNP)

CVE | Affected Version(s) | Remediation
CVE-2016-2105, CVE-2016-2106, CVE-2016-2107 (only on certain hardware platforms), CVE-2016-2108, CVE-2016-2109 | 5.3 | Upgrade to 5.3.6.

Norman Shark SCADA Protection (NSP)

CVE | Affected Version(s) | Remediation
CVE-2016-2105, CVE-2016-2106, CVE-2016-2107 (only on certain hardware platforms), CVE-2016-2108, CVE-2016-2109 | 5.3 | Upgrade to 5.3.6.

PacketShaper (PS)

CVE | Affected Version(s) | Remediation
CVE-2016-2106, CVE-2016-2109 | 9.2 | Upgrade to 9.2.13p2.
CVE-2016-2108 | 9.2 | Upgrade to 9.2.13p1.

PacketShaper (PS) S-Series

CVE | Affected Version(s) | Remediation
CVE-2016-2106, CVE-2016-2107, CVE-2016-2108 | 11.6 and later | Not vulnerable, fixed in 11.6.1.1
CVE-2016-2106, CVE-2016-2107, CVE-2016-2108 | 11.5 | Upgrade to 11.5.3.2.
CVE-2016-2106, CVE-2016-2107, CVE-2016-2108 | 11.2, 11.3, 11.4 | Upgrade to later release with fixes.

PolicyCenter (PC)

CVE | Affected Version(s) | Remediation
CVE-2016-2106, CVE-2016-2109 | 9.2 | Upgrade to 9.2.13p2.
CVE-2016-2108 | 9.2 | Upgrade to 9.2.13p1.

PolicyCenter (PC) S-Series

CVE | Affected Version(s) | Remediation
CVE-2016-2106, CVE-2016-2107, CVE-2016-2108 | 1.1 | Upgrade to 1.1.2.2.

ProxyAV

CVE | Affected Version(s) | Remediation
CVE-2016-2105, CVE-2016-2106, CVE-2016-2108, CVE-2016-2109, CVE-2016-2176 | 3.5 | Upgrade to 3.5.4.2.

ProxyClient

CVE | Affected Version(s) | Remediation
CVE-2016-2105, CVE-2016-2106, CVE-2016-2107, CVE-2016-2108, CVE-2016-2109 | 3.4 | Upgrade to latest release of Unified Agent with fixes.

ProxySG

CVE | Affected Version(s) | Remediation
CVE-2016-2107 (only on certain hardware platforms), CVE-2016-2108, CVE-2016-2109 | 6.7 and later | Not vulnerable, fixed in 6.7.1.1.
CVE-2016-2107 (only on certain hardware platforms), CVE-2016-2108, CVE-2016-2109 | 6.6 | Upgrade to 6.6.4.1.
CVE-2016-2107 (only on certain hardware platforms), CVE-2016-2108, CVE-2016-2109 | 6.5 | Upgrade to 6.5.9.8.

Reporter

CVE | Affected Version(s) | Remediation
CVE-2016-2105, CVE-2016-2106, CVE-2016-2107, CVE-2016-2108, CVE-2016-2109 | 10.2 and later | Not vulnerable, fixed in 10.2.1.1
CVE-2016-2105, CVE-2016-2106, CVE-2016-2107, CVE-2016-2108, CVE-2016-2109 | 10.1 | Upgrade to 10.1.4.2.
CVE-2016-2105, CVE-2016-2106, CVE-2016-2107, CVE-2016-2108, CVE-2016-2109 | 9.5 | Upgrade to 9.5.4.1.
CVE-2016-2105, CVE-2016-2106, CVE-2016-2108, CVE-2016-2109 | 9.4 | Upgrade to later release with fixes.

Security Analytics

CVE | Affected Version(s) | Remediation
All CVEs except CVE-2016-2176 | 7.2 and later | Not vulnerable, fixed in 7.2.1
CVE-2016-2105, CVE-2016-2106, CVE-2016-2108, CVE-2016-2109 | 7.1 | Apply RPM patch from customer support.
CVE-2016-2105, CVE-2016-2106, CVE-2016-2108, CVE-2016-2109 | 7.0 | Not available at this time
CVE-2016-2105, CVE-2016-2106, CVE-2016-2108, CVE-2016-2109 | 6.6 | Apply RPM patch from customer support.
CVE-2016-2107 | 7.1 | Apply RPM patch from customer support.
CVE-2016-2107 | 6.6 | Apply RPM patch from customer support.

SSL Visibility (SSLV)

CVE | Affected Version(s) | Remediation
CVE-2016-2105, CVE-2016-2106, CVE-2016-2107 (only on certain hardware platforms), CVE-2016-2108, CVE-2016-2109 | 3.10 and later | Not vulnerable, fixed in 3.10.1.1
CVE-2016-2105, CVE-2016-2106, CVE-2016-2107 (only on certain hardware platforms), CVE-2016-2108, CVE-2016-2109 | 3.9 | Upgrade to 3.9.3.6.
CVE-2016-2105, CVE-2016-2106, CVE-2016-2107 (only on certain hardware platforms), CVE-2016-2108, CVE-2016-2109 | 3.8.4FC | Upgrade to 3.8.4FC-55.
CVE-2016-2105, CVE-2016-2106, CVE-2016-2107 (only on certain hardware platforms), CVE-2016-2108, CVE-2016-2109 | 3.8 | Upgrade to later release with fixes.

Unified Agent

CVE | Affected Version(s) | Remediation
All CVEs except CVE-2016-2176 | 4.7 and later | Not vulnerable, fixed in 4.7.1
CVE-2016-2105, CVE-2016-2106, CVE-2016-2107, CVE-2016-2109 | 4.6 | Upgrade to later release with fixes.
All CVEs except CVE-2016-2176 | 4.1 | Upgrade to later release with fixes.

X-Series XOS

CVE | Affected Version(s) | Remediation
CVE-2016-2105, CVE-2016-2106, CVE-2016-2107 (only on certain hardware platforms), CVE-2016-2108, CVE-2016-2109 | 11.0 | Not available at this time
CVE-2016-2105, CVE-2016-2106, CVE-2016-2107 (only on certain hardware platforms), CVE-2016-2108, CVE-2016-2109 | 10.0 | Not available at this time
CVE-2016-2105, CVE-2016-2106, CVE-2016-2107 (only on certain hardware platforms), CVE-2016-2108, CVE-2016-2109 | 9.7 | Upgrade to later release with fixes.
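
Checking an inventory against tables in this layout by hand is error-prone, so here is an added example (not part of the advisory or any Blue Coat tool) that parses the "CVE | Affected Version(s) | Remediation" tables and answers which rows, and therefore which CVEs and fixes, apply to a given product and installed version. The sample text is a constructed excerpt in the advisory's column layout; the parser also accepts the wrapped CVE cells and the two-cell version rows that inherit the CVE cell from the row above, and resolves "All CVEs except X" against the six CVEs this advisory covers.

```python
import re
# Constructed sample excerpt in the advisory's table layout: wrapped CVE cells, rowspan rows.
SAMPLE = """\
ProxySG
CVE | Affected Version(s) | Remediation
CVE-2016-2107 (only on certain hardware platforms), CVE-2016-2108,
CVE-2016-2109 | 6.7 and later | Not vulnerable, fixed in 6.7.1.1.
6.5 | Upgrade to 6.5.9.8.
Unified Agent
CVE | Affected Version(s) | Remediation
All CVEs except CVE-2016-2176 | 4.7 and later | Not vulnerable, fixed in 4.7.1
CVE-2016-2105, CVE-2016-2106,
CVE-2016-2107, CVE-2016-2109 | 4.6 | Upgrade to later release with fixes.
"""
# The six CVEs this advisory covers; "All CVEs except X" is resolved against them.
ALL_CVES = {"CVE-2016-2105", "CVE-2016-2106", "CVE-2016-2107",
            "CVE-2016-2108", "CVE-2016-2109", "CVE-2016-2176"}
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

def parse_cves(cell):
    found = set(CVE_RE.findall(cell))
    return ALL_CVES - found if cell.startswith("All CVEs except") else found

def parse_advisory(text):
    """Return {product: [(cves, version_spec, remediation), ...]}."""
    tables, product, wrapped, last_cves = {}, None, [], set()
    for line in (ln.strip() for ln in text.splitlines()):
        if not line or line.startswith("CVE |"):
            continue                      # blank line or column header
        if "|" not in line:
            if CVE_RE.search(line) or line.startswith("All CVEs"):
                wrapped.append(line)      # CVE cell wrapped onto this line
            else:
                product, tables[product] = line, []   # product heading
            continue
        cells = [c.strip() for c in line.split("|")]
        if len(cells) == 3:               # full row: CVEs | versions | fix
            last_cves = parse_cves(" ".join(wrapped + [cells[0]]))
            wrapped = []                  # 2-cell rows inherit last_cves
        tables[product].append((frozenset(last_cves), cells[-2], cells[-1]))
    return tables

def _nums(version):                       # "3.8.4FC-55" -> (3, 8, 4, 55)
    return tuple(int(n) for n in re.findall(r"\d+", version))

def version_matches(spec, installed):
    inst = _nums(installed)
    for part in (p.strip() for p in spec.split(",")):
        base = _nums(part)                # "6.7 and later" -> (6, 7); "6.6" -> (6, 6)
        if (inst >= base) if part.endswith("and later") else (inst[:len(base)] == base):
            return True
    return False

def affected(tables, product, installed):
    return [r for r in tables.get(product, []) if version_matches(r[1], installed)]
```

Feed the full AFFECTED PRODUCTS section to `parse_advisory` and call `affected(tables, "ProxySG", "6.5.9.7")` to get the matching row(s); an empty list means the version is not listed for that product, not that it is safe.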

ADDITIONAL PRODUCT INFORMATION

Blue Coat products may act as both client and server in SSL/TLS connections, and may use application functionality for cryptographic operations. Blue Coat products act as a client when connecting to Blue Coat services such as WebPulse, DRTR, and licensing and subscription services. Products should be considered vulnerable in all interfaces that provide SSL/TLS connections for data and management interfaces unless the CVE is specific to SSL/TLS client or server functionality (as noted in the descriptions above) or unless otherwise stated below:

  • CacheFlow: All CVEs affect only management connections.
  • ProxySG: CVE-2016-2109 affects only management connections.

Blue Coat products that use a native installation of OpenSSL but do not install or maintain that implementation are not vulnerable to any of these CVEs. However, the underlying platform or application that installs and maintains OpenSSL may be vulnerable. Blue Coat urges our customers to update the versions of OpenSSL that are natively installed for Client Connector for OS X, Proxy Client for OS X, and Reporter 9.x for Linux.

Some Blue Coat products do not enable or use all functionality within OpenSSL. The products listed below do not use the functionality described in the CVEs listed with them and are thus not known to be vulnerable to those CVEs. However, fixes for these CVEs will be included in the patches that are provided.

  • CacheFlow: CVE-2016-2105, CVE-2016-2106, and CVE-2016-2107
  • MAA: CVE-2016-2106 and CVE-2016-2109
  • MC: CVE-2016-2107
  • PacketShaper: CVE-2016-2105
  • PacketShaper S-Series: CVE-2016-2105 and CVE-2016-2109
  • PolicyCenter: CVE-2016-2105
  • PolicyCenter S-Series: CVE-2016-2105 and CVE-2016-2109
  • ProxyAV: CVE-2016-2107
  • ProxySG: CVE-2016-2105 and CVE-2016-2106

Some Blue Coat hardware platforms do not support the AESNI instruction set in their CPU architectures. The products and hardware platforms listed below do not support AESNI, do not use the AESNI-based AES implementation in OpenSSL, and are thus not vulnerable to CVE-2016-2107. However, a fix for this CVE will be included in the software patches that are provided.

  • ICSP: AFL2-12A-D525, customer-provided hardware platforms that do not support AESNI
  • NNP: customer-provided hardware platforms that do not support AESNI
  • NSP: customer-provided hardware platforms that do not support AESNI
  • ProxySG: SG300, SG600, SG900, SG9000
  • Security Analytics: customer-provided hardware platforms that do not support AESNI
  • SSLV: SV1800
  • XOS: APM-8650, CPM-8600, CPM-9600

The following products are not vulnerable:

  • AuthConnector
  • Blue Coat HSM Agent for the Luna SP
  • Cloud Data Protection for Salesforce
  • Cloud Data Protection for Salesforce Analytics
  • Cloud Data Protection for ServiceNow
  • Cloud Data Protection for Oracle CRM On Demand
  • Cloud Data Protection for Oracle Field Service Cloud
  • Cloud Data Protection for Oracle Sales Cloud
  • Cloud Data Protection Integration Server
  • Cloud Data Protection Communication Server
  • Cloud Data Protection Policy Builder
  • General Auth Connector Login Application
  • K9
  • ProxyAV ConLog and ConLogXP
  • Web Isolation

Information for the following products is not available. NetDialog NetX is a replacement product for IntelligenceCenter.

  • IntelligenceCenter
  • IntelligenceCenter Data Collector

Blue Coat no longer provides vulnerability information for the following products:

  • DLP: Please contact Digital Guardian technical support regarding vulnerability information for DLP.

ISSUES

CVE-2016-2105

Severity / CVSSv2 | Medium / 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
References | SecurityFocus: BID 89757 / NVD: CVE-2016-2105
Impact | Denial of service, code execution
Description | A flaw in the Base64 encoding module allows a remote attacker to supply large input data and trigger a heap overflow, resulting in denial of service and possibly arbitrary code execution.

CVE-2016-2106

Severity / CVSSv2 | Medium / 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
References | SecurityFocus: BID 89744 / NVD: CVE-2016-2106
Impact | Denial of service, code execution
Description | A flaw in the generic symmetric encryption/decryption module allows a remote attacker to supply large input data and trigger a heap overflow, resulting in denial of service and possibly arbitrary code execution.

CVE-2016-2107

Severity / CVSSv2 | Low / 2.6 (AV:N/AC:H/Au:N/C:P/I:N/A:N)
References | SecurityFocus: BID 89760 / NVD: CVE-2016-2107
Impact | Information disclosure
Description | A flaw introduced as part of the fix for CVE-2013-0169 (Lucky13) allows a remote man-in-the-middle (MITM) attacker to perform a padding oracle attack and decrypt intercepted TLS traffic when the TLS sessions use AES CBC cipher suites and the server supports AESNI. The CVSS v2 score for CVE-2016-2107 listed in this Security Advisory is published by the National Vulnerability Database (NVD). The effective CVSS v2 score may be higher for Blue Coat products if the decrypted plaintext contains cookie or password information.

CVE-2016-2108

Severity / CVSSv2 | High / 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
References | SecurityFocus: BID 89752 / NVD: CVE-2016-2108
Impact | Denial of service, code execution
Description | A flaw in the ASN.1 encoder allows a remote attacker to send a crafted X.509 certificate and trigger a buffer underflow on the target if it parses and re-encodes the certificate. Parsing and re-encoding occurs only if the target successfully verifies that certificate signature. Exploiting this vulnerability can result in denial of service through memory corruption and possible arbitrary code execution.

CVE-2016-2109

Severity / CVSSv2 | High / 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
References | SecurityFocus: BID 87940 / NVD: CVE-2016-2109
Impact | Denial of service
Description | A flaw in the ASN.1 decoder allows a remote attacker to send crafted ASN.1 data and trigger excessive memory allocation on the target. This can result in denial of service through memory depletion.

CVE-2016-2176

Severity / CVSSv2 | Medium / 6.4 (AV:N/AC:L/Au:N/C:P/I:N/A:P)
References | SecurityFocus: BID 89746 / NVD: CVE-2016-2176
Impact | Information disclosure
Description | An overread flaw in X.509 certificate ASN.1 string parsing on EBCDIC systems allows a remote attacker to send crafted X.509 certificates and obtain arbitrary data from the target’s memory stack.

MITIGATION

These vulnerabilities can be exploited in CacheFlow only through the management interface. Allowing only machines, IP addresses and subnets from a trusted network to access the CacheFlow management interface reduces the threat of exploiting the vulnerabilities.

REFERENCES

OpenSSL Security Advisory - <https://www.openssl.org/news/secadv/20160503.txt>
CVE-2013-0169 (Lucky13) - <https://nvd.nist.gov/vuln/detail/CVE-2013-0169>

REVISION

2020-04-22 Advisory status moved to Closed.
2019-10-02 Web Isolation is not vulnerable.
2019-01-10 A fix for Director 6.1 is available in 6.1.23.1.
2018-04-25 A fix for XOS 9.7 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2018-04-22 PacketShaper S-Series 11.10 is not vulnerable.
2018-04-06 A fix for Reporter 9.5 is available in 9.5.4.1.
2017-11-06 ASG 6.7 is not vulnerable because a fix is available in 6.7.2.1.
2017-08-02 SSLV 4.1 is not vulnerable.
2017-07-24 PacketShaper S-Series 11.9 is not vulnerable.
2017-07-21 Reporter 9.4, 9.5, and 10.1 are vulnerable to CVE-2016-2105, CVE-2016-2106, CVE-2016-2108, and CVE-2016-2109. Reporter 9.5 and 10.1 are also vulnerable to CVE-2016-2107. A fix for Reporter 10.1 is available in 10.1.4.2.
2017-07-20 MC 1.10 is not vulnerable.
2016-06-30 A fix for ProxyAV 3.5 is available in 3.5.4.2.
2017-06-22 Security Analytics 7.3 is not vulnerable.
2017-06-05 PacketShaper S-Series 11.8 is not vulnerable.
2017-05-18 CAS 2.1 is not vulnerable.
2017-03-30 MC 1.9 is not vulnerable.
2017-03-06 MC 1.8 is not vulnerable. ProxySG 6.7 is not vulnerable. SSLV 4.0 is not vulnerable.
2017-02-07 A fix for Android Mobile Agent is available in 1.3.8. Vulnerability inquiries for DLP should be addressed to Digital Guardian technical support.
2016-12-19 A fix for MAA is available in 4.2.11.
2016-12-04 PacketShaper S-Series 11.7 is not vulnerable.
2016-12-04 SSLV 3.11 is not vulnerable.
2016-11-17 Cloud Data Protection for Oracle Field Service Cloud is not vulnerable.
2016-11-11 SSLV 3.10 is not vulnerable.
2016-11-03 A fix for all CVEs in PacketShaper 9.2 is available in 9.2.13p2. A fix for all CVEs in PolicyCenter 9.2 is available in 9.2.13p2.
2016-11-02 Further investigation in the MAA fixes has shown that all MAA 4.2 releases are vulnerable. A fix is not available at this time.
2016-10-26 A fix for ASG is available in 6.6.5.1. A fix for MC 1.6 is available in 1.6.1.1. MC 1.7 is not vulnerable. A fix for MC 1.5 will not be provided. MAA 4.2.10 accidentally re-introduced the vulnerabilities and is vulnerable to CVE-2016-2105, CVE-2016-2107 (all supported hardware platforms) and CVE-2016-2108.
2016-09-01 A fix for SSLV 3.8.4FC is available in 3.8.4FC-55.
2016-08-19 A fix for CacheFlow is available in 3.4.2.7.
2016-08-12 A fix for CAS 1.3 is available in 1.3.7.1. Security Analytics 7.2 is not vulnerable.
2016-08-10 A fix for Unified Agent is available in 4.7.1.
2016-07-19 ProxySG is not vulnerable to CVE-2016-2107 when running on the SG300 and SG600 hardware platforms. CVE-2016-2109 on ProxySG only affects management connections. CVE-2016-2108 can be exploited through a crafted X.509 certificate only if the target successfully verifies the certificate signature.
2016-06-30 PacketShaper S-Series 11.6 is not vulnerable.
2016-06-27 Fixes will not be provided for PacketShaper S-Series 11.2, 11.3, and 11.4. Please upgrade to a later version with the vulnerability fixes.
2016-06-25 Security Analytics 7.0 is vulnerable to CVE-2016-2105, CVE-2016-2106, CVE-2016-2108, and CVE-2016-2109. A fix will not be provided. Please upgrade to the latest version with the vulnerability fixes.
2016-06-24 A fix for PacketShaper S-Series 11.5 is available in 11.5.3.2. A fix for PolicyCenter S-Series is available in 1.1.2.2.
2016-06-21 A fix for ProxySG 6.6 is available in 6.6.4.1.
2016-06-13 Fixes for ICSP, NNP, and NSP are available in 5.3.6.
2016-06-11 A fix for ProxySG 6.5 is available in 6.5.9.8.
2016-06-07 A fix for SSLV 3.9 is available in 3.9.3.6.
2016-06-03 A fix for MAA is available in 4.2.9.
2016-05-26 Added hardware platform information. Clarified that Android Mobile Agent, Client Connector for Windows, ProxyClient for Windows, and Unified Agent are vulnerable to CVE-2016-2107.
2016-05-25 Security Analytics 6.6 and 7.1 are vulnerable to CVE-2016-2107 on all hardware platforms. Security Analytics 7.0 is under investigation. Fixes are available for Security Analytics 6.6 and 7.1 through RPM patches available from customer support.
2016-05-12 A fix for SSLV 3.8 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2016-05-11 Fixes for CVE-2016-2108 are available in PacketShaper 9.2.13p1 and PolicyCenter 9.2.13p1.
2016-05-09 Initial public release.
