Multiple Vulnerabilities in OpenSSL

Advisory ID: 16-0013
Publish Date: 2016-07-05
Revision: 1.01

Summary

Multiple vulnerabilities have been identified in specific versions of OpenSSL.

Detailed Description

The following CVEs have been issued against specific versions of the OpenSSL 1.0.1 and 1.0.2 cryptographic libraries:

CVE-2016-2105
CVE-2016-2106
CVE-2016-2107
CVE-2016-2108
CVE-2016-2109
CVE-2016-2176

Four of these vulnerabilities are noted by the CVE as being of moderate or high risk:

CVE-2016-0799
The fmtstr function in crypto/bio/b_print.c in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g improperly calculates string lengths, which allows remote attackers to cause a denial of service (overflow and out-of-bounds read) or possibly have unspecified other impact via a long string, as demonstrated by a large amount of ASN.1 data, a different vulnerability than CVE-2016-2842.

CVE-2016-2108
The ASN.1 implementation in OpenSSL before 1.0.1o and 1.0.2 before 1.0.2c allows remote attackers to execute arbitrary code or cause a denial of service (buffer underflow and memory corruption) via an ANY field in crafted serialized data, aka the "negative zero" issue.

CVE-2016-2109
The asn1_d2i_read_bio function in crypto/asn1/a_d2i_fp.c in the ASN.1 BIO implementation in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to cause a denial of service (memory consumption) via a short invalid encoding.

CVE-2016-2842
The doapr_outch function in crypto/bio/b_print.c in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g does not verify that a certain memory allocation succeeds, which allows remote attackers to cause a denial of service (out-of-bounds write or memory consumption) or possibly have unspecified other impact via a long string, as demonstrated by a large amount of ASN.1 data, a different vulnerability than CVE-2016-0799.

Affected Products

Mitel is not aware of any specific products being vulnerable. However, all Linux and MSL-based products that include the OpenSSL library are potentially affected.

Security Bulletins are being issued for the following products:

This list will be updated as additional Security Bulletins are published.

Products Under Investigation

All Enterprise products are being evaluated for these vulnerabilities. This advisory will be updated with additional information as it becomes available.

Products not Affected

OpenSSL is not included in Mitel products for use on Microsoft Windows.

Risk Assessment

The noted vulnerabilities carry varied levels of risk, ranging from low to high. Please refer to the product specific Security Bulletins for additional statements of risk.

Mitigation / Recommended Action

Newer product releases introduce security fixes for these and other identified issues. Customers are advised to update their Mitel products to newer releases when available. Please refer to the product-specific Security Bulletins for product-specific details.For Operating System platforms not provided or managed by Mitel, customers are advised to contact their Operating System vendor for further guidance.

External References

https://openssl.org/news/secadv/20160503.txt

Related CVEs

CVE-2016-2105
CVE-2016-2106
CVE-2016-2107
CVE-2016-2108
CVE-2016-2109
CVE-2016-2176
CVE-2016-2842