{ "threat_severity" : "Important", "public_date" : "2016-05-03T00:00:00Z", "bugzilla" : { "description" : "openssl: Memory corruption in the ASN.1 encoder", "id" : "1331402", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1331402" }, "cvss" : { "cvss_base_score" : "5.1", "cvss_scoring_vector" : "AV:N/AC:H/Au:N/C:P/I:P/A:P", "status" : "verified" }, "cvss3" : { "cvss3_base_score" : "5.6", "cvss3_scoring_vector" : "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", "status" : "verified" }, "cwe" : "CWE-787", "details" : [ "The ASN.1 implementation in OpenSSL before 1.0.1o and 1.0.2 before 1.0.2c allows remote attackers to execute arbitrary code or cause a denial of service (buffer underflow and memory corruption) via an ANY field in crafted serialized data, aka the \"negative zero\" issue.", "A flaw was found in the way OpenSSL encoded certain ASN.1 data structures. An attacker could use this flaw to create a specially crafted certificate which, when verified or re-encoded by OpenSSL, could cause it to crash, or execute arbitrary code using the permissions of the user running an application compiled against the OpenSSL library." ], "acknowledgement" : "Red Hat would like to thank the OpenSSL project for reporting this issue. Upstream acknowledges David Benjamin (Google), Hanno Böck, and Huzaifa Sidhpurwala (Red Hat) as the original reporters.", "affected_release" : [ { "product_name" : "JBoss Core Services on RHEL 6", "release_date" : "2017-01-25T00:00:00Z", "advisory" : "RHSA-2017:0193", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el6", "package" : "jbcs-httpd24-httpd-0:2.4.23-102.jbcs.el6" }, { "product_name" : "JBoss Core Services on RHEL 6", "release_date" : "2017-01-25T00:00:00Z", "advisory" : "RHSA-2017:0193", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el6", "package" : "jbcs-httpd24-mod_auth_kerb-0:5.4-35.jbcs.el6" }, { "product_name" : "JBoss Core Services on RHEL 6", "release_date" : "2017-01-25T00:00:00Z", "advisory" : "RHSA-2017:0193", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el6", "package" : "jbcs-httpd24-mod_bmx-0:0.9.6-14.GA.jbcs.el6" }, { "product_name" : "JBoss Core Services on RHEL 6", "release_date" : "2017-01-25T00:00:00Z", "advisory" : "RHSA-2017:0193", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el6", "package" : "jbcs-httpd24-mod_cluster-native-0:1.3.5-13.Final_redhat_1.jbcs.el6" }, { "product_name" : "JBoss Core Services on RHEL 6", "release_date" : "2017-01-25T00:00:00Z", "advisory" : "RHSA-2017:0193", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el6", "package" : "jbcs-httpd24-mod_jk-0:1.2.41-14.redhat_1.jbcs.el6" }, { "product_name" : "JBoss Core Services on RHEL 6", "release_date" : "2017-01-25T00:00:00Z", "advisory" : "RHSA-2017:0193", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el6", "package" : "jbcs-httpd24-mod_rt-0:2.4.1-16.GA.jbcs.el6" }, { "product_name" : "JBoss Core Services on RHEL 6", "release_date" : "2017-01-25T00:00:00Z", "advisory" : "RHSA-2017:0193", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el6", "package" : "jbcs-httpd24-mod_security-0:2.9.1-18.GA.jbcs.el6" }, { "product_name" : "JBoss Core Services on RHEL 6", "release_date" : "2017-01-25T00:00:00Z", "advisory" : "RHSA-2017:0193", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el6", "package" : "jbcs-httpd24-nghttp2-0:1.12.0-9.jbcs.el6" }, { "product_name" : "JBoss Core Services on RHEL 6", "release_date" : "2017-01-25T00:00:00Z", "advisory" : "RHSA-2017:0193", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el6", "package" : "jbcs-httpd24-openssl-1:1.0.2h-12.jbcs.el6" }, { "product_name" : "JBoss Core Services on RHEL 7", "release_date" : "2017-01-25T00:00:00Z", "advisory" : "RHSA-2017:0194", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7", "package" : "jbcs-httpd24-httpd-0:2.4.23-102.jbcs.el7" }, { "product_name" : "JBoss Core Services on RHEL 7", "release_date" : "2017-01-25T00:00:00Z", "advisory" : "RHSA-2017:0194", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7", "package" : "jbcs-httpd24-mod_auth_kerb-0:5.4-35.jbcs.el7" }, { "product_name" : "JBoss Core Services on RHEL 7", "release_date" : "2017-01-25T00:00:00Z", "advisory" : "RHSA-2017:0194", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7", "package" : "jbcs-httpd24-mod_bmx-0:0.9.6-14.GA.jbcs.el7" }, { "product_name" : "JBoss Core Services on RHEL 7", "release_date" : "2017-01-25T00:00:00Z", "advisory" : "RHSA-2017:0194", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7", "package" : "jbcs-httpd24-mod_cluster-native-0:1.3.5-13.Final_redhat_1.jbcs.el7" }, { "product_name" : "JBoss Core Services on RHEL 7", "release_date" : "2017-01-25T00:00:00Z", "advisory" : "RHSA-2017:0194", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7", "package" : "jbcs-httpd24-mod_jk-0:1.2.41-14.redhat_1.jbcs.el7" }, { "product_name" : "JBoss Core Services on RHEL 7", "release_date" : "2017-01-25T00:00:00Z", "advisory" : "RHSA-2017:0194", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7", "package" : "jbcs-httpd24-mod_rt-0:2.4.1-16.GA.jbcs.el7" }, { "product_name" : "JBoss Core Services on RHEL 7", "release_date" : "2017-01-25T00:00:00Z", "advisory" : "RHSA-2017:0194", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7", "package" : "jbcs-httpd24-mod_security-0:2.9.1-18.GA.jbcs.el7" }, { "product_name" : "JBoss Core Services on RHEL 7", "release_date" : "2017-01-25T00:00:00Z", "advisory" : "RHSA-2017:0194", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7", "package" : "jbcs-httpd24-nghttp2-0:1.12.0-9.jbcs.el7" }, { "product_name" : "JBoss Core Services on RHEL 7", "release_date" : "2017-01-25T00:00:00Z", "advisory" : "RHSA-2017:0194", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7", "package" : "jbcs-httpd24-openssl-1:1.0.2h-12.jbcs.el7" }, { "product_name" : "Red Hat Enterprise Linux 5", "release_date" : "2016-05-31T00:00:00Z", "advisory" : "RHSA-2016:1137", "cpe" : "cpe:/o:redhat:enterprise_linux:5", "package" : "openssl-0:0.9.8e-40.el5_11" }, { "product_name" : "Red Hat Enterprise Linux 6", "release_date" : "2016-05-10T00:00:00Z", "advisory" : "RHSA-2016:0996", "cpe" : "cpe:/o:redhat:enterprise_linux:6", "package" : "openssl-0:1.0.1e-48.el6_8.1" }, { "product_name" : "Red Hat Enterprise Linux 6.7 Extended Update Support", "release_date" : "2016-10-18T00:00:00Z", "advisory" : "RHSA-2016:2073", "cpe" : "cpe:/o:redhat:rhel_eus:6.7", "package" : "openssl-0:1.0.1e-42.el6_7.5" }, { "product_name" : "Red Hat Enterprise Linux 7", "release_date" : "2016-05-09T00:00:00Z", "advisory" : "RHSA-2016:0722", "cpe" : "cpe:/o:redhat:enterprise_linux:7", "package" : "openssl-1:1.0.1e-51.el7_2.5" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 6.4", "release_date" : "2016-10-12T00:00:00Z", "advisory" : "RHSA-2016:2056", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:6.4", "package" : "openssl" }, { "product_name" : "Text-Only JBCS", "release_date" : "2016-12-15T00:00:00Z", "advisory" : "RHSA-2016:2957", "cpe" : "cpe:/a:redhat:jboss_core_services:1" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 4", "fix_state" : "Will not fix", "package_name" : "openssl", "cpe" : "cpe:/o:redhat:enterprise_linux:4" }, { "product_name" : "Red Hat Enterprise Linux 4", "fix_state" : "Will not fix", "package_name" : "openssl096b", "cpe" : "cpe:/o:redhat:enterprise_linux:4" }, { "product_name" : "Red Hat Enterprise Linux 5", "fix_state" : "Will not fix", "package_name" : "openssl097a", "cpe" : "cpe:/o:redhat:enterprise_linux:5" }, { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Will not fix", "package_name" : "openssl098e", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Will not fix", "package_name" : "openssl098e", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 5", "fix_state" : "Not affected", "package_name" : "openssl", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:5" }, { "product_name" : "Red Hat JBoss Enterprise Web Server 2", "fix_state" : "Not affected", "package_name" : "openssl", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:2" }, { "product_name" : "Red Hat JBoss Enterprise Web Server 3", "fix_state" : "Fix deferred", "package_name" : "openssl", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2016-2108\nhttps://nvd.nist.gov/vuln/detail/CVE-2016-2108\nhttps://openssl.org/news/secadv/20160503.txt" ], "name" : "CVE-2016-2108", "csaw" : false }