CVE-2016-8610 — HIGH (7.5) — White Hats Nepal

Q: How severe is CVE-2016-8610?

CVE-2016-8610 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2016-8610?

Check the references section above for vendor advisories and patch information. Affected products include: Openssl Openssl, Debian Debian Linux, Redhat Enterprise Linux Desktop, Redhat Enterprise Linux Server, Redhat Enterprise Linux Server Aus.

Vulnerability Description

A denial of service flaw was found in OpenSSL 0.9.8, 1.0.1, 1.0.2 through 1.0.2h, and 1.1.0 in the way the TLS/SSL protocol defined processing of ALERT packets during a connection handshake. A remote attacker could use this flaw to make a TLS/SSL server consume an excessive amount of CPU and fail to accept connections from other clients.

CVSS Score

7.5

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

NONE

Availability

HIGH

Affected Products

Vendor	Product	Versions
Openssl	Openssl	>= 1.0.2, <= 1.0.2h
Debian	Debian Linux	8.0
Redhat	Enterprise Linux Desktop	6.0
Redhat	Enterprise Linux Server	6.0
Redhat	Enterprise Linux Server Aus	7.3
Redhat	Enterprise Linux Server Eus	7.3
Redhat	Enterprise Linux Server Tus	7.3
Redhat	Enterprise Linux Workstation	6.0
Redhat	Jboss Enterprise Application Platform	6.0.0
Redhat	Enterprise Linux	6.0
Netapp	Cn1610 Firmware	-
Netapp	Cn1610	-
Netapp	Clustered Data Ontap Antivirus Connector	-
Netapp	Data Ontap	-
Netapp	Data Ontap Edge	-
Netapp	E-Series Santricity Os Controller	>= 11.0, <= 11.40
Netapp	Host Agent	-
Netapp	Oncommand Balance	-
Netapp	Oncommand Unified Manager	-
Netapp	Oncommand Workflow Automation	-

Related Weaknesses (CWE)

CWE-400

References

http://rhn.redhat.com/errata/RHSA-2017-0286.htmlThird Party Advisory
http://rhn.redhat.com/errata/RHSA-2017-0574.htmlThird Party Advisory
http://rhn.redhat.com/errata/RHSA-2017-1415.htmlThird Party Advisory
http://rhn.redhat.com/errata/RHSA-2017-1659.htmlThird Party Advisory
http://seclists.org/oss-sec/2016/q4/224Mailing ListThird Party Advisory
http://www.securityfocus.com/bid/93841Third Party AdvisoryVDB Entry
http://www.securitytracker.com/id/1037084Third Party AdvisoryVDB Entry
https://access.redhat.com/errata/RHSA-2017:1413Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:1414Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:1658Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:1801Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:1802Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:2493Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:2494Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8610Issue TrackingPatchThird Party Advisory

FAQ

What is CVE-2016-8610?

CVE-2016-8610 is a vulnerability with a CVSS score of 7.5 (HIGH). A denial of service flaw was found in OpenSSL 0.9.8, 1.0.1, 1.0.2 through 1.0.2h, and 1.1.0 in the way the TLS/SSL protocol defined processing of ALERT packets during a connection handshake. A remote ...

How severe is CVE-2016-8610?

CVE-2016-8610 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2016-8610?

Check the references section above for vendor advisories and patch information. Affected products include: Openssl Openssl, Debian Debian Linux, Redhat Enterprise Linux Desktop, Redhat Enterprise Linux Server, Redhat Enterprise Linux Server Aus.