Vulnerability Name:

CVE-2016-3959 (CCN-112330)

Assigned:2016-04-05
Published:2016-04-05
Updated:2018-10-30
Summary:The Verify function in crypto/dsa/dsa.go in Go before 1.5.4 and 1.6.x before 1.6.1 does not properly check parameters passed to the big integer library, which might allow remote attackers to cause a denial of service (infinite loop) via a crafted public key to a program that uses HTTPS client certificates or SSH server libraries.
CVSS v3 Severity:7.5 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
6.5 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): High
7.5 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
6.5 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): High
5.3 Medium (REDHAT CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
4.6 Medium (REDHAT Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): Low
CVSS v2 Severity:5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): Partial
7.8 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Athentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): Complete
4.3 Medium (REDHAT CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): Partial
Vulnerability Type:CWE-20
CWE-835
Vulnerability Consequences:Denial of Service
References:Source: MITRE
Type: CNA
CVE-2016-3959

Source: FEDORA
Type: UNKNOWN
FEDORA-2016-2940ad5550

Source: FEDORA
Type: UNKNOWN
FEDORA-2016-59c5e405e3

Source: FEDORA
Type: UNKNOWN
FEDORA-2016-2fcfc7670f

Source: SUSE
Type: UNKNOWN
openSUSE-SU-2016:1331

Source: CCN
Type: RHSA-2016-1538
Moderate: golang security, bug fix, and enhancement update

Source: REDHAT
Type: UNKNOWN
RHSA-2016:1538

Source: CCN
Type: oss-sec Mailing List, Tue, 05 Apr 2016 17:19:31 +0000
CVE request - Go - DLL loading, Big int

Source: CCN
Type: oss-sec Mailing List, Tue, 5 Apr 2016 14:31:03 -0400 (EDT)
Re: CVE request - Go - DLL loading, Big int

Source: MLIST
Type: UNKNOWN
[oss-security] 20160405 CVE request - Go - DLL loading, Big int

Source: MLIST
Type: UNKNOWN
[oss-security] 20160405 Re: CVE request - Go - DLL loading, Big int

Source: XF
Type: UNKNOWN
go-cve20163959-dos(112330)

Source: CONFIRM
Type: UNKNOWN
https://go-review.googlesource.com/#/c/21533/

Source: CCN
Type: Go Web site
Patch 21533

Source: MLIST
Type: UNKNOWN
[golang-announce] 20160412 [security] Go 1.6.1 and 1.5.4 are released

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2016-3959

Vulnerable Configuration:Configuration 1:
  • cpe:/o:opensuse:leap:42.1:*:*:*:*:*:*:*

  • Configuration 2:
  • cpe:/a:golang:go:1.6:*:*:*:*:*:*:*

  • Configuration 3:
  • cpe:/o:fedoraproject:fedora:22:*:*:*:*:*:*:*
  • OR cpe:/o:fedoraproject:fedora:23:*:*:*:*:*:*:*
  • OR cpe:/o:fedoraproject:fedora:24:*:*:*:*:*:*:*

  • Configuration 4:
  • cpe:/a:golang:go:*:*:*:*:*:*:*:* (Version <= 1.5)

  • Configuration RedHat 1:
  • cpe:/o:redhat:enterprise_linux:7:*:*:*:*:*:*:*

  • Configuration RedHat 2:
  • cpe:/o:redhat:enterprise_linux:7::server:*:*:*:*:*

  • Configuration CCN 1:
  • cpe:/a:golang:go:1.5:*:*:*:*:*:*:*
  • AND
  • cpe:/o:redhat:enterprise_linux_server:7:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux_server_aus:7.2:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux_server_eus:7.2:*:*:*:*:*:*:*

  • * Denotes that component is vulnerable
    Oval Definitions
    Definition IDClassTitleLast Modified
    oval:org.opensuse.security:def:20163959
    V
    CVE-2016-3959
    2023-06-22
    oval:org.opensuse.security:def:8012
    P
    go-1.19-150000.3.26.1 on GA media (Moderate)
    2023-06-20
    oval:org.opensuse.security:def:112328
    P
    go-1.7.0-2.1 on GA media (Moderate)
    2022-01-17
    oval:org.opensuse.security:def:112344
    P
    go1.9-1.9.7-11.2 on GA media (Moderate)
    2022-01-17
    oval:org.opensuse.security:def:112329
    P
    go1.10-1.10.8-8.2 on GA media (Moderate)
    2022-01-17
    oval:org.opensuse.security:def:112330
    P
    go1.11-1.11.13-10.5 on GA media (Moderate)
    2022-01-17
    oval:org.opensuse.security:def:112331
    P
    go1.12-1.12.17-4.8 on GA media (Moderate)
    2022-01-17
    oval:org.opensuse.security:def:11164
    P
    Security update for postrsd (Moderate)
    2021-12-30
    oval:org.opensuse.security:def:11163
    P
    Security update for c-toxcore (Moderate)
    2021-12-30
    oval:org.opensuse.security:def:105859
    P
    Security update for java-11-openjdk (Important)
    2021-11-16
    oval:org.opensuse.security:def:105851
    P
    Security update for libvirt (Important)
    2021-10-27
    oval:org.opensuse.security:def:105849
    P
    Security update for dnsmasq (Moderate)
    2021-10-27
    oval:org.opensuse.security:def:105850
    P
    Security update for busybox (Important)
    2021-10-27
    oval:org.opensuse.security:def:105852
    P
    go1.12-1.12.17-4.8 on GA media (Moderate)
    2021-10-01
    oval:org.opensuse.security:def:11239
    P
    Security update for htmldoc (Important)
    2021-07-08
    oval:org.opensuse.security:def:11240
    P
    Security update for tor (Important)
    2021-07-08
    oval:org.opensuse.security:def:11231
    P
    Security update for chromium (Important)
    2021-06-28
    oval:org.opensuse.security:def:11230
    P
    Security update for live555 (Moderate)
    2021-06-28
    oval:org.opensuse.security:def:11912
    P
    libmspack0-0.4-14.4 on GA media (Moderate)
    2021-06-08
    oval:org.opensuse.security:def:11913
    P
    libmusicbrainz4-2.1.5-27.86 on GA media (Moderate)
    2021-06-08
    oval:org.opensuse.security:def:11890
    P
    libgssglue1-0.4-3.83 on GA media (Moderate)
    2021-06-08
    oval:org.opensuse.security:def:11891
    P
    libgypsy0-0.9-6.24 on GA media (Moderate)
    2021-06-08
    oval:org.opensuse.security:def:11189
    P
    Security update for libmysofa (Moderate)
    2021-03-22
    oval:org.opensuse.security:def:11188
    P
    Security update for connman (Moderate)
    2021-03-20
    oval:org.opensuse.security:def:11253
    P
    openstack-neutron-2014.2.2.dev26-3.1 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:11252
    P
    openstack-cinder-2014.2.3.dev13-1.1 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:11054
    P
    libqt4-devel on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:10932
    P
    gnome-shell-devel on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:11088
    P
    libwpd-0_10-10 on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:10962
    P
    libXi-devel on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:11055
    P
    libquicktime-devel on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:10939
    P
    gtk2-devel on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:11089
    P
    libxcb-composite0 on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:11007
    P
    libicu-devel on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:11069
    P
    libssh-devel on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:10940
    P
    guile-devel on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:11008
    P
    libid3tag-devel on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:10931
    P
    gnome-settings-daemon-devel on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:11070
    P
    libssh2-devel on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:10961
    P
    libXfont-devel on GA media (Moderate)
    2020-12-01
    oval:com.redhat.rhsa:def:20161538
    P
    RHSA-2016:1538: golang security, bug fix, and enhancement update (Moderate)
    2016-08-02
    oval:com.ubuntu.precise:def:20163959000
    V
    CVE-2016-3959 on Ubuntu 12.04 LTS (precise) - medium.
    2016-05-23
    oval:com.ubuntu.xenial:def:201639590000000
    V
    CVE-2016-3959 on Ubuntu 16.04 LTS (xenial) - medium.
    2016-05-23
    oval:com.ubuntu.trusty:def:20163959000
    V
    CVE-2016-3959 on Ubuntu 14.04 LTS (trusty) - medium.
    2016-05-23
    oval:com.ubuntu.xenial:def:20163959000
    V
    CVE-2016-3959 on Ubuntu 16.04 LTS (xenial) - medium.
    2016-05-23
    BACK
    opensuse leap 42.1
    golang go 1.6
    fedoraproject fedora 22
    fedoraproject fedora 23
    fedoraproject fedora 24
    golang go *
    golang go 1.5
    redhat enterprise linux server 7
    redhat enterprise linux server aus 7.2
    redhat enterprise linux server eus 7.2