Vulnerability Name: CVE-2016-7053 (CCN-118746)
Assigned: 2016-11-10
Published: 2016-11-10
Updated: 2017-07-28
Summary: In OpenSSL 1.1.0 before 1.1.0c, applications parsing invalid CMS structures can crash with a NULL pointer dereference. This is caused by a bug in the handling of the ASN.1 CHOICE type in OpenSSL 1.1.0 which can result in a NULL value being passed to the structure callback if an attempt is made to free certain invalid encodings. Only CHOICE structures that use a callback which does not handle a NULL value are affected.
CVSS v3 Severity: 7.5 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
  6.5 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
  4.6 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C)
CVSS v2 Severity: 5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P)
Vulnerability Type: CWE-476
Vulnerability Consequences: Denial of Service
References:
  MITRE (CNA): CVE-2016-7053
  CCN (IBM Security Bulletin T1024507, Flex System Manager Node): Multiple vulnerabilities in OpenSSL affect IBM Flex System Manager (FSM) Storage Manager Install Anywhere (SMIA) configuration tool
  CCN (IBM Security Bulletin S1010466, Network Advisor): Open Source OpenSSL Vulnerabilities affect IBM Network Advisor
  CCN (IBM Security Bulletin 1996275, InfoSphere Master Data Management): Multiple vulnerabilities in OpenSSL affects IBM InfoSphere Master Data Management
  CCN (IBM Security Bulletin 1998755, MessageSight): Multiple Vulnerabilities in OpenSSL affect IBM MessageSight (CVE-2016-7053, CVE-2016-7054, CVE-2016-7055)
  BID (Third Party Advisory, VDB Entry): 94244
  CCN (BID-94244): OpenSSL CVE-2016-7053 NULL Pointer Dereference Denial of Service Vulnerability
  SECTRACK: 1037261
  XF: openssl-cve20167053-dos(118746)
  CONFIRM: https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03744en_us
  CCN (Cisco Security Advisory cisco-sa-20161114-openssl): Multiple Vulnerabilities in OpenSSL Affecting Cisco Products: November 2016
  CCN (OpenSSL Security Advisory [10 Nov 2016]): OpenSSL Security Advisory [10 Nov 2016]
  CONFIRM (Vendor Advisory): https://www.openssl.org/news/secadv/20161110.txt
Vulnerable Configuration: Configuration 1; Configuration CCN 1
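The affected range stated in the summary (OpenSSL 1.1.0 before 1.1.0c; 1.0.1 and 1.0.2 not affected) turned into a version-banner check. This is an added example, not part of the X-Force entry or of OpenSSL itself; the function names are its own, it assumes the banner format that `openssl version` prints, and the sample banners in the comments are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the X-Force entry or from OpenSSL).
# Classifies an "openssl version" banner against the CVE-2016-7053 range:
# OpenSSL 1.1.0 before 1.1.0c is affected; 1.0.1 and 1.0.2 are not.
# Assumed banner format: "OpenSSL 1.1.0b  26 Sep 2016" (constructed sample).
#
# Prints one of: affected / not-affected / unknown
# Exit status:    0        / 1            / 2

cve_2016_7053_status() {
    banner=$1
    ver=${banner#"OpenSSL "}   # drop the product name ...
    ver=${ver%% *}             # ... and everything after the version token

    case "$ver" in
        1.1.0|1.1.0a|1.1.0b)
            # 1.1.0 GA and its first two letter releases predate the fix
            echo affected; return 0 ;;
        1.1.0[c-z]*)
            # 1.1.0c carries the fix; later 1.1.0 letter releases inherit it
            echo not-affected; return 1 ;;
        1.1.0*)
            # 1.1.0 pre-release/dev builds: the advisory states no range for
            # them, so report unknown rather than guess (assumption)
            echo unknown; return 2 ;;
        1.0.1*|1.0.2*)
            # earlier branches do not contain the 1.1.0 CHOICE handling bug
            echo not-affected; return 1 ;;
        1.1.[1-9]*|[2-9].*)
            # branches released after 1.1.0c (1.1.1, 3.x) descend from fixed code
            echo not-affected; return 1 ;;
        *)
            # anything else (LibreSSL, BoringSSL, unparsable input)
            echo unknown; return 2 ;;
    esac
}

# Check the OpenSSL binary on PATH. Caveat: distributions often backport
# fixes without changing the upstream version string, so "affected" here
# means "check the package changelog", not "confirmed vulnerable".
check_local_openssl() {
    if command -v openssl >/dev/null 2>&1; then
        cve_2016_7053_status "$(openssl version)"
    else
        echo unknown; return 2
    fi
}

rc=0
check_local_openssl || rc=$?   # $rc: 0 affected, 1 not-affected, 2 unknown
```

The version string is only a first filter: a vendor package that reports 1.1.0b may already contain the 1.1.0c fix, and a CMS-parsing application is only exposed if it actually frees the invalid CHOICE encodings through a callback that does not tolerate NULL, as the summary states. Treat "affected" as a prompt to consult the vendor bulletins listed above.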
Oval Definitions: