CVE-2016-2179 (High) detected in opensslOpenSSL_1_0_1g, opensslOpenSSL_1_0_1g

[mend-bolt-for-github[bot]]

CVE-2016-2179 - High Severity Vulnerability

Vulnerable Libraries - opensslOpenSSL_1_0_1g, opensslOpenSSL_1_0_1g

Vulnerability Details

The DTLS implementation in OpenSSL before 1.1.0 does not properly restrict the lifetime of queue entries associated with unused out-of-order messages, which allows remote attackers to cause a denial of service (memory consumption) by maintaining many crafted DTLS sessions simultaneously, related to d1_lib.c, statem_dtls.c, statem_lib.c, and statem_srvr.c.

Publish Date: 2016-09-16

URL: CVE-2016-2179

CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.openssl.org/news/secadv/20160922.txt

Release Date: 2016-09-16

Fix Resolution: 1.0.1u,1.0.2i

---

Step up your Open Source Security Game with Mend here

[mend-bolt-for-github[bot]]

:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.

[mend-bolt-for-github[bot]]

:information_source: This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.