CVE-2016-6304

Published on: 09/26/2016 12:00:00 AM UTC

Last Modified on: 03/23/2021 11:27:12 PM UTC

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Certain versions of Node.js (vendor: Nodejs) contain the following vulnerability:

Multiple memory leaks in t1_lib.c in OpenSSL before 1.0.1u, 1.0.2 before 1.0.2i, and 1.1.0 before 1.1.0a allow remote attackers to cause a denial of service (memory consumption) via large OCSP Status Request extensions.

  • CVE-2016-6304 has been assigned by [email protected] to track the vulnerability - currently rated as HIGH severity.

CVSS3 Score: 7.5 - HIGH

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH

CVSS2 Score: 7.8 - HIGH

Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: COMPLETE

CVE References

Description [Tags] - Source Link

  • Security updates for all active release lines, September 2016 | Node.js [Third Party Advisory] - CONFIRM nodejs.org/en/blog/vulnerability/september-2016-security-releases/
  • Red Hat Customer Portal (access.redhat.com) - REDHAT RHSA-2017:1413
  • OpenSSL security advisory [Vendor Advisory] - CONFIRM www.openssl.org/news/secadv/20160922.txt
  • Oracle Critical Patch Update - January 2018 - CONFIRM www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html
  • Oracle Critical Patch Update - April 2018 - CONFIRM www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html
  • Red Hat Customer Portal (web.archive.org; inactive link, not archived) - REDHAT RHSA-2017:1659
  • Splunk Enterprise 6.4.5 addresses multiple vulnerabilities | Splunk - CONFIRM www.splunk.com/view/SP-CAAAPUE
  • Oracle Linux Bulletin - October 2016 - CONFIRM www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.html
  • Oracle Critical Patch Update - October 2016 - CONFIRM www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
  • McAfee Security Bulletin: Updates fix multiple OpenSSL vulnerabilities (CVE-2016-6304, CVE-2016-2183, CVE-2016-2182, and CVE-2016-7052) - CONFIRM kc.mcafee.com/corporate/index?page=content&id=SB10171
  • OpenSSL OCSP Status Request Extension Processing Error Lets Remote Authenticated Users Consume Excessive Memory Resources - SecurityTracker - SECTRACK 1036878
  • Red Hat Customer Portal (access.redhat.com) - REDHAT RHSA-2017:2494
  • OpenSSL CVE-2016-6304 Denial of Service Vulnerability (cve.report archive) - BID 93150
  • OpenSSL: Multiple vulnerabilities (GLSA 201612-16), Gentoo security - GENTOO GLSA-201612-16
  • Red Hat Customer Portal (web.archive.org; inactive link, not archived) - REDHAT RHSA-2016:1940
  • MySQL Multiple Flaws Let Remote Authenticated and Local Users Access Data, Deny Service, and Gain Elevated Privileges - SecurityTracker - SECTRACK 1037640
  • Red Hat Customer Portal (access.redhat.com) - REDHAT RHSA-2017:1801
  • [R5] Nessus 6.9 Fixes Multiple Vulnerabilities - Security Advisory | Tenable Network Security - CONFIRM www.tenable.com/security/tns-2016-16
  • SA132 : OpenSSL Vulnerabilities 22-Sep-2016 and 26-Sep-2016 (bto.bluecoat.com) - CONFIRM bto.bluecoat.com/security-advisory/sa132
  • Red Hat Customer Portal (access.redhat.com) - REDHAT RHSA-2017:1414
  • Red Hat Customer Portal (web.archive.org; inactive link, not archived) - REDHAT RHSA-2016:2802
  • Splunk Enterprise 6.5.1 addresses multiple OpenSSL vulnerabilities | Splunk - CONFIRM www.splunk.com/view/SP-CAAAPSV
  • Oracle VM Server for x86 Bulletin - October 2016 - CONFIRM www.oracle.com/technetwork/topics/security/ovmbulletinoct2016-3090547.html
  • [R2] PVS 5.2.0 Fixes Multiple Third-party Library Vulnerabilities - Security Advisory | Tenable Network Security - CONFIRM www.tenable.com/security/tns-2016-20
  • Juniper Networks - 2016-10 Security Bulletin: OpenSSL security updates - CONFIRM kb.juniper.net/InfoCenter/index?page=content&id=JSA10759
  • Red Hat Customer Portal (access.redhat.com) - REDHAT RHSA-2017:2493
  • Red Hat Customer Portal (access.redhat.com) - REDHAT RHSA-2017:1658
  • Red Hat Customer Portal (web.archive.org; inactive link, not archived) - REDHAT RHSA-2017:1415
  • IBM Security Bulletin: Vulnerabilities in OpenSSL, OpenVPN and GNU glibc affect IBM Security Virtual Server Protection for VMware - United States (web.archive.org; inactive link, not archived) - CONFIRM www-01.ibm.com/support/docview.wss?uid=swg21995039
  • git.openssl.org Git - openssl.git/commit [Issue Tracking] - CONFIRM git.openssl.org/?p=openssl.git;a=commit;h=2c0d295e26306e15a92eb23a84a1802005c1c137
  • Oracle Critical Patch Update - July 2017 - CONFIRM www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html
  • [R1] LCE 4.8.2 Fixes Multiple Third-party Library Vulnerabilities - Security Advisory | Tenable Network Security - CONFIRM www.tenable.com/security/tns-2016-21
  • Oracle Critical Patch Update - October 2017 - CONFIRM www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
  • FreeBSD security advisory (security.FreeBSD.org) - FREEBSD FreeBSD-SA-16:26
  • Red Hat Customer Portal (access.redhat.com) - REDHAT RHSA-2017:1802
  • [security-announce] SUSE-SU-2016:2470-1: important: Security update for [Third Party Advisory] (lists.opensuse.org) - SUSE SUSE-SU-2016:2470

Known Affected Configurations (CPE V2.3)

Type | Vendor | Product | Version | Update | Edition | Language
Application | Nodejs | Node.js | All | All | All | All
Operating System | Novell | Suse Linux Enterprise Module For Web Scripting | 12.0 | All | All | All
Application | Openssl | Openssl | 1.0.1 | All | All | All
Application | Openssl | Openssl | 1.0.1 | beta1 | All | All
Application | Openssl | Openssl | 1.0.1 | beta2 | All | All
Application | Openssl | Openssl | 1.0.1 | beta3 | All | All
Application | Openssl | Openssl | 1.0.1a | All | All | All
Application | Openssl | Openssl | 1.0.1b | All | All | All
Application | Openssl | Openssl | 1.0.1c | All | All | All
Application | Openssl | Openssl | 1.0.1d | All | All | All
Application | Openssl | Openssl | 1.0.1e | All | All | All
Application | Openssl | Openssl | 1.0.1f | All | All | All
Application | Openssl | Openssl | 1.0.1g | All | All | All
Application | Openssl | Openssl | 1.0.1h | All | All | All
Application | Openssl | Openssl | 1.0.1i | All | All | All
Application | Openssl | Openssl | 1.0.1j | All | All | All
Application | Openssl | Openssl | 1.0.1k | All | All | All
Application | Openssl | Openssl | 1.0.1l | All | All | All
Application | Openssl | Openssl | 1.0.1m | All | All | All
Application | Openssl | Openssl | 1.0.1n | All | All | All
Application | Openssl | Openssl | 1.0.1o | All | All | All
Application | Openssl | Openssl | 1.0.1p | All | All | All
Application | Openssl | Openssl | 1.0.1q | All | All | All
Application | Openssl | Openssl | 1.0.1r | All | All | All
Application | Openssl | Openssl | 1.0.1s | All | All | All
Application | Openssl | Openssl | 1.0.1t | All | All | All
Application | Openssl | Openssl | 1.0.2 | All | All | All
Application | Openssl | Openssl | 1.0.2 | beta1 | All | All
Application | Openssl | Openssl | 1.0.2 | beta2 | All | All
Application | Openssl | Openssl | 1.0.2 | beta3 | All | All
Application | Openssl | Openssl | 1.0.2a | All | All | All
Application | Openssl | Openssl | 1.0.2b | All | All | All
Application | Openssl | Openssl | 1.0.2c | All | All | All
Application | Openssl | Openssl | 1.0.2d | All | All | All
Application | Openssl | Openssl | 1.0.2e | All | All | All
Application | Openssl | Openssl | 1.0.2f | All | All | All
Application | Openssl | Openssl | 1.0.2h | All | All | All
Application | Openssl | Openssl | 1.1.0 | All | All | All
  • cpe:2.3:a:nodejs:node.js:*:*:*:*:*:*:*:*:
  • cpe:2.3:o:novell:suse_linux_enterprise_module_for_web_scripting:12.0:*:*:*:*:*:*:*:
  • cpe:2.3:a:openssl:openssl:1.0.1:*:*:*:*:*:*:*:
  • cpe:2.3:a:openssl:openssl:1.0.1:beta1:*:*:*:*:*:*:
  • cpe:2.3:a:openssl:openssl:1.0.1:beta2:*:*:*:*:*:*:
  • cpe:2.3:a:openssl:openssl:1.0.1:beta3:*:*:*:*:*:*:
  • cpe:2.3:a:openssl:openssl:1.0.1a:*:*:*:*:*:*:*:
  • cpe:2.3:a:openssl:openssl:1.0.1b:*:*:*:*:*:*:*:
  • cpe:2.3:a:openssl:openssl:1.0.1c:*:*:*:*:*:*:*:
  • cpe:2.3:a:openssl:openssl:1.0.1d:*:*:*:*:*:*:*:
  • cpe:2.3:a:openssl:openssl:1.0.1e:*:*:*:*:*:*:*:
  • cpe:2.3:a:openssl:openssl:1.0.1f:*:*:*:*:*:*:*:
  • cpe:2.3:a:openssl:openssl:1.0.1g:*:*:*:*:*:*:*:
  • cpe:2.3:a:openssl:openssl:1.0.1h:*:*:*:*:*:*:*:
  • cpe:2.3:a:openssl:openssl:1.0.1i:*:*:*:*:*:*:*:
  • cpe:2.3:a:openssl:openssl:1.0.1j:*:*:*:*:*:*:*:
  • cpe:2.3:a:openssl:openssl:1.0.1k:*:*:*:*:*:*:*:
  • cpe:2.3:a:openssl:openssl:1.0.1l:*:*:*:*:*:*:*:
  • cpe:2.3:a:openssl:openssl:1.0.1m:*:*:*:*:*:*:*:
  • cpe:2.3:a:openssl:openssl:1.0.1n:*:*:*:*:*:*:*:
  • cpe:2.3:a:openssl:openssl:1.0.1o:*:*:*:*:*:*:*:
  • cpe:2.3:a:openssl:openssl:1.0.1p:*:*:*:*:*:*:*:
  • cpe:2.3:a:openssl:openssl:1.0.1q:*:*:*:*:*:*:*:
  • cpe:2.3:a:openssl:openssl:1.0.1r:*:*:*:*:*:*:*:
  • cpe:2.3:a:openssl:openssl:1.0.1s:*:*:*:*:*:*:*:
  • cpe:2.3:a:openssl:openssl:1.0.1t:*:*:*:*:*:*:*:
  • cpe:2.3:a:openssl:openssl:1.0.2:*:*:*:*:*:*:*:
  • cpe:2.3:a:openssl:openssl:1.0.2:beta1:*:*:*:*:*:*:
  • cpe:2.3:a:openssl:openssl:1.0.2:beta2:*:*:*:*:*:*:
  • cpe:2.3:a:openssl:openssl:1.0.2:beta3:*:*:*:*:*:*:
  • cpe:2.3:a:openssl:openssl:1.0.2a:*:*:*:*:*:*:*:
  • cpe:2.3:a:openssl:openssl:1.0.2b:*:*:*:*:*:*:*:
  • cpe:2.3:a:openssl:openssl:1.0.2c:*:*:*:*:*:*:*:
  • cpe:2.3:a:openssl:openssl:1.0.2d:*:*:*:*:*:*:*:
  • cpe:2.3:a:openssl:openssl:1.0.2e:*:*:*:*:*:*:*:
  • cpe:2.3:a:openssl:openssl:1.0.2f:*:*:*:*:*:*:*:
  • cpe:2.3:a:openssl:openssl:1.0.2h:*:*:*:*:*:*:*:
  • cpe:2.3:a:openssl:openssl:1.1.0:*:*:*:*:*:*:*: