CVE-2016-6304

Published on: 09/26/2016 12:00:00 AM UTC

Last Modified on: 03/23/2021 11:27:12 PM UTC

CVE-2016-6304

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Certain versions of Node.js from Nodejs contain the following vulnerability:

Multiple memory leaks in t1_lib.c in OpenSSL before 1.0.1u, 1.0.2 before 1.0.2i, and 1.1.0 before 1.1.0a allow remote attackers to cause a denial of service (memory consumption) via large OCSP Status Request extensions.

CVE-2016-6304 has been assigned by [email protected] to track the vulnerability - currently rated as HIGH severity.

CVSS3 Score: 7.5 - HIGH

Attack Vector ^ⓘ	Attack Complexity	Privileges Required	User Interaction
NETWORK	LOW	NONE	NONE
Scope	Confidentiality Impact	Integrity Impact	Availability Impact
UNCHANGED	NONE	NONE	HIGH

CVSS2 Score: 7.8 - HIGH

Access Vector^ⓘ	Access Complexity	Authentication
NETWORK	LOW	NONE
Confidentiality Impact	Integrity Impact	Availability Impact
NONE	NONE	COMPLETE

CVE References

Description	Tags ^ⓘ	Link
Security updates for all active release lines, September 2016 \| Node.js	Third Party Advisory nodejs.org text/html	CONFIRM nodejs.org/en/blog/vulnerability/september-2016-security-releases/
Red Hat Customer Portal	access.redhat.com text/html	REDHAT RHSA-2017:1413
	Vendor Advisory www.openssl.org text/plain	CONFIRM www.openssl.org/news/secadv/20160922.txt
Oracle Critical Patch Update - January 2018	www.oracle.com text/html	CONFIRM www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html
Oracle Critical Patch Update - April 2018	www.oracle.com text/html	CONFIRM www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html
Red Hat Customer Portal	web.archive.org text/html Inactive LinkNot Archived	REDHAT RHSA-2017:1659
Splunk Enterprise 6.4.5 addresses multiple vulnerabilities \| Splunk	www.splunk.com text/html	CONFIRM www.splunk.com/view/SP-CAAAPUE
Oracle Linux Bulletin - October 2016	www.oracle.com text/html	CONFIRM www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.html
Oracle Critical Patch Update - October 2016	www.oracle.com text/html	CONFIRM www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
McAfee Security Bulletin: Updates fix multiple OpenSSL vulnerabilities (CVE-2016-6304, CVE-2016-2183, CVE-2016-2182, and CVE-2016-7052)	kc.mcafee.com text/html	CONFIRM kc.mcafee.com/corporate/index?page=content&id=SB10171
OpenSSL OCSP Status Request Extension Processing Error Lets Remote Authenticated Users Consume Excessive Memory Resources - SecurityTracker	www.securitytracker.com text/html	SECTRACK 1036878
Red Hat Customer Portal	access.redhat.com text/html	REDHAT RHSA-2017:2494
OpenSSL CVE-2016-6304 Denial of Service Vulnerability	cve.report (archive) text/html	BID 93150
OpenSSL: Multiple vulnerabilities (GLSA 201612-16) — Gentoo security	security.gentoo.org text/html	GENTOO GLSA-201612-16
Red Hat Customer Portal	web.archive.org text/html Inactive LinkNot Archived	REDHAT RHSA-2016:1940
MySQL Multiple Flaws Let Remote Authenticated and Local Users Access Data, Deny Service, and Gain Elevated Privileges - SecurityTracker	www.securitytracker.com text/html	SECTRACK 1037640
Red Hat Customer Portal	access.redhat.com text/html	REDHAT RHSA-2017:1801
[R5] Nessus 6.9 Fixes Multiple Vulnerabilities - Security Advisory \| Tenable Network Security	www.tenable.com text/html	CONFIRM www.tenable.com/security/tns-2016-16
SA132 : OpenSSL Vulnerabilities 22-Sep-2016 and 26-Sep-2016	bto.bluecoat.com text/html	CONFIRM bto.bluecoat.com/security-advisory/sa132
Red Hat Customer Portal	access.redhat.com text/html	REDHAT RHSA-2017:1414
Red Hat Customer Portal	web.archive.org text/html Inactive LinkNot Archived	REDHAT RHSA-2016:2802
Splunk Enterprise 6.5.1 addresses multiple OpenSSL vulnerabilities \| Splunk	www.splunk.com text/html	CONFIRM www.splunk.com/view/SP-CAAAPSV
Oracle VM Server for x86 Bulletin - October 2016	www.oracle.com text/html	CONFIRM www.oracle.com/technetwork/topics/security/ovmbulletinoct2016-3090547.html
[R2] PVS 5.2.0 Fixes Multiple Third-party Library Vulnerabilities - Security Advisory \| Tenable Network Security	www.tenable.com text/html	CONFIRM www.tenable.com/security/tns-2016-20
Juniper Networks - 2016-10 Security Bulletin: OpenSSL security updates	kb.juniper.net text/html	CONFIRM kb.juniper.net/InfoCenter/index?page=content&id=JSA10759
Red Hat Customer Portal	access.redhat.com text/html	REDHAT RHSA-2017:2493
Red Hat Customer Portal	access.redhat.com text/html	REDHAT RHSA-2017:1658
Red Hat Customer Portal	web.archive.org text/html Inactive LinkNot Archived	REDHAT RHSA-2017:1415
IBM Security Bulletin: Vulnerabilities in OpenSSL, OpenVPN and GNU glibc affect IBM Security Virtual Server Protection for VMware - United States	web.archive.org text/html Inactive LinkNot Archived	CONFIRM www-01.ibm.com/support/docview.wss?uid=swg21995039
git.openssl.org Git - openssl.git/commit	Issue Tracking git.openssl.org text/xml	CONFIRM git.openssl.org/?p=openssl.git;a=commit;h=2c0d295e26306e15a92eb23a84a1802005c1c137
Oracle Critical Patch Update - July 2017	www.oracle.com text/html	CONFIRM www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html
[R1] LCE 4.8.2 Fixes Multiple Third-party Library Vulnerabilities - Security Advisory \| Tenable Network Security	www.tenable.com text/html	CONFIRM www.tenable.com/security/tns-2016-21
Oracle Critical Patch Update - October 2017	www.oracle.com text/html	CONFIRM www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
	security.FreeBSD.org text/plain	FREEBSD FreeBSD-SA-16:26
Red Hat Customer Portal	access.redhat.com text/html	REDHAT RHSA-2017:1802
[security-announce] SUSE-SU-2016:2470-1: important: Security update for	Third Party Advisory lists.opensuse.org text/html	SUSE SUSE-SU-2016:2470

By selecting these links, you may be leaving CVEreport webspace. We have provided these links to other websites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other websites that are more appropriate for your purpose. CVEreport does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, CVEreport does not endorse any commercial products that may be mentioned on these sites. Please address comments about any linked pages to [email protected].

Known Affected Configurations (CPE V2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Application	Nodejs	Node.js	All	All	All	All
Operating System	Novell	Suse Linux Enterprise Module For Web Scripting	12.0	All	All	All
Operating System	Novell	Suse Linux Enterprise Module For Web Scripting	12.0	All	All	All
Application	Openssl	Openssl	1.0.1	All	All	All
Application	Openssl	Openssl	1.0.1	beta1	All	All
Application	Openssl	Openssl	1.0.1	beta2	All	All
Application	Openssl	Openssl	1.0.1	beta3	All	All
Application	Openssl	Openssl	1.0.1a	All	All	All
Application	Openssl	Openssl	1.0.1b	All	All	All
Application	Openssl	Openssl	1.0.1c	All	All	All
Application	Openssl	Openssl	1.0.1d	All	All	All
Application	Openssl	Openssl	1.0.1e	All	All	All
Application	Openssl	Openssl	1.0.1f	All	All	All
Application	Openssl	Openssl	1.0.1g	All	All	All
Application	Openssl	Openssl	1.0.1h	All	All	All
Application	Openssl	Openssl	1.0.1i	All	All	All
Application	Openssl	Openssl	1.0.1j	All	All	All
Application	Openssl	Openssl	1.0.1k	All	All	All
Application	Openssl	Openssl	1.0.1l	All	All	All
Application	Openssl	Openssl	1.0.1m	All	All	All
Application	Openssl	Openssl	1.0.1n	All	All	All
Application	Openssl	Openssl	1.0.1o	All	All	All
Application	Openssl	Openssl	1.0.1p	All	All	All
Application	Openssl	Openssl	1.0.1q	All	All	All
Application	Openssl	Openssl	1.0.1r	All	All	All
Application	Openssl	Openssl	1.0.1s	All	All	All
Application	Openssl	Openssl	1.0.1t	All	All	All
Application	Openssl	Openssl	1.0.2	All	All	All
Application	Openssl	Openssl	1.0.2	beta1	All	All
Application	Openssl	Openssl	1.0.2	beta2	All	All
Application	Openssl	Openssl	1.0.2	beta3	All	All
Application	Openssl	Openssl	1.0.2a	All	All	All
Application	Openssl	Openssl	1.0.2b	All	All	All
Application	Openssl	Openssl	1.0.2c	All	All	All
Application	Openssl	Openssl	1.0.2d	All	All	All
Application	Openssl	Openssl	1.0.2e	All	All	All
Application	Openssl	Openssl	1.0.2f	All	All	All
Application	Openssl	Openssl	1.0.2h	All	All	All
Application	Openssl	Openssl	1.1.0	All	All	All
Application	Openssl	Openssl	1.0.1	All	All	All
Application	Openssl	Openssl	1.0.1	beta1	All	All
Application	Openssl	Openssl	1.0.1	beta2	All	All
Application	Openssl	Openssl	1.0.1	beta3	All	All
Application	Openssl	Openssl	1.0.1a	All	All	All
Application	Openssl	Openssl	1.0.1b	All	All	All
Application	Openssl	Openssl	1.0.1c	All	All	All
Application	Openssl	Openssl	1.0.1d	All	All	All
Application	Openssl	Openssl	1.0.1e	All	All	All
Application	Openssl	Openssl	1.0.1f	All	All	All
Application	Openssl	Openssl	1.0.1g	All	All	All
Application	Openssl	Openssl	1.0.1h	All	All	All
Application	Openssl	Openssl	1.0.1i	All	All	All
Application	Openssl	Openssl	1.0.1j	All	All	All
Application	Openssl	Openssl	1.0.1k	All	All	All
Application	Openssl	Openssl	1.0.1l	All	All	All
Application	Openssl	Openssl	1.0.1m	All	All	All
Application	Openssl	Openssl	1.0.1n	All	All	All
Application	Openssl	Openssl	1.0.1o	All	All	All
Application	Openssl	Openssl	1.0.1p	All	All	All
Application	Openssl	Openssl	1.0.1q	All	All	All
Application	Openssl	Openssl	1.0.1r	All	All	All
Application	Openssl	Openssl	1.0.1s	All	All	All
Application	Openssl	Openssl	1.0.1t	All	All	All
Application	Openssl	Openssl	1.0.2	All	All	All
Application	Openssl	Openssl	1.0.2	beta1	All	All
Application	Openssl	Openssl	1.0.2	beta2	All	All
Application	Openssl	Openssl	1.0.2	beta3	All	All
Application	Openssl	Openssl	1.0.2a	All	All	All
Application	Openssl	Openssl	1.0.2b	All	All	All
Application	Openssl	Openssl	1.0.2c	All	All	All
Application	Openssl	Openssl	1.0.2d	All	All	All
Application	Openssl	Openssl	1.0.2e	All	All	All
Application	Openssl	Openssl	1.0.2f	All	All	All
Application	Openssl	Openssl	1.0.2h	All	All	All
Application	Openssl	Openssl	1.1.0	All	All	All

cpe:2.3:a:nodejs:node.js:*:*:*:*:*:*:*:*:
cpe:2.3:o:novell:suse_linux_enterprise_module_for_web_scripting:12.0:*:*:*:*:*:*:*:
cpe:2.3:o:novell:suse_linux_enterprise_module_for_web_scripting:12.0:*:*:*:*:*:*:*:
cpe:2.3:a:openssl:openssl:1.0.1:*:*:*:*:*:*:*:
cpe:2.3:a:openssl:openssl:1.0.1:beta1:*:*:*:*:*:*:
cpe:2.3:a:openssl:openssl:1.0.1:beta2:*:*:*:*:*:*:
cpe:2.3:a:openssl:openssl:1.0.1:beta3:*:*:*:*:*:*:
cpe:2.3:a:openssl:openssl:1.0.1a:*:*:*:*:*:*:*:
cpe:2.3:a:openssl:openssl:1.0.1b:*:*:*:*:*:*:*:
cpe:2.3:a:openssl:openssl:1.0.1c:*:*:*:*:*:*:*:
cpe:2.3:a:openssl:openssl:1.0.1d:*:*:*:*:*:*:*:
cpe:2.3:a:openssl:openssl:1.0.1e:*:*:*:*:*:*:*:
cpe:2.3:a:openssl:openssl:1.0.1f:*:*:*:*:*:*:*:
cpe:2.3:a:openssl:openssl:1.0.1g:*:*:*:*:*:*:*:
cpe:2.3:a:openssl:openssl:1.0.1h:*:*:*:*:*:*:*:
cpe:2.3:a:openssl:openssl:1.0.1i:*:*:*:*:*:*:*:
cpe:2.3:a:openssl:openssl:1.0.1j:*:*:*:*:*:*:*:
cpe:2.3:a:openssl:openssl:1.0.1k:*:*:*:*:*:*:*:
cpe:2.3:a:openssl:openssl:1.0.1l:*:*:*:*:*:*:*:
cpe:2.3:a:openssl:openssl:1.0.1m:*:*:*:*:*:*:*:
cpe:2.3:a:openssl:openssl:1.0.1n:*:*:*:*:*:*:*:
cpe:2.3:a:openssl:openssl:1.0.1o:*:*:*:*:*:*:*:
cpe:2.3:a:openssl:openssl:1.0.1p:*:*:*:*:*:*:*:
cpe:2.3:a:openssl:openssl:1.0.1q:*:*:*:*:*:*:*:
cpe:2.3:a:openssl:openssl:1.0.1r:*:*:*:*:*:*:*:
cpe:2.3:a:openssl:openssl:1.0.1s:*:*:*:*:*:*:*:
cpe:2.3:a:openssl:openssl:1.0.1t:*:*:*:*:*:*:*:
cpe:2.3:a:openssl:openssl:1.0.2:*:*:*:*:*:*:*:
cpe:2.3:a:openssl:openssl:1.0.2:beta1:*:*:*:*:*:*:
cpe:2.3:a:openssl:openssl:1.0.2:beta2:*:*:*:*:*:*:
cpe:2.3:a:openssl:openssl:1.0.2:beta3:*:*:*:*:*:*:
cpe:2.3:a:openssl:openssl:1.0.2a:*:*:*:*:*:*:*:
cpe:2.3:a:openssl:openssl:1.0.2b:*:*:*:*:*:*:*:
cpe:2.3:a:openssl:openssl:1.0.2c:*:*:*:*:*:*:*:
cpe:2.3:a:openssl:openssl:1.0.2d:*:*:*:*:*:*:*:
cpe:2.3:a:openssl:openssl:1.0.2e:*:*:*:*:*:*:*:
cpe:2.3:a:openssl:openssl:1.0.2f:*:*:*:*:*:*:*:
cpe:2.3:a:openssl:openssl:1.0.2h:*:*:*:*:*:*:*:
cpe:2.3:a:openssl:openssl:1.1.0:*:*:*:*:*:*:*:
cpe:2.3:a:openssl:openssl:1.0.1:*:*:*:*:*:*:*:
cpe:2.3:a:openssl:openssl:1.0.1:beta1:*:*:*:*:*:*:
cpe:2.3:a:openssl:openssl:1.0.1:beta2:*:*:*:*:*:*:
cpe:2.3:a:openssl:openssl:1.0.1:beta3:*:*:*:*:*:*:
cpe:2.3:a:openssl:openssl:1.0.1a:*:*:*:*:*:*:*:
cpe:2.3:a:openssl:openssl:1.0.1b:*:*:*:*:*:*:*:
cpe:2.3:a:openssl:openssl:1.0.1c:*:*:*:*:*:*:*:
cpe:2.3:a:openssl:openssl:1.0.1d:*:*:*:*:*:*:*:
cpe:2.3:a:openssl:openssl:1.0.1e:*:*:*:*:*:*:*:
cpe:2.3:a:openssl:openssl:1.0.1f:*:*:*:*:*:*:*:
cpe:2.3:a:openssl:openssl:1.0.1g:*:*:*:*:*:*:*:
cpe:2.3:a:openssl:openssl:1.0.1h:*:*:*:*:*:*:*:
cpe:2.3:a:openssl:openssl:1.0.1i:*:*:*:*:*:*:*:
cpe:2.3:a:openssl:openssl:1.0.1j:*:*:*:*:*:*:*:
cpe:2.3:a:openssl:openssl:1.0.1k:*:*:*:*:*:*:*:
cpe:2.3:a:openssl:openssl:1.0.1l:*:*:*:*:*:*:*:
cpe:2.3:a:openssl:openssl:1.0.1m:*:*:*:*:*:*:*:
cpe:2.3:a:openssl:openssl:1.0.1n:*:*:*:*:*:*:*:
cpe:2.3:a:openssl:openssl:1.0.1o:*:*:*:*:*:*:*:
cpe:2.3:a:openssl:openssl:1.0.1p:*:*:*:*:*:*:*:
cpe:2.3:a:openssl:openssl:1.0.1q:*:*:*:*:*:*:*:
cpe:2.3:a:openssl:openssl:1.0.1r:*:*:*:*:*:*:*:
cpe:2.3:a:openssl:openssl:1.0.1s:*:*:*:*:*:*:*:
cpe:2.3:a:openssl:openssl:1.0.1t:*:*:*:*:*:*:*:
cpe:2.3:a:openssl:openssl:1.0.2:*:*:*:*:*:*:*:
cpe:2.3:a:openssl:openssl:1.0.2:beta1:*:*:*:*:*:*:
cpe:2.3:a:openssl:openssl:1.0.2:beta2:*:*:*:*:*:*:
cpe:2.3:a:openssl:openssl:1.0.2:beta3:*:*:*:*:*:*:
cpe:2.3:a:openssl:openssl:1.0.2a:*:*:*:*:*:*:*:
cpe:2.3:a:openssl:openssl:1.0.2b:*:*:*:*:*:*:*:
cpe:2.3:a:openssl:openssl:1.0.2c:*:*:*:*:*:*:*:
cpe:2.3:a:openssl:openssl:1.0.2d:*:*:*:*:*:*:*:
cpe:2.3:a:openssl:openssl:1.0.2e:*:*:*:*:*:*:*:
cpe:2.3:a:openssl:openssl:1.0.2f:*:*:*:*:*:*:*:
cpe:2.3:a:openssl:openssl:1.0.2h:*:*:*:*:*:*:*:
cpe:2.3:a:openssl:openssl:1.1.0:*:*:*:*:*:*:*:

No vendor comments have been submitted for this CVE