Advisory ID

12444

Release date

2016-05-10

Last Updated

2015-05-10

Issue Severity

-

Source

Source

USCERT/NIST

Release date

2016-05-06

CVSS v2 Base Score

5.0(MEDIUM)

Problem Description

An overflow can occur in the EVP_EncryptUpdate() function. If an attacker is able to supply very large amounts of input data after a previous call to EVP_EncryptUpdate() with a partial block, then a length check overflow can occur resulting in a heap corruption.
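The length-check overflow described above, shown as an added example. It is a simplified model, not OpenSSL or BoKS code, and the function names, the 16-byte block size and the input lengths are assumptions chosen for illustration. It contrasts a check that adds the buffered length to the input length with a rearranged check that cannot overflow.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model: 32-bit signed add with the wraparound made explicit,
 * so the demonstration does not rely on undefined signed overflow. */
static int32_t wrap_add(int32_t a, int32_t b)
{
    uint32_t s = (uint32_t)a + (uint32_t)b;
    if (s <= (uint32_t)INT32_MAX)
        return (int32_t)s;
    return (int32_t)(s - 0x80000000u) + INT32_MIN;
}

/* Weak check: "does the new input still fit in the partial block?"
 * buffered + inl can wrap negative and pass the comparison, so a huge
 * input would be treated as small enough to copy into the block buffer. */
static int fits_weak(int32_t buffered, int32_t inl, int32_t block_size)
{
    return wrap_add(buffered, inl) < block_size;
}

/* Hardened check: same question, rearranged so nothing can overflow.
 * Requires 0 <= buffered < block_size, which holds for a partial block. */
static int fits_safe(int32_t buffered, int32_t inl, int32_t block_size)
{
    return inl < block_size - buffered;
}

int main(void)
{
    /* Constructed inputs: 16-byte block, 1 byte already buffered. */
    const int32_t bl = 16, buffered = 1;
    const int32_t lens[] = { 10, 15, INT32_MAX };
    for (size_t k = 0; k < sizeof lens / sizeof lens[0]; k++)
        printf("inl=%ld weak=%d safe=%d\n", (long)lens[k],
               fits_weak(buffered, lens[k], bl),
               fits_safe(buffered, lens[k], bl));
    return 0;
}
```

The two checks agree on ordinary lengths and differ only when the sum wraps, which is why the condition needs both a partial block and a very large input.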

Find out more about CVE-2016-2106 from the MITRE CVE directory and the NIST NVD.

Impact

An analysis of all OpenSSL internal usage of the EVP_EncryptUpdate() function, performed by the OpenSSL development team, has concluded that there are no internal code paths that can trigger the vulnerability.

A similar analysis of EVP_EncryptUpdate() use in BoKS also comes to the conclusion that there are no code paths that can trigger the vulnerability. Thus BoKS is not vulnerable.

Affected Products

No FoxT Products are vulnerable.

Workaround

N/A

Obtaining Fixed Software

N/A

External References

OpenSSL Security Advisory









Last Modified On: May 25, 2018