CVSS v2 Base Score
An overflow can occur in the EVP_EncryptUpdate() function. If an attacker is able to supply very large amounts of input data after a previous call to EVP_EncryptUpdate() with a partial block, then a length check overflow can occur resulting in a heap corruption.
Find out more about CVE-2016-2106 from the MITRE CVE directory and NIST NVD.
An analysis of all OpenSSL internal usage of the EVP_EncryptUpdate() function, performed by the OpenSSL development team, has concluded that there are no internal code paths that can trigger the vulnerability.
A similar analysis of EVP_EncryptUpdate() use in BoKS also comes to the conclusion that there are no code paths that can trigger the vulnerability. Thus BoKS is not vulnerable.
No FoxT Products are vulnerable.
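The following is an added example, not code from OpenSSL, BoKS or this advisory: a simplified C model of the length-check overflow described above, next to a hardened form of the check and the caller-side bound that an audit of EVP_EncryptUpdate() call sites looks for. All function names are hypothetical, and the block size of 16 and the 8-byte partial block are constructed sample values.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical names throughout: this models the bug class, it is not OpenSSL source. */

/* Overflow-prone form: adds the buffered partial-block length to the new input
 * length in int arithmetic. The wrap is modelled with unsigned math so the
 * demo itself has no undefined behaviour. */
static int fits_in_block_unsafe(int buf_len, int in_len, int block_size)
{
    int sum = (int)((unsigned)buf_len + (unsigned)in_len);
    return sum < block_size; /* true => all in_len bytes would be copied into the block buffer */
}

/* Hardened form: subtract instead of add. Assumes 0 <= buf_len < block_size
 * and in_len >= 0, so block_size - buf_len cannot overflow. */
static int fits_in_block_safe(int buf_len, int in_len, int block_size)
{
    return block_size - buf_len > in_len;
}

/* Caller-side audit check: can this code path hand the update call a length
 * large enough to wrap the sum once a partial block is buffered? */
static int caller_len_is_safe(size_t len, int block_size)
{
    return len <= (size_t)(INT_MAX - block_size);
}

int main(void)
{
    int bl = 16, partial = 8; /* constructed sample values */

    printf("small input : unsafe=%d safe=%d\n",
           fits_in_block_unsafe(partial, 4, bl), fits_in_block_safe(partial, 4, bl));
    printf("huge input  : unsafe=%d safe=%d\n",
           fits_in_block_unsafe(partial, INT_MAX, bl), fits_in_block_safe(partial, INT_MAX, bl));
    printf("caller guard: 4096 -> %d, INT_MAX -> %d\n",
           caller_len_is_safe(4096, bl), caller_len_is_safe((size_t)INT_MAX, bl));
    return 0;
}
```

With the huge input the overflow-prone check wrongly reports that the data fits in the partial block, while the hardened check and the caller-side bound both reject it.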