Memory corruption in the ASN.1 encoder

A memory corruption vulnerability has been found in the OpenSSL ASN.1 encoder. It is a combination of two bugs, neither of which has a security impact on its own; together they allow an attacker to execute malicious code. Exploitation uses malformed digital certificates signed by trusted certificate authorities.

This vulnerability affects systems whose inbound connections do not terminate at the ACE Load Balancers. If the inbound connections terminate at the ACE Load Balancers, the risk of being impacted by this vulnerability is low.

Severity
High

CVE Number
CVE-2016-2108

Recommended Action

  • OpenSSL 1.0.2 users should upgrade to 1.0.2c
  • OpenSSL 1.0.1 users should upgrade to 1.0.1o
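The following script is an added example, not part of this advisory or of the OpenSSL project. It parses the banner printed by `openssl version`, identifies the release branch, and compares the patch letter against the fixed releases named above (1.0.1o and 1.0.2c). OpenSSL versions before 1.1.0 use a trailing letter sequence (a, b, ..., z, za, zb, ...) as the patch level, so a plain string comparison is not enough; the helper orders them by length first. The sample banners in the block are constructed for illustration.

```python
import re
import subprocess

# First release on each branch containing the fix, as listed in this advisory.
FIXED_PATCH_LETTER = {"1.0.1": "o", "1.0.2": "c"}

# Matches e.g. "OpenSSL 1.0.1e-fips 11 Feb 2013" -> base "1.0.1", letters "e".
_BANNER_RE = re.compile(r"^OpenSSL\s+(\d+\.\d+\.\d+)([a-z]*)")


def parse_version(banner):
    """Split an `openssl version` banner into (base version, patch letters)."""
    m = _BANNER_RE.match(banner.strip())
    if not m:
        raise ValueError("unrecognised OpenSSL version banner: %r" % banner)
    return m.group(1), m.group(2)


def letters_key(letters):
    """Sort key for pre-1.1 patch letters: '' < 'a' < ... < 'z' < 'za' < 'zb'."""
    return (len(letters), letters)


def assess(banner):
    """Return 'fixed', 'vulnerable', or 'unknown' for a version banner.

    'unknown' means the branch is not one of those covered by this advisory,
    so the script makes no claim about it.
    """
    base, letters = parse_version(banner)
    if base not in FIXED_PATCH_LETTER:
        return "unknown"
    fixed = FIXED_PATCH_LETTER[base]
    return "fixed" if letters_key(letters) >= letters_key(fixed) else "vulnerable"


def assess_local():
    """Run `openssl version` on this host and assess the result."""
    out = subprocess.run(
        ["openssl", "version"], capture_output=True, text=True, check=True
    ).stdout
    return assess(out)


if __name__ == "__main__":
    # Constructed sample banners, not output captured from any real system.
    for sample in [
        "OpenSSL 1.0.1e-fips 11 Feb 2013",
        "OpenSSL 1.0.2 22 Jan 2015",
        "OpenSSL 1.0.2c 12 Jun 2015",
        "OpenSSL 1.0.1o 12 Jun 2015",
    ]:
        print("%-40s %s" % (sample, assess(sample)))
    try:
        print("this host:", assess_local())
    except (FileNotFoundError, subprocess.CalledProcessError):
        print("this host: openssl binary not available")
```

The version string alone is not conclusive on distributions that backport fixes without changing the upstream version (Red Hat's 1.0.1e builds are one example); on such systems a "vulnerable" result should be confirmed against the package changelog or vendor errata before acting on it.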

More Information
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-2108