CVE-2016-8610
Last modified
CVE-2016-8610 is a high-severity vulnerability rated 7.5/10 on the CVSS scale. A denial of service flaw was found in OpenSSL 0.9.8, 1.0.1, 1.0.2 through 1.0.2h, and 1.1.0 in the way the TLS/SSL protocol defined processing of ALERT packets during a connection handshake. A remote attacker could use this flaw to make a TLS/SSL server consume an excessive amount of CPU and fail to accept connections from other clients. EPSS estimates a 39.66% chance of exploitation in the next 30 days.
Description
A denial of service flaw was found in OpenSSL 0.9.8, 1.0.1, 1.0.2 through 1.0.2h, and 1.1.0 in the way the TLS/SSL protocol defined processing of ALERT packets during a connection handshake. A remote attacker could use this flaw to make a TLS/SSL server consume an excessive amount of CPU and fail to accept connections from other clients.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| OpenSSL | OpenSSL | >= 1.0.2, <= 1.0.2h |
| OpenSSL | OpenSSL | 0.9.8 |
| OpenSSL | OpenSSL | 1.0.1 |
| OpenSSL | OpenSSL | 1.1.0 |
| Debian | Debian Linux | 8.0 |
| Red Hat | Enterprise Linux Desktop | 6.0 |
| Red Hat | Enterprise Linux Desktop | 7.0 |
| Red Hat | Enterprise Linux Server | 6.0 |
| Red Hat | Enterprise Linux Server | 7.0 |
| Red Hat | Enterprise Linux Server AUS | 7.3 |
| Red Hat | Enterprise Linux Server AUS | 7.4 |
| Red Hat | Enterprise Linux Server AUS | 7.6 |
| Red Hat | Enterprise Linux Server EUS | 7.3 |
| Red Hat | Enterprise Linux Server EUS | 7.4 |
| Red Hat | Enterprise Linux Server EUS | 7.5 |
| Red Hat | Enterprise Linux Server EUS | 7.6 |
| Red Hat | Enterprise Linux Server TUS | 7.3 |
| Red Hat | Enterprise Linux Server TUS | 7.6 |
| Red Hat | Enterprise Linux Workstation | 6.0 |
| Red Hat | Enterprise Linux Workstation | 7.0 |
| Red Hat | JBoss Enterprise Application Platform | 6.0.0 |
| Red Hat | JBoss Enterprise Application Platform | 6.4.0 |
| NetApp | CN1610 Firmware | All versions |
| NetApp | Clustered Data ONTAP Antivirus Connector | All versions |
| NetApp | Data ONTAP | All versions |
| NetApp | Data ONTAP Edge | All versions |
| NetApp | E-Series SANtricity OS Controller | >= 11.0, <= 11.40 |
| NetApp | Host Agent | All versions |
| NetApp | OnCommand Balance | All versions |
| NetApp | OnCommand Unified Manager | All versions |
| NetApp | OnCommand Workflow Automation | All versions |
| NetApp | ONTAP Select Deploy | All versions |
| NetApp | Service Processor | All versions |
| NetApp | SMI-S Provider | All versions |
| NetApp | SnapCenter Server | All versions |
| NetApp | SnapDrive | All versions |
| NetApp | StorageGRID | All versions |
| NetApp | StorageGRID Webscale | All versions |
| NetApp | Clustered Data ONTAP | All versions |
| Palo Alto Networks | PAN-OS | <= 6.1.17 |
| Palo Alto Networks | PAN-OS | >= 7.0.0, <= 7.0.15 |
| Palo Alto Networks | PAN-OS | >= 7.1.0, <= 7.1.10 |
| Oracle | Adaptive Access Manager | 11.1.2.3.0 |
| Oracle | Application Testing Suite | 13.3.0.1 |
| Oracle | Communications Analytics | 12.1.1 |
| Oracle | Communications IP Service Activator | 7.3.4 |
| Oracle | Communications IP Service Activator | 7.4.0 |
| Oracle | Core RDBMS | 11.2.0.4 |
| Oracle | Core RDBMS | 12.1.0.2 |
| Oracle | Core RDBMS | 12.2.0.1 |
Showing 50 of 78 affected configurations. See NVD for the full list.
References
- http://rhn.redhat.com/errata/RHSA-2017-0286.html (Third Party Advisory)
- http://rhn.redhat.com/errata/RHSA-2017-0574.html (Third Party Advisory)
- http://rhn.redhat.com/errata/RHSA-2017-1415.html (Third Party Advisory)
- http://rhn.redhat.com/errata/RHSA-2017-1659.html (Third Party Advisory)
- http://seclists.org/oss-sec/2016/q4/224 (Mailing List, Third Party Advisory)
- http://www.securityfocus.com/bid/93841 (Third Party Advisory, VDB Entry)
- http://www.securitytracker.com/id/1037084 (Third Party Advisory, VDB Entry)
- https://access.redhat.com/errata/RHSA-2017:1413 (Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2017:1414 (Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2017:1658 (Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2017:1801 (Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2017:1802 (Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2017:2493 (Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2017:2494 (Third Party Advisory)
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8610 (Issue Tracking, Patch, Third Party Advisory)
- https://security.360.cn/cve/CVE-2016-8610/ (Third Party Advisory)
- https://security.FreeBSD.org/advisories/FreeBSD-SA-16:35.openssl.asc (Third Party Advisory)
- https://security.netapp.com/advisory/ntap-20171130-0001/ (Third Party Advisory)
- https://security.paloaltonetworks.com/CVE-2016-8610 (Third Party Advisory)
- https://www.debian.org/security/2017/dsa-3773 (Third Party Advisory)
- https://www.oracle.com/security-alerts/cpuapr2020.html (Patch, Third Party Advisory)
- https://www.oracle.com/security-alerts/cpujan2020.html (Patch, Third Party Advisory)
- https://www.oracle.com/security-alerts/cpujul2020.html (Patch, Third Party Advisory)
- https://www.oracle.com/security-alerts/cpuoct2020.html (Patch, Third Party Advisory)
- https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html (Patch, Third Party Advisory)
- https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html (Patch, Third Party Advisory)
Timeline
- Published
- Last Modified
- Status
- Modified
Source: NVD / NIST
