Is Spectrum affected with these OpenSSL vulnerabilities?

Document ID : KB000046272
Last Modified Date : 14/02/2018

Question: 

Is Spectrum affected with these OpenSSL vulnerabilities?

1. CVE-2016-2108 - Memory corruption in the ASN.1 encoder (Severity: High)

2. CVE-2016-2107 - Padding oracle in AES-NI CBC MAC check (Severity: High)

3. CVE-2016-2105 - EVP_EncodeUpdate overflow (Severity: Low)

4. CVE-2016-2106 - EVP_EncryptUpdate overflow (Severity: Low)

5. CVE-2016-2109 - ASN.1 BIO excessive memory allocation (Severity: Low)

6. CVE-2016-2176 - EBCDIC overread (Severity: Low)

Answer:

Currently, we are aware that the following supported versions of Spectrum are affected by these OpenSSL vulnerabilities:

9.3

9.4, 9.4.1, 9.4.2, 9.4.3

10.0, 10.1

We are targeting a fix for these vulnerabilities in Spectrum 10.2, which is planned for the second half of 2016.

Additional Information:

1. CVE-2016-2176: Affected OpenSSL versions: before 1.0.1t and 1.0.2 before 1.0.2h

2. CVE-2016-2109: Affected OpenSSL versions: before 1.0.1t and 1.0.2 before 1.0.2h

3. CVE-2016-2106: Affected OpenSSL versions: before 1.0.1t and 1.0.2 before 1.0.2h

4. CVE-2016-2107: Affected OpenSSL versions: before 1.0.1t and 1.0.2 before 1.0.2h

5. CVE-2016-2105: Affected OpenSSL versions: before 1.0.1t and 1.0.2 before 1.0.2h

6. CVE-2016-2108: Affected OpenSSL versions: before 1.0.1o and 1.0.2 before 1.0.2c
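As an added check that is not part of this KB article, the Python script below parses an `openssl version` banner and reports which of the six CVEs listed above have an affected range containing that build, using the version ranges from the Additional Information section. The sample banner is constructed, and the script deliberately treats CVE-2016-2108 separately because its fix landed earlier (1.0.1o / 1.0.2c) than the others.

```python
import re
# Fixed-in releases per CVE from this KB's "Additional Information": "before
# 1.0.1t" = every release below 1.0.1t; "1.0.2 before 1.0.2h" = that branch only.
FIXED_IN = {
    "CVE-2016-2108": ("1.0.1o", "1.0.2c"),
    "CVE-2016-2107": ("1.0.1t", "1.0.2h"),
    "CVE-2016-2105": ("1.0.1t", "1.0.2h"),
    "CVE-2016-2106": ("1.0.1t", "1.0.2h"),
    "CVE-2016-2109": ("1.0.1t", "1.0.2h"),
    "CVE-2016-2176": ("1.0.1t", "1.0.2h"),
}

def parse_version(text):
    """'1.0.2g' -> (1, 0, 2, 'g'). The letter suffix sorts after the bare
    release ('' < 'a' < ... < 'z'), which matches OpenSSL 1.0.x numbering."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]*)", text.strip())
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {text!r}")
    major, minor, patch, letters = m.groups()
    return (int(major), int(minor), int(patch), letters)

def version_from_banner(banner):
    """Extract the version from `openssl version` output, e.g.
    'OpenSSL 1.0.2g  1 Mar 2016' or 'OpenSSL 1.0.1e-fips 11 Feb 2013'."""
    m = re.search(r"OpenSSL\s+(\d+\.\d+\.\d+[a-z]*)", banner)
    if not m:
        raise ValueError(f"no OpenSSL version in banner: {banner!r}")
    return m.group(1)

def affected_cves(version):
    """CVEs from this KB whose affected range contains `version`.
    Caveat: distro and vendor builds often backport fixes without bumping
    the version string, so a hit means 'check the vendor advisory'."""
    v = parse_version(version)
    hits = []
    for cve, fixes in FIXED_IN.items():
        fixed = sorted(parse_version(f) for f in fixes)
        below_oldest_fix = v < fixed[0]                     # "before 1.0.1t"
        unpatched_branch = any(v[:3] == f[:3] and v < f     # "1.0.2 before 1.0.2h"
                               for f in fixed[1:])
        if below_oldest_fix or unpatched_branch:
            hits.append(cve)
    return hits

# Constructed sample banner, not captured from a real Spectrum host.
SAMPLE_BANNER = "OpenSSL 1.0.2g  1 Mar 2016"
if __name__ == "__main__":
    ver = version_from_banner(SAMPLE_BANNER)
    print(ver, "->", affected_cves(ver) or "none of the listed CVEs")
```

A 1.0.2g build, for instance, is still inside the range for five of the CVEs but outside the range for CVE-2016-2108, whose fix shipped in 1.0.2c.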