Vulnerability Note VU#396440
MatrixSSL contains multiple vulnerabilities
MatrixSSL, version 3.8.5 and earlier, contains heap overflow, out-of-bounds read, and free-of-unallocated-memory vulnerabilities.
CWE-122: Heap-based Buffer Overflow - CVE-2016-6890
The Subject Alt Name field of X.509 certificates is not properly parsed. A specially crafted certificate may result in a heap-based buffer overflow and arbitrary code execution.
By causing a server to parse a specially crafted X.509 certificate, a remote, unauthenticated attacker may be able to create a denial of service condition or execute arbitrary code in the context of the SSL stack.
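The note does not describe the parsing defect itself; heap overflows in DER parsers generally arise when a length encoded in the certificate is trusted before data is copied into a heap buffer. The C parser below is an added illustration, not MatrixSSL code: the `san_name`, `der_read_len`, `parse_san` and `free_san` names and the sample byte strings are constructed for this example. It shows the checks a Subject Alt Name parser needs: every DER length is validated against the bytes actually present (and against the enclosing SEQUENCE) before it is used, and each destination is allocated from the validated length, so the copy cannot exceed the allocation. Inputs whose declared lengths overrun the buffer are rejected rather than parsed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* One decoded GeneralName: context-specific tag number (2 = dNSName,
   7 = iPAddress, ...) and a NUL-terminated heap copy of its contents. */
struct san_name {
    uint8_t tag;
    size_t len;
    char *value;
};

/* Decode a DER length at p. Returns header bytes consumed, or 0 if the
   encoding is malformed or the declared length exceeds `remaining`. */
static size_t der_read_len(const uint8_t *p, size_t remaining, size_t *out)
{
    if (remaining < 1)
        return 0;
    if (p[0] < 0x80) {                       /* short form */
        if (p[0] > remaining - 1)
            return 0;
        *out = p[0];
        return 1;
    }
    size_t n = p[0] & 0x7f;                  /* long form: n length bytes */
    if (n == 0 || n > sizeof(size_t) || remaining < 1 + n)
        return 0;                            /* indefinite or truncated */
    size_t v = 0;
    for (size_t i = 0; i < n; i++)
        v = (v << 8) | p[1 + i];
    if (v > remaining - 1 - n)
        return 0;                            /* declared length overruns buffer */
    *out = v;
    return 1 + n;
}

void free_san(struct san_name *names, int count)
{
    for (int i = 0; i < count; i++)
        free(names[i].value);
}

/* Parse a SubjectAltName extension value (SEQUENCE OF GeneralName).
   Stores up to max_out names; returns the number stored, or -1 on a
   malformed encoding (nothing remains allocated in that case). */
int parse_san(const uint8_t *buf, size_t len, struct san_name *out, size_t max_out)
{
    size_t pos, seq_len, used, stored = 0;

    if (len < 1 || buf[0] != 0x30)           /* outer SEQUENCE tag */
        return -1;
    pos = 1;
    used = der_read_len(buf + pos, len - pos, &seq_len);
    if (used == 0)
        return -1;
    pos += used;
    const uint8_t *end = buf + pos + seq_len; /* validated: end <= buf + len */

    while (buf + pos < end) {
        uint8_t tag = buf[pos++];
        size_t nlen;
        /* bound each name by the enclosing SEQUENCE, not the whole buffer */
        used = der_read_len(buf + pos, (size_t)(end - (buf + pos)), &nlen);
        if (used == 0 || (tag & 0xc0) != 0x80)   /* GeneralName is context-specific */
            goto fail;
        pos += used;
        if (stored < max_out) {
            /* destination sized from the validated length: no overflow possible */
            char *v = malloc(nlen + 1);
            if (v == NULL)
                goto fail;
            memcpy(v, buf + pos, nlen);
            v[nlen] = '\0';
            out[stored].tag = tag & 0x1f;
            out[stored].len = nlen;
            out[stored].value = v;
            stored++;
        }
        pos += nlen;
    }
    return (int)stored;

fail:
    free_san(out, (int)stored);
    return -1;
}

/* Constructed sample inputs (not real certificate data). */
/* SEQUENCE { [2] "example.com", [2] "www.example.com" } */
static const uint8_t SAN_OK[] = {
    0x30, 0x1e,
    0x82, 0x0b, 'e','x','a','m','p','l','e','.','c','o','m',
    0x82, 0x0f, 'w','w','w','.','e','x','a','m','p','l','e','.','c','o','m'
};
/* dNSName declares 64 bytes but only 3 are present */
static const uint8_t SAN_BAD_INNER[] = { 0x30, 0x05, 0x82, 0x40, 'a', 'b', 'c' };
/* outer SEQUENCE declares 16 bytes but only 3 follow */
static const uint8_t SAN_BAD_OUTER[] = { 0x30, 0x10, 0x82, 0x01, 'a' };

int main(void)
{
    struct san_name names[4];
    int n = parse_san(SAN_OK, sizeof SAN_OK, names, 4);
    for (int i = 0; i < n; i++)
        printf("[%u] %s\n", (unsigned)names[i].tag, names[i].value);
    free_san(names, n);
    printf("malformed inner: %d, malformed outer: %d\n",
           parse_san(SAN_BAD_INNER, sizeof SAN_BAD_INNER, names, 4),
           parse_san(SAN_BAD_OUTER, sizeof SAN_BAD_OUTER, names, 4));
    return 0;
}
```

The two malformed inputs are the shape a fuzzer or a hostile peer would present: a length field that claims more bytes than exist. A parser that trusted them would read past the input buffer (the out-of-bounds read class in this note) or, if it sized a copy from the outer length but a destination from something else, write past a heap allocation.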
Apply an update
Vendor Information
| Vendor | Status | Date Notified | Date Updated |
| --- | --- | --- | --- |
| MatrixSSL | Affected | 26 Aug 2016 | 11 Oct 2016 |
| CoreOS | Not Affected | 11 Oct 2016 | 13 Oct 2016 |
| Lenovo | Not Affected | 11 Oct 2016 | 14 Oct 2016 |
| ACCESS | Unknown | 11 Oct 2016 | 11 Oct 2016 |
| Alcatel-Lucent | Unknown | 11 Oct 2016 | 11 Oct 2016 |
| Apple | Unknown | 11 Oct 2016 | 11 Oct 2016 |
| Arch Linux | Unknown | 11 Oct 2016 | 11 Oct 2016 |
| Arista Networks, Inc. | Unknown | 11 Oct 2016 | 11 Oct 2016 |
| Aruba Networks | Unknown | 11 Oct 2016 | 11 Oct 2016 |
| AT&T | Unknown | 11 Oct 2016 | 11 Oct 2016 |
| Avaya, Inc. | Unknown | 11 Oct 2016 | 11 Oct 2016 |
| Barracuda Networks | Unknown | 11 Oct 2016 | 11 Oct 2016 |
| Belkin, Inc. | Unknown | 11 Oct 2016 | 11 Oct 2016 |
| Blue Coat Systems | Unknown | 11 Oct 2016 | 11 Oct 2016 |
| Brocade Communication Systems | Unknown | 11 Oct 2016 | 11 Oct 2016 |
CVSS Metrics
Thanks to Craig Young of Tripwire for reporting these vulnerabilities.
This document was written by Joel Land.
- CVE IDs: CVE-2016-6890, CVE-2016-6891, CVE-2016-6892
- Date Public: 10 Oct 2016
- Date First Published: 11 Oct 2016
- Date Last Updated: 14 Oct 2016
- Document Revision: 19