Alpine: openssl: security update to 1.0.2h-r0

high Tenable Cloud Security Plugin ID 406075

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- Integer overflow in the EVP_EncodeUpdate function in crypto/evp/encode.c in OpenSSL before 1.0.1t and
1.0.2 before 1.0.2h allows remote attackers to cause a denial of service (heap memory corruption) via a
large amount of binary data. (CVE-2016-2105)

- Integer overflow in the EVP_EncryptUpdate function in crypto/evp/evp_enc.c in OpenSSL before 1.0.1t and
1.0.2 before 1.0.2h allows remote attackers to cause a denial of service (heap memory corruption) via a
large amount of data. (CVE-2016-2106)

- The AES-NI implementation in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h does not consider memory
allocation during a certain padding check, which allows remote attackers to obtain sensitive cleartext
information via a padding-oracle attack against an AES CBC session. NOTE: this vulnerability exists
because of an incorrect fix for CVE-2013-0169. (CVE-2016-2107)

- The asn1_d2i_read_bio function in crypto/asn1/a_d2i_fp.c in the ASN.1 BIO implementation in OpenSSL before
1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to cause a denial of service (memory consumption)
via a short invalid encoding. (CVE-2016-2109)

- The X509_NAME_oneline function in crypto/x509/x509_obj.c in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h
allows remote attackers to obtain sensitive information from process stack memory or cause a denial of
service (buffer over-read) via crafted EBCDIC ASN.1 data. (CVE-2016-2176)

See Also

https://security.alpinelinux.org/vuln/CVE-2016-2105

https://security.alpinelinux.org/vuln/CVE-2016-2106

https://security.alpinelinux.org/vuln/CVE-2016-2107

https://security.alpinelinux.org/vuln/CVE-2016-2109

https://security.alpinelinux.org/vuln/CVE-2016-2176

Plugin Details

Severity: High

ID: 406075

Version: Revision 1.32

Type: Local

Published: 10/31/2023

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 5.7

Percentile: 97

CVSS v2

Risk Factor: Medium

Base Score: 6.4

Temporal Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:P

CVSS Score Source: CVE-2016-2176

CVSS v3

Risk Factor: High

Base Score: 8.2

Temporal Score: 7.4

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Vulnerability Publication Date: 4/26/2016

Reference Information

CVE: CVE-2016-2105, CVE-2016-2106, CVE-2016-2107, CVE-2016-2109, CVE-2016-2176

BID: 87940, 89744, 89746, 89757, 89760

IAVA: 2016-A-0113-S