THE INFORMATION IN THIS ARTICLE APPLIES TO:
QUESTION
Is EFT vulnerable to SSL vulnerability < href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6303" originalAttribute="href" originalPath="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6303">CVE-2016-6303 (DoS attack)?
ANSWER
No. After thorough review, Globalscape Support confirmed that neither of the methods cited below are in use by the EFT code base so EFT is not vulnerable to that specific vulnerability. In any event, Globalscape Engineering will updated our OpenSSL library from 1.0.2h to version 1.0.2j in a future release.
MORE INFORMATION
CVE-2016-6303 (OpenSSL advisory) [Low severity] 24th August 2016:
An overflow can occur in MDC2_Update() either if called directly or through the EVP_DigestUpdate() function using MDC2. If an attacker is able to supply very large amounts of input data after a previous call to EVP_EncryptUpdate() with a partial block then a length check can overflow resulting in a heap corruption. The amount of data needed is comparable to SIZE_MAX which is impractical on most platforms. Reported by Shi Lei (Gear Team, Qihoo 360 Inc.).
- Fixed in OpenSSL 1.0.1u (Affected 1.0.1t, 1.0.1s, 1.0.1r, 1.0.1q, 1.0.1p, 1.0.1o, 1.0.1n, 1.0.1m, 1.0.1l, 1.0.1k, 1.0.1j, 1.0.1i, 1.0.1h, 1.0.1g, 1.0.1f, 1.0.1e, 1.0.1d, 1.0.1c, 1.0.1b, 1.0.1a, 1.0.1)
- Fixed in OpenSSL 1.0.2i (Affected 1.0.2h, 1.0.2g, 1.0.2f, 1.0.2e, 1.0.2d, 1.0.2c, 1.0.2b, 1.0.2a, 1.0.2)
https://www.openssl.org/docs/manmaster/crypto/MDC2_Update.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6303
https://msisac.cisecurity.org/advisories/2016/2016-141.cfm