THE INFORMATION IN THIS ARTICLE APPLIES TO:
Is EFT vulnerable to SSL vulnerability < href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6303" originalAttribute="href" originalPath="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6303">CVE-2016-6303 (DoS attack)?
No. After thorough review, Globalscape Support confirmed that neither of the methods cited below are in use by the EFT code base so EFT is not vulnerable to that specific vulnerability. In any event, Globalscape Engineering will updated our OpenSSL library from 1.0.2h to version 1.0.2j in a future release.
CVE-2016-6303 (OpenSSL advisory) [Low severity] 24th August 2016:
An overflow can occur in MDC2_Update() either if called directly or through the EVP_DigestUpdate() function using MDC2. If an attacker is able to supply very large amounts of input data after a previous call to EVP_EncryptUpdate() with a partial block then a length check can overflow resulting in a heap corruption. The amount of data needed is comparable to SIZE_MAX which is impractical on most platforms. Reported by Shi Lei (Gear Team, Qihoo 360 Inc.).
- Fixed in OpenSSL 1.0.1u (Affected 1.0.1t, 1.0.1s, 1.0.1r, 1.0.1q, 1.0.1p, 1.0.1o, 1.0.1n, 1.0.1m, 1.0.1l, 1.0.1k, 1.0.1j, 1.0.1i, 1.0.1h, 1.0.1g, 1.0.1f, 1.0.1e, 1.0.1d, 1.0.1c, 1.0.1b, 1.0.1a, 1.0.1)
- Fixed in OpenSSL 1.0.2i (Affected 1.0.2h, 1.0.2g, 1.0.2f, 1.0.2e, 1.0.2d, 1.0.2c, 1.0.2b, 1.0.2a, 1.0.2)