Search

GlobalSCAPE Knowledge Base

Is EFT vulnerable to SSL vulnerability CVE-2016-6303 (DoS attack)?

Karla Marsh
EFT Express (SMB) & Enterprise

THE INFORMATION IN THIS ARTICLE APPLIES TO:

  • EFT, version 7 and later

QUESTION

Is EFT vulnerable to SSL vulnerability < href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6303" originalAttribute="href" originalPath="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6303">CVE-2016-6303 (DoS attack)?

ANSWER

No. After thorough review, Globalscape Support confirmed that neither of the methods cited below are in use by the EFT code base so EFT is not vulnerable to that specific vulnerability. In any event, Globalscape Engineering will updated our OpenSSL library from 1.0.2h to version 1.0.2j in a future release.

MORE INFORMATION

CVE-2016-6303 (OpenSSL advisory) [Low severity] 24th August 2016: An overflow can occur in MDC2_Update() either if called directly or through the EVP_DigestUpdate() function using MDC2. If an attacker is able to supply very large amounts of input data after a previous call to EVP_EncryptUpdate() with a partial block then a length check can overflow resulting in a heap corruption. The amount of data needed is comparable to SIZE_MAX which is impractical on most platforms. Reported by Shi Lei (Gear Team, Qihoo 360 Inc.).

Details
Last Modified: 3 Years Ago
Last Modified By: kmarsh
Type: INFO
Article not rated yet.
Article has been viewed 5.8K times.
Options
Also In This Category
Tags