GlobalSCAPE Knowledge Base


Is EFT vulnerable to SSL vulnerability CVE-2016-6303 (DoS attack)?


kmarsh
EFT Express (SMB) & Enterprise

THE INFORMATION IN THIS ARTICLE APPLIES TO:

  • EFT, version 7 and later

QUESTION

Is EFT vulnerable to SSL vulnerability CVE-2016-6303 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6303> (DoS attack)?

ANSWER

No. After thorough review, Globalscape Support confirmed that neither of the methods cited below is in use by the EFT code base, so EFT is not vulnerable to that specific vulnerability. In any event, Globalscape Engineering will update our OpenSSL library from 1.0.2h to version 1.0.2j in a future release.

MORE INFORMATION

CVE-2016-6303 (OpenSSL advisory) [Low severity] 24th August 2016: An overflow can occur in MDC2_Update() either if called directly or through the EVP_DigestUpdate() function using MDC2. If an attacker is able to supply very large amounts of input data after a previous call to EVP_EncryptUpdate() with a partial block then a length check can overflow resulting in a heap corruption. The amount of data needed is comparable to SIZE_MAX which is impractical on most platforms. Reported by Shi Lei (Gear Team, Qihoo 360 Inc.).
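
The "length check can overflow" wording in the advisory describes an unsigned wrap-around in a buffered hash update. The following C example is added here for illustration and is not OpenSSL or EFT code; `md_ctx`, `fits_weak`, `fits_strict`, `md_update` and `demo` are hypothetical names, and the input is constructed. It contrasts an additive length check that wraps near SIZE_MAX with a subtractive check that cannot, using an 8-byte block as MDC2 does:

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BLOCK 8u                 /* MDC2 block size in bytes */

struct md_ctx {                  /* hypothetical context, not OpenSSL's MDC2_CTX */
    unsigned char buf[BLOCK];    /* partial block carried between calls */
    size_t num;                  /* bytes buffered, invariant: num < BLOCK */
    size_t blocks;               /* full blocks consumed (stand-in for hashing) */
};

/* Weak check: num + len wraps when len is close to SIZE_MAX, so an
 * enormous input is misjudged as fitting in the buffer's free space. */
static int fits_weak(size_t num, size_t len)   { return num + len < BLOCK; }
/* Strict check: subtracts instead of adding, so nothing can wrap. */
static int fits_strict(size_t num, size_t len) { return len < BLOCK - num; }

/* Buffered update that relies on the strict check before copying. */
static void md_update(struct md_ctx *c, const unsigned char *in, size_t len) {
    if (c->num != 0) {
        if (fits_strict(c->num, len)) {      /* still a partial block */
            memcpy(c->buf + c->num, in, len);
            c->num += len;
            return;
        }
        size_t fill = BLOCK - c->num;        /* top up the buffered block */
        memcpy(c->buf + c->num, in, fill);
        in += fill; len -= fill; c->num = 0; c->blocks++;
    }
    c->blocks += len / BLOCK;                /* whole blocks from the input */
    in += len - len % BLOCK;
    c->num = len % BLOCK;
    memcpy(c->buf, in, c->num);              /* keep the tail for next call */
}

/* Constructed input: 3 bytes, then 13. Returns blocks * 10 + leftover. */
static size_t demo(void) {
    struct md_ctx c = { {0}, 0, 0 };
    unsigned char data[16] = {0};
    md_update(&c, data, 3);
    md_update(&c, data + 3, 13);
    return c.blocks * 10 + c.num;
}

int main(void) {
    printf("%d %d %zu\n", fits_weak(3, SIZE_MAX), fits_strict(3, SIZE_MAX), demo());
    return 0;
}
```

With 3 bytes already buffered, the weak check accepts a length of SIZE_MAX as fitting in the remaining 5 bytes, while the strict check rejects it; both agree on ordinary lengths.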


Details
Last Modified: 3 Years Ago
Last Modified By: kmarsh
Type: INFO