CVE-2016-4303: Buffer Overflow
The parse_string function in cjson.c in the cJSON library mishandles UTF8/16 strings, which allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a non-hex character in a JSON string, which triggers a heap-based buffer overflow.
Frequently Asked Questions
What is the severity of CVE-2016-4303?
CVE-2016-4303 is rated high severity because it can cause a denial of service (crash) or allow arbitrary code execution.
How do I fix CVE-2016-4303?
To resolve CVE-2016-4303, update the cJSON library to a version that has patched the buffer overflow issue.
Which software is affected by CVE-2016-4303?
CVE-2016-4303 affects versions of iperf3 prior to 3.0.12 and from 3.1 to 3.1.3, along with SUSE Linux Enterprise Package Hub and older openSUSE versions.
What type of vulnerability is CVE-2016-4303?
CVE-2016-4303 is a heap-based buffer overflow vulnerability caused by improper handling of UTF8/16 strings.
Can CVE-2016-4303 be exploited remotely?
Yes, CVE-2016-4303 can be exploited remotely by attackers sending malicious JSON strings.
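The defensive pattern for the bug class described above (a non-hex character inside a JSON `\u` escape leading to an out-of-bounds heap write) is to validate every hex digit and bound every read and write. The following is an added example, not code from cJSON or iperf3; the function names `hex4` and `decode_u_escape` are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>

/* Read exactly four hex digits; -1 if input is short or any byte is non-hex. */
static int hex4(const char *s, size_t remaining, uint32_t *out)
{
    uint32_t v = 0;
    if (remaining < 4) return -1;
    for (size_t i = 0; i < 4; i++) {
        unsigned char c = (unsigned char)s[i];
        if (c >= '0' && c <= '9') v = (v << 4) | (uint32_t)(c - '0');
        else if (c >= 'a' && c <= 'f') v = (v << 4) | (uint32_t)(c - 'a' + 10);
        else if (c >= 'A' && c <= 'F') v = (v << 4) | (uint32_t)(c - 'A' + 10);
        else return -1;              /* fail closed on a non-hex character */
    }
    *out = v;
    return 0;
}

/* Decode one \uXXXX escape (or a surrogate pair) from in[0..in_len) into
 * UTF-8 at out[0..out_cap). Returns the number of bytes written and sets
 * *used to the input bytes consumed; returns -1 on malformed input or if
 * the output would not fit. */
int decode_u_escape(const char *in, size_t in_len,
                    unsigned char *out, size_t out_cap, size_t *used)
{
    uint32_t cp, lo;
    if (in_len < 6 || in[0] != '\\' || in[1] != 'u' || hex4(in + 2, in_len - 2, &cp)) return -1;
    *used = 6;
    if (cp == 0 || (cp >= 0xDC00 && cp <= 0xDFFF)) return -1;  /* NUL or lone low surrogate */
    if (cp >= 0xD800 && cp <= 0xDBFF) {                         /* high surrogate needs a pair */
        if (in_len < 12 || in[6] != '\\' || in[7] != 'u' || hex4(in + 8, in_len - 8, &lo)) return -1;
        if (lo < 0xDC00 || lo > 0xDFFF) return -1;
        cp = 0x10000 + ((cp - 0xD800) << 10) + (lo - 0xDC00);
        *used = 12;
    }
    size_t n = cp < 0x80 ? 1 : cp < 0x800 ? 2 : cp < 0x10000 ? 3 : 4;
    if (n > out_cap) return -1;                                 /* bound every write */
    if (n == 1) out[0] = (unsigned char)cp;
    else {
        static const unsigned char lead[5] = {0, 0, 0xC0, 0xE0, 0xF0};
        for (size_t i = n - 1; i > 0; i--) { out[i] = (unsigned char)(0x80 | (cp & 0x3F)); cp >>= 6; }
        out[0] = (unsigned char)(lead[n] | cp);
    }
    return (int)n;
}
```

A caller that sizes its output buffer in a first pass must apply the same validation in that pass, so the computed length and the bytes actually written cannot disagree.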