CVE-2016-8610

high

Published 2017-11-13 · Modified 2026-05-13

💬 Discuss on Community ✚ Propose mitigation

CVSS v3

7.5

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS v4 NEW

—

not yet in upstream

VIR risk

7.5

Description

A denial of service flaw was found in OpenSSL 0.9.8, 1.0.1, 1.0.2 through 1.0.2h, and 1.1.0 in the way the TLS/SSL protocol defined processing of ALERT packets during a connection handshake. A remote attacker could use this flaw to make a TLS/SSL server consume an excessive amount of CPU and fail to accept connections from other clients.

Predictions

Exploit likelihood

83%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.

The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or — if you've already worked around this in production — publish your fix to the community-verified tier.

✚ Propose a mitigation on Community → Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here with source_tier=community-verified.

OS impact

OS	Version	Status	Fixed in
sles		affected
rhel	6.0	affected
rhel	7.0	affected
debian	8.0	affected
debian	bookworm	fixed	`1.0.2j-1`
debian	bullseye	fixed	`1.0.2j-1`
debian	forky	fixed	`1.0.2j-1`
debian	sid	fixed	`1.0.2j-1`
debian	trixie	fixed	`1.0.2j-1`

Application impact

Vendor	Product	Versions	Fixed
openssl	openssl	`{"startIncluding":"1.0.2","endIncluding":"1.0.2h"}`
openssl	openssl	`0.9.8`
openssl	openssl	`1.0.1`
openssl	openssl	`1.1.0`
redhat	jboss_enterprise_application_platform	`6.0.0`
redhat	jboss_enterprise_application_platform	`6.4.0`
netapp	clustered_data_ontap_antivirus_connector	`-`
netapp	data_ontap	`-`
netapp	data_ontap_edge	`-`
netapp	e-series_santricity_os_controller	`{"startIncluding":"11.0","endIncluding":"11.40"}`
netapp	host_agent	`-`
netapp	oncommand_balance	`-`
netapp	oncommand_unified_manager	`-`
netapp	oncommand_workflow_automation	`-`
netapp	ontap_select_deploy	`-`
netapp	service_processor	`-`
netapp	smi-s_provider	`-`
netapp	snapcenter_server	`-`
netapp	snapdrive	`-`
netapp	storagegrid	`-`
netapp	storagegrid_webscale	`-`
oracle	adaptive_access_manager	`11.1.2.3.0`
oracle	application_testing_suite	`13.3.0.1`
oracle	communications_analytics	`12.1.1`
oracle	communications_ip_service_activator	`7.3.4`
oracle	communications_ip_service_activator	`7.4.0`
oracle	core_rdbms	`11.2.0.4`
oracle	core_rdbms	`12.1.0.2`
oracle	core_rdbms	`12.2.0.1`
oracle	core_rdbms	`18c`
oracle	core_rdbms	`19c`
oracle	enterprise_manager_ops_center	`12.3.3`
oracle	enterprise_manager_ops_center	`12.4.0`
oracle	goldengate_application_adapters	`12.3.2.1.0`
oracle	jd_edwards_enterpriseone_tools	`9.2`
oracle	peoplesoft_enterprise_peopletools	`8.56`
oracle	peoplesoft_enterprise_peopletools	`8.57`
oracle	peoplesoft_enterprise_peopletools	`8.58`
oracle	retail_predictive_application_server	`15.0.3`
oracle	retail_predictive_application_server	`16.0.3`
oracle	timesten_in-memory_database	`{"endExcluding":"18.1.4.1.0"}`	`18.1.4.1.0`
oracle	weblogic_server	`10.3.6.0.0`
oracle	weblogic_server	`12.1.3.0.0`
oracle	weblogic_server	`12.2.1.3.0`
oracle	weblogic_server	`12.2.1.4.0`

References

CWEs

CWE-400

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.