CVE-2016-9842 : The inflateMark function in inflate.c in zlib 1.2.8 might allow context-dependen

The inflateMark function in inflate.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact via vectors involving left shifts of negative integers.

Published 2017-05-23 04:29:02

Updated 2024-08-28 16:07:51

Source OpenText

View at NVD, CVE.org

Products affected by CVE-2016-9842

Debian » Debian Linux » Version: 8.0
cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Desktop » Version: 6.0
cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Desktop » Version: 7.0
cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Eus » Version: 7.4
cpe:2.3:o:redhat:enterprise_linux_eus:7.4:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Eus » Version: 7.5
cpe:2.3:o:redhat:enterprise_linux_eus:7.5:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Server » Version: 6.0
cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Server » Version: 7.0
cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Workstation » Version: 6.0
cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Workstation » Version: 7.0
cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*
Matching versions
Redhat » Satellite » Version: 5.8
cpe:2.3:a:redhat:satellite:5.8:*:*:*:*:*:*:*
Matching versions
Apple » Mac Os X
Versions from including (>=) 10.0.0 and before (<) 10.13.0
cpe:2.3:o:apple:mac_os_x:*:*:*:*:*:*:*:*
Matching versions
Apple » Iphone Os
Versions before (<) 11
cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*
Matching versions
Apple » Watchos
Versions before (<) 4
cpe:2.3:o:apple:watchos:*:*:*:*:*:*:*:*
Matching versions
Apple » Tvos
Versions before (<) 11.0
cpe:2.3:o:apple:tvos:*:*:*:*:*:*:*:*
Matching versions
Oracle » Database Server » Version: 18C
cpe:2.3:a:oracle:database_server:18c:*:*:*:*:*:*:*
Matching versions
Oracle » JDK » Version: 1.7.0 Update Update151
cpe:2.3:a:oracle:jdk:1.7.0:update151:*:*:*:*:*:*
Matching versions
Oracle » JDK » Version: 1.8.0 Update Update144
cpe:2.3:a:oracle:jdk:1.8.0:update144:*:*:*:*:*:*
Matching versions
Oracle » JDK » Version: 1.6.0 Update Update161
cpe:2.3:a:oracle:jdk:1.6.0:update161:*:*:*:*:*:*
Matching versions
Oracle » JRE » Version: 1.6.0 Update Update161
cpe:2.3:a:oracle:jre:1.6.0:update161:*:*:*:*:*:*
Matching versions
Oracle » JRE » Version: 1.8.0 Update Update144
cpe:2.3:a:oracle:jre:1.8.0:update144:*:*:*:*:*:*
Matching versions
Oracle » JRE » Version: 1.7.0 Update Update151
cpe:2.3:a:oracle:jre:1.7.0:update151:*:*:*:*:*:*
Matching versions
Oracle » Mysql
Versions from including (>=) 5.6.0 and up to, including, (<=) 5.6.41
cpe:2.3:a:oracle:mysql:*:*:*:*:*:*:*:*
Matching versions
Oracle » Mysql
Versions from including (>=) 5.7.0 and up to, including, (<=) 5.7.23
cpe:2.3:a:oracle:mysql:*:*:*:*:*:*:*:*
Matching versions
Oracle » Mysql
Versions from including (>=) 5.5.0 and up to, including, (<=) 5.5.61
cpe:2.3:a:oracle:mysql:*:*:*:*:*:*:*:*
Matching versions
Oracle » Mysql
Versions from including (>=) 8.0.0 and up to, including, (<=) 8.0.12
cpe:2.3:a:oracle:mysql:*:*:*:*:*:*:*:*
Matching versions
Canonical » Ubuntu Linux » Version: 16.04 ESM Edition
cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:*
Matching versions
Canonical » Ubuntu Linux » Version: 18.04 ESM Edition
cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:esm:*:*:*
Matching versions
Opensuse » Opensuse » Version: 13.2
cpe:2.3:o:opensuse:opensuse:13.2:*:*:*:*:*:*:*
Matching versions
Opensuse » Leap » Version: 42.1
cpe:2.3:o:opensuse:leap:42.1:*:*:*:*:*:*:*
Matching versions
Opensuse » Leap » Version: 42.2
cpe:2.3:o:opensuse:leap:42.2:*:*:*:*:*:*:*
Matching versions
Nodejs » Node.js »
Versions from including (>=) 4.0.0 and up to, including, (<=) 4.1.2
cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*
Matching versions
Nodejs » Node.js »
Versions from including (>=) 7.0.0 and before (<) 7.6.0
cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*
Matching versions
Nodejs » Node.js » LTS Edition
Versions from including (>=) 4.2.0 and before (<) 4.8.2
cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*
Matching versions
Nodejs » Node.js »
Versions from including (>=) 6.0.0 and up to, including, (<=) 6.8.1
cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*
Matching versions
Nodejs » Node.js » LTS Edition
Versions from including (>=) 6.9.0 and before (<) 6.10.2
cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*
Matching versions
Zlib » Zlib
Versions from including (>=) 1.2.3.4 and before (<) 1.2.9
cpe:2.3:a:zlib:zlib:*:*:*:*:*:*:*:*
Matching versions

Threat overview for CVE-2016-9842

Top countries where our scanners detected CVE-2016-9842

Top open port discovered on systems with this issue 80

IPs affected by CVE-2016-9842 2,924

Threat actors abusing to this issue? Yes

Find out if you^* are affected by CVE-2016-9842!

^*Directly or indirectly through your vendors, service providers and 3rd parties. Powered by attack surface intelligence from SecurityScorecard.

Exploit prediction scoring system (EPSS) score for CVE-2016-9842

EPSS FAQ

10.32%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 92 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2016-9842

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
6.8	MEDIUM	AV:N/AC:M/Au:N/C:P/I:P/A:P	8.6	6.4	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial
8.8	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H	2.8	5.9	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Unchanged Confidentiality: High Integrity: High Availability: High

References for CVE-2016-9842

https://access.redhat.com/errata/RHSA-2017:1222

RHSA-2017:1222 - Security Advisory - Red Hat Customer Portal
Third Party Advisory

CVEs referencing this url
https://access.redhat.com/errata/RHSA-2017:1220

RHSA-2017:1220 - Security Advisory - Red Hat Customer Portal
Third Party Advisory

CVEs referencing this url
https://support.apple.com/HT208112

About the security content of iOS 11 - Apple Support
Third Party Advisory

CVEs referencing this url
http://www.securitytracker.com/id/1039427

Apple macOS/OS X Multiple Flaws Let Remote and Local Users Bypass Security and Deny Service, Local Users Obtain Potentially Sensitive Information, and Applications Gain Elevated Privileges - SecurityT
Broken Link;Third Party Advisory;VDB Entry

CVEs referencing this url
http://lists.opensuse.org/opensuse-updates/2016-12/msg00127.html

openSUSE-SU-2016:3202-1: moderate: Security update for zlib
Broken Link

CVEs referencing this url
https://support.apple.com/HT208113

About the security content of tvOS 11 - Apple Support
Third Party Advisory

CVEs referencing this url
http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html

CPU Oct 2018
Third Party Advisory

CVEs referencing this url
https://access.redhat.com/errata/RHSA-2017:3046

RHSA-2017:3046 - Security Advisory - Red Hat Customer Portal
Third Party Advisory

CVEs referencing this url
https://lists.debian.org/debian-lts-announce/2019/03/msg00027.html

[SECURITY] [DLA 1725-1] rsync security update
Mailing List;Third Party Advisory

CVEs referencing this url
https://www.oracle.com/security-alerts/cpujul2020.html

Oracle Critical Patch Update Advisory - July 2020
Third Party Advisory

CVEs referencing this url
https://bugzilla.redhat.com/show_bug.cgi?id=1402348

1402348 – (CVE-2016-9842) CVE-2016-9842 zlib: Undefined left shift of negative number
Issue Tracking;Patch
http://www.securityfocus.com/bid/95131

zlib Multiple Denial of Service Vulnerabilities
Broken Link;Third Party Advisory;VDB Entry

CVEs referencing this url
https://usn.ubuntu.com/4292-1/

USN-4292-1: rsync vulnerabilities | Ubuntu security notices | Ubuntu
Third Party Advisory

CVEs referencing this url
https://support.apple.com/HT208115

About the security content of watchOS 4 - Apple Support
Third Party Advisory

CVEs referencing this url
https://access.redhat.com/errata/RHSA-2017:2999

RHSA-2017:2999 - Security Advisory - Red Hat Customer Portal
Third Party Advisory

CVEs referencing this url
https://support.apple.com/HT208144

About the security content of macOS High Sierra 10.13 - Apple Support
Third Party Advisory

CVEs referencing this url
http://lists.opensuse.org/opensuse-updates/2017-01/msg00053.html

openSUSE-SU-2017:0080-1: moderate: Security update for zlib
Broken Link

CVEs referencing this url
https://usn.ubuntu.com/4246-1/

USN-4246-1: zlib vulnerabilities | Ubuntu security notices | Ubuntu
Third Party Advisory

CVEs referencing this url
https://wiki.mozilla.org/images/0/09/Zlib-report.pdf

Third Party Advisory

CVEs referencing this url
http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html

Oracle Critical Patch Update - October 2017
Third Party Advisory

CVEs referencing this url
https://access.redhat.com/errata/RHSA-2017:1221

RHSA-2017:1221 - Security Advisory - Red Hat Customer Portal
Third Party Advisory

CVEs referencing this url
https://wiki.mozilla.org/MOSS/Secure_Open_Source/Completed#zlib

MOSS/Secure Open Source/Completed - MozillaWiki
Third Party Advisory

CVEs referencing this url
https://access.redhat.com/errata/RHSA-2017:3047

RHSA-2017:3047 - Security Advisory - Red Hat Customer Portal
Third Party Advisory

CVEs referencing this url
https://github.com/madler/zlib/commit/e54e1299404101a5a9d0cf5e45512b543967f958

Avoid shifts of negative values inflateMark(). · madler/zlib@e54e129 · GitHub
Patch
http://www.openwall.com/lists/oss-security/2016/12/05/21

oss-security - Re: CVE Request: zlib security issues found during audit
Mailing List;Patch

CVEs referencing this url
https://access.redhat.com/errata/RHSA-2017:3453

RHSA-2017:3453 - Security Advisory - Red Hat Customer Portal
Third Party Advisory

CVEs referencing this url
http://lists.opensuse.org/opensuse-updates/2017-01/msg00050.html

openSUSE-SU-2017:0077-1: moderate: Security update for zlib
Broken Link

CVEs referencing this url
https://security.gentoo.org/glsa/201701-56

zlib: Multiple vulnerabilities (GLSA 201701-56) — Gentoo security
Third Party Advisory

CVEs referencing this url
https://security.gentoo.org/glsa/202007-54

rsync: Multiple vulnerabilities (GLSA 202007-54) — Gentoo security
Third Party Advisory

CVEs referencing this url
https://lists.debian.org/debian-lts-announce/2020/01/msg00030.html

[SECURITY] [DLA 2085-1] zlib security update
Mailing List;Third Party Advisory

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2016-9842

Products affected by CVE-2016-9842

Threat overview for CVE-2016-9842

Exploit prediction scoring system (EPSS) score for CVE-2016-9842

CVSS scores for CVE-2016-9842

References for CVE-2016-9842