CVE-2016-6309
statem/statem.c in OpenSSL 1.1.0a does not consider memory-block movement after a realloc call, which allows remote attackers to cause a denial of service (use-after-free) or possibly execute arbitrary code via a crafted TLS session.
We have discovered 435,656 live websites that are affected by CVE-2016-6309.
Affected Software
| Product |  OpenSSL |
| Category | Web Server Extensions |
| Vulnerable Domains | 435,656 live websites (64.98% of OpenSSL install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 11 versions ( 27.50% of all versions) |
Details
- Published - Sep 27, 2016
- Updated - Aug 6, 2024
CVE References
CVE-2016-6309 usage by Country
 United States | 147,528 websites |
 Germany | 40,012 websites |
 Japan | 26,014 websites |
 Netherlands | 25,701 websites |
 Korea, South | 16,444 websites |
 Singapore | 14,973 websites |
 France | 14,825 websites |
 Russia | 12,153 websites |
 China | 10,289 websites |
CVE-2016-6309 usage by TLD
| .com | 158,187 websites |
| .de | 28,374 websites |
| .net | 19,614 websites |
| .nl | 18,988 websites |
| .org | 16,522 websites |
| .ru | 10,634 websites |
| .jp | 10,293 websites |
| .cz | 8,212 websites |
| .it | 7,701 websites |
| .com.br | 5,622 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2016-6309
Top websites that are affected by CVE-2016-6309. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| *********.*************.se | United States | *** | |
| ****.com | United States | *** | |
| ********.*********.com | Singapore | *,*** | |
| ****.com | United States | *,*** | |
| ********.com | United States | *,*** | |
| *******.com | United States | *,*** | |
| *.******.***.***.br |  Brazil | *,*** | |
| *************.com |  GB | *,*** | |
| *.*****.***.***.br | Brazil | *,*** | |
| ****.**.com | United States | *,*** |
FAQ
A total of 435,656 websites have been identified as vulnerable to CVE-2016-6309, discovered through global website indexing conducted by WebTechSurvey.
OpenSSL is susceptible to CVE-2016-6309 vulnerability.
OpenSSL versions before 1.1 are vulnerable to CVE-2016-6309.
Version 1.1 of OpenSSL addresses the CVE-2016-6309 security vulnerability.
References
- https://www.tenable.com/security/tns-2016-20
- http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html
- https://www.openssl.org/news/secadv/20160926.txt
- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03856en_us
- http://www-01.ibm.com/support/docview.wss?uid=swg21995039
- http://www.securitytracker.com/id/1036885
- http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
- https://www.tenable.com/security/tns-2016-16
- https://git.openssl.org/?p=openssl.git%3Ba=commit%3Bh=acacbfa7565c78d2273c0b2a2e5e803f44afefeb
- http://www.securityfocus.com/bid/93177
- http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html
- https://bto.bluecoat.com/security-advisory/sa132
- http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html
- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10759