Thoughts on the current state of ASN.1 and XML technologies.

Response to CVE-2016-5080


A security vulnerability was recently raised on our ASN1C software.  The vulnerability, documented in CVE-2016-5080, refers to an integer overflow condition that can occur in a memory heap allocation function within the ASN1C run-time.

We have analyzed this issue and acknowledge that the bug exists.  However, we believe the assertion that this is a readily exploitable issue to be not true in most cases.  Our analysis indicates that in order to exploit this bug in the most commonly used encoding rule libraries we support – the packed encoding rules, (PER/UPER) and basic encoding rules and derivatives (BER/DER/CER) – one would have to get a message processing application to accept a message of an abnormally large size.  This would most likely lead to other issues such as running out of memory well before the point at which the vulnerability can be reached.  We have documented our analysis in a paper which we will make available upon request to customers and partners who would like to assess if and how the bug may affect their applications.

We apologize for the error and have worked quickly to fix it.  Versions of the software affected are 5.7 and higher.  Patch releases will be made available to all current and past customers upon request.

Comments are closed.