Is CVE-2016-4054 being actively exploited?

It is not currently in CISA's KEV catalog. Its EPSS exploitation probability is 89%.

What products does CVE-2016-4054 affect?

Tracked products affected include Ubuntu. Check the version you run to see whether it is affected.

How do I fix CVE-2016-4054?

Apply the vendor fix promptly. Upgrade affected products to a fixed version.

CVE-2016-4054

Q: What is CVE-2016-4054?

CVE-2016-4054 is a high-severity software vulnerability (Memory corruption) with a CVSS score of 8.1. Buffer overflow in Squid 3.x before 3.5.17 and 4.x before 4.0.9 allows remote attackers to execute arbitrary code via crafted Edge Side Includes (ESI) responses.

HIGH severity · CVSS 8.1 · Memory corruption

8.1CVSS HIGH

Summary

Buffer overflow in Squid 3.x before 3.5.17 and 4.x before 4.0.9 allows remote attackers to execute arbitrary code via crafted Edge Side Includes (ESI) responses.

Impact & exploitability

Attack vectorNetwork

Attack complexityHigh

Privileges requiredNone

User interactionNone

Confidentiality impactHigh

Integrity impactHigh

Availability impactHigh

Exploit probability (EPSS)89%

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected products we track (1)

Ubuntu

Recommendation

Apply the vendor fix promptly. Open any affected product above for its exact safe version.

Additional information

NVD record
http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00010.html
http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00040.html
http://lists.opensuse.org/opensuse-updates/2016-08/msg00069.html
http://www.debian.org/security/2016/dsa-3625
http://www.openwall.com/lists/oss-security/2016/04/20/6Advisory
http://www.openwall.com/lists/oss-security/2016/04/20/9Advisory
http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.htmlAdvisory
http://www.securityfocus.com/bid/86788