Vulnerabilities

CVE-2016-0736

by Fred · 27/07/2017

In Apache HTTP Server versions 2.4.0 to 2.4.23, mod_session_crypto was encrypting its data/cookie using the configured ciphers with possibly either CBC or ECB modes of operation (AES256-CBC by default), hence no selectable or builtin authenticated encryption. This made it vulnerable to padding oracle attacks, particularly with CBC.

Date published : 2017-07-27

http://www.securityfocus.com/bid/95078

https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbux03725en_us

Similar

Tags: Cybersecurity Alert