Your submission was sent successfully! Close

CVE-2016-0736

Published: 22 December 2016

In Apache HTTP Server versions 2.4.0 to 2.4.23, mod_session_crypto was encrypting its data/cookie using the configured ciphers with possibly either CBC or ECB modes of operation (AES256-CBC by default), hence no selectable or builtin authenticated encryption. This made it vulnerable to padding oracle attacks, particularly with CBC.

Priority

Medium

CVSS 3 base score: 7.5

Status

Package Release Status
apache2
Launchpad, Ubuntu, Debian
Upstream
Released (2.4.25-1)
Ubuntu 16.04 ESM (Xenial Xerus)
Released (2.4.18-2ubuntu3.2)
Ubuntu 14.04 ESM (Trusty Tahr)
Released (2.4.7-1ubuntu4.14)
Patches:
Upstream: https://svn.apache.org/viewvc?view=revision&revision=1772812 (trunk)
Upstream: https://svn.apache.org/viewvc?view=revision&revision=1772925 (2.4)