Article ID: 129459, created on Sep 18, 2016, last review on Sep 18, 2016

  • Applies to:
  • Business Automation

Symptoms

The provider's production store received an F rating from www.ssllabs.com/ssltest/ with the following comment:

This server is vulnerable to the OpenSSL Padding Oracle vulnerability (CVE-2016-2107) and insecure. Grade set to F.

The installed openssl package version on the Store node (both architectures are present):

openssl.i686 1.0.1e-42.el6 
openssl.x86_64 1.0.1e-42.el6

A package update is available:

# yum check-update openssl
openssl.i686 1.0.1e-48.el6_8.1
openssl.x86_64 1.0.1e-48.el6_8.1

Cause

CVE-2016-2107 is fixed in the openssl-1.0.1e-48.el6_8.1 build, as the package changelog confirms for both architectures:

# rpm -q --changelog openssl-1.0.1e-48.el6_8.1.x86_64 | egrep -i "(CVE-2016-2107|CVE-2016-2108)"
- fix CVE-2016-2107 - padding oracle in stitched AES-NI CBC-MAC
- fix CVE-2016-2108 - memory corruption in ASN.1 encoder

# rpm -q --changelog openssl-1.0.1e-48.el6_8.1.i686 | egrep -i "(CVE-2016-2107|CVE-2016-2108)"
- fix CVE-2016-2107 - padding oracle in stitched AES-NI CBC-MAC
- fix CVE-2016-2108 - memory corruption in ASN.1 encoder

Resolution

Update the openssl package to version openssl-1.0.1e-48.el6_8.1 (both the x86_64 and i686 packages, since both are installed on the node). Updating the package replaces the library on disk only: services that already have the old libssl/libcrypto mapped keep using it until they are restarted, so restart the store's web and application services (or reboot the node) and re-run the SSL Labs test to confirm the grade is no longer F.
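The version check and post-update verification described above, as an added shell example that is not part of the original article. It assumes the fixed build is the one the article names (openssl-1.0.1e-48.el6_8.1), and it uses a simplified re-implementation of rpm's version comparison (no epoch, tilde or caret handling, which el6 openssl version strings do not need); the function names rpm_vercmp, is_fixed, check_node and stale_libssl_users are the example's own.

```shell
#!/bin/sh
# Added example, not from the original article: decide from the package
# version whether a RHEL/CentOS 6 node still carries the openssl build
# affected by CVE-2016-2107, and list processes that keep the old library
# mapped after "yum update openssl".
# Assumption: the fixed build is the one named in the article.
FIXED_VERSION="1.0.1e-48.el6_8.1"

# rpm_vercmp A B -> prints -1, 0 or 1 (A older than, equal to, newer than B).
# A and B are VERSION-RELEASE strings. Each part is split into runs of digits
# and letters; digit runs compare numerically, letter runs lexically, and a
# digit run sorts after a letter run in the same position, as rpmvercmp() does.
# Simplification (assumption): no epoch, tilde or caret handling.
rpm_vercmp() {
  awk -v a="$1" -v b="$2" '
    function segs(s, arr,   n) {
      n = 0
      while (match(s, /[0-9]+|[a-zA-Z]+/)) {
        arr[++n] = substr(s, RSTART, RLENGTH)
        s = substr(s, RSTART + RLENGTH)
      }
      return n
    }
    function cmp(p, q,   x, y, nx, ny, i, xn, yn) {
      nx = segs(p, x); ny = segs(q, y)
      for (i = 1; i <= nx && i <= ny; i++) {
        xn = (x[i] ~ /^[0-9]+$/); yn = (y[i] ~ /^[0-9]+$/)
        if (xn && !yn) return 1
        if (!xn && yn) return -1
        if (xn) {
          if (x[i] + 0 < y[i] + 0) return -1
          if (x[i] + 0 > y[i] + 0) return 1
        } else {
          if (x[i] < y[i]) return -1
          if (x[i] > y[i]) return 1
        }
      }
      if (nx < ny) return -1
      if (nx > ny) return 1
      return 0
    }
    BEGIN {
      split(a, pa, "-"); split(b, pb, "-")   # VERSION-RELEASE
      r = cmp(pa[1], pb[1])
      if (r == 0) r = cmp(pa[2], pb[2])
      print r
    }'
}

# is_fixed VERSION-RELEASE -> exit 0 when the build is at or after the fix.
is_fixed() {
  [ "$(rpm_vercmp "$1" "$FIXED_VERSION")" -ge 0 ]
}

# check_node -> queries rpm for every installed openssl package (one line per
# architecture, as on the Store node) and reports each as fixed or vulnerable.
check_node() {
  if ! command -v rpm >/dev/null 2>&1; then
    echo "rpm not available on this host; nothing to check" >&2
    return 2
  fi
  rpm -q --qf '%{NAME}.%{ARCH} %{VERSION}-%{RELEASE}\n' openssl |
  while read -r pkg ver; do
    if is_fixed "$ver"; then
      echo "$pkg $ver: fixed"
    else
      echo "$pkg $ver: VULNERABLE to CVE-2016-2107, update openssl"
    fi
  done
}

# stale_libssl_users -> PIDs that still map a deleted libssl/libcrypto, i.e.
# daemons started before the update that must be restarted for the fix to
# take effect (the updated package replaces the file, not running processes).
stale_libssl_users() {
  grep -lE 'lib(ssl|crypto)\.so[^ ]* \(deleted\)' /proc/[0-9]*/maps 2>/dev/null |
  sed 's#/proc/\([0-9]*\)/maps#\1#'
}

# Demonstration on the two versions quoted in the article (constructed input,
# no rpm needed).
for v in 1.0.1e-42.el6 1.0.1e-48.el6_8.1; do
  if is_fixed "$v"; then
    echo "openssl-$v: fixed"
  else
    echo "openssl-$v: vulnerable to CVE-2016-2107"
  fi
done
```

On the node itself, run check_node before and after `yum update openssl`, then stale_libssl_users: any PID it prints belongs to a process that still has the pre-update library loaded and needs a restart before the SSL Labs re-test will pass.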

External references

CVE-2016-2107 on Red Hat Bugzilla

Search Words

BA Store CVE-2016-2107

This server is vulnerable to the OpenSSL Padding Oracle vulnerability (CVE-2016-2107) and insecure. Grade set to F

openssl-1.0.1e-48.el6_8.1.x86_64

Store CVE-2016-2107

CVE-2016-2107
