Rapid7 Vulnerability & Exploit Database

Apache HTTPD: Padding Oracle in Apache mod_session_crypto (CVE-2016-0736)

Free InsightVM Trial No Credit Card Necessary

Watch Demo See how it all works

Back to Search

Apache HTTPD: Padding Oracle in Apache mod_session_crypto (CVE-2016-0736)

Severity

CVSS

(AV:N/AC:L/Au:N/C:P/I:N/A:N)

Published

12/21/2016

Created

07/25/2018

Added

12/21/2016

Modified

01/13/2022

Description

Prior to Apache HTTP release 2.4.25, mod_sessioncrypto was encrypting its data/cookie using the configured ciphers with possibly either CBC or ECB modes of operation (AES256-CBC by default), hence no selectable or builtin authenticated encryption. This made it vulnerable to padding oracle attacks, particularly with CBC. An authentication tag (SipHash MAC) is now added to prevent such attacks.

Solution(s)

apache-httpd-upgrade-2_4_25

References

https://attackerkb.com/topics/cve-2016-0736
95078
CVE - 2016-0736
DSA-3796
Category I
2017-A-0010
RHSA-2017:0906
RHSA-2017:1161
RHSA-2017:1413
RHSA-2017:1414
RHSA-2017:1415
http://httpd.apache.org/security/vulnerabilities_24.html

Advanced vulnerability management analytics and reporting.

Key Features

Free InsightVM Trial View All Features

With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.

– Scott Cheney, Manager of Information Security, Sierra View Medical Center

;

Rapid7 Vulnerability & Exploit Database

Apache HTTPD: Padding Oracle in Apache mod_session_crypto (CVE-2016-0736)

Apache HTTPD: Padding Oracle in Apache mod_session_crypto (CVE-2016-0736)

Description

Solution(s)

References

Success! Thank you for submission. We will be in touch shortly.

Oops! There was a problem in submission. Please try again.

Submit your information and we will get in touch with you.