Medium severity5.9NVD Advisory· Published May 5, 2016· Updated May 6, 2026
CVE-2016-2107
CVE-2016-2107
Description
The AES-NI implementation in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h does not consider memory allocation during a certain padding check, which allows remote attackers to obtain sensitive cleartext information via a padding-oracle attack against an AES CBC session. NOTE: this vulnerability exists because of an incorrect fix for CVE-2013-0169.
Affected products
58cpe:2.3:o:google:android:4.0.1:*:*:*:*:*:*:*+ 19 more
- cpe:2.3:o:google:android:4.0.1:*:*:*:*:*:*:*
- cpe:2.3:o:google:android:4.0.2:*:*:*:*:*:*:*
- cpe:2.3:o:google:android:4.0.3:*:*:*:*:*:*:*
- cpe:2.3:o:google:android:4.0.4:*:*:*:*:*:*:*
- cpe:2.3:o:google:android:4.1:*:*:*:*:*:*:*
- cpe:2.3:o:google:android:4.1.2:*:*:*:*:*:*:*
- cpe:2.3:o:google:android:4.2:*:*:*:*:*:*:*
- cpe:2.3:o:google:android:4.2.1:*:*:*:*:*:*:*
- cpe:2.3:o:google:android:4.2.2:*:*:*:*:*:*:*
- cpe:2.3:o:google:android:4.3:*:*:*:*:*:*:*
- cpe:2.3:o:google:android:4.3.1:*:*:*:*:*:*:*
- cpe:2.3:o:google:android:4.4:*:*:*:*:*:*:*
- cpe:2.3:o:google:android:4.4.1:*:*:*:*:*:*:*
- cpe:2.3:o:google:android:4.4.2:*:*:*:*:*:*:*
- cpe:2.3:o:google:android:4.4.3:*:*:*:*:*:*:*
- cpe:2.3:o:google:android:5.0:*:*:*:*:*:*:*
- cpe:2.3:o:google:android:5.0.1:*:*:*:*:*:*:*
- cpe:2.3:o:google:android:5.1:*:*:*:*:*:*:*
- cpe:2.3:o:google:android:5.1.0:*:*:*:*:*:*:*
- cpe:2.3:o:google:android:4.0:*:*:*:*:*:*:*
cpe:2.3:a:hp:helion_openstack:2.0.0:*:*:*:*:*:*:*+ 3 more
- cpe:2.3:a:hp:helion_openstack:2.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:hp:helion_openstack:2.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:hp:helion_openstack:2.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:hp:helion_openstack:2.1.4:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_hpc_node:6.0:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:o:redhat:enterprise_linux_hpc_node:6.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_hpc_node:7.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*
cpe:2.3:a:nodejs:node.js:*:*:*:*:*:*:*:*+ 3 more
- cpe:2.3:a:nodejs:node.js:*:*:*:*:*:*:*:*range: >=0.10.0,<0.10.45
- cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*range: >=4.0.0,<=4.1.2
- cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*range: >=4.2.0,<4.4.4
- cpe:2.3:a:nodejs:node.js:6.0.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_hpc_node_eus:7.2:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_aus:7.2:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_eus:7.2:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*+ 11 more
- cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*range: <=1.0.1s
- cpe:2.3:a:openssl:openssl:1.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:1.0.2:beta1:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:1.0.2:beta2:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:1.0.2:beta3:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:1.0.2a:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:1.0.2b:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:1.0.2c:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:1.0.2d:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:1.0.2e:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:1.0.2f:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:1.0.2g:*:*:*:*:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:-:*:*:*+ 3 more
- cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:-:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:esm:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:15.10:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:*
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
57- www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.htmlnvdPatchThird Party Advisory
- www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.htmlnvdPatchThird Party Advisory
- www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.htmlnvdPatchThird Party Advisory
- www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.htmlnvdPatchThird Party Advisory
- www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.htmlnvdPatchThird Party Advisory
- www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.htmlnvdPatchThird Party Advisory
- www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.htmlnvdPatchThird Party Advisory
- kb.juniper.net/InfoCenter/indexnvdThird Party Advisory
- lists.apple.com/archives/security-announce/2016/Jul/msg00000.htmlnvdMailing ListThird Party Advisory
- lists.fedoraproject.org/pipermail/package-announce/2016-May/183457.htmlnvdMailing ListThird Party Advisory
- lists.fedoraproject.org/pipermail/package-announce/2016-May/183607.htmlnvdMailing ListThird Party Advisory
- lists.fedoraproject.org/pipermail/package-announce/2016-May/184605.htmlnvdMailing ListThird Party Advisory
- lists.opensuse.org/opensuse-security-announce/2016-05/msg00001.htmlnvdMailing ListThird Party Advisory
- lists.opensuse.org/opensuse-security-announce/2016-05/msg00008.htmlnvdMailing ListThird Party Advisory
- lists.opensuse.org/opensuse-security-announce/2016-05/msg00011.htmlnvdMailing ListThird Party Advisory
- lists.opensuse.org/opensuse-security-announce/2016-05/msg00013.htmlnvdMailing ListThird Party Advisory
- lists.opensuse.org/opensuse-security-announce/2016-05/msg00014.htmlnvdMailing ListThird Party Advisory
- lists.opensuse.org/opensuse-security-announce/2016-05/msg00016.htmlnvdMailing ListThird Party Advisory
- lists.opensuse.org/opensuse-security-announce/2016-05/msg00019.htmlnvdThird Party Advisory
- lists.opensuse.org/opensuse-security-announce/2016-06/msg00019.htmlnvdMailing ListThird Party Advisory
- packetstormsecurity.com/files/136912/Slackware-Security-Advisory-openssl-Updates.htmlnvdThird Party AdvisoryVDB Entry
- rhn.redhat.com/errata/RHSA-2016-0722.htmlnvdThird Party Advisory
- rhn.redhat.com/errata/RHSA-2016-0996.htmlnvdThird Party Advisory
- rhn.redhat.com/errata/RHSA-2016-2073.htmlnvdThird Party Advisory
- rhn.redhat.com/errata/RHSA-2016-2957.htmlnvdThird Party Advisory
- source.android.com/security/bulletin/2016-07-01.htmlnvdThird Party Advisory
- support.citrix.com/article/CTX212736nvdThird Party Advisory
- tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160504-opensslnvdThird Party Advisory
- web-in-security.blogspot.ca/2016/05/curious-padding-oracle-in-openssl-cve.htmlnvdThird Party Advisory
- www.debian.org/security/2016/dsa-3566nvdThird Party Advisory
- www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.htmlnvdThird Party Advisory
- www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.htmlnvdThird Party Advisory
- www.securityfocus.com/bid/89760nvdThird Party AdvisoryVDB Entry
- www.securityfocus.com/bid/91787nvdThird Party AdvisoryVDB Entry
- www.securitytracker.com/id/1035721nvdThird Party AdvisoryVDB Entry
- www.slackware.com/security/viewer.phpnvdMailing ListThird Party Advisory
- www.ubuntu.com/usn/USN-2959-1nvdThird Party Advisory
- blog.cloudflare.com/yet-another-padding-oracle-in-openssl-cbc-ciphersuites/nvdThird Party Advisory
- cert-portal.siemens.com/productcert/pdf/ssa-412672.pdfnvdThird Party Advisory
- h20566.www2.hpe.com/hpsc/doc/public/displaynvdThird Party Advisory
- h20566.www2.hpe.com/hpsc/doc/public/displaynvdThird Party Advisory
- h20566.www2.hpe.com/hpsc/doc/public/displaynvdThird Party Advisory
- h20566.www2.hpe.com/hpsc/doc/public/displaynvdThird Party Advisory
- h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplaynvdThird Party Advisory
- h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplaynvdThird Party Advisory
- h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplaynvdThird Party Advisory
- h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplaynvdThird Party Advisory
- kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA40202nvdThird Party Advisory
- kc.mcafee.com/corporate/indexnvdThird Party Advisory
- security.gentoo.org/glsa/201612-16nvdThird Party Advisory
- security.netapp.com/advisory/ntap-20160504-0001/nvdThird Party Advisory
- support.apple.com/HT206903nvdThird Party Advisory
- www.exploit-db.com/exploits/39768/nvdThird Party AdvisoryVDB Entry
- www.freebsd.org/security/advisories/FreeBSD-SA-16:17.openssl.ascnvdThird Party Advisory
- www.openssl.org/news/secadv/20160503.txtnvdVendor Advisory
- www.tenable.com/security/tns-2016-18nvdThird Party Advisory
- bto.bluecoat.com/security-advisory/sa123nvdPermissions Required
News mentions
0No linked articles in our index yet.