CVE-2016-0736

Published on: 07/27/2017 12:00:00 AM UTC

Last Modified on: 03/30/2021 01:15:00 PM UTC

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Certain versions of Http Server from Apache contain the following vulnerability:

In Apache HTTP Server versions 2.4.0 to 2.4.23, mod_session_crypto was encrypting its data/cookie using the configured ciphers with possibly either CBC or ECB modes of operation (AES256-CBC by default), hence no selectable or builtin authenticated encryption. This made it vulnerable to padding oracle attacks, particularly with CBC.

  • CVE-2016-0736 has been assigned by [email protected] to track the vulnerability - currently rated as HIGH severity.
  • Affected Vendor/Software: Apache Software Foundation - Apache HTTP Server version 2.4.0 to 2.4.23

CVSS3 Score: 7.5 - HIGH

Attack
Vector
Attack
Complexity
Privileges
Required
User
Interaction
NETWORK LOW NONE NONE
Scope Confidentiality
Impact
Integrity
Impact
Availability
Impact
UNCHANGED HIGH NONE NONE

CVSS2 Score: 5 - MEDIUM

Access
Vector
Access
Complexity
Authentication
NETWORK LOW NONE
Confidentiality
Impact
Integrity
Impact
Availability
Impact
PARTIAL NONE NONE

CVE References

Description Tags Link
Red Hat Customer Portal access.redhat.com
text/html
URL Logo REDHAT RHSA-2017:0906
Red Hat Customer Portal access.redhat.com
text/html
URL Logo REDHAT RHSA-2017:1413
Pony Mail! lists.apache.org
text/html
URL Logo MLIST [httpd-cvs] 20210330 svn commit: r1073140 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html
About the security content of macOS High Sierra 10.13.1, Security Update 2017-001 Sierra, and Security Update 2017-004 El Capitan - Apple Support support.apple.com
text/html
URL Logo CONFIRM support.apple.com/HT208221
Red Hat Customer Portal access.redhat.com
text/html
URL Logo REDHAT RHSA-2017:1161
Pony Mail! lists.apache.org
text/html
URL Logo MLIST [httpd-cvs] 20190815 svn commit: r1048742 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html
December 2016 Apache HTTP Server Vulnerabilities in Multiple NetApp Products | NetApp Product Security security.netapp.com
text/html
URL Logo CONFIRM security.netapp.com/advisory/ntap-20180423-0001/
Debian -- Security Information -- DSA-3796-1 apache2 www.debian.org
Depreciated Link
text/html
URL Logo DEBIAN DSA-3796
Pony Mail! lists.apache.org
text/html
URL Logo MLIST [httpd-cvs] 20200401 svn commit: r1058587 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html
[R5] SecurityCenter 5.4.3 Fixes Multiple Vulnerabilities - Security Advisory | Tenable Network Security www.tenable.com
text/html
URL Logo CONFIRM www.tenable.com/security/tns-2017-04
Apache HTTP Server CVE-2016-0736 Remote Security Vulnerability Third Party Advisory
VDB Entry
cve.report (archive)
text/html
URL Logo BID 95078
Pony Mail! lists.apache.org
text/html
URL Logo MLIST [httpd-cvs] 20190815 svn commit: r1048743 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html
httpd 2.4 vulnerabilities - The Apache HTTP Server Project Vendor Advisory
httpd.apache.org
text/html
URL Logo CONFIRM httpd.apache.org/security/vulnerabilities_24.html#CVE-2016-0736
Red Hat Customer Portal access.redhat.com
text/html
URL Logo REDHAT RHSA-2017:1414
Apache HTTPD Multiple Flaws Let Remote Users Deny Service, Conduct HTTP Response Splitting Attacks, and Access and Modify Session Data - SecurityTracker Third Party Advisory
VDB Entry
www.securitytracker.com
text/html
URL Logo SECTRACK 1037508
Pony Mail! lists.apache.org
text/html
URL Logo MLIST [httpd-cvs] 20210330 svn commit: r1073139 [10/13] - in /websites/staging/httpd/trunk/content: ./ security/json/
Pony Mail! lists.apache.org
text/html
URL Logo MLIST [httpd-cvs] 20210330 svn commit: r1073139 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/json/
Document Display | HPE Support Center Third Party Advisory
h20566.www2.hpe.com
text/html
URL Logo CONFIRM h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbux03725en_us
Red Hat Customer Portal web.archive.org
text/html
Inactive LinkNot Archived
URL Logo REDHAT RHSA-2017:1415
Pony Mail! lists.apache.org
text/html
URL Logo MLIST [httpd-cvs] 20210330 svn commit: r1888194 [10/13] - /httpd/site/trunk/content/security/json/
Apache mod_session_crypto - Padding Oracle - Multiple webapps Exploit www.exploit-db.com
Proof of Concept
text/html
URL Logo EXPLOIT-DB 40961
Pony Mail! lists.apache.org
text/html
URL Logo MLIST [httpd-cvs] 20210330 svn commit: r1073149 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/
Apache: Multiple vulnerabilities (GLSA 201701-36) — Gentoo security Third Party Advisory
security.gentoo.org
text/html
URL Logo GENTOO GLSA-201701-36
Pony Mail! lists.apache.org
text/html
URL Logo MLIST [httpd-cvs] 20200401 svn commit: r1058586 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html

Known Affected Configurations (CPE V2.3)

Type Vendor Product Version Update Edition Language
ApplicationApacheHttp Server2.4.0AllAllAll
ApplicationApacheHttp Server2.4.1AllAllAll
ApplicationApacheHttp Server2.4.10AllAllAll
ApplicationApacheHttp Server2.4.12AllAllAll
ApplicationApacheHttp Server2.4.14AllAllAll
ApplicationApacheHttp Server2.4.16AllAllAll
ApplicationApacheHttp Server2.4.19AllAllAll
ApplicationApacheHttp Server2.4.2AllAllAll
ApplicationApacheHttp Server2.4.20AllAllAll
ApplicationApacheHttp Server2.4.21AllAllAll
ApplicationApacheHttp Server2.4.22AllAllAll
ApplicationApacheHttp Server2.4.23AllAllAll
ApplicationApacheHttp Server2.4.3AllAllAll
ApplicationApacheHttp Server2.4.6AllAllAll
ApplicationApacheHttp Server2.4.7AllAllAll
ApplicationApacheHttp Server2.4.8AllAllAll
ApplicationApacheHttp Server2.4.9AllAllAll
ApplicationApacheHttp Server2.4.0AllAllAll
ApplicationApacheHttp Server2.4.1AllAllAll
ApplicationApacheHttp Server2.4.10AllAllAll
ApplicationApacheHttp Server2.4.12AllAllAll
ApplicationApacheHttp Server2.4.14AllAllAll
ApplicationApacheHttp Server2.4.16AllAllAll
ApplicationApacheHttp Server2.4.19AllAllAll
ApplicationApacheHttp Server2.4.2AllAllAll
ApplicationApacheHttp Server2.4.20AllAllAll
ApplicationApacheHttp Server2.4.21AllAllAll
ApplicationApacheHttp Server2.4.22AllAllAll
ApplicationApacheHttp Server2.4.23AllAllAll
ApplicationApacheHttp Server2.4.3AllAllAll
ApplicationApacheHttp Server2.4.6AllAllAll
ApplicationApacheHttp Server2.4.7AllAllAll
ApplicationApacheHttp Server2.4.8AllAllAll
ApplicationApacheHttp Server2.4.9AllAllAll
  • cpe:2.3:a:apache:http_server:2.4.0:*:*:*:*:*:*:*:
  • cpe:2.3:a:apache:http_server:2.4.1:*:*:*:*:*:*:*:
  • cpe:2.3:a:apache:http_server:2.4.10:*:*:*:*:*:*:*:
  • cpe:2.3:a:apache:http_server:2.4.12:*:*:*:*:*:*:*:
  • cpe:2.3:a:apache:http_server:2.4.14:*:*:*:*:*:*:*:
  • cpe:2.3:a:apache:http_server:2.4.16:*:*:*:*:*:*:*:
  • cpe:2.3:a:apache:http_server:2.4.19:*:*:*:*:*:*:*:
  • cpe:2.3:a:apache:http_server:2.4.2:*:*:*:*:*:*:*:
  • cpe:2.3:a:apache:http_server:2.4.20:*:*:*:*:*:*:*:
  • cpe:2.3:a:apache:http_server:2.4.21:*:*:*:*:*:*:*:
  • cpe:2.3:a:apache:http_server:2.4.22:*:*:*:*:*:*:*:
  • cpe:2.3:a:apache:http_server:2.4.23:*:*:*:*:*:*:*:
  • cpe:2.3:a:apache:http_server:2.4.3:*:*:*:*:*:*:*:
  • cpe:2.3:a:apache:http_server:2.4.6:*:*:*:*:*:*:*:
  • cpe:2.3:a:apache:http_server:2.4.7:*:*:*:*:*:*:*:
  • cpe:2.3:a:apache:http_server:2.4.8:*:*:*:*:*:*:*:
  • cpe:2.3:a:apache:http_server:2.4.9:*:*:*:*:*:*:*:
  • cpe:2.3:a:apache:http_server:2.4.0:*:*:*:*:*:*:*:
  • cpe:2.3:a:apache:http_server:2.4.1:*:*:*:*:*:*:*:
  • cpe:2.3:a:apache:http_server:2.4.10:*:*:*:*:*:*:*:
  • cpe:2.3:a:apache:http_server:2.4.12:*:*:*:*:*:*:*:
  • cpe:2.3:a:apache:http_server:2.4.14:*:*:*:*:*:*:*:
  • cpe:2.3:a:apache:http_server:2.4.16:*:*:*:*:*:*:*:
  • cpe:2.3:a:apache:http_server:2.4.19:*:*:*:*:*:*:*:
  • cpe:2.3:a:apache:http_server:2.4.2:*:*:*:*:*:*:*:
  • cpe:2.3:a:apache:http_server:2.4.20:*:*:*:*:*:*:*:
  • cpe:2.3:a:apache:http_server:2.4.21:*:*:*:*:*:*:*:
  • cpe:2.3:a:apache:http_server:2.4.22:*:*:*:*:*:*:*:
  • cpe:2.3:a:apache:http_server:2.4.23:*:*:*:*:*:*:*:
  • cpe:2.3:a:apache:http_server:2.4.3:*:*:*:*:*:*:*:
  • cpe:2.3:a:apache:http_server:2.4.6:*:*:*:*:*:*:*:
  • cpe:2.3:a:apache:http_server:2.4.7:*:*:*:*:*:*:*:
  • cpe:2.3:a:apache:http_server:2.4.8:*:*:*:*:*:*:*:
  • cpe:2.3:a:apache:http_server:2.4.9:*:*:*:*:*:*:*: