CVE-2016-2107
Published on: 05/04/2016 12:00:00 AM UTC
Last Modified on: 03/23/2021 11:27:15 PM UTC
Certain versions of Android from Google contain the following vulnerability:
The AES-NI implementation in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h does not consider memory allocation during a certain padding check, which allows remote attackers to obtain sensitive cleartext information via a padding-oracle attack against an AES CBC session. NOTE: this vulnerability exists because of an incorrect fix for CVE-2013-0169.
- CVE-2016-2107 has been assigned by [email protected] to track the vulnerability; it is currently rated as MEDIUM severity.
CVSS3 Score: 5.9 - MEDIUM

Attack Vector | Attack Complexity | Privileges Required | User Interaction
---|---|---|---
NETWORK | HIGH | NONE | NONE

Scope | Confidentiality Impact | Integrity Impact | Availability Impact
---|---|---|---
UNCHANGED | HIGH | NONE | NONE
CVSS2 Score: 2.6 - LOW

Access Vector | Access Complexity | Authentication
---|---|---
NETWORK | HIGH | NONE

Confidentiality Impact | Integrity Impact | Availability Impact
---|---|---
PARTIAL | NONE | NONE
CVE References
Description | Source | Content Type | Tags
---|---|---|---
[security-announce] openSUSE-SU-2016:1566-1: important: Security update | lists.opensuse.org | text/html |
Oracle Solaris Bulletin - April 2016 | www.oracle.com | text/html |
USN-2959-1: OpenSSL vulnerabilities - Ubuntu | www.ubuntu.com | text/html |
[security-announce] openSUSE-SU-2016:1238-1: important: Security update | lists.opensuse.org | text/html |
About the security content of OS X El Capitan v10.11.6 and Security Update 2016-004 - Apple Support | support.apple.com | text/html |
[security-announce] openSUSE-SU-2016:1237-1: important: Security update | lists.opensuse.org | text/html |
Document Display - HPE Support Center | h20566.www2.hpe.com | text/html |
Slackware Security Advisory - openssl Updates ≈ Packet Storm | packetstormsecurity.com | text/html |
Oracle Critical Patch Update - July 2016 | www.oracle.com | text/html |
OpenSSL Padding Oracle Incomplete Fix Information Disclosure Vulnerability | cve.report (archive) | text/html |
APPLE-SA-2016-07-18-1 OS X El Capitan v10.11.6 and Security Update 2016-004 | lists.apple.com | text/html |
Oracle July 2016 Critical Patch Update Multiple Vulnerabilities | cve.report (archive) | text/html |
git.openssl.org Git - openssl.git/commit | git.openssl.org | text/xml |
| www.freebsd.org | text/plain |
[security-announce] SUSE-SU-2016:1233-1: important: Security update for | lists.opensuse.org | text/html |
Document Display - HPE Support Center | h20566.www2.hpe.com | text/html |
[security-announce] SUSE-SU-2016:1206-1: important: Security update for | lists.opensuse.org | text/html |
Broadcom Support Portal | bto.bluecoat.com | text/html |
On Web-Security and -Insecurity: Curious Padding oracle in OpenSSL (CVE-2016-2107) | web-in-security.blogspot.ca | text/html |
Oracle Critical Patch Update - January 2018 | www.oracle.com | text/html |
CPU July 2018 | web.archive.org | text/html | Inactive Link, Not Archived
Document Display - HPE Support Center | h20566.www2.hpe.com | text/html |
Yet Another Padding Oracle in OpenSSL CBC Ciphersuites | blog.cloudflare.com | text/html |
Oracle Critical Patch Update - October 2016 | www.oracle.com | text/html |
[security-announce] openSUSE-SU-2016:1240-1: important: Security update | lists.opensuse.org | text/html |
[R7] LCE 4.8.1 Fixes Multiple Vulnerabilities - Security Advisory - Tenable™ | www.tenable.com | text/html |
[SECURITY] Fedora 22 Update: openssl-1.0.1k-15.fc22 | lists.fedoraproject.org | text/html |
Oracle Linux Bulletin - April 2016 | www.oracle.com | text/html |
Document Display - HPE Support Center | h20566.www2.hpe.com | text/html |
[SECURITY] Fedora 23 Update: openssl-1.0.2h-1.fc23 | lists.fedoraproject.org | text/html |
Document Display - HPE Support Center | h20566.www2.hpe.com | text/html |
OpenSSL: Multiple vulnerabilities (GLSA 201612-16) — Gentoo security | security.gentoo.org | text/html |
The Slackware Linux Project: Slackware Security Advisories | www.slackware.com | text/html |
OpenSSL - Padding Oracle in AES-NI CBC MAC Check - Multiple dos Exploit | www.exploit-db.com | text/html | Proof of Concept
OpenSSL Multiple Bugs Let Remote Users Decrypt Data, Deny Service, Obtain Potentially Sensitive Information, and Potentially Execute Arbitrary Code - SecurityTracker | www.securitytracker.com | text/html |
Android Security Bulletin—July 2016 - Android Open Source Project | source.android.com | text/html |
[security-announce] openSUSE-SU-2016:1243-1: important: Security update | lists.opensuse.org | text/html |
Red Hat Customer Portal | web.archive.org | text/html | Inactive Link, Not Archived
Red Hat Customer Portal | web.archive.org | text/html | Inactive Link, Not Archived
[security-announce] SUSE-SU-2016:1228-1: important: Security update for | lists.opensuse.org | text/html |
Document Display - HPE Support Center | h20566.www2.hpe.com | text/html |
Multiple Vulnerabilities in OpenSSL Affecting Cisco Products: May 2016 | tools.cisco.com | text/html |
Red Hat Customer Portal | web.archive.org | text/html | Inactive Link, Not Archived
| www.openssl.org | text/plain | Vendor Advisory
[SECURITY] Fedora 24 Update: openssl-1.0.2h-1.fc24 | lists.fedoraproject.org | text/html |
Juniper Networks - 2016-10 Security Bulletin: OpenSSL security updates | kb.juniper.net | text/html |
May 2016 OpenSSL Vulnerabilities in Multiple NetApp Products - NetApp Product Security | security.netapp.com | text/html |
CPU Oct 2018 | www.oracle.com | text/html |
Document Display - HPE Support Center | h20566.www2.hpe.com | text/html |
McAfee Security Bulletin: McAfee product updates fix vulnerabilities in OpenSSL that can allow an attacker to decrypt the traffic, corrupt the heap, and cause a denial of service | kc.mcafee.com | text/html |
Public KB - SA40202 - [Pulse Secure] May 3rd 2016 OpenSSL Security Advisory | kb.pulsesecure.net | text/html |
Document Display - HPE Support Center | h20566.www2.hpe.com | text/html |
Oracle Critical Patch Update - July 2017 | www.oracle.com | text/html |
Oracle Critical Patch Update - October 2017 | www.oracle.com | text/html |
Citrix XenServer Multiple Security Updates | support.citrix.com | text/html |
Debian -- Security Information -- DSA-3566-1 openssl | www.debian.org | text/html | Deprecated Link
Exploit/POC from Github
Simple test for the May 2016 OpenSSL padding oracle (CVE-2016-2107)
Known Affected Configurations (CPE V2.3)
Type | Vendor | Product | Version | Update | Edition | Language
---|---|---|---|---|---|---
Operating System | Google | Android | 4.0 | All | All | All
Operating System | Google | Android | 4.0.1 | All | All | All
Operating System | Google | Android | 4.0.2 | All | All | All
Operating System | Google | Android | 4.0.3 | All | All | All
Operating System | Google | Android | 4.0.4 | All | All | All
Operating System | Google | Android | 4.1 | All | All | All
Operating System | Google | Android | 4.1.2 | All | All | All
Operating System | Google | Android | 4.2 | All | All | All
Operating System | Google | Android | 4.2.1 | All | All | All
Operating System | Google | Android | 4.2.2 | All | All | All
Operating System | Google | Android | 4.3 | All | All | All
Operating System | Google | Android | 4.3.1 | All | All | All
Operating System | Google | Android | 4.4 | All | All | All
Operating System | Google | Android | 4.4.1 | All | All | All
Operating System | Google | Android | 4.4.2 | All | All | All
Operating System | Google | Android | 4.4.3 | All | All | All
Operating System | Google | Android | 5.0 | All | All | All
Operating System | Google | Android | 5.0.1 | All | All | All
Operating System | Google | Android | 5.1 | All | All | All
Operating System | Google | Android | 5.1.0 | All | All | All
Application | Hp | Helion Openstack | 2.0 | All | All | All
Application | Hp | Helion Openstack | 2.1 | All | All | All
Application | Hp | Helion Openstack | 2.1.2 | All | All | All
Application | Hp | Helion Openstack | 2.1.4 | All | All | All
Application | Openssl | Openssl | 1.0.2 | All | All | All
Application | Openssl | Openssl | 1.0.2 | beta1 | All | All
Application | Openssl | Openssl | 1.0.2 | beta2 | All | All
Application | Openssl | Openssl | 1.0.2 | beta3 | All | All
Application | Openssl | Openssl | 1.0.2a | All | All | All
Application | Openssl | Openssl | 1.0.2b | All | All | All
Application | Openssl | Openssl | 1.0.2c | All | All | All
Application | Openssl | Openssl | 1.0.2d | All | All | All
Application | Openssl | Openssl | 1.0.2e | All | All | All
Application | Openssl | Openssl | 1.0.2f | All | All | All
Application | Openssl | Openssl | 1.0.2g | All | All | All
Application | Openssl | Openssl | All | All | All | All
Operating System | Opensuse | Leap | 42.1 | All | All | All
Operating System | Opensuse | Opensuse | 13.2 | All | All | All
Operating System | Redhat | Enterprise Linux Desktop | 6.0 | All | All | All
Operating System | Redhat | Enterprise Linux Desktop | 7.0 | All | All | All
Operating System | Redhat | Enterprise Linux Hpc Node | 6.0 | All | All | All
Operating System | Redhat | Enterprise Linux Hpc Node | 7.0 | All | All | All
Operating System | Redhat | Enterprise Linux Hpc Node Eus | 7.2 | All | All | All
Operating System | Redhat | Enterprise Linux Server | 6.0 | All | All | All
Operating System | Redhat | Enterprise Linux Server | 7.0 | All | All | All
Operating System | Redhat | Enterprise Linux Server Aus | 7.2 | All | All | All
Operating System | Redhat | Enterprise Linux Server Eus | 7.2 | All | All | All
Operating System | Redhat | Enterprise Linux Workstation | 6.0 | All | All | All
Operating System | Redhat | Enterprise Linux Workstation | 7.0 | All | All | All
- cpe:2.3:o:google:android:4.0:*:*:*:*:*:*:*
- cpe:2.3:o:google:android:4.0.1:*:*:*:*:*:*:*
- cpe:2.3:o:google:android:4.0.2:*:*:*:*:*:*:*
- cpe:2.3:o:google:android:4.0.3:*:*:*:*:*:*:*
- cpe:2.3:o:google:android:4.0.4:*:*:*:*:*:*:*
- cpe:2.3:o:google:android:4.1:*:*:*:*:*:*:*
- cpe:2.3:o:google:android:4.1.2:*:*:*:*:*:*:*
- cpe:2.3:o:google:android:4.2:*:*:*:*:*:*:*
- cpe:2.3:o:google:android:4.2.1:*:*:*:*:*:*:*
- cpe:2.3:o:google:android:4.2.2:*:*:*:*:*:*:*
- cpe:2.3:o:google:android:4.3:*:*:*:*:*:*:*
- cpe:2.3:o:google:android:4.3.1:*:*:*:*:*:*:*
- cpe:2.3:o:google:android:4.4:*:*:*:*:*:*:*
- cpe:2.3:o:google:android:4.4.1:*:*:*:*:*:*:*
- cpe:2.3:o:google:android:4.4.2:*:*:*:*:*:*:*
- cpe:2.3:o:google:android:4.4.3:*:*:*:*:*:*:*
- cpe:2.3:o:google:android:5.0:*:*:*:*:*:*:*
- cpe:2.3:o:google:android:5.0.1:*:*:*:*:*:*:*
- cpe:2.3:o:google:android:5.1:*:*:*:*:*:*:*
- cpe:2.3:o:google:android:5.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:hp:helion_openstack:2.0:*:*:*:*:*:*:*
- cpe:2.3:a:hp:helion_openstack:2.1:*:*:*:*:*:*:*
- cpe:2.3:a:hp:helion_openstack:2.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:hp:helion_openstack:2.1.4:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:1.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:1.0.2:beta1:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:1.0.2:beta2:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:1.0.2:beta3:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:1.0.2a:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:1.0.2b:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:1.0.2c:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:1.0.2d:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:1.0.2e:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:1.0.2f:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:1.0.2g:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*
- cpe:2.3:o:opensuse:leap:42.1:*:*:*:*:*:*:*
- cpe:2.3:o:opensuse:opensuse:13.2:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_hpc_node:6.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_hpc_node:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_hpc_node_eus:7.2:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_aus:7.2:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_eus:7.2:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*
No vendor comments have been submitted for this CVE