Request a Demo

Apache – CVE-2016-0736

Description

Kayran has detected that the Version of Apache HTTP Server being used has a Cryptographic Issue (CWE-310).
Weaknesses in this category are related to the design and implementation of data confidentiality and integrity. Frequently, these deal with the use of encoding techniques, encryption libraries, and hashing algorithms.

Also known as CVE-2016-0736.

Attackers abuse the fact that mod_session_crypto is encrypting its data/cookie using the configured ciphers with possibly either CBC or ECB modes of operation (AES256-CBC by default) and there’s no selectable or builtin authenticated encryption.

This would allow attacker to initiate padding oracle attacks, specifically with CBC.

Recommendation

To fix CVE-2016-0736, upgrade the version of Apache HTTP Server being used to 2.4.25.

References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=2016-0736

https://cwe.mitre.org/data/definitions/310.html

< Return to all Vulnerabilities

Request a Demo

Bug Bounties

As pirates, we all love plundering, we all love raiding, but mostly, we all love bounties, especially Bug Bounties. Let’s talk about it. Bug Bounties

Read More »

APT vs. ATP

In this article we will talk about APT vs. ATP. In other words, Advanced Persistent Threat and Advanced Threat Protection and the context between these

Read More »
Facebook Linkedin

WEB APPLICATION VULNERABILITY SCANNER

Links

registered user?

Log in
Facebook Linkedin