Apache – CVE-2016-0736


Kayran has detected that the Version of Apache HTTP Server being used has a Cryptographic Issue (CWE-310).
Weaknesses in this category are related to the design and implementation of data confidentiality and integrity. Frequently, these deal with the use of encoding techniques, encryption libraries, and hashing algorithms.

Also known as CVE-2016-0736.

Attackers abuse the fact that mod_session_crypto is encrypting its data/cookie using the configured ciphers with possibly either CBC or ECB modes of operation (AES256-CBC by default) and there’s no selectable or builtin authenticated encryption.

This would allow attacker to initiate padding oracle attacks, specifically with CBC.


To fix CVE-2016-0736, upgrade the version of Apache HTTP Server being used to 2.4.25.




< Return to all Vulnerabilities

Passwords 101

Unlike basketballs, “passwords” are things we don’t want to be passed around, especially in a society built around the idea that “mystery” is appealing. We

Read More »