#VU639 Traffic decryption in Apple Inc. Web applications


Published: 2020-03-18

Vulnerability identifier: #VU639

Vulnerability risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L/E:P/RL:O/RC:C]

CVE-ID: CVE-2016-2107

CWE-ID: CWE-284

Exploitation vector: Network

Exploit availability: Yes

Vulnerable software:
OpenSSL
Server applications / Encryption software
Oracle Solaris
Operating systems & Components / Operating system
Oracle Linux
Operating systems & Components / Operating system
macOS
Operating systems & Components / Operating system
Oracle Access Manager
Server applications / Directory software, identity management
Oracle Exalogic Infrastructure
Server applications / Remote management servers, RDP, SSH
Oracle Enterprise Manager Ops Center
Server applications / Remote management servers, RDP, SSH
Enterprise Manager Base Platform
Server applications / Other server solutions
Oracle Agile Engineering Data Management
Other software / Other software solutions
Oracle Business Intelligence Enterprise Edition
Other software / Other software solutions
Oracle Transportation Management
Other software / Other software solutions
Oracle Enterprise Session Border Controller
Other software / Other software solutions
Oracle Life Sciences Data Hub
Other software / Other software solutions
Primavera P6 Professional Project Management
Other software / Other software solutions
PeopleSoft Enterprise PeopleTools
Client/Desktop applications / Office applications
Oracle Communications Unified Session Manager
/
Oracle VM VirtualBox
Server applications / Virtualization software
Oracle Secure Global Desktop
Client/Desktop applications / Virtualization software
Oracle E-Business Suite
Web applications / E-Commerce systems
Oracle Commerce Guided Search
Web applications / E-Commerce systems

Vendor: OpenSSL Software Foundation
Oracle
Apple Inc.

Description
The vulnerability allows a remote user to decrypt traffic on the target system.

The weakness is due to an access control error. If the connection uses an AES CBC cipher and the server supports AES-NI, attackers can perform a padding oracle attack.

Successful exploitation of the vulnerability leads to traffic decryption on the vulnerable system.

Mitigation
Update OpenSSL 1.0.1 to 1.0.1t.
Update OpenSSL 1.0.2 to 1.0.2h.

Vulnerable software versions

OpenSSL: 1.0.2, 1.0.1

Oracle Solaris: 10 - 11.3

Oracle Access Manager: 10.1.4.2 - 11.1.1.7

Oracle Exalogic Infrastructure: 1.0 - 2.0

Enterprise Manager Base Platform: 12.1.0.5 - 13.1.0.0

Oracle Agile Engineering Data Management: 6.1.3.0 - 6.2.0.0

PeopleSoft Enterprise PeopleTools: 8.53 - 8.55

Oracle Communications Unified Session Manager: 7.2.5 - 7.3.5

Oracle VM VirtualBox: 5.0.20

Oracle Secure Global Desktop: 4.63 - 5.2

Oracle Business Intelligence Enterprise Edition: 11.1.1.7.0 - 12.2.1.1.0

Oracle Enterprise Manager Ops Center: 12.1.4 - 12.3.2

Oracle E-Business Suite: 12.1.3

Oracle Transportation Management: 6.1 - 6.3.7

Oracle Commerce Guided Search: 6.2.2 - 6.5.2

Oracle Enterprise Session Border Controller: Ecz7.3m1p4

Oracle Life Sciences Data Hub: 2.1

Primavera P6 Professional Project Management: 8.3 - 16.0

Oracle Linux: 6 - 7

macOS: 10.11 - 10.11.5


External links
http://www.openssl.org/news/secadv/20160503.tx
http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html
http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html
http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html
http://support.apple.com/cs-cz/HT206903


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a proof of concept for this vulnerability is available.

