OpenSSL CVE-2016-2107 Grading Update

Ivan Ristic

Last updated on: November 3, 2022

We are releasing an update to the grading criteria, version 2009m, to respond to the discovery of the OpenSSL vulnerability CVE-2016-2107 announced in the OpenSSL Security Advisory [3rd May 2016]. This vulnerability can be exploited by MITM attacker using a padding Oracle attack to decrypt traffic when the connection uses an AES CBC cipher and the server supports AES-NI.

We are giving advance notification for the grading criteria changes. Currently, if the server is found to be vulnerable to this attack, grades are capped at C. Grades will be capped at F from June 6, 2016.

Show Comments (13)


Your email address will not be published. Required fields are marked *

  1. I have the latest openssl version installed: But i still receive grade F.

    More information below:

    openssl version
    OpenSSL 1.0.2h 3 May 2016 (Library: OpenSSL 1.0.2g 1 Mar 2016)

    This is loaded by openssl:
    ldd /usr/bin/openssl => (0x00007ffd3fdfc000) => /usr/lib/x86_64-linux-gnu/ (0x00007fd3aa470000) => /usr/lib/x86_64-linux-gnu/ (0x00007fd3aa028000) => /lib/x86_64-linux-gnu/ (0x00007fd3a9c63000) => /lib/x86_64-linux-gnu/ (0x00007fd3a9a5f000)
    /lib64/ (0x00007fd3aa6d7000)

    The Apache SSL module is also using the same library:
    ldd => (0x00007ffcadb21000) => /usr/lib/x86_64-linux-gnu/ (0x00007efed9c33000) => /usr/lib/x86_64-linux-gnu/ (0x00007efed97eb000) => /lib/x86_64-linux-gnu/ (0x00007efed95cd000) => /lib/x86_64-linux-gnu/ (0x00007efed9208000) => /lib/x86_64-linux-gnu/ (0x00007efed9004000)
    /lib64/ (0x00007efeda0d2000)

    1. Jochem,

      We have the exact same problem… We did the upgrade all seems OK but we still have a failing grade.

      Did you find a solution?

      1. Hi,

        How did you solved the problem, because, I’ve the same issue and I don’t understand how to solve the problemwith my grade F

        Many thanks

  2. Since you now have a blog report on this CVE, might you consider linking to it on the SSL Labs test page, instead of just pushing link traffic to CloudFlare?