OpenSSL CVE-2016-2107 Grading Update

Ivan Ristic

We are releasing an update to the grading criteria, version 2009m, to respond to the discovery of the OpenSSL vulnerability CVE-2016-2107 announced in the OpenSSL Security Advisory [3rd May 2016]. This vulnerability can be exploited by a MITM attacker using a padding oracle attack to decrypt traffic when the connection uses an AES CBC cipher suite and the server supports AES-NI.

We are giving advance notification for the grading criteria changes. Currently, if the server is found to be vulnerable to this attack, grades are capped at C. Grades will be capped at F from June 6, 2016.

Comments (13)


  1. I have the latest OpenSSL version installed, but I still receive grade F.

    More information below:

    openssl version
    OpenSSL 1.0.2h 3 May 2016 (Library: OpenSSL 1.0.2g 1 Mar 2016)

    This is loaded by openssl:
    ldd /usr/bin/openssl => (0x00007ffd3fdfc000) => /usr/lib/x86_64-linux-gnu/ (0x00007fd3aa470000) => /usr/lib/x86_64-linux-gnu/ (0x00007fd3aa028000) => /lib/x86_64-linux-gnu/ (0x00007fd3a9c63000) => /lib/x86_64-linux-gnu/ (0x00007fd3a9a5f000)
    /lib64/ (0x00007fd3aa6d7000)

    The Apache SSL module is also using the same library:
    ldd => (0x00007ffcadb21000) => /usr/lib/x86_64-linux-gnu/ (0x00007efed9c33000) => /usr/lib/x86_64-linux-gnu/ (0x00007efed97eb000) => /lib/x86_64-linux-gnu/ (0x00007efed95cd000) => /lib/x86_64-linux-gnu/ (0x00007efed9208000) => /lib/x86_64-linux-gnu/ (0x00007efed9004000)
    /lib64/ (0x00007efeda0d2000)
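The output above reports the binary as 1.0.2h while the shared library it loaded is still 1.0.2g, which is the part that matters for this CVE. The following check is an added example, not code from the SSL Labs post or the commenter: it parses the `(Library: ...)` field of `openssl version` and compares it with the fixed releases. It assumes the fixed versions named in the 3 May 2016 advisory (1.0.2h and 1.0.1t), a POSIX `sh`, and `sed`; the `check_host` helper is hypothetical and only runs with `--host`.

```shell
#!/bin/sh
# Added example (not from the post or the commenter): decide whether the OpenSSL
# *library* actually loaded is patched for CVE-2016-2107. The binary's own version
# is irrelevant when an older shared library is mapped, which is exactly what the
# "(Library: ...)" part of `openssl version` reveals.
# Assumption: fixed releases per the 3 May 2016 advisory are 1.0.2h and 1.0.1t.

# Pull the library version out of an `openssl version` line; fall back to the
# binary version when no "(Library: ...)" part is printed.
library_version() {
    line=$1
    lib=$(printf '%s\n' "$line" | sed -n 's/.*Library: OpenSSL \([0-9][0-9.]*[a-z]*\).*/\1/p')
    [ -n "$lib" ] || lib=$(printf '%s\n' "$line" | sed -n 's/^OpenSSL \([0-9][0-9.]*[a-z]*\).*/\1/p')
    printf '%s' "$lib"
}

# Classify a version such as 1.0.2g: prints patched/vulnerable/unknown and returns
# 0/1/2. A bare "1.0.2" (no letter) is the original release and predates the fix.
cve_2016_2107_status() {
    ver=${1%%-*}                                   # drop suffixes such as "-fips"
    branch=$(printf '%s' "$ver" | sed 's/[a-z]*$//')
    letter=$(printf '%s' "$ver" | sed 's/^[0-9.]*//')
    case "$branch" in
        1.0.2) fixed=h ;;
        1.0.1) fixed=t ;;
        *) printf 'unknown\n'; return 2 ;;         # outside the two branches this check covers
    esac
    # Release letters sort by ASCII code (a < b < ... < z); POSIX printf "'x" yields the code.
    if [ -n "$letter" ] && [ "$(printf '%d' "'$letter")" -ge "$(printf '%d' "'$fixed")" ]; then
        printf 'patched\n'; return 0
    fi
    printf 'vulnerable\n'; return 1
}

# Hypothetical helper: check the openssl binary on this host (run with --host).
check_host() {
    out=$(openssl version 2>/dev/null) || { echo 'openssl not found'; return 2; }
    lib=$(library_version "$out")
    printf 'loaded library %s: ' "$lib"
    cve_2016_2107_status "$lib"
}

# Constructed sample: the line posted in the comment above (binary h, library g).
sample='OpenSSL 1.0.2h 3 May 2016 (Library: OpenSSL 1.0.2g 1 Mar 2016)'
if [ "${1:-}" = "--host" ]; then check_host; else
    lib=$(library_version "$sample")
    status=$(cve_2016_2107_status "$lib")
    printf 'loaded library %s: %s\n' "$lib" "$status"   # prints "loaded library 1.0.2g: vulnerable"
fi
```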

  2. Since you now have a blog report on this CVE, might you consider linking to it on the SSL Labs test page, instead of just pushing link traffic to CloudFlare?