Details of VAR-201609-0597

ID

VAR-201609-0597

CVE

CVE-2016-2183

TITLE

TLS Used in products such as protocols DES and Triple DES Cryptographic plaintext data acquisition vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2016-004511

DESCRIPTION

The DES and Triple DES ciphers, as used in the TLS, SSH, and IPSec protocols and other protocols and products, have a birthday bound of approximately four billion blocks, which makes it easier for remote attackers to obtain cleartext data via a birthday attack against a long-duration encrypted session, as demonstrated by an HTTPS session using Triple DES in CBC mode, aka a "Sweet32" attack. This vulnerability is "Sweet32" It is called an attack.A third party could retrieve plaintext data through a birthday attack on a long encrypted session. IPSec (full name Internet Protocol Security) is a set of IP security protocols established by the IPSec group of the Internet Engineering Task Force (IETF). Both DES and Triple DES are encryption algorithms. This vulnerability stems from configuration errors in network systems or products during operation. Solution: For OpenShift Container Platform 4.5 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update: https://docs.openshift.com/container-platform/4.5/release_notes/ocp-4-5-rel ease-notes.html Details on how to access this content are available at https://docs.openshift.com/container-platform/4.5/updating/updating-cluster - -cli.html. 5) - i386, ppc, s390x, x86_64 3. ========================================================================== Ubuntu Security Notice USN-3179-1 January 25, 2017 openjdk-8 vulnerabilities ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 16.10 - Ubuntu 16.04 LTS Summary: Several security issues were fixed in OpenJDK 8. Software Description: - openjdk-8: Open Source Java implementation Details: Karthik Bhargavan and Gaetan Leurent discovered that the DES and Triple DES ciphers were vulnerable to birthday attacks. This update moves those algorithms to the legacy algorithm set and causes them to be used only if no non-legacy algorithms can be negotiated. (CVE-2016-2183) It was discovered that OpenJDK accepted ECSDA signatures using non-canonical DER encoding. An attacker could use this to modify or expose sensitive data. (CVE-2016-5546) It was discovered that OpenJDK did not properly verify object identifier (OID) length when reading Distinguished Encoding Rules (DER) records, as used in x.509 certificates and elsewhere. An attacker could use this to cause a denial of service (memory consumption). (CVE-2016-5547) It was discovered that covert timing channel vulnerabilities existed in the DSA and ECDSA implementations in OpenJDK. A remote attacker could use this to expose sensitive information. (CVE-2016-5548, CVE-2016-5549) It was discovered that the URLStreamHandler class in OpenJDK did not properly parse user information from a URL. A remote attacker could use this to expose sensitive information. (CVE-2016-5552) It was discovered that the URLClassLoader class in OpenJDK did not properly check access control context when downloading class files. A remote attacker could use this to expose sensitive information. (CVE-2017-3231) It was discovered that the Remote Method Invocation (RMI) implementation in OpenJDK performed deserialization of untrusted inputs. A remote attacker could use this to execute arbitrary code. (CVE-2017-3241) It was discovered that the Java Authentication and Authorization Service (JAAS) component of OpenJDK did not properly perform user search LDAP queries. An attacker could use a specially constructed LDAP entry to expose or modify sensitive information. (CVE-2017-3252) It was discovered that the PNGImageReader class in OpenJDK did not properly handle iTXt and zTXt chunks. An attacker could use this to cause a denial of service (memory consumption). (CVE-2017-3253) It was discovered that integer overflows existed in the SocketInputStream and SocketOutputStream classes of OpenJDK. An attacker could use this to expose sensitive information. (CVE-2017-3261) It was discovered that the atomic field updaters in the java.util.concurrent.atomic package in OpenJDK did not properly restrict access to protected field members. An attacker could use this to specially craft a Java application or applet that could bypass Java sandbox restrictions. (CVE-2017-3272) It was discovered that a vulnerability existed in the class construction implementation in OpenJDK. An attacker could use this to specially craft a Java application or applet that could bypass Java sandbox restrictions. (CVE-2017-3289) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 16.10: openjdk-8-jdk 8u121-b13-0ubuntu1.16.10.2 openjdk-8-jdk-headless 8u121-b13-0ubuntu1.16.10.2 openjdk-8-jre 8u121-b13-0ubuntu1.16.10.2 openjdk-8-jre-headless 8u121-b13-0ubuntu1.16.10.2 openjdk-8-jre-jamvm 8u121-b13-0ubuntu1.16.10.2 openjdk-8-jre-zero 8u121-b13-0ubuntu1.16.10.2 Ubuntu 16.04 LTS: openjdk-8-jdk 8u121-b13-0ubuntu1.16.04.2 openjdk-8-jdk-headless 8u121-b13-0ubuntu1.16.04.2 openjdk-8-jre 8u121-b13-0ubuntu1.16.04.2 openjdk-8-jre-headless 8u121-b13-0ubuntu1.16.04.2 openjdk-8-jre-jamvm 8u121-b13-0ubuntu1.16.04.2 openjdk-8-jre-zero 8u121-b13-0ubuntu1.16.04.2 This update uses a new upstream release, which includes additional bug fixes. After a standard system update you need to restart any Java applications or applets to make all the necessary changes. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Critical: java-1.7.1-ibm security update Advisory ID: RHSA-2017:0336-01 Product: Red Hat Enterprise Linux Supplementary Advisory URL: https://rhn.redhat.com/errata/RHSA-2017-0336.html Issue date: 2017-02-28 CVE Names: CVE-2016-2183 CVE-2016-5546 CVE-2016-5547 CVE-2016-5548 CVE-2016-5549 CVE-2016-5552 CVE-2017-3231 CVE-2017-3241 CVE-2017-3252 CVE-2017-3253 CVE-2017-3259 CVE-2017-3261 CVE-2017-3272 CVE-2017-3289 ===================================================================== 1. Summary: An update for java-1.7.1-ibm is now available for Red Hat Enterprise Linux 6 Supplementary and Red Hat Enterprise Linux 7 Supplementary. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux Client Supplementary (v. 7) - x86_64 Red Hat Enterprise Linux ComputeNode Supplementary (v. 7) - x86_64 Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64 Red Hat Enterprise Linux HPC Node Supplementary (v. 6) - x86_64 Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, ppc64, s390x, x86_64 Red Hat Enterprise Linux Server Supplementary (v. 7) - ppc64, ppc64le, s390x, x86_64 Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64 Red Hat Enterprise Linux Workstation Supplementary (v. 7) - x86_64 3. Description: IBM Java SE version 7 Release 1 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit. This update upgrades IBM Java SE 7 to version 7R1 SR4-FP1. Security Fix(es): * This update fixes multiple vulnerabilities in the IBM Java Runtime Environment and the IBM Java Software Development Kit. Further information about these flaws can be found on the IBM Java Security alerts page, listed in the References section. (CVE-2016-2183, CVE-2016-5546, CVE-2016-5547, CVE-2016-5548, CVE-2016-5549, CVE-2016-5552, CVE-2017-3231, CVE-2017-3241, CVE-2017-3252, CVE-2017-3253, CVE-2017-3259, CVE-2017-3261, CVE-2017-3272, CVE-2017-3289) 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 All running instances of IBM Java must be restarted for this update to take effect. 5. Bugs fixed (https://bugzilla.redhat.com/): 1369383 - CVE-2016-2183 SSL/TLS: Birthday attack against 64-bit block ciphers (SWEET32) 1413554 - CVE-2017-3272 OpenJDK: insufficient protected field access checks in atomic field updaters (Libraries, 8165344) 1413562 - CVE-2017-3289 OpenJDK: insecure class construction (Hotspot, 8167104) 1413583 - CVE-2017-3253 OpenJDK: imageio PNGImageReader failed to honor ignoreMetadata for iTXt and zTXt chunks (2D, 8166988) 1413653 - CVE-2017-3261 OpenJDK: integer overflow in SocketOutputStream boundary check (Networking, 8164147) 1413717 - CVE-2017-3231 OpenJDK: URLClassLoader insufficient access control checks (Networking, 8151934) 1413764 - CVE-2016-5547 OpenJDK: missing ObjectIdentifier length check (Libraries, 8168705) 1413882 - CVE-2016-5552 OpenJDK: incorrect URL parsing in URLStreamHandler (Networking, 8167223) 1413906 - CVE-2017-3252 OpenJDK: LdapLoginModule incorrect userDN extraction (JAAS, 8161743) 1413911 - CVE-2016-5546 OpenJDK: incorrect ECDSA signature extraction from the DER input (Libraries, 8168714) 1413920 - CVE-2016-5548 OpenJDK: DSA implementation timing attack (Libraries, 8168728) 1413923 - CVE-2016-5549 OpenJDK: ECDSA implementation timing attack (Libraries, 8168724) 1413955 - CVE-2017-3241 OpenJDK: untrusted input deserialization in RMI registry and DCG (RMI, 8156802) 1414163 - CVE-2017-3259 Oracle JDK: unspecified vulnerability fixed in 6u141, 7u131, and 8u121 (Deployment) 6. Package List: Red Hat Enterprise Linux Desktop Supplementary (v. 6): i386: java-1.7.1-ibm-1.7.1.4.1-1jpp.1.el6_8.i686.rpm java-1.7.1-ibm-demo-1.7.1.4.1-1jpp.1.el6_8.i686.rpm java-1.7.1-ibm-devel-1.7.1.4.1-1jpp.1.el6_8.i686.rpm java-1.7.1-ibm-jdbc-1.7.1.4.1-1jpp.1.el6_8.i686.rpm java-1.7.1-ibm-plugin-1.7.1.4.1-1jpp.1.el6_8.i686.rpm java-1.7.1-ibm-src-1.7.1.4.1-1jpp.1.el6_8.i686.rpm x86_64: java-1.7.1-ibm-1.7.1.4.1-1jpp.1.el6_8.x86_64.rpm java-1.7.1-ibm-demo-1.7.1.4.1-1jpp.1.el6_8.x86_64.rpm java-1.7.1-ibm-devel-1.7.1.4.1-1jpp.1.el6_8.x86_64.rpm java-1.7.1-ibm-jdbc-1.7.1.4.1-1jpp.1.el6_8.x86_64.rpm java-1.7.1-ibm-plugin-1.7.1.4.1-1jpp.1.el6_8.x86_64.rpm java-1.7.1-ibm-src-1.7.1.4.1-1jpp.1.el6_8.x86_64.rpm Red Hat Enterprise Linux HPC Node Supplementary (v. 6): x86_64: java-1.7.1-ibm-1.7.1.4.1-1jpp.1.el6_8.x86_64.rpm java-1.7.1-ibm-demo-1.7.1.4.1-1jpp.1.el6_8.x86_64.rpm java-1.7.1-ibm-devel-1.7.1.4.1-1jpp.1.el6_8.x86_64.rpm java-1.7.1-ibm-src-1.7.1.4.1-1jpp.1.el6_8.x86_64.rpm Red Hat Enterprise Linux Server Supplementary (v. 6): i386: java-1.7.1-ibm-1.7.1.4.1-1jpp.1.el6_8.i686.rpm java-1.7.1-ibm-demo-1.7.1.4.1-1jpp.1.el6_8.i686.rpm java-1.7.1-ibm-devel-1.7.1.4.1-1jpp.1.el6_8.i686.rpm java-1.7.1-ibm-jdbc-1.7.1.4.1-1jpp.1.el6_8.i686.rpm java-1.7.1-ibm-plugin-1.7.1.4.1-1jpp.1.el6_8.i686.rpm java-1.7.1-ibm-src-1.7.1.4.1-1jpp.1.el6_8.i686.rpm ppc64: java-1.7.1-ibm-1.7.1.4.1-1jpp.1.el6_8.ppc64.rpm java-1.7.1-ibm-demo-1.7.1.4.1-1jpp.1.el6_8.ppc64.rpm java-1.7.1-ibm-devel-1.7.1.4.1-1jpp.1.el6_8.ppc64.rpm java-1.7.1-ibm-jdbc-1.7.1.4.1-1jpp.1.el6_8.ppc64.rpm java-1.7.1-ibm-src-1.7.1.4.1-1jpp.1.el6_8.ppc64.rpm s390x: java-1.7.1-ibm-1.7.1.4.1-1jpp.1.el6_8.s390x.rpm java-1.7.1-ibm-demo-1.7.1.4.1-1jpp.1.el6_8.s390x.rpm java-1.7.1-ibm-devel-1.7.1.4.1-1jpp.1.el6_8.s390x.rpm java-1.7.1-ibm-jdbc-1.7.1.4.1-1jpp.1.el6_8.s390x.rpm java-1.7.1-ibm-src-1.7.1.4.1-1jpp.1.el6_8.s390x.rpm x86_64: java-1.7.1-ibm-1.7.1.4.1-1jpp.1.el6_8.x86_64.rpm java-1.7.1-ibm-demo-1.7.1.4.1-1jpp.1.el6_8.x86_64.rpm java-1.7.1-ibm-devel-1.7.1.4.1-1jpp.1.el6_8.x86_64.rpm java-1.7.1-ibm-jdbc-1.7.1.4.1-1jpp.1.el6_8.x86_64.rpm java-1.7.1-ibm-plugin-1.7.1.4.1-1jpp.1.el6_8.x86_64.rpm java-1.7.1-ibm-src-1.7.1.4.1-1jpp.1.el6_8.x86_64.rpm Red Hat Enterprise Linux Workstation Supplementary (v. 6): i386: java-1.7.1-ibm-1.7.1.4.1-1jpp.1.el6_8.i686.rpm java-1.7.1-ibm-demo-1.7.1.4.1-1jpp.1.el6_8.i686.rpm java-1.7.1-ibm-devel-1.7.1.4.1-1jpp.1.el6_8.i686.rpm java-1.7.1-ibm-jdbc-1.7.1.4.1-1jpp.1.el6_8.i686.rpm java-1.7.1-ibm-plugin-1.7.1.4.1-1jpp.1.el6_8.i686.rpm java-1.7.1-ibm-src-1.7.1.4.1-1jpp.1.el6_8.i686.rpm x86_64: java-1.7.1-ibm-1.7.1.4.1-1jpp.1.el6_8.x86_64.rpm java-1.7.1-ibm-demo-1.7.1.4.1-1jpp.1.el6_8.x86_64.rpm java-1.7.1-ibm-devel-1.7.1.4.1-1jpp.1.el6_8.x86_64.rpm java-1.7.1-ibm-jdbc-1.7.1.4.1-1jpp.1.el6_8.x86_64.rpm java-1.7.1-ibm-plugin-1.7.1.4.1-1jpp.1.el6_8.x86_64.rpm java-1.7.1-ibm-src-1.7.1.4.1-1jpp.1.el6_8.x86_64.rpm Red Hat Enterprise Linux Client Supplementary (v. 7): x86_64: java-1.7.1-ibm-1.7.1.4.1-1jpp.2.el7.i686.rpm java-1.7.1-ibm-1.7.1.4.1-1jpp.2.el7.x86_64.rpm java-1.7.1-ibm-demo-1.7.1.4.1-1jpp.2.el7.x86_64.rpm java-1.7.1-ibm-devel-1.7.1.4.1-1jpp.2.el7.i686.rpm java-1.7.1-ibm-devel-1.7.1.4.1-1jpp.2.el7.x86_64.rpm java-1.7.1-ibm-jdbc-1.7.1.4.1-1jpp.2.el7.x86_64.rpm java-1.7.1-ibm-plugin-1.7.1.4.1-1jpp.2.el7.x86_64.rpm java-1.7.1-ibm-src-1.7.1.4.1-1jpp.2.el7.x86_64.rpm Red Hat Enterprise Linux ComputeNode Supplementary (v. 7): x86_64: java-1.7.1-ibm-1.7.1.4.1-1jpp.2.el7.i686.rpm java-1.7.1-ibm-1.7.1.4.1-1jpp.2.el7.x86_64.rpm java-1.7.1-ibm-demo-1.7.1.4.1-1jpp.2.el7.x86_64.rpm java-1.7.1-ibm-devel-1.7.1.4.1-1jpp.2.el7.i686.rpm java-1.7.1-ibm-devel-1.7.1.4.1-1jpp.2.el7.x86_64.rpm java-1.7.1-ibm-src-1.7.1.4.1-1jpp.2.el7.x86_64.rpm Red Hat Enterprise Linux Server Supplementary (v. 7): ppc64: java-1.7.1-ibm-1.7.1.4.1-1jpp.2.el7.ppc.rpm java-1.7.1-ibm-1.7.1.4.1-1jpp.2.el7.ppc64.rpm java-1.7.1-ibm-demo-1.7.1.4.1-1jpp.2.el7.ppc64.rpm java-1.7.1-ibm-devel-1.7.1.4.1-1jpp.2.el7.ppc.rpm java-1.7.1-ibm-devel-1.7.1.4.1-1jpp.2.el7.ppc64.rpm java-1.7.1-ibm-jdbc-1.7.1.4.1-1jpp.2.el7.ppc64.rpm java-1.7.1-ibm-plugin-1.7.1.4.1-1jpp.2.el7.ppc.rpm java-1.7.1-ibm-src-1.7.1.4.1-1jpp.2.el7.ppc64.rpm ppc64le: java-1.7.1-ibm-1.7.1.4.1-1jpp.2.el7.ppc64le.rpm java-1.7.1-ibm-demo-1.7.1.4.1-1jpp.2.el7.ppc64le.rpm java-1.7.1-ibm-devel-1.7.1.4.1-1jpp.2.el7.ppc64le.rpm java-1.7.1-ibm-jdbc-1.7.1.4.1-1jpp.2.el7.ppc64le.rpm java-1.7.1-ibm-src-1.7.1.4.1-1jpp.2.el7.ppc64le.rpm s390x: java-1.7.1-ibm-1.7.1.4.1-1jpp.2.el7.s390.rpm java-1.7.1-ibm-1.7.1.4.1-1jpp.2.el7.s390x.rpm java-1.7.1-ibm-demo-1.7.1.4.1-1jpp.2.el7.s390x.rpm java-1.7.1-ibm-devel-1.7.1.4.1-1jpp.2.el7.s390.rpm java-1.7.1-ibm-devel-1.7.1.4.1-1jpp.2.el7.s390x.rpm java-1.7.1-ibm-jdbc-1.7.1.4.1-1jpp.2.el7.s390x.rpm java-1.7.1-ibm-src-1.7.1.4.1-1jpp.2.el7.s390x.rpm x86_64: java-1.7.1-ibm-1.7.1.4.1-1jpp.2.el7.i686.rpm java-1.7.1-ibm-1.7.1.4.1-1jpp.2.el7.x86_64.rpm java-1.7.1-ibm-demo-1.7.1.4.1-1jpp.2.el7.x86_64.rpm java-1.7.1-ibm-devel-1.7.1.4.1-1jpp.2.el7.i686.rpm java-1.7.1-ibm-devel-1.7.1.4.1-1jpp.2.el7.x86_64.rpm java-1.7.1-ibm-jdbc-1.7.1.4.1-1jpp.2.el7.x86_64.rpm java-1.7.1-ibm-plugin-1.7.1.4.1-1jpp.2.el7.x86_64.rpm java-1.7.1-ibm-src-1.7.1.4.1-1jpp.2.el7.x86_64.rpm Red Hat Enterprise Linux Workstation Supplementary (v. 7): x86_64: java-1.7.1-ibm-1.7.1.4.1-1jpp.2.el7.i686.rpm java-1.7.1-ibm-1.7.1.4.1-1jpp.2.el7.x86_64.rpm java-1.7.1-ibm-demo-1.7.1.4.1-1jpp.2.el7.x86_64.rpm java-1.7.1-ibm-devel-1.7.1.4.1-1jpp.2.el7.i686.rpm java-1.7.1-ibm-devel-1.7.1.4.1-1jpp.2.el7.x86_64.rpm java-1.7.1-ibm-jdbc-1.7.1.4.1-1jpp.2.el7.x86_64.rpm java-1.7.1-ibm-plugin-1.7.1.4.1-1jpp.2.el7.x86_64.rpm java-1.7.1-ibm-src-1.7.1.4.1-1jpp.2.el7.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2016-2183 https://access.redhat.com/security/cve/CVE-2016-5546 https://access.redhat.com/security/cve/CVE-2016-5547 https://access.redhat.com/security/cve/CVE-2016-5548 https://access.redhat.com/security/cve/CVE-2016-5549 https://access.redhat.com/security/cve/CVE-2016-5552 https://access.redhat.com/security/cve/CVE-2017-3231 https://access.redhat.com/security/cve/CVE-2017-3241 https://access.redhat.com/security/cve/CVE-2017-3252 https://access.redhat.com/security/cve/CVE-2017-3253 https://access.redhat.com/security/cve/CVE-2017-3259 https://access.redhat.com/security/cve/CVE-2017-3261 https://access.redhat.com/security/cve/CVE-2017-3272 https://access.redhat.com/security/cve/CVE-2017-3289 https://access.redhat.com/security/updates/classification/#critical https://developer.ibm.com/javasdk/support/security-vulnerabilities/ 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2017 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iD8DBQFYtT+VXlSAg2UNWIIRAlsUAKC/YVMsT2MtkXqUC3tLLKKz44xx5gCgwDER EwgATWRMA0TtHHTG3g1+yS8= =8vwr -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce . The References section of this erratum contains a download link (you must log in to download the update). Red Hat Quay is a secure, private container registry that builds, analyzes and distributes container images. It provides a high level of automation and customization. (CVE-2016-2183) Bug Fix(es): * Running Quay in config mode now works in a disconnected option which doesn't require pulling resources from the Internet. * Quay's security scan endpoint is now enabled at startup for viewing results of Clair container image scans. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. Description: Red Hat JBoss Enterprise Application Platform is a platform for Java applications based on the JBoss Application Server. This release provides an update to httpd and OpenSSL. The updates are documented in the Release Notes document linked to in the References. The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server. OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, as well as a full-strength general-purpose cryptography library. This release of JBoss Enterprise Application Platform 6.4.18 Natives serves as a replacement of the JBoss Enterprise Application Platform 6.4.16 Natives and includes bug fixes which are documented in the Release Notes document linked to in the References. All users of Red Hat JBoss Enterprise Application Platform 6.4 Natives are advised to upgrade to these updated packages. Security Fix(es): * It was discovered that the httpd's mod_auth_digest module did not properly initialize memory before using it when processing certain headers related to digest authentication. A remote attacker could possibly use this flaw to disclose potentially sensitive information or cause httpd child process to crash by sending specially crafted requests to a server. (CVE-2017-9788) * A flaw was found in the way the DES/3DES cipher was used as part of the TLS/SSL protocol. A man-in-the-middle attacker could use this flaw to recover some plaintext data by capturing large amounts of encrypted traffic between TLS/SSL server and client if the communication used a DES/3DES based ciphersuite. (CVE-2016-2183) * A use-after-free flaw was found in the way httpd handled invalid and previously unregistered HTTP methods specified in the Limit directive used in an .htaccess file. A remote attacker could possibly use this flaw to disclose portions of the server memory, or cause httpd child process to crash. (CVE-2017-9798) Red Hat would like to thank OpenVPN for reporting CVE-2016-2183 and Hanno BAPck for reporting CVE-2017-9798. Upstream acknowledges Karthikeyan Bhargavan (Inria) and GaA<<tan Leurent (Inria) as the original reporters of CVE-2016-2183. Bug Fix(es): * CRL checking of very large CRLs fails with OpenSSL 1.0.2 (BZ#1508880) * mod_cluster segfaults in process_info() due to wrongly generated assembler instruction movslq (BZ#1508884) * Corruption in nodestatsmem in multiple core dumps but in different functions of each core dump. (BZ#1508885) 4. For the update to take effect, all services linked to the OpenSSL library must be restarted, or the system rebooted. The JBoss server process must be restarted for the update to take effect. Bugs fixed (https://bugzilla.redhat.com/): 1369383 - CVE-2016-2183 SSL/TLS: Birthday attack against 64-bit block ciphers (SWEET32) 1470748 - CVE-2017-9788 httpd: Uninitialized memory reflection in mod_auth_digest 1490344 - CVE-2017-9798 httpd: Use-after-free by limiting unregistered HTTP method (Optionsbleed) 1508880 - Unable to load large CRL openssl problem 1508884 - mod_cluster segfaults in process_info() due to wrongly generated assembler instruction movslq 1508885 - SegFault due to corrupt nodestatsmem 6. (CVE-2016-2183) 4. Bugs fixed (https://bugzilla.redhat.com/): 1369383 - CVE-2016-2183 SSL/TLS: Birthday attack against 64-bit block ciphers (SWEET32) 6

Trust: 2.52

sources: NVD: CVE-2016-2183 // JVNDB: JVNDB-2016-004511 // VULHUB: VHN-91002 // PACKETSTORM: 159431 // PACKETSTORM: 141354 // PACKETSTORM: 140977 // PACKETSTORM: 140718 // PACKETSTORM: 141352 // PACKETSTORM: 145017 // PACKETSTORM: 152978 // PACKETSTORM: 145018 // PACKETSTORM: 141555

AFFECTED PRODUCTS

vendor:	redhat	model:	enterprise linux	scope:	eq	version:	7.0	Trust: 1.0
vendor:	python	model:	python	scope:	gte	version:	2.7.0	Trust: 1.0
vendor:	openssl	model:	openssl	scope:	eq	version:	1.0.1p	Trust: 1.0
vendor:	redhat	model:	enterprise linux	scope:	eq	version:	6.0	Trust: 1.0
vendor:	openssl	model:	openssl	scope:	eq	version:	1.0.1f	Trust: 1.0
vendor:	cisco	model:	content security management appliance	scope:	eq	version:	9.7.0-006	Trust: 1.0
vendor:	nodejs	model:	node.js	scope:	gte	version:	6.0.0	Trust: 1.0
vendor:	nodejs	model:	node.js	scope:	gte	version:	0.10.0	Trust: 1.0
vendor:	redhat	model:	jboss web server	scope:	eq	version:	3.0	Trust: 1.0
vendor:	openssl	model:	openssl	scope:	eq	version:	1.0.1l	Trust: 1.0
vendor:	openssl	model:	openssl	scope:	eq	version:	1.0.1d	Trust: 1.0
vendor:	openssl	model:	openssl	scope:	eq	version:	1.0.1c	Trust: 1.0
vendor:	python	model:	python	scope:	lt	version:	3.4.7	Trust: 1.0
vendor:	redhat	model:	enterprise linux	scope:	eq	version:	5.0	Trust: 1.0
vendor:	openssl	model:	openssl	scope:	eq	version:	1.0.2d	Trust: 1.0
vendor:	openssl	model:	openssl	scope:	eq	version:	1.0.1g	Trust: 1.0
vendor:	openssl	model:	openssl	scope:	eq	version:	1.0.2b	Trust: 1.0
vendor:	openssl	model:	openssl	scope:	eq	version:	1.0.2c	Trust: 1.0
vendor:	python	model:	python	scope:	lt	version:	2.7.13	Trust: 1.0
vendor:	openssl	model:	openssl	scope:	eq	version:	1.0.1q	Trust: 1.0
vendor:	nodejs	model:	node.js	scope:	lt	version:	0.10.47	Trust: 1.0
vendor:	oracle	model:	database	scope:	eq	version:	11.2.0.4	Trust: 1.0
vendor:	openssl	model:	openssl	scope:	eq	version:	1.0.1t	Trust: 1.0
vendor:	openssl	model:	openssl	scope:	eq	version:	1.0.2e	Trust: 1.0
vendor:	nodejs	model:	node.js	scope:	lt	version:	4.1.2	Trust: 1.0
vendor:	cisco	model:	content security management appliance	scope:	eq	version:	9.6.6-068	Trust: 1.0
vendor:	nodejs	model:	node.js	scope:	gte	version:	4.0.0	Trust: 1.0
vendor:	openssl	model:	openssl	scope:	eq	version:	1.0.1b	Trust: 1.0
vendor:	redhat	model:	jboss enterprise application platform	scope:	eq	version:	6.0.0	Trust: 1.0
vendor:	nodejs	model:	node.js	scope:	lt	version:	0.12.16	Trust: 1.0
vendor:	python	model:	python	scope:	gte	version:	3.4.0	Trust: 1.0
vendor:	nodejs	model:	node.js	scope:	gte	version:	0.12.0	Trust: 1.0
vendor:	python	model:	python	scope:	gte	version:	3.5.0	Trust: 1.0
vendor:	openssl	model:	openssl	scope:	eq	version:	1.0.2h	Trust: 1.0
vendor:	openssl	model:	openssl	scope:	eq	version:	1.0.1h	Trust: 1.0
vendor:	nodejs	model:	node.js	scope:	lt	version:	4.6.0	Trust: 1.0
vendor:	nodejs	model:	node.js	scope:	gte	version:	4.2.0	Trust: 1.0
vendor:	nodejs	model:	node.js	scope:	lt	version:	6.7.0	Trust: 1.0
vendor:	openssl	model:	openssl	scope:	eq	version:	1.0.1j	Trust: 1.0
vendor:	oracle	model:	database	scope:	eq	version:	12.1.0.2	Trust: 1.0
vendor:	redhat	model:	jboss enterprise web server	scope:	eq	version:	2.0.0	Trust: 1.0
vendor:	python	model:	python	scope:	lt	version:	3.5.3	Trust: 1.0
vendor:	openssl	model:	openssl	scope:	eq	version:	1.0.1o	Trust: 1.0
vendor:	openssl	model:	openssl	scope:	eq	version:	1.0.1e	Trust: 1.0
vendor:	redhat	model:	jboss enterprise web server	scope:	eq	version:	1.0.0	Trust: 1.0
vendor:	openssl	model:	openssl	scope:	eq	version:	1.0.1a	Trust: 1.0
vendor:	openssl	model:	openssl	scope:	eq	version:	1.0.2f	Trust: 1.0
vendor:	openssl	model:	openssl	scope:	eq	version:	1.0.1i	Trust: 1.0
vendor:	openssl	model:	openssl	scope:	eq	version:	1.0.1r	Trust: 1.0
vendor:	openssl	model:	openssl	scope:	eq	version:	1.0.1k	Trust: 1.0
vendor:	openssl	model:	openssl	scope:	eq	version:	1.0.1n	Trust: 1.0
vendor:	openssl	model:	openssl	scope:	eq	version:	1.0.2a	Trust: 1.0
vendor:	openssl	model:	openssl	scope:	eq	version:	1.0.1m	Trust: 1.0
vendor:	日本電気	model:	webotx application server	scope:	-	version:	-	Trust: 0.8
vendor:	シスコシステムズ	model:	cisco コンテンツセキュリティ管理アプライアンス	scope:	-	version:	-	Trust: 0.8
vendor:	日立	model:	ucosminexus service architect	scope:	-	version:	-	Trust: 0.8
vendor:	日立	model:	ucosminexus developer standard	scope:	-	version:	-	Trust: 0.8
vendor:	日本電気	model:	enterpriseidentitymanager	scope:	-	version:	-	Trust: 0.8
vendor:	日立	model:	jp1/it desktop management	scope:	-	version:	-	Trust: 0.8
vendor:	日立	model:	hitachi application server for developers	scope:	-	version:	-	Trust: 0.8
vendor:	レッドハット	model:	red hat jboss web server	scope:	-	version:	-	Trust: 0.8
vendor:	日本電気	model:	ix2000シリーズ	scope:	-	version:	-	Trust: 0.8
vendor:	日立	model:	ucosminexus service platform	scope:	-	version:	-	Trust: 0.8
vendor:	日立	model:	ucosminexus application server standard	scope:	-	version:	-	Trust: 0.8
vendor:	日本電気	model:	esmpro/serveragentservice	scope:	-	version:	-	Trust: 0.8
vendor:	レッドハット	model:	red hat enterprise linux	scope:	-	version:	-	Trust: 0.8
vendor:	日本電気	model:	ix3000シリーズ	scope:	-	version:	-	Trust: 0.8
vendor:	日立	model:	cosminexus http server	scope:	-	version:	-	Trust: 0.8
vendor:	日本電気	model:	enterprisedirectoryserver	scope:	-	version:	-	Trust: 0.8
vendor:	python	model:	python	scope:	-	version:	-	Trust: 0.8
vendor:	日本電気	model:	ix1000シリーズ	scope:	-	version:	-	Trust: 0.8
vendor:	日立	model:	hitachi infrastructure analytics advisor	scope:	-	version:	-	Trust: 0.8
vendor:	日立	model:	job management partner 1/it desktop management	scope:	-	version:	-	Trust: 0.8
vendor:	日本電気	model:	express5800	scope:	-	version:	-	Trust: 0.8
vendor:	日立	model:	ucosminexus application server smart edition	scope:	-	version:	-	Trust: 0.8
vendor:	シスコシステムズ	model:	cisco asyncos	scope:	-	version:	-	Trust: 0.8
vendor:	日本電気	model:	webotx portal	scope:	-	version:	-	Trust: 0.8
vendor:	日本電気	model:	secureware/pkiアプリケーション開発キット	scope:	-	version:	-	Trust: 0.8
vendor:	日立	model:	ucosminexus application server	scope:	-	version:	-	Trust: 0.8
vendor:	日立	model:	ucosminexus developer light	scope:	-	version:	-	Trust: 0.8
vendor:	openssl	model:	openssl	scope:	-	version:	-	Trust: 0.8
vendor:	日立	model:	ucosminexus application server enterprise	scope:	-	version:	-	Trust: 0.8
vendor:	日立	model:	hitachi application server	scope:	-	version:	-	Trust: 0.8
vendor:	日本電気	model:	webotx enterprise service bus	scope:	-	version:	-	Trust: 0.8
vendor:	日立	model:	ucosminexus primary server	scope:	-	version:	-	Trust: 0.8
vendor:	日本電気	model:	esmpro/serveragent	scope:	-	version:	-	Trust: 0.8
vendor:	レッドハット	model:	jboss enterprise web server	scope:	-	version:	-	Trust: 0.8
vendor:	日本電気	model:	capssuite	scope:	-	version:	-	Trust: 0.8
vendor:	日立	model:	hitachi web server	scope:	-	version:	-	Trust: 0.8
vendor:	日立	model:	ucosminexus developer	scope:	-	version:	-	Trust: 0.8
vendor:	レッドハット	model:	jboss enterprise application platform	scope:	-	version:	-	Trust: 0.8

sources: JVNDB: JVNDB-2016-004511 // NVD: CVE-2016-2183

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2016-2183
value:	HIGH
Trust: 1.0
NVD:	CVE-2016-2183
value:	MEDIUM
Trust: 0.8
VULHUB:	VHN-91002
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2016-2183
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-91002
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2016-2183
baseSeverity:	HIGH
baseScore:	7.5
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	3.9
impactScore:	3.6
version:	3.1
Trust: 1.0
NVD:	CVE-2016-2183
baseSeverity:	MEDIUM
baseScore:	5.3
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	LOW
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: VULHUB: VHN-91002 // JVNDB: JVNDB-2016-004511 // NVD: CVE-2016-2183

PROBLEMTYPE DATA

problemtype:	CWE-200	Trust: 1.1
problemtype:	information leak (CWE-200) [NVD evaluation ]	Trust: 0.8

sources: VULHUB: VHN-91002 // JVNDB: JVNDB-2016-004511 // NVD: CVE-2016-2183

THREAT TYPE

remote

Trust: 0.2

sources: PACKETSTORM: 140977 // PACKETSTORM: 140718

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-91002

PATCH

title:

hitachi-sec-2017-119

url:

http://www-01.ibm.com/support/docview.wss?uid=swg21991482

Trust: 0.8

sources: JVNDB: JVNDB-2016-004511

EXTERNAL IDS

db:	NVD	id:	CVE-2016-2183	Trust: 3.6
db:	ICS CERT	id:	ICSMA-18-058-02	Trust: 1.9
db:	PACKETSTORM	id:	142756	Trust: 1.1
db:	SECTRACK	id:	1036696	Trust: 1.1
db:	PULSESECURE	id:	SA40312	Trust: 1.1
db:	BID	id:	92630	Trust: 1.1
db:	BID	id:	95568	Trust: 1.1
db:	TENABLE	id:	TNS-2017-09	Trust: 1.1
db:	TENABLE	id:	TNS-2016-21	Trust: 1.1
db:	TENABLE	id:	TNS-2016-20	Trust: 1.1
db:	TENABLE	id:	TNS-2016-16	Trust: 1.1
db:	MCAFEE	id:	SB10197	Trust: 1.1
db:	MCAFEE	id:	SB10310	Trust: 1.1
db:	MCAFEE	id:	SB10186	Trust: 1.1
db:	MCAFEE	id:	SB10215	Trust: 1.1
db:	MCAFEE	id:	SB10171	Trust: 1.1
db:	SIEMENS	id:	SSA-412672	Trust: 1.1
db:	JUNIPER	id:	JSA10759	Trust: 1.1
db:	EXPLOIT-DB	id:	42091	Trust: 1.1
db:	ICS CERT	id:	ICSA-22-160-01	Trust: 0.8
db:	ICS CERT	id:	ICSA-21-075-02	Trust: 0.8
db:	JVN	id:	JVNVU91550327	Trust: 0.8
db:	JVN	id:	JVNVU98667810	Trust: 0.8
db:	JVN	id:	JVNVU95298925	Trust: 0.8
db:	JVNDB	id:	JVNDB-2016-004511	Trust: 0.8
db:	PACKETSTORM	id:	141352	Trust: 0.2
db:	PACKETSTORM	id:	140718	Trust: 0.2
db:	PACKETSTORM	id:	141354	Trust: 0.2
db:	PACKETSTORM	id:	141555	Trust: 0.2
db:	PACKETSTORM	id:	145017	Trust: 0.2
db:	PACKETSTORM	id:	152978	Trust: 0.2
db:	PACKETSTORM	id:	140977	Trust: 0.2
db:	PACKETSTORM	id:	145018	Trust: 0.2
db:	PACKETSTORM	id:	159431	Trust: 0.2
db:	PACKETSTORM	id:	161320	Trust: 0.1
db:	PACKETSTORM	id:	148410	Trust: 0.1
db:	PACKETSTORM	id:	140708	Trust: 0.1
db:	PACKETSTORM	id:	143970	Trust: 0.1
db:	PACKETSTORM	id:	150303	Trust: 0.1
db:	PACKETSTORM	id:	143244	Trust: 0.1
db:	PACKETSTORM	id:	141100	Trust: 0.1
db:	PACKETSTORM	id:	140473	Trust: 0.1
db:	PACKETSTORM	id:	141111	Trust: 0.1
db:	PACKETSTORM	id:	144865	Trust: 0.1
db:	PACKETSTORM	id:	143549	Trust: 0.1
db:	PACKETSTORM	id:	140725	Trust: 0.1
db:	PACKETSTORM	id:	144869	Trust: 0.1
db:	PACKETSTORM	id:	142340	Trust: 0.1
db:	PACKETSTORM	id:	156451	Trust: 0.1
db:	PACKETSTORM	id:	140084	Trust: 0.1
db:	PACKETSTORM	id:	147581	Trust: 0.1
db:	PACKETSTORM	id:	154650	Trust: 0.1
db:	PACKETSTORM	id:	141353	Trust: 0.1
db:	CNNVD	id:	CNNVD-201608-448	Trust: 0.1
db:	VULHUB	id:	VHN-91002	Trust: 0.1

sources: VULHUB: VHN-91002 // PACKETSTORM: 159431 // PACKETSTORM: 141354 // PACKETSTORM: 140977 // PACKETSTORM: 140718 // PACKETSTORM: 141352 // PACKETSTORM: 145017 // PACKETSTORM: 152978 // PACKETSTORM: 145018 // PACKETSTORM: 141555 // JVNDB: JVNDB-2016-004511 // NVD: CVE-2016-2183

REFERENCES

url:	https://sweet32.info/	Trust: 1.9
url:	https://access.redhat.com/security/cve/cve-2016-2183	Trust: 1.8
url:	http://rhn.redhat.com/errata/rhsa-2017-0336.html	Trust: 1.2
url:	http://rhn.redhat.com/errata/rhsa-2017-0337.html	Trust: 1.2
url:	http://rhn.redhat.com/errata/rhsa-2017-0462.html	Trust: 1.2
url:	https://access.redhat.com/errata/rhsa-2017:3239	Trust: 1.2
url:	https://access.redhat.com/errata/rhsa-2017:3240	Trust: 1.2
url:	https://access.redhat.com/errata/rhsa-2019:1245	Trust: 1.2
url:	http://www.ubuntu.com/usn/usn-3179-1	Trust: 1.2
url:	http://www.ubuntu.com/usn/usn-3194-1	Trust: 1.2
url:	https://access.redhat.com/articles/2548661	Trust: 1.2
url:	http://www.securitytracker.com/id/1036696	Trust: 1.1
url:	http://www.securityfocus.com/archive/1/539885/100/0/threaded	Trust: 1.1
url:	http://www.securityfocus.com/archive/1/archive/1/539885/100/0/threaded	Trust: 1.1
url:	http://www.securityfocus.com/archive/1/archive/1/540129/100/0/threaded	Trust: 1.1
url:	http://www.securityfocus.com/archive/1/540341/100/0/threaded	Trust: 1.1
url:	http://www.securityfocus.com/archive/1/archive/1/540341/100/0/threaded	Trust: 1.1
url:	http://seclists.org/fulldisclosure/2017/may/105	Trust: 1.1
url:	http://seclists.org/fulldisclosure/2017/jul/31	Trust: 1.1
url:	http://www.securityfocus.com/archive/1/541104/100/0/threaded	Trust: 1.1
url:	http://www.securityfocus.com/archive/1/archive/1/541104/100/0/threaded	Trust: 1.1
url:	http://www.securityfocus.com/archive/1/542005/100/0/threaded	Trust: 1.1
url:	http://www.securityfocus.com/archive/1/archive/1/542005/100/0/threaded	Trust: 1.1
url:	https://seclists.org/bugtraq/2018/nov/21	Trust: 1.1
url:	https://www.exploit-db.com/exploits/42091/	Trust: 1.1
url:	http://www.securityfocus.com/bid/92630	Trust: 1.1
url:	http://www.securityfocus.com/bid/95568	Trust: 1.1
url:	http://www.debian.org/security/2016/dsa-3673	Trust: 1.1
url:	https://security.gentoo.org/glsa/201612-16	Trust: 1.1
url:	https://security.gentoo.org/glsa/201701-65	Trust: 1.1
url:	https://security.gentoo.org/glsa/201707-01	Trust: 1.1
url:	http://rhn.redhat.com/errata/rhsa-2017-0338.html	Trust: 1.1
url:	https://access.redhat.com/errata/rhsa-2017:1216	Trust: 1.1
url:	https://access.redhat.com/errata/rhsa-2017:2708	Trust: 1.1
url:	https://access.redhat.com/errata/rhsa-2017:2709	Trust: 1.1
url:	https://access.redhat.com/errata/rhsa-2017:2710	Trust: 1.1
url:	https://access.redhat.com/errata/rhsa-2017:3113	Trust: 1.1
url:	https://access.redhat.com/errata/rhsa-2017:3114	Trust: 1.1
url:	https://access.redhat.com/errata/rhsa-2018:2123	Trust: 1.1
url:	https://access.redhat.com/errata/rhsa-2019:2859	Trust: 1.1
url:	https://access.redhat.com/errata/rhsa-2020:0451	Trust: 1.1
url:	http://lists.opensuse.org/opensuse-security-announce/2016-09/msg00022.html	Trust: 1.1
url:	http://lists.opensuse.org/opensuse-security-announce/2016-09/msg00024.html	Trust: 1.1
url:	http://lists.opensuse.org/opensuse-security-announce/2016-10/msg00005.html	Trust: 1.1
url:	http://lists.opensuse.org/opensuse-security-announce/2016-10/msg00011.html	Trust: 1.1
url:	http://lists.opensuse.org/opensuse-security-announce/2016-10/msg00012.html	Trust: 1.1
url:	http://lists.opensuse.org/opensuse-security-announce/2016-10/msg00013.html	Trust: 1.1
url:	http://lists.opensuse.org/opensuse-security-announce/2017-01/msg00068.html	Trust: 1.1
url:	http://lists.opensuse.org/opensuse-security-announce/2017-02/msg00023.html	Trust: 1.1
url:	http://lists.opensuse.org/opensuse-security-announce/2017-02/msg00028.html	Trust: 1.1
url:	http://lists.opensuse.org/opensuse-security-announce/2017-05/msg00076.html	Trust: 1.1
url:	http://lists.opensuse.org/opensuse-security-announce/2017-10/msg00010.html	Trust: 1.1
url:	http://lists.opensuse.org/opensuse-security-announce/2017-10/msg00011.html	Trust: 1.1
url:	http://www.ubuntu.com/usn/usn-3087-1	Trust: 1.1
url:	http://www.ubuntu.com/usn/usn-3087-2	Trust: 1.1
url:	http://www.ubuntu.com/usn/usn-3198-1	Trust: 1.1
url:	http://www.ubuntu.com/usn/usn-3270-1	Trust: 1.1
url:	http://www.ubuntu.com/usn/usn-3372-1	Trust: 1.1
url:	https://www.ietf.org/mail-archive/web/tls/current/msg04560.html	Trust: 1.1
url:	http://packetstormsecurity.com/files/142756/ibm-informix-dynamic-server-dll-injection-code-execution.html	Trust: 1.1
url:	http://www-01.ibm.com/support/docview.wss?uid=nas8n1021697	Trust: 1.1
url:	http://www-01.ibm.com/support/docview.wss?uid=swg21991482	Trust: 1.1
url:	http://www-01.ibm.com/support/docview.wss?uid=swg21995039	Trust: 1.1
url:	http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20170322-01-openssl-en	Trust: 1.1
url:	http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html	Trust: 1.1
url:	http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html	Trust: 1.1
url:	http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html	Trust: 1.1
url:	http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html	Trust: 1.1
url:	http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html	Trust: 1.1
url:	http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.html	Trust: 1.1
url:	http://www.oracle.com/technetwork/topics/security/ovmbulletinoct2016-3090547.html	Trust: 1.1
url:	http://www.splunk.com/view/sp-caaapsv	Trust: 1.1
url:	http://www.splunk.com/view/sp-caaapue	Trust: 1.1
url:	https://blog.cryptographyengineering.com/2016/08/24/attack-of-week-64-bit-ciphers-in-tls/	Trust: 1.1
url:	https://bto.bluecoat.com/security-advisory/sa133	Trust: 1.1
url:	https://bugzilla.redhat.com/show_bug.cgi?id=1369383	Trust: 1.1
url:	https://cert-portal.siemens.com/productcert/pdf/ssa-412672.pdf	Trust: 1.1
url:	https://github.com/ssllabs/ssllabs-scan/issues/387#issuecomment-242514633	Trust: 1.1
url:	https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docdisplay?docid=emr_na-c05302448	Trust: 1.1
url:	https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docdisplay?docid=emr_na-c05309984	Trust: 1.1
url:	https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docdisplay?docid=emr_na-c05323116	Trust: 1.1
url:	https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docdisplay?docid=emr_na-c05349499	Trust: 1.1
url:	https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docdisplay?docid=emr_na-c05356388	Trust: 1.1
url:	https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docdisplay?docid=emr_na-c05369403	Trust: 1.1
url:	https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docdisplay?docid=emr_na-c05369415	Trust: 1.1
url:	https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docdisplay?docid=emr_na-c05385680	Trust: 1.1
url:	https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docdisplay?docid=emr_na-c05390722	Trust: 1.1
url:	https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docdisplay?docid=emr_na-c05390849	Trust: 1.1
url:	https://ics-cert.us-cert.gov/advisories/icsma-18-058-02	Trust: 1.1
url:	https://kb.pulsesecure.net/articles/pulse_security_advisories/sa40312	Trust: 1.1
url:	https://nakedsecurity.sophos.com/2016/08/25/anatomy-of-a-cryptographic-collision-the-sweet32-attack/	Trust: 1.1
url:	https://nodejs.org/en/blog/vulnerability/september-2016-security-releases/	Trust: 1.1
url:	https://security.netapp.com/advisory/ntap-20160915-0001/	Trust: 1.1
url:	https://security.netapp.com/advisory/ntap-20170119-0001/	Trust: 1.1
url:	https://softwaresupport.softwaregrp.com/document/-/facetsearch/document/km03158613	Trust: 1.1
url:	https://softwaresupport.softwaregrp.com/document/-/facetsearch/document/km03286178	Trust: 1.1
url:	https://support.f5.com/csp/article/k13167034	Trust: 1.1
url:	https://wiki.opendaylight.org/view/security_advisories	Trust: 1.1
url:	https://www.arista.com/en/support/advisories-notices/security-advisories/1749-security-advisory-24	Trust: 1.1
url:	https://www.mitel.com/en-ca/support/security-advisories/mitel-product-security-advisory-17-0008	Trust: 1.1
url:	https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2016/august/new-practical-attacks-on-64-bit-block-ciphers-3des-blowfish/	Trust: 1.1
url:	https://www.openssl.org/blog/blog/2016/08/24/sweet32/	Trust: 1.1
url:	https://www.oracle.com/security-alerts/cpuapr2020.html	Trust: 1.1
url:	https://www.oracle.com/security-alerts/cpujan2020.html	Trust: 1.1
url:	https://www.oracle.com/security-alerts/cpujul2020.html	Trust: 1.1
url:	https://www.oracle.com/security-alerts/cpuoct2020.html	Trust: 1.1
url:	https://www.oracle.com/security-alerts/cpuoct2021.html	Trust: 1.1
url:	https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html	Trust: 1.1
url:	https://www.sigsac.org/ccs/ccs2016/accepted-papers/	Trust: 1.1
url:	https://www.tenable.com/security/tns-2016-16	Trust: 1.1
url:	https://www.tenable.com/security/tns-2016-20	Trust: 1.1
url:	https://www.tenable.com/security/tns-2016-21	Trust: 1.1
url:	https://www.tenable.com/security/tns-2017-09	Trust: 1.1
url:	https://www.teskalabs.com/blog/teskalabs-bulletin-160826-seacat-sweet32-issue	Trust: 1.1
url:	http://lists.opensuse.org/opensuse-security-announce/2016-09/msg00023.html	Trust: 1.1
url:	http://lists.opensuse.org/opensuse-security-announce/2016-09/msg00031.html	Trust: 1.1
url:	http://lists.opensuse.org/opensuse-security-announce/2016-10/msg00021.html	Trust: 1.1
url:	http://lists.opensuse.org/opensuse-security-announce/2016-10/msg00029.html	Trust: 1.1
url:	http://lists.opensuse.org/opensuse-security-announce/2017-02/msg00003.html	Trust: 1.1
url:	http://lists.opensuse.org/opensuse-security-announce/2017-02/msg00032.html	Trust: 1.1
url:	http://lists.opensuse.org/opensuse-security-announce/2018-02/msg00032.html	Trust: 1.1
url:	https://h20566.www2.hpe.com/hpsc/doc/public/display?doclocale=en_us&docid=emr_na-c05390722	Trust: 1.0
url:	https://kc.mcafee.com/corporate/index?page=content&id=sb10186	Trust: 1.0
url:	https://h20566.www2.hpe.com/hpsc/doc/public/display?doclocale=en_us&docid=emr_na-c05302448	Trust: 1.0
url:	https://h20566.www2.hpe.com/hpsc/doc/public/display?doclocale=en_us&docid=emr_na-hpesbgn03765en_us	Trust: 1.0
url:	https://kc.mcafee.com/corporate/index?page=content&id=sb10197	Trust: 1.0
url:	https://kc.mcafee.com/corporate/index?page=content&id=sb10310	Trust: 1.0
url:	https://h20566.www2.hpe.com/hpsc/doc/public/display?doclocale=en_us&docid=emr_na-c05385680	Trust: 1.0
url:	https://kc.mcafee.com/corporate/index?page=content&id=sb10171	Trust: 1.0
url:	https://h20566.www2.hpe.com/hpsc/doc/public/display?doclocale=en_us&docid=emr_na-hpesbux03725en_us	Trust: 1.0
url:	https://www.vicarius.io/vsociety/posts/cve-2016-2183-detection-sweet32-vulnerability	Trust: 1.0
url:	https://h20566.www2.hpe.com/hpsc/doc/public/display?doclocale=en_us&docid=emr_na-c05369415	Trust: 1.0
url:	https://h20566.www2.hpe.com/hpsc/doc/public/display?doclocale=en_us&docid=emr_na-c05390849	Trust: 1.0
url:	https://h20566.www2.hpe.com/hpsc/doc/public/display?doclocale=en_us&docid=emr_na-c05369403	Trust: 1.0
url:	https://kc.mcafee.com/corporate/index?page=content&id=sb10215	Trust: 1.0
url:	https://www.vicarius.io/vsociety/posts/cve-2016-2183-mitigate-sweet32-vulnerability	Trust: 1.0
url:	http://kb.juniper.net/infocenter/index?page=content&id=jsa10759	Trust: 1.0
url:	https://nvd.nist.gov/vuln/detail/cve-2016-2183	Trust: 0.9
url:	http://jvn.jp/vu/jvnvu98667810/index.html	Trust: 0.8
url:	https://jvn.jp/vu/jvnvu91550327/	Trust: 0.8
url:	https://jvn.jp/vu/jvnvu95298925/	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2016-2183	Trust: 0.8
url:	https://www.us-cert.gov/ics/advisories/icsma-18-058-02	Trust: 0.8
url:	https://us-cert.cisa.gov/ics/advisories/icsa-21-075-02	Trust: 0.8
url:	https://www.cisa.gov/uscert/ics/advisories/icsa-22-160-01	Trust: 0.8
url:	http://www.bizmobile.co.jp/news_02.php?id=4069&nc=1	Trust: 0.8
url:	https://www.redhat.com/mailman/listinfo/rhsa-announce	Trust: 0.7
url:	https://bugzilla.redhat.com/):	Trust: 0.7
url:	https://access.redhat.com/security/team/contact/	Trust: 0.7
url:	https://access.redhat.com/articles/11258	Trust: 0.5
url:	https://nvd.nist.gov/vuln/detail/cve-2017-3253	Trust: 0.4
url:	https://nvd.nist.gov/vuln/detail/cve-2017-3289	Trust: 0.4
url:	https://nvd.nist.gov/vuln/detail/cve-2016-5546	Trust: 0.4
url:	https://nvd.nist.gov/vuln/detail/cve-2017-3261	Trust: 0.4
url:	https://nvd.nist.gov/vuln/detail/cve-2016-5547	Trust: 0.4
url:	https://nvd.nist.gov/vuln/detail/cve-2017-3241	Trust: 0.4
url:	https://nvd.nist.gov/vuln/detail/cve-2017-3231	Trust: 0.4
url:	https://nvd.nist.gov/vuln/detail/cve-2016-5552	Trust: 0.4
url:	https://nvd.nist.gov/vuln/detail/cve-2017-3252	Trust: 0.4
url:	https://nvd.nist.gov/vuln/detail/cve-2017-3272	Trust: 0.4
url:	https://nvd.nist.gov/vuln/detail/cve-2016-5548	Trust: 0.4
url:	https://access.redhat.com/security/team/key/	Trust: 0.4
url:	https://access.redhat.com/security/updates/classification/#moderate	Trust: 0.3
url:	https://nvd.nist.gov/vuln/detail/cve-2016-5549	Trust: 0.3
url:	https://developer.ibm.com/javasdk/support/security-vulnerabilities/	Trust: 0.3
url:	https://access.redhat.com/security/cve/cve-2017-3231	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2017-3259	Trust: 0.2
url:	https://access.redhat.com/security/updates/classification/#critical	Trust: 0.2
url:	https://access.redhat.com/security/cve/cve-2016-5548	Trust: 0.2
url:	https://access.redhat.com/security/cve/cve-2016-5549	Trust: 0.2
url:	https://access.redhat.com/security/cve/cve-2017-3253	Trust: 0.2
url:	https://access.redhat.com/security/cve/cve-2017-3252	Trust: 0.2
url:	https://access.redhat.com/security/cve/cve-2016-5547	Trust: 0.2
url:	https://access.redhat.com/security/cve/cve-2017-3259	Trust: 0.2
url:	https://access.redhat.com/security/cve/cve-2016-5552	Trust: 0.2
url:	https://access.redhat.com/security/cve/cve-2017-3272	Trust: 0.2
url:	https://access.redhat.com/security/cve/cve-2017-3241	Trust: 0.2
url:	https://access.redhat.com/security/cve/cve-2016-5546	Trust: 0.2
url:	https://access.redhat.com/security/cve/cve-2017-3261	Trust: 0.2
url:	https://access.redhat.com/security/cve/cve-2017-3289	Trust: 0.2
url:	https://access.redhat.com/security/cve/cve-2017-9798	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2017-9798	Trust: 0.2
url:	https://access.redhat.com/articles/3229231	Trust: 0.2
url:	https://access.redhat.com/security/cve/cve-2017-9788	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2017-9788	Trust: 0.2
url:	https://access.redhat.com/security/updates/classification/#important	Trust: 0.2
url:	http://kb.juniper.net/infocenter/index?page=content&id=jsa10759	Trust: 0.1
url:	https://h20566.www2.hpe.com/hpsc/doc/public/display?doclocale=en_us&docid=emr_na-c05302448	Trust: 0.1
url:	https://h20566.www2.hpe.com/hpsc/doc/public/display?doclocale=en_us&docid=emr_na-c05369403	Trust: 0.1
url:	https://h20566.www2.hpe.com/hpsc/doc/public/display?doclocale=en_us&docid=emr_na-c05369415	Trust: 0.1
url:	https://h20566.www2.hpe.com/hpsc/doc/public/display?doclocale=en_us&docid=emr_na-c05385680	Trust: 0.1
url:	https://h20566.www2.hpe.com/hpsc/doc/public/display?doclocale=en_us&docid=emr_na-c05390722	Trust: 0.1
url:	https://h20566.www2.hpe.com/hpsc/doc/public/display?doclocale=en_us&docid=emr_na-c05390849	Trust: 0.1
url:	https://h20566.www2.hpe.com/hpsc/doc/public/display?doclocale=en_us&docid=emr_na-hpesbgn03765en_us	Trust: 0.1
url:	https://h20566.www2.hpe.com/hpsc/doc/public/display?doclocale=en_us&docid=emr_na-hpesbux03725en_us	Trust: 0.1
url:	https://kc.mcafee.com/corporate/index?page=content&id=sb10171	Trust: 0.1
url:	https://kc.mcafee.com/corporate/index?page=content&id=sb10186	Trust: 0.1
url:	https://kc.mcafee.com/corporate/index?page=content&id=sb10197	Trust: 0.1
url:	https://kc.mcafee.com/corporate/index?page=content&id=sb10215	Trust: 0.1
url:	https://kc.mcafee.com/corporate/index?page=content&id=sb10310	Trust: 0.1
url:	https://access.redhat.com/errata/rhsa-2020:3842	Trust: 0.1
url:	https://docs.openshift.com/container-platform/4.5/updating/updating-cluster	Trust: 0.1
url:	https://docs.openshift.com/container-platform/4.5/release_notes/ocp-4-5-rel	Trust: 0.1
url:	https://launchpad.net/ubuntu/+source/openjdk-7/7u121-2.6.8-1ubuntu0.14.04.3	Trust: 0.1
url:	https://launchpad.net/ubuntu/+source/openjdk-8/8u121-b13-0ubuntu1.16.04.2	Trust: 0.1
url:	https://launchpad.net/ubuntu/+source/openjdk-8/8u121-b13-0ubuntu1.16.10.2	Trust: 0.1
url:	https://access.redhat.com/documentation/en/jboss-enterprise-application-platform/	Trust: 0.1
url:	https://access.redhat.com/jbossnetwork/restricted/listsoftware.html?product=appplatform&downloadtype=securitypatches&version=6.4	Trust: 0.1
url:	https://access.redhat.com/documentation/en/red-hat-jboss-enterprise-application-platform/	Trust: 0.1

CREDITS

Red Hat

Trust: 0.7

sources: PACKETSTORM: 159431 // PACKETSTORM: 141354 // PACKETSTORM: 141352 // PACKETSTORM: 145017 // PACKETSTORM: 152978 // PACKETSTORM: 145018 // PACKETSTORM: 141555

SOURCES

db:	VULHUB	id:	VHN-91002
db:	PACKETSTORM	id:	159431
db:	PACKETSTORM	id:	141354
db:	PACKETSTORM	id:	140977
db:	PACKETSTORM	id:	140718
db:	PACKETSTORM	id:	141352
db:	PACKETSTORM	id:	145017
db:	PACKETSTORM	id:	152978
db:	PACKETSTORM	id:	145018
db:	PACKETSTORM	id:	141555
db:	JVNDB	id:	JVNDB-2016-004511
db:	NVD	id:	CVE-2016-2183

LAST UPDATE DATE

2025-07-13T22:44:13.305000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-91002	date:	2023-02-12T00:00:00
db:	JVNDB	id:	JVNDB-2016-004511	date:	2022-06-13T05:39:00
db:	NVD	id:	CVE-2016-2183	date:	2025-04-12T10:46:40.837

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-91002	date:	2016-09-01T00:00:00
db:	PACKETSTORM	id:	159431	date:	2020-10-01T14:47:21
db:	PACKETSTORM	id:	141354	date:	2017-02-28T14:19:17
db:	PACKETSTORM	id:	140977	date:	2017-02-08T19:22:00
db:	PACKETSTORM	id:	140718	date:	2017-01-25T21:53:38
db:	PACKETSTORM	id:	141352	date:	2017-02-28T14:19:01
db:	PACKETSTORM	id:	145017	date:	2017-11-17T00:10:36
db:	PACKETSTORM	id:	152978	date:	2019-05-20T16:39:06
db:	PACKETSTORM	id:	145018	date:	2017-11-17T00:10:45
db:	PACKETSTORM	id:	141555	date:	2017-03-09T17:02:00
db:	JVNDB	id:	JVNDB-2016-004511	date:	2016-09-02T00:00:00
db:	NVD	id:	CVE-2016-2183	date:	2016-09-01T00:59:00.137