Vulnerability in OpenSSL (CVE-2016-2107, CVE-2013-0169)

ID OPENSSL:CVE-2016-2107,CVE-2013-0169
Type openssl
Reporter OpenSSL
Modified 2016-05-03T00:00:00


A MITM attacker can use a padding oracle attack to decrypt traffic when the connection uses an AES CBC cipher and the server support AES-NI. This issue was introduced as part of the fix for Lucky 13 padding attack (CVE-2013-0169). The padding check was rewritten to be in constant time by making sure that always the same bytes are read and compared against either the MAC or padding bytes. But it no longer checked that there was enough data to have both the MAC and padding bytes. Reported by Juraj Somorovsky.