HPE Community read-only access December 15, 2018
This is a maintenance upgrade. You will be able to read articles and posts, but not post or reply.
Dec 15, 4:00 am to 10:00 am UTC
Dec 14, 10:00 pm CST to Dec 15, 4:00 am CST
Dec 14, 8:00 pm PST to Dec 15, 2:00 am PST
Server Management - Systems Insight Manager
Showing results for 
Search instead for 
Did you mean: 

HPE SMH 7.5.5 vulnerable to CVE-2016-2107

Occasional Contributor

HPE SMH 7.5.5 vulnerable to CVE-2016-2107

HPE SMH 7.5.5 contains OpenSSL version 1.0.2g which is vulnerable to CVE-2016-2107.  When will embedded OpenSSL be updated to 1.0.2h?  Or, will a patch be released to address this vulnerability?


Vendor details:

Padding oracle in AES-NI CBC MAC check (CVE-2016-2107)

Severity: High

A MITM attacker can use a padding oracle attack to decrypt traffic
when the connection uses an AES CBC cipher and the server support

This issue was introduced as part of the fix for Lucky 13 padding
attack (CVE-2013-0169). The padding check was rewritten to be in
constant time by making sure that always the same bytes are read and
compared against either the MAC or padding bytes. But it no longer
checked that there was enough data to have both the MAC and padding

OpenSSL 1.0.2 users should upgrade to 1.0.2h


Honored Contributor

Re: HPE SMH 7.5.5 vulnerable to CVE-2016-2107

The latest SMH is the, the strange thing is that the release date of this file is in the future. (august 15th)

Still the 1.0.2G version, you could try to increase security by changing the IP restricted Login to the range that you connect from, so not the whole world. You can also change binding if you have more than one Interface to have SMH to listen to the OOB interface and not production. All these don't fix the problem but if you can't access the SMH you can't use the exploit.


    • PHP to version 5.5.31
    • Curl to version 7.47.0
    • OpenSSL to version 1.0.2g
    • Libxml2 to version libxml2-2.9.
Kind regards,