- Community Home
- >
- Servers and Operating Systems
- >
- HPE ProLiant
- >
- Server Management - Systems Insight Manager
- >
- HPE SMH 7.5.5 vulnerable to CVE-2016-2107
Categories
Company
Local Language
Forums
Discussions
Forums
- Data Protection and Retention
- Entry Storage Systems
- Legacy
- Midrange and Enterprise Storage
- Storage Networking
- HPE Nimble Storage
Discussions
Discussions
Discussions
Forums
Discussions
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
- BladeSystem Infrastructure and Application Solutions
- Appliance Servers
- Alpha Servers
- BackOffice Products
- Internet Products
- HPE 9000 and HPE e3000 Servers
- Networking
- Netservers
- Secure OS Software for Linux
- Server Management (Insight Manager 7)
- Windows Server 2003
- Operating System - Tru64 Unix
- ProLiant Deployment and Provisioning
- Linux-Based Community / Regional
- Microsoft System Center Integration
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Community
Resources
Forums
Blogs
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Printer Friendly Page
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
05-31-2016 10:04 AM
05-31-2016 10:04 AM
HPE SMH 7.5.5 vulnerable to CVE-2016-2107
HPE SMH 7.5.5 contains OpenSSL version 1.0.2g which is vulnerable to CVE-2016-2107. When will embedded OpenSSL be updated to 1.0.2h? Or, will a patch be released to address this vulnerability?
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2107
Vendor details:
Padding oracle in AES-NI CBC MAC check (CVE-2016-2107) ====================================================== Severity: High A MITM attacker can use a padding oracle attack to decrypt traffic when the connection uses an AES CBC cipher and the server support AES-NI. This issue was introduced as part of the fix for Lucky 13 padding attack (CVE-2013-0169). The padding check was rewritten to be in constant time by making sure that always the same bytes are read and compared against either the MAC or padding bytes. But it no longer checked that there was enough data to have both the MAC and padding bytes. OpenSSL 1.0.2 users should upgrade to 1.0.2h
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
06-01-2016 12:29 AM
06-01-2016 12:29 AM
Re: HPE SMH 7.5.5 vulnerable to CVE-2016-2107
The latest SMH is the 7.5.5.6, the strange thing is that the release date of this file is in the future. (august 15th)
Still the 1.0.2G version, you could try to increase security by changing the IP restricted Login to the range that you connect from, so not the whole world. You can also change binding if you have more than one Interface to have SMH to listen to the OOB interface and not production. All these don't fix the problem but if you can't access the SMH you can't use the exploit.
- PHP to version 5.5.31
- Curl to version 7.47.0
- OpenSSL to version 1.0.2g
- Libxml2 to version libxml2-2.9.
Andrew