CVE-2016-2183 — HIGH (7.5) — White Hats Nepal

Q: How severe is CVE-2016-2183?

CVE-2016-2183 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2016-2183?

Check the references section above for vendor advisories and patch information. Affected products include: Redhat Jboss Enterprise Application Platform, Redhat Jboss Enterprise Web Server, Redhat Jboss Web Server, Redhat Enterprise Linux, Python Python.

Vulnerability Description

The DES and Triple DES ciphers, as used in the TLS, SSH, and IPSec protocols and other protocols and products, have a birthday bound of approximately four billion blocks, which makes it easier for remote attackers to obtain cleartext data via a birthday attack against a long-duration encrypted session, as demonstrated by an HTTPS session using Triple DES in CBC mode, aka a "Sweet32" attack.

CVSS Score

7.5

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

NONE

Availability

NONE

Affected Products

Vendor	Product	Versions
Redhat	Jboss Enterprise Application Platform	6.0.0
Redhat	Jboss Enterprise Web Server	1.0.0
Redhat	Jboss Web Server	3.0
Redhat	Enterprise Linux	5.0
Python	Python	>= 2.7.0, < 2.7.13
Cisco	Content Security Management Appliance	9.6.6-068
Openssl	Openssl	1.0.1a
Oracle	Database	11.2.0.4
Nodejs	Node.Js	>= 0.10.0, < 0.10.47

Related Weaknesses (CWE)

CWE-200

References

http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10759Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2016-09/msg00022.htmlMailing ListThird Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2016-09/msg00023.htmlMailing ListThird Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2016-09/msg00024.htmlMailing ListThird Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2016-09/msg00031.htmlMailing ListThird Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2016-10/msg00005.htmlMailing ListThird Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2016-10/msg00011.htmlMailing ListThird Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2016-10/msg00012.htmlMailing ListThird Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2016-10/msg00013.htmlThird Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2016-10/msg00021.htmlMailing ListThird Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2016-10/msg00029.htmlMailing ListThird Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2017-01/msg00068.htmlMailing ListThird Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2017-02/msg00003.htmlMailing ListThird Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2017-02/msg00023.htmlMailing ListThird Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2017-02/msg00028.htmlMailing ListThird Party Advisory

FAQ

What is CVE-2016-2183?

CVE-2016-2183 is a vulnerability with a CVSS score of 7.5 (HIGH). The DES and Triple DES ciphers, as used in the TLS, SSH, and IPSec protocols and other protocols and products, have a birthday bound of approximately four billion blocks, which makes it easier for rem...

How severe is CVE-2016-2183?

CVE-2016-2183 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2016-2183?

Check the references section above for vendor advisories and patch information. Affected products include: Redhat Jboss Enterprise Application Platform, Redhat Jboss Enterprise Web Server, Redhat Jboss Web Server, Redhat Enterprise Linux, Python Python.