This article applies to BoKS Manager 6.7.0, 6.7.1 and 7.0.0

Description

CVE-2016-2107 - The AES-NI implementation in OpenSSL 1.0.1 before 1.0.1t and 1.0.2 before 1.0.2h does not consider memory allocation during a certain padding check, which allows remote attackers to obtain sensitive clear text information via a padding-oracle attack against an AES CBC session.

A man-in-the-middle attacker can use a padding oracle attack to decrypt traffic when the connection uses an AES CBC cipher and the server supports AES-NI. The vulnerability only affects Intel/AMD platforms that support AES-NI instructions for hardware crypto acceleration.

Resolution / Workaround

Apply hotfix HFBM-0118 (for BoKS 6.7.0 and 6.7.1) or hotfix HFBM-0119 (for BoKS 7.0), whichever matches your installed version; both are available for download from the HelpSystems Community Portal.

These hotfixes include an updated version of the OpenSSL library used in BoKS to make BoKS TLS/SSL servers resistant to this type of attack.
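As an added triage helper (not part of this advisory or of BoKS), the script below applies the two conditions the description gives: the OpenSSL release is before 1.0.1t or before 1.0.2h, and the host CPU advertises AES-NI. It parses an `openssl version`-style banner and a `/proc/cpuinfo`-style flags line; the sample banners and cpuinfo text are constructed for offline use. It assumes that the system `openssl` binary reflects the library BoKS links against, which may not hold once the hotfix ships its own updated copy, so confirm the version of the library actually loaded by the BoKS TLS/SSL servers rather than relying on the system binary alone.

```python
"""Triage helper for CVE-2016-2107 exposure (constructed example, not BoKS code)."""
import re
import subprocess

# Fixed releases named in the advisory: 1.0.1t and 1.0.2h.
FIXED_PATCH_LETTER = {"1.0.1": "t", "1.0.2": "h"}

VERSION_RE = re.compile(r"(\d+\.\d+\.\d+)([a-z]*)")


def parse_openssl_version(banner):
    """Extract (base, patch_letter) from text such as 'OpenSSL 1.0.1r 28 Jan 2016'.

    Returns ('1.0.1', 'r'); a release with no patch letter yields ''.
    """
    m = VERSION_RE.search(banner)
    if m is None:
        raise ValueError(f"no OpenSSL version found in {banner!r}")
    return m.group(1), m.group(2)


def version_is_affected(banner):
    """True when the banner names an OpenSSL release before 1.0.1t or before 1.0.2h."""
    base, letter = parse_openssl_version(banner)
    fixed = FIXED_PATCH_LETTER.get(base)
    if fixed is None:
        return False  # the advisory lists only the 1.0.1 and 1.0.2 branches
    # Patch levels on these branches are single lowercase letters, so a plain
    # string comparison orders them correctly; '' (no letter) sorts first.
    return letter < fixed


def cpu_has_aesni(cpuinfo_text):
    """True when any 'flags' line of /proc/cpuinfo-style text lists 'aes'."""
    for line in cpuinfo_text.splitlines():
        if line.startswith("flags"):
            flags = line.split(":", 1)[1].split()
            if "aes" in flags:
                return True
    return False


def triage(banner, cpuinfo_text):
    """Combine both checks; exposure needs the affected code *and* AES-NI."""
    affected = version_is_affected(banner)
    aesni = cpu_has_aesni(cpuinfo_text)
    return {
        "openssl_affected": affected,
        "aesni_present": aesni,
        "exposed": affected and aesni,
    }


# Constructed sample inputs for offline use.
SAMPLE_CPUINFO_AESNI = (
    "processor\t: 0\n"
    "vendor_id\t: GenuineIntel\n"
    "flags\t\t: fpu vme sse2 ssse3 aes avx\n"
)
SAMPLE_CPUINFO_NO_AESNI = (
    "processor\t: 0\n"
    "flags\t\t: fpu vme sse2 ssse3\n"
)


def local_triage():
    """Run the checks against this host (best effort; None if unavailable)."""
    try:
        banner = subprocess.run(["openssl", "version"], capture_output=True,
                                text=True, check=True).stdout
        with open("/proc/cpuinfo") as fh:
            cpuinfo = fh.read()
    except (OSError, subprocess.CalledProcessError):
        return None
    return triage(banner, cpuinfo)


if __name__ == "__main__":
    print(triage("OpenSSL 1.0.1r 28 Jan 2016", SAMPLE_CPUINFO_AESNI))
    print(local_triage())
```

A host that reports `exposed: False` only because AES-NI is absent still runs the affected code; apply the hotfix anyway, since the CPU check describes current exploitability, not whether the library is patched.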



Last Modified On: May 25, 2018