
CVE-2016-2107 potential false positive

Question asked by Royce Williams on Feb 28, 2017
Latest reply on Mar 1, 2017 by Royce Williams

Both of these sites are detected as being vulnerable to CVE-2016-2107:


However, using RUB-NDS's TLS-Attacker with this syntax:


java -jar TLS-Attacker-1.2.jar padding_oracle -connect hostname:443


... only the second one appears to be. (Note that is expired, but this should be unrelated to the test for CVE-2016-2107.)


$ grep vulnerable *.out
[main] CONSOLE de.rub.nds.tlsattacker.attacks.impl.PaddingOracleAttack -, NOT vulnerable, one message found: [
[main] CONSOLE de.rub.nds.tlsattacker.attacks.impl.PaddingOracleAttack -, Vulnerable (?), more messages found, recheck in debug mode: [


An admin of confirms that Apache on that system is linked to OpenSSL 1.0.1p, which should be patched for this vulnerability, and which is consistent with the TLS-Attacker output.
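The thread combines two signals that a defender usually has when triaging a CVE-2016-2107 finding: the per-host verdict line from TLS-Attacker's padding_oracle check, and the OpenSSL version string an admin reports. The script below is an added example, not part of the thread and not TLS-Attacker or Qualys code. It parses grep'd verdict lines of the shape shown above (the hostnames and the bracketed message list are constructed placeholders, since the post elides them) and compares the reported version against the upstream OpenSSL releases that first shipped the fix, 1.0.1t and 1.0.2h (OpenSSL Security Advisory, 3 May 2016). The version comparison is deliberately treated as a first-pass signal only: distributions often backport the fix without changing the version string, so a "clean" scan on an older-looking version is normal and a disagreement between the two signals is a reason to rerun the tool in debug mode and check the vendor changelog, not a verdict on its own.

```python
"""Triage helper for CVE-2016-2107 scanner results.

Added example: combines a TLS-Attacker padding_oracle verdict line with the
OpenSSL version an admin reports for the same host. Hostnames and the
bracketed message lists in SAMPLE_SCAN_OUTPUT are constructed placeholders.
"""
import re

# Upstream releases that first contain the CVE-2016-2107 fix, per branch.
# 1.1.0 and later were never affected, so they have no entry.
FIXED_IN = {(1, 0, 1): "1.0.1t", (1, 0, 2): "1.0.2h"}

_VER_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)$")


def parse_openssl_version(s):
    """'1.0.1p' -> (1, 0, 1, 'p'); a missing letter sorts before 'a'."""
    m = _VER_RE.match(s.strip())
    if not m:
        raise ValueError("unrecognised OpenSSL version: %r" % s)
    major, minor, fix, letter = m.groups()
    return (int(major), int(minor), int(fix), letter)


def version_says_fixed(version):
    """True/False if the upstream version string is at or after the fix
    release for its branch; None if the branch is not one the advisory lists.
    Vendor-backported builds (e.g. a distro's 1.0.1e carrying the patch) will
    read as False here, so False means 'verify with the vendor', not 'proven'."""
    v = parse_openssl_version(version)
    fixed = FIXED_IN.get(v[:3])
    if fixed is None:
        return None
    return v >= parse_openssl_version(fixed)


def parse_scan_line(line):
    """Classify one grep'd TLS-Attacker PaddingOracleAttack line.
    Returns (source_file, verdict) with verdict 'not_vulnerable' or
    'vulnerable_recheck' (the tool itself asks for a debug-mode recheck),
    or None for lines that are not verdict lines."""
    src, sep, rest = line.partition(":[main]")
    if not sep:                      # no 'file:' prefix, e.g. a single .out file
        src, rest = "", line
    if "PaddingOracleAttack" not in rest:
        return None
    if "NOT vulnerable" in rest:
        return (src, "not_vulnerable")
    if "Vulnerable (?)" in rest:
        return (src, "vulnerable_recheck")
    return None


def triage(scan_verdict, openssl_version=None):
    """Combine the scanner verdict with the (optional) reported version.

    'clean'                 scanner clean, version at/after fix or unknown
    'clean_verify_backport' scanner clean, version predates the upstream fix:
                            typical of vendor backports, confirm via changelog
    'vulnerable'            scanner flags it and the version predates the fix
    'conflict_recheck'      scanner flags it but the version is at/after the
                            fix (or on an unaffected branch): rerun in debug mode
    'recheck'               scanner flags it and no version is known
    """
    fixed = None if openssl_version is None else version_says_fixed(openssl_version)
    if scan_verdict == "not_vulnerable":
        return "clean_verify_backport" if fixed is False else "clean"
    if openssl_version is None:
        return "recheck"
    if fixed is False:
        return "vulnerable"
    return "conflict_recheck"


def triage_report(scan_output, versions):
    """Triage every verdict line in grep output; `versions` maps the grep
    source file name to the OpenSSL version reported for that host."""
    report = {}
    for line in scan_output.splitlines():
        parsed = parse_scan_line(line)
        if parsed is None:
            continue
        src, verdict = parsed
        report[src] = triage(verdict, versions.get(src))
    return report


# Constructed sample in the shape of `grep vulnerable *.out` (placeholders).
_VERDICT = "[main] CONSOLE de.rub.nds.tlsattacker.attacks.impl.PaddingOracleAttack -, "
SAMPLE_SCAN_OUTPUT = (
    "web1.example.out:" + _VERDICT + "NOT vulnerable, one message found: [ ...elided... ]\n"
    "web1.example.out:[main] INFO  unrelated log line that grep also matched\n"
    "web2.example.out:" + _VERDICT + "Vulnerable (?), more messages found, recheck in debug mode: [ ...elided... ]\n"
    "web3.example.out:" + _VERDICT + "Vulnerable (?), more messages found, recheck in debug mode: [ ...elided... ]\n"
    "web4.example.out:" + _VERDICT + "Vulnerable (?), more messages found, recheck in debug mode: [ ...elided... ]\n"
)
SAMPLE_VERSIONS = {"web1.example.out": "1.0.2h", "web2.example.out": "1.0.2g",
                   "web3.example.out": "1.0.1u"}   # web4: version unknown

if __name__ == "__main__":
    for host, state in sorted(triage_report(SAMPLE_SCAN_OUTPUT, SAMPLE_VERSIONS).items()):
        print("%-20s %s" % (host, state))
```

Run it as-is to see the four sample hosts land in four different triage states; in practice feed it the real grep output and a dict of versions gathered from the admins, and treat anything other than 'clean' or 'vulnerable' as a prompt to rerun TLS-Attacker in debug mode rather than as a conclusion.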