CVE-2016-2183
high
CVSS v3
7.5
CVSS v4 NEW
โ
VIR risk
7.5
Description
The DES and Triple DES ciphers, as used in the TLS, SSH, and IPSec protocols and other protocols and products, have a birthday bound of approximately four billion blocks, which makes it easier for remote attackers to obtain cleartext data via a birthday attack against a long-duration encrypted session, as demonstrated by an HTTPS session using Triple DES in CBC mode, aka a "Sweet32" attack.
Predictions
Exploit likelihood
83%
Patch ETA
โ
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or โ if you've already worked around this in production โ publish your fix to the community-verified tier.
โ Propose a mitigation on Community โ Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here withsource_tier=community-verified.
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| sles | affected | | |
| arch | fixed | 1:1.0.2.i-1 | |
| rhel | 5.0 | affected | |
| rhel | 6.0 | affected | |
| rhel | 7.0 | affected | |
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| redhat | jboss_enterprise_application_platform | 6.0.0 | |
| redhat | jboss_enterprise_web_server | 1.0.0 | |
| redhat | jboss_enterprise_web_server | 2.0.0 | |
| redhat | jboss_web_server | 3.0 | |
| python | python | {"startIncluding":"2.7.0","endExcluding":"2.7.13"} | 2.7.13 |
| cisco | content_security_management_appliance | 9.6.6-068 | |
| cisco | content_security_management_appliance | 9.7.0-006 | |
| openssl | openssl | 1.0.1a | |
| openssl | openssl | 1.0.1b | |
| openssl | openssl | 1.0.1c | |
| openssl | openssl | 1.0.1d | |
| openssl | openssl | 1.0.1e | |
| openssl | openssl | 1.0.1f | |
| openssl | openssl | 1.0.1g | |
| openssl | openssl | 1.0.1h | |
| openssl | openssl | 1.0.1i | |
| openssl | openssl | 1.0.1j | |
| openssl | openssl | 1.0.1k | |
| openssl | openssl | 1.0.1l | |
| openssl | openssl | 1.0.1m | |
| openssl | openssl | 1.0.1n | |
| openssl | openssl | 1.0.1o | |
| openssl | openssl | 1.0.1p | |
| openssl | openssl | 1.0.1q | |
| openssl | openssl | 1.0.1r | |
| openssl | openssl | 1.0.1t | |
| openssl | openssl | 1.0.2a | |
| openssl | openssl | 1.0.2b | |
| openssl | openssl | 1.0.2c | |
| openssl | openssl | 1.0.2d | |
| openssl | openssl | 1.0.2e | |
| openssl | openssl | 1.0.2f | |
| openssl | openssl | 1.0.2h | |
| oracle | database | 11.2.0.4 | |
| oracle | database | 12.1.0.2 | |
| nodejs | node.js | {"startIncluding":"0.10.0","endExcluding":"0.10.47"} | 0.10.47 |
| python | python | {"startIncluding":"3.4.0","endExcluding":"3.4.7"} | 3.4.7 |
| python | python | {"startIncluding":"3.5.0","endExcluding":"3.5.3"} | 3.5.3 |
| nodejs | node.js | {"startIncluding":"0.12.0","endExcluding":"0.12.16"} | 0.12.16 |
| nodejs | node.js | {"startIncluding":"4.0.0","endExcluding":"4.1.2"} | 4.1.2 |
| nodejs | node.js | {"startIncluding":"4.2.0","endExcluding":"4.6.0"} | 4.6.0 |
| nodejs | node.js | {"startIncluding":"6.0.0","endExcluding":"6.7.0"} | 6.7.0 |
References
- https://www.suse.com/security/cve/CVE-2016-2183.html
- https://security.archlinux.org/ASA-201609-24
- https://security.archlinux.org/ASA-201609-23
- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10759
- http://lists.opensuse.org/opensuse-security-announce/2016-09/msg00022.html
- http://lists.opensuse.org/opensuse-security-announce/2016-09/msg00023.html
- http://lists.opensuse.org/opensuse-security-announce/2016-09/msg00024.html
- http://lists.opensuse.org/opensuse-security-announce/2016-09/msg00031.html
- http://lists.opensuse.org/opensuse-security-announce/2016-10/msg00005.html
- http://lists.opensuse.org/opensuse-security-announce/2016-10/msg00011.html
- http://lists.opensuse.org/opensuse-security-announce/2016-10/msg00012.html
- http://lists.opensuse.org/opensuse-security-announce/2016-10/msg00013.html
- http://lists.opensuse.org/opensuse-security-announce/2016-10/msg00021.html
- http://lists.opensuse.org/opensuse-security-announce/2016-10/msg00029.html
- http://lists.opensuse.org/opensuse-security-announce/2017-01/msg00068.html
- http://lists.opensuse.org/opensuse-security-announce/2017-02/msg00003.html
- http://lists.opensuse.org/opensuse-security-announce/2017-02/msg00023.html
- http://lists.opensuse.org/opensuse-security-announce/2017-02/msg00028.html
- http://lists.opensuse.org/opensuse-security-announce/2017-02/msg00032.html
- http://lists.opensuse.org/opensuse-security-announce/2017-05/msg00076.html
- http://lists.opensuse.org/opensuse-security-announce/2017-10/msg00010.html
- http://lists.opensuse.org/opensuse-security-announce/2017-10/msg00011.html
- http://lists.opensuse.org/opensuse-security-announce/2018-02/msg00032.html
- http://packetstormsecurity.com/files/142756/IBM-Informix-Dynamic-Server-DLL-Injection-Code-Execution.html
- http://rhn.redhat.com/errata/RHSA-2017-0336.html
CWEs
CWE-200
Community-verified mitigations for this CVE will appear above when contributors publish them.
Verify integrity in audit chain (admin only). AS-IS.