Description
Cytrix has detected that the Version of Apache HTTP Server being used has a Cryptographic Issue (CWE-310).
Weaknesses in this category are related to the design and implementation of data confidentiality and integrity. Frequently, these deal with the use of encoding techniques, encryption libraries, and hashing algorithms.
Also known as CVE-2016-0736.
Attackers abuse the fact that mod_session_crypto is encrypting its data/cookie using the configured ciphers with possibly either CBC or ECB modes of operation (AES256-CBC by default) and there’s no selectable or builtin authenticated encryption.
This would allow attacker to initiate padding oracle attacks, specifically with CBC.
Recommendation
To fix CVE-2016-0736, upgrade the version of Apache HTTP Server being used to 2.4.25.
References
https://cve.mitre.org/cgi-bin/cvename.cgi?name=2016-0736