CVE-2016-0736: High severity Apple macOS High Sierra vulnerability

apache. Multiple issues were addressed by updating to version 2.4.27.

In Apache HTTP Server versions 2.4.0 to 2.4.23, modsessioncrypto was encrypting its data/cookie using the configured ciphers with possibly either CBC or ECB modes of operation (AES256-CBC by default), hence no selectable or builtin authenticated encryption. This made it vulnerable to padding oracle attacks, particularly with CBC.

— MITRE

It was found that session data/cookies presented to modsessioncrypto were not authenticated that can lead to deciphering or tampering with a padding oracle attack.

Affects version 2.4.x up to 2.4.23

External References:

https://httpd.apache.org/security/vulnerabilities24.html#2.4.25 https://www.redteam-pentesting.de/advisories/rt-sa-2016-001.txt

— Red Hat