HPE SMH 7.5.5 contains OpenSSL version 1.0.2g which is vulnerable to CVE-2016-2107. When will embedded OpenSSL be updated to 1.0.2h? Or, will a patch be released to address this vulnerability?
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2107
Vendor details:
Padding oracle in AES-NI CBC MAC check (CVE-2016-2107) ====================================================== Severity: High A MITM attacker can use a padding oracle attack to decrypt traffic when the connection uses an AES CBC cipher and the server support AES-NI. This issue was introduced as part of the fix for Lucky 13 padding attack (CVE-2013-0169). The padding check was rewritten to be in constant time by making sure that always the same bytes are read and compared against either the MAC or padding bytes. But it no longer checked that there was enough data to have both the MAC and padding bytes. OpenSSL 1.0.2 users should upgrade to 1.0.2h