Home / Companies / Cloudflare / Blog / Post Details
Content Deep Dive

Yet Another Padding Oracle in OpenSSL CBC Ciphersuites

Blog post from Cloudflare

Post Details
Company
Date Published
Author
Filippo Valsorda
Word Count
2,239
Company Posts That Month
14
Language
English
Hacker News Points
54
Post removed?
No
Summary

A new vulnerability has been discovered in OpenSSL/LibreSSL, specifically a padding oracle in CBC mode decryption. This issue is similar to the Lucky13 vulnerability and was found using TLS-Attacker tool developed by Juraj Somorovsky. The vulnerability affects servers with AES-NI instructions and can be exploited to recover at least 16 bytes of data sent repeatedly just before attacker-controlled data, such as HTTP Cookies. CloudFlare websites are protected from this vulnerability, but customers supporting only AES-CBC should upgrade their systems as soon as possible.

Trends Found in this Post

No tracked trend matches for this post yet.

Use This Data

Use this post, company, and trend context to find content marketing opportunities, perform competitive analysis, or address product feature gaps via the Plushcap MCP server or the Plushcap API.