CVE-2016-2107 is a padding oracle vulnerability in OpenSSL (versions before 1.0.1t and 1.0.2h) in the AES-NI implementation of the CBC (Cipher Block Chaining) cipher suites' MAC check. Because the CBC padding is not validated correctly, a man-in-the-middle (MITM) attacker can use the server as a padding oracle and decrypt traffic whenever an AES-CBC suite is negotiated and the server uses AES-NI.
Vulnerability scans return the following against PAM nodes:

Source: The Exploit-DB
  Reference: CVE-2016-2107
  Description: OpenSSL - Padding Oracle in AES-NI CBC MAC Check (The Exploit-DB Ref: 39768)

Source: exploitdb
  Reference: CVE-2016-2107
  Description: OpenSSL - Padding Oracle in AES-NI CBC MAC Check
  Reference: CVE-2016-2107
  Description: OpenSSL - Weak KDF (Key Derivation Function)

Source: 0day.today
  Reference: CVE-2016-2107
  Description: OpenSSL - Padding Oracle in AES-NI CBC MAC Check

Source: github-exploits
  Reference: CVE-2016-2107
  Description: FiloSottile/CVE-2016-2107 exploit repository
PAM has TLS (Transport Layer Security) 1.0 and 1.1 enabled. Those protocol versions have no AEAD (GCM) cipher suites, so any connection negotiated over them uses a CBC suite, which is exactly what the scanner flags.
Disable TLS 1.0 and 1.1 (PAM UI >> Configuration >> Security >> Access >> TLS v1.0/1.1 Connection Allowed). Once only TLS 1.2 is accepted, PAM negotiates from its TLS 1.2 cipher list, which uses the stronger GCM (Galois/Counter Mode) suites rather than CBC suites, so the padding oracle no longer applies.
To confirm the exact ciphers in use for TLS 1.2, check the PAM UI:
PAM UI >> Configuration >> Security >> Cryptography >> TLS 1.2 ciphers
Verify that this list contains no CBC suites. In OpenSSL notation a CBC suite does not say "CBC": it is any AES suite whose name does not contain GCM, for example ECDHE-RSA-AES128-SHA or AES256-SHA256. The scanner finding depends on a CBC suite being negotiable, so the protocol change only closes the finding if the TLS 1.2 list is CBC-free as well.
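As an added check (this script is not part of the PAM product or of the scanner output above), the following POSIX shell script probes a PAM node with `openssl s_client` and reports whether TLS 1.0/1.1 still complete a handshake and whether any CBC suite is negotiable over TLS 1.2, which is the condition the finding depends on. The script name, the host and port arguments, and the sample transcript are assumptions; with no arguments it only runs its parser over a constructed transcript.

```shell
#!/bin/sh
# Added check for this article (hypothetical script, not part of PAM or the
# scanner). It probes a PAM node with `openssl s_client` to confirm that
# TLS 1.0/1.1 are refused and that no CBC suite is negotiable under TLS 1.2.
# Usage: sh check_pam_tls.sh <pam-host> [port]   (host and port are assumptions)
# With no arguments it only runs the parser against a constructed transcript.

# Extract the negotiated cipher from an `openssl s_client` transcript on stdin.
# Prints the suite name, or nothing when no handshake completed (s_client
# then prints "Cipher    : 0000").
negotiated_cipher() {
    sed -n 's/^ *Cipher *: *\([^ ]*\) *$/\1/p' | grep -v '^0000$' | head -n 1
}

# Classify an OpenSSL suite name by record protection. OpenSSL names do not
# contain "CBC": any TLS <= 1.2 block-cipher suite that is not GCM, CCM or
# ChaCha20-Poly1305 is a CBC suite (e.g. ECDHE-RSA-AES128-SHA, AES256-SHA256).
cipher_mode() {
    case "$1" in
        '')                      echo none ;;
        *GCM*|*CCM*|*CHACHA20*)  echo aead ;;
        *RC4*)                   echo rc4 ;;
        *NULL*)                  echo null ;;
        *)                       echo cbc ;;
    esac
}

# TLS 1.2 CBC suites (OpenSSL names) to offer; if the server picks any of
# these, CBC is still enabled for TLS 1.2.
CBC_SUITES='ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA'

# One handshake attempt: probe HOST PORT [s_client options...]; prints the
# negotiated suite or nothing. An s_client built without TLS 1.0/1.1 support
# rejects -tls1/-tls1_1 itself, which also shows up here as "nothing negotiated".
probe() {
    host=$1; port=$2; shift 2
    echo | openssl s_client -connect "$host:$port" -servername "$host" "$@" 2>/dev/null \
        | negotiated_cipher
}

# Full report for one PAM node: protocol checks, then the CBC-under-TLS-1.2 check.
report() {
    host=$1; port=${2:-443}
    for proto in tls1 tls1_1; do
        c=$(probe "$host" "$port" "-$proto")
        if [ -n "$c" ]; then echo "FAIL: $proto still negotiates ($c)"
        else                 echo "ok:   $proto refused"; fi
    done
    c=$(probe "$host" "$port" -tls1_2 -cipher "$CBC_SUITES")
    if [ "$(cipher_mode "$c")" = cbc ]; then
        echo "FAIL: TLS 1.2 still accepts CBC suite $c (padding-oracle exposure remains)"
    else
        echo "ok:   TLS 1.2 refused every CBC suite offered"
    fi
}

# Constructed sample transcript (not captured from a real PAM node) so the
# parser can be exercised offline.
SAMPLE_TRANSCRIPT='CONNECTED(00000003)
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-SHA
Server public key is 2048 bit
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-SHA'

# Parse the constructed transcript; prints "<suite> <mode>".
demo_parse() {
    c=$(printf '%s\n' "$SAMPLE_TRANSCRIPT" | negotiated_cipher)
    echo "$c $(cipher_mode "$c")"
}

if [ "$#" -ge 1 ]; then report "$@"; else demo_parse; fi
```

Run it once per PAM node after changing the setting. The three handshake attempts reproduce what the scanner is testing: a TLS 1.0 or 1.1 handshake succeeding, or a TLS 1.2 handshake that lands on a CBC suite, means the finding will come back. Note that an OpenSSL client built without TLS 1.0/1.1 support cannot test those two protocols and will report them as refused regardless of the server.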