CVE-2016-2178

Name: CVE-2016-2178
Creator: NVD / NIST
Published: 2016-06-20T01:59:03.023+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

MEDIUMCVSS 5.5/10EPSS 1.17%

Last modified Jun 17, 2026

CVE-2016-2178 is a medium-severity vulnerability rated 5.5/10 on the CVSS scale. The dsa_sign_setup function in crypto/dsa/dsa_ossl.c in OpenSSL through 1.0.2h does not properly ensure the use of constant-time operations, which makes it easier for local users to discover a DSA private key via a timing side-channel attack.. EPSS estimates a 1.17% chance of exploitation in the next 30 days.

Description

The dsa_sign_setup function in crypto/dsa/dsa_ossl.c in OpenSSL through 1.0.2h does not properly ensure the use of constant-time operations, which makes it easier for local users to discover a DSA private key via a timing side-channel attack.

Metrics

CVSS 3.1

5.5/10

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

EPSS Probability

1.17%

63.5th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-203

Affected Software

Vendor	Product	Versions
Openssl	Openssl	1.0.1
Openssl	Openssl	1.0.1a
Openssl	Openssl	1.0.1b
Openssl	Openssl	1.0.1c
Openssl	Openssl	1.0.1d
Openssl	Openssl	1.0.1e
Openssl	Openssl	1.0.1f
Openssl	Openssl	1.0.1g
Openssl	Openssl	1.0.1h
Openssl	Openssl	1.0.1i
Openssl	Openssl	1.0.1j
Openssl	Openssl	1.0.1k
Openssl	Openssl	1.0.1l
Openssl	Openssl	1.0.1m
Openssl	Openssl	1.0.1n
Openssl	Openssl	1.0.1o
Openssl	Openssl	1.0.1p
Openssl	Openssl	1.0.1q
Openssl	Openssl	1.0.1r
Openssl	Openssl	1.0.1s
Openssl	Openssl	1.0.1t
Openssl	Openssl	1.0.2
Openssl	Openssl	1.0.2a
Openssl	Openssl	1.0.2b
Openssl	Openssl	1.0.2c
Openssl	Openssl	1.0.2d
Openssl	Openssl	1.0.2e
Openssl	Openssl	1.0.2f
Openssl	Openssl	1.0.2g
Openssl	Openssl	1.0.2h
Oracle	Linux	5
Oracle	Linux	6
Oracle	Linux	7
Oracle	Solaris	10
Oracle	Solaris	11.3
Suse	Linux Enterprise	12.0
Nodejs	Node.Js	>= 0.10.0, < 0.10.47
Nodejs	Node.Js	>= 0.12.0, < 0.12.16
Nodejs	Node.Js	>= 4.0.0, <= 4.1.2
Nodejs	Node.Js	>= 4.2.0, < 4.6.0
Nodejs	Node.Js	>= 5.0.0, < 6.7.0
Debian	Debian Linux	8.0
Canonical	Ubuntu Linux	12.04
Canonical	Ubuntu Linux	14.04
Canonical	Ubuntu Linux	16.04

References

http://eprint.iacr.org/2016/594.pdfTechnical Description, Third Party Advisory
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10759Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2016-09/msg00022.htmlMailing List, Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2016-09/msg00023.htmlMailing List, Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2016-09/msg00024.htmlMailing List, Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2016-09/msg00031.htmlMailing List, Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2016-10/msg00005.htmlMailing List, Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2016-10/msg00011.htmlMailing List, Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2016-10/msg00012.htmlMailing List, Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2016-10/msg00013.htmlThird Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2016-10/msg00021.htmlMailing List, Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2016-10/msg00029.htmlMailing List, Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2017-10/msg00010.htmlMailing List, Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2017-10/msg00011.htmlMailing List, Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2018-02/msg00032.htmlMailing List, Third Party Advisory
http://rhn.redhat.com/errata/RHSA-2016-1940.htmlThird Party Advisory
http://rhn.redhat.com/errata/RHSA-2016-2957.htmlThird Party Advisory
http://rhn.redhat.com/errata/RHSA-2017-1659.htmlThird Party Advisory
http://seclists.org/fulldisclosure/2017/Jul/31Mailing List, Third Party Advisory
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160927-opensslThird Party Advisory
http://www-01.ibm.com/support/docview.wss?uid=swg21995039Third Party Advisory
http://www.debian.org/security/2016/dsa-3673Third Party Advisory
http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20170322-01-openssl-enThird Party Advisory
http://www.openwall.com/lists/oss-security/2016/06/08/10Mailing List, Third Party Advisory
http://www.openwall.com/lists/oss-security/2016/06/08/11Mailing List, Third Party Advisory
http://www.openwall.com/lists/oss-security/2016/06/08/12Mailing List, Third Party Advisory
http://www.openwall.com/lists/oss-security/2016/06/08/2Mailing List, Patch, Third Party Advisory
http://www.openwall.com/lists/oss-security/2016/06/08/4Mailing List, Third Party Advisory
http://www.openwall.com/lists/oss-security/2016/06/08/5Mailing List, Third Party Advisory
http://www.openwall.com/lists/oss-security/2016/06/08/6Mailing List, Third Party Advisory
http://www.openwall.com/lists/oss-security/2016/06/08/7Mailing List, Third Party Advisory
http://www.openwall.com/lists/oss-security/2016/06/08/8Mailing List, Third Party Advisory
http://www.openwall.com/lists/oss-security/2016/06/09/2Mailing List, Third Party Advisory
http://www.openwall.com/lists/oss-security/2016/06/09/8Mailing List, Third Party Advisory
http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.htmlPatch, Third Party Advisory
http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.htmlPatch, Third Party Advisory
http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.htmlPatch, Third Party Advisory
http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.htmlPatch, Third Party Advisory
http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.htmlPatch, Third Party Advisory
http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.htmlThird Party Advisory
http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.htmlThird Party Advisory
http://www.oracle.com/technetwork/topics/security/ovmbulletinoct2016-3090547.htmlThird Party Advisory
http://www.securityfocus.com/bid/91081Third Party Advisory, VDB Entry
http://www.securitytracker.com/id/1036054Third Party Advisory, VDB Entry
http://www.splunk.com/view/SP-CAAAPSVThird Party Advisory
http://www.splunk.com/view/SP-CAAAPUEThird Party Advisory
http://www.ubuntu.com/usn/USN-3087-1Third Party Advisory
http://www.ubuntu.com/usn/USN-3087-2Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:0193Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:0194Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:1658Third Party Advisory
https://bto.bluecoat.com/security-advisory/sa132Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=1343400Issue Tracking, Patch
https://cert-portal.siemens.com/productcert/pdf/ssa-412672.pdf
https://git.openssl.org/?p=openssl.git%3Ba=commit%3Bh=399944622df7bd81af62e67ea967c470534090e2
https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-c05302448Third Party Advisory
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05302448Third Party Advisory
https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA40312Third Party Advisory
https://kc.mcafee.com/corporate/index?page=content&id=SB10215Third Party Advisory
https://nodejs.org/en/blog/vulnerability/september-2016-security-releases/Third Party Advisory
https://security.FreeBSD.org/advisories/FreeBSD-SA-16:26.openssl.ascThird Party Advisory
https://security.gentoo.org/glsa/201612-16Third Party Advisory, VDB Entry
https://support.f5.com/csp/article/K53084033Third Party Advisory
https://support.hpe.com/hpsc/doc/public/display?docLocale=en&docId=emr_na-hpesbhf03856en_usThird Party Advisory
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03856en_usThird Party Advisory
https://www.arista.com/en/support/advisories-notices/security-advisories/1749-security-advisory-24Third Party Advisory
https://www.tenable.com/security/tns-2016-16Third Party Advisory
https://www.tenable.com/security/tns-2016-20Third Party Advisory
https://www.tenable.com/security/tns-2016-21Third Party Advisory
http://eprint.iacr.org/2016/594.pdfTechnical Description, Third Party Advisory
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10759Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2016-09/msg00022.htmlMailing List, Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2016-09/msg00023.htmlMailing List, Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2016-09/msg00024.htmlMailing List, Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2016-09/msg00031.htmlMailing List, Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2016-10/msg00005.htmlMailing List, Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2016-10/msg00011.htmlMailing List, Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2016-10/msg00012.htmlMailing List, Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2016-10/msg00013.htmlThird Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2016-10/msg00021.htmlMailing List, Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2016-10/msg00029.htmlMailing List, Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2017-10/msg00010.htmlMailing List, Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2017-10/msg00011.htmlMailing List, Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2018-02/msg00032.htmlMailing List, Third Party Advisory
http://rhn.redhat.com/errata/RHSA-2016-1940.htmlThird Party Advisory
http://rhn.redhat.com/errata/RHSA-2016-2957.htmlThird Party Advisory
http://rhn.redhat.com/errata/RHSA-2017-1659.htmlThird Party Advisory
http://seclists.org/fulldisclosure/2017/Jul/31Mailing List, Third Party Advisory
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160927-opensslThird Party Advisory
http://www-01.ibm.com/support/docview.wss?uid=swg21995039Third Party Advisory
http://www.debian.org/security/2016/dsa-3673Third Party Advisory
http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20170322-01-openssl-enThird Party Advisory
http://www.openwall.com/lists/oss-security/2016/06/08/10Mailing List, Third Party Advisory
http://www.openwall.com/lists/oss-security/2016/06/08/11Mailing List, Third Party Advisory
http://www.openwall.com/lists/oss-security/2016/06/08/12Mailing List, Third Party Advisory
http://www.openwall.com/lists/oss-security/2016/06/08/2Mailing List, Patch, Third Party Advisory
http://www.openwall.com/lists/oss-security/2016/06/08/4Mailing List, Third Party Advisory
http://www.openwall.com/lists/oss-security/2016/06/08/5Mailing List, Third Party Advisory
http://www.openwall.com/lists/oss-security/2016/06/08/6Mailing List, Third Party Advisory
http://www.openwall.com/lists/oss-security/2016/06/08/7Mailing List, Third Party Advisory
http://www.openwall.com/lists/oss-security/2016/06/08/8Mailing List, Third Party Advisory
http://www.openwall.com/lists/oss-security/2016/06/09/2Mailing List, Third Party Advisory
http://www.openwall.com/lists/oss-security/2016/06/09/8Mailing List, Third Party Advisory
http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.htmlPatch, Third Party Advisory
http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.htmlPatch, Third Party Advisory
http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.htmlPatch, Third Party Advisory
http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.htmlPatch, Third Party Advisory
http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.htmlPatch, Third Party Advisory
http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.htmlThird Party Advisory
http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.htmlThird Party Advisory
http://www.oracle.com/technetwork/topics/security/ovmbulletinoct2016-3090547.htmlThird Party Advisory
http://www.securityfocus.com/bid/91081Third Party Advisory, VDB Entry
http://www.securitytracker.com/id/1036054Third Party Advisory, VDB Entry
http://www.splunk.com/view/SP-CAAAPSVThird Party Advisory
http://www.splunk.com/view/SP-CAAAPUEThird Party Advisory
http://www.ubuntu.com/usn/USN-3087-1Third Party Advisory
http://www.ubuntu.com/usn/USN-3087-2Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:0193Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:0194Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:1658Third Party Advisory
https://bto.bluecoat.com/security-advisory/sa132Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=1343400Issue Tracking, Patch
https://cert-portal.siemens.com/productcert/pdf/ssa-412672.pdf
https://git.openssl.org/?p=openssl.git%3Ba=commit%3Bh=399944622df7bd81af62e67ea967c470534090e2
https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-c05302448Third Party Advisory
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05302448Third Party Advisory
https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA40312Third Party Advisory
https://kc.mcafee.com/corporate/index?page=content&id=SB10215Third Party Advisory
https://nodejs.org/en/blog/vulnerability/september-2016-security-releases/Third Party Advisory
https://security.FreeBSD.org/advisories/FreeBSD-SA-16:26.openssl.ascThird Party Advisory
https://security.gentoo.org/glsa/201612-16Third Party Advisory, VDB Entry
https://support.f5.com/csp/article/K53084033Third Party Advisory
https://support.hpe.com/hpsc/doc/public/display?docLocale=en&docId=emr_na-hpesbhf03856en_usThird Party Advisory
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03856en_usThird Party Advisory
https://www.arista.com/en/support/advisories-notices/security-advisories/1749-security-advisory-24Third Party Advisory
https://www.tenable.com/security/tns-2016-16Third Party Advisory
https://www.tenable.com/security/tns-2016-20Third Party Advisory
https://www.tenable.com/security/tns-2016-21Third Party Advisory

Timeline

Published: Jun 20, 2016
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2016-2178?

How severe is CVE-2016-2178?

CVE-2016-2178 has a CVSS score of 5.5/10 (MEDIUM severity). The EPSS model estimates a 1.17% probability of exploitation in the next 30 days.

How do I fix CVE-2016-2178?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2016-2178?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST