CVE-2016-6225

Published: Mar 23, 2017Modified: May 13, 2026

5.9

Vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Exploitability: 2.2 / Impact: 3.6

Source: NVD

Description

xbcrypt in Percona XtraBackup before 2.3.6 and 2.4.x before 2.4.5 does not properly set the initialization vector (IV) for encryption, which makes it easier for context-dependent attackers to obtain sensitive information from encrypted backup files via a Chosen-Plaintext attack. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-6394.

Affected (10)

Products: Percona: Xtrabackup · Opensuse: Leap · Fedoraproject: Fedora

1 product

1 product

1 product

Configuration A

6 vulnerable

Vulnerable Software	Affected Versions
Percona Xtrabackup	Up to 2.3.5
Percona Xtrabackup	Version 2.4.0 rc1
Percona Xtrabackup	Version 2.4.1
Percona Xtrabackup	Version 2.4.2
Percona Xtrabackup	Version 2.4.3
Percona Xtrabackup	Version 2.4.4

Configuration B

2 vulnerable

Vulnerable Software	Affected Versions
Opensuse Leap	Version 42.1
Opensuse Leap	Version 42.2

Configuration C

2 vulnerable

Vulnerable Software	Affected Versions
Fedoraproject Fedora	Version 24
Fedoraproject Fedora	Version 25

Related CWEs

Inadequate Encryption Strength

The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.

References (16)

http://lists.opensuse.org/opensuse-updates/2017-01/msg00125.html

Source: cve@mitre.org

Third Party Advisory

http://lists.opensuse.org/opensuse-updates/2017-01/msg00126.html

Source: cve@mitre.org

Third Party Advisory

https://bugs.launchpad.net/percona-xtrabackup/+bug/1643949

Source: cve@mitre.org

Issue TrackingPatchThird Party Advisory

https://github.com/percona/percona-xtrabackup/pull/266

Source: cve@mitre.org

Issue TrackingPatchThird Party Advisory

https://github.com/percona/percona-xtrabackup/pull/267

Source: cve@mitre.org

Issue TrackingPatchThird Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BAHI6ETS22FJCMLW7A6SICFKQXF5G2VI/

Source: cve@mitre.org

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZBVCP6KLFVGG6HSGLHLTMZRD6C4IJSZP/

Source: cve@mitre.org

https://www.percona.com/blog/2017/01/12/cve-2016-6225-percona-xtrabackup-encryption-iv-not-set-properly/

Source: cve@mitre.org

Vendor Advisory

http://lists.opensuse.org/opensuse-updates/2017-01/msg00125.html

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

http://lists.opensuse.org/opensuse-updates/2017-01/msg00126.html

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://bugs.launchpad.net/percona-xtrabackup/+bug/1643949

Source: af854a3a-2127-422b-91ae-364da2661108

Issue TrackingPatchThird Party Advisory

https://github.com/percona/percona-xtrabackup/pull/266

Source: af854a3a-2127-422b-91ae-364da2661108

Issue TrackingPatchThird Party Advisory

https://github.com/percona/percona-xtrabackup/pull/267

Source: af854a3a-2127-422b-91ae-364da2661108

Issue TrackingPatchThird Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BAHI6ETS22FJCMLW7A6SICFKQXF5G2VI/

Source: af854a3a-2127-422b-91ae-364da2661108

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZBVCP6KLFVGG6HSGLHLTMZRD6C4IJSZP/

Source: af854a3a-2127-422b-91ae-364da2661108

https://www.percona.com/blog/2017/01/12/cve-2016-6225-percona-xtrabackup-encryption-iv-not-set-properly/

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.