CVE - CVE-2019-1559

CVE-ID
CVE-2019-1559	Learn more at National Vulnerability Database (NVD) • CVSS Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings • CPE Information
Description
If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 byte record is received with an invalid MAC. If the application then behaves differently based on that in a way that is detectable to the remote peer, then this amounts to a padding oracle that could be used to decrypt data. In order for this to be exploitable "non-stitched" ciphersuites must be in use. Stitched ciphersuites are optimised implementations of certain commonly used ciphersuites. Also the application must call SSL_shutdown() twice even if a protocol error has occurred (applications should not do this but some do anyway). Fixed in OpenSSL 1.0.2r (Affected 1.0.2-1.0.2q).
References
Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.
BID:107174 URL:http://www.securityfocus.com/bid/107174 CONFIRM:https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e9bbefbf0f24c57645e7ad6a5a71ae649d18ac8e URL:https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e9bbefbf0f24c57645e7ad6a5a71ae649d18ac8e CONFIRM:https://kc.mcafee.com/corporate/index?page=content&id=SB10282 URL:https://kc.mcafee.com/corporate/index?page=content&id=SB10282 CONFIRM:https://security.netapp.com/advisory/ntap-20190301-0001/ URL:https://security.netapp.com/advisory/ntap-20190301-0001/ CONFIRM:https://security.netapp.com/advisory/ntap-20190301-0002/ URL:https://security.netapp.com/advisory/ntap-20190301-0002/ CONFIRM:https://security.netapp.com/advisory/ntap-20190423-0002/ URL:https://security.netapp.com/advisory/ntap-20190423-0002/ CONFIRM:https://support.f5.com/csp/article/K18549143 URL:https://support.f5.com/csp/article/K18549143 CONFIRM:https://support.f5.com/csp/article/K18549143?utm_source=f5support&utm_medium=RSS URL:https://support.f5.com/csp/article/K18549143?utm_source=f5support&utm_medium=RSS CONFIRM:https://www.openssl.org/news/secadv/20190226.txt URL:https://www.openssl.org/news/secadv/20190226.txt CONFIRM:https://www.tenable.com/security/tns-2019-02 URL:https://www.tenable.com/security/tns-2019-02 CONFIRM:https://www.tenable.com/security/tns-2019-03 URL:https://www.tenable.com/security/tns-2019-03 DEBIAN:DSA-4400 URL:https://www.debian.org/security/2019/dsa-4400 FEDORA:FEDORA-2019-00c25b9379 URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZBEV5QGDRFUZDMNECFXUSN5FMYOZDE4V/ FEDORA:FEDORA-2019-9a0a7c0986 URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y3IVFGSERAZLNJCK35TEM2R4726XIH3Z/ FEDORA:FEDORA-2019-db06efdea1 URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EWC42UXL5GHTU5G77VKBF6JYUUNGSHOM/ GENTOO:GLSA-201903-10 URL:https://security.gentoo.org/glsa/201903-10 MISC:https://www.oracle.com/security-alerts/cpujan2020.html URL:https://www.oracle.com/security-alerts/cpujan2020.html MISC:https://www.oracle.com/security-alerts/cpujan2021.html URL:https://www.oracle.com/security-alerts/cpujan2021.html MISC:https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html URL:https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html MISC:https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html URL:https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html MISC:https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html URL:https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html MLIST:[debian-lts-announce] 20190301 [SECURITY] [DLA 1701-1] openssl security update URL:https://lists.debian.org/debian-lts-announce/2019/03/msg00003.html REDHAT:RHSA-2019:2304 URL:https://access.redhat.com/errata/RHSA-2019:2304 REDHAT:RHSA-2019:2437 URL:https://access.redhat.com/errata/RHSA-2019:2437 REDHAT:RHSA-2019:2439 URL:https://access.redhat.com/errata/RHSA-2019:2439 REDHAT:RHSA-2019:2471 URL:https://access.redhat.com/errata/RHSA-2019:2471 REDHAT:RHSA-2019:3929 URL:https://access.redhat.com/errata/RHSA-2019:3929 REDHAT:RHSA-2019:3931 URL:https://access.redhat.com/errata/RHSA-2019:3931 SUSE:openSUSE-SU-2019:1076 URL:http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00041.html SUSE:openSUSE-SU-2019:1105 URL:http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00019.html SUSE:openSUSE-SU-2019:1173 URL:http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00046.html SUSE:openSUSE-SU-2019:1175 URL:http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00047.html SUSE:openSUSE-SU-2019:1432 URL:http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00049.html SUSE:openSUSE-SU-2019:1637 URL:http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00080.html UBUNTU:USN-3899-1 URL:https://usn.ubuntu.com/3899-1/ UBUNTU:USN-4376-2 URL:https://usn.ubuntu.com/4376-2/
Assigning CNA
OpenSSL Software Foundation
Date Record Created
20181128	Disclaimer: The record creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
Phase (Legacy)
Assigned (20181128)
Votes (Legacy)

Comments (Legacy)

Proposed (Legacy)
N/A
This is an record on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.
Search CVE Using Keywords: You can also search by reference using the CVE Reference Maps.
For More Information: CVE Request Web Form (select "Other" from dropdown)