CVE-2019-1559

If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one), OpenSSL can respond differently to the calling application depending on whether a 0-byte record was received with invalid padding or with an invalid MAC. If the application then behaves differently based on that in a way that is detectable to the remote peer, this amounts to a padding oracle that could be used to decrypt data.

Two conditions must both hold for this to be exploitable. First, a "non-stitched" CBC ciphersuite must be in use: padding only exists in CBC-mode suites, and stitched ciphersuites (optimised implementations of certain commonly used ciphersuites) take a different code path that is not affected. Second, the application must call SSL_shutdown() twice even after a protocol error has occurred. Applications should not do this (SSL_shutdown(3) states that it must not be called once SSL_get_error() has reported SSL_ERROR_SSL or SSL_ERROR_SYSCALL), but some do anyway.

Fixed in OpenSSL 1.0.2r (affected: 1.0.2 through 1.0.2q).
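Two checks a practitioner wants after reading the advisory are "is the OpenSSL I link against in the affected range?" and "which of my negotiable ciphersuites are CBC, i.e. the only ones that can feed this oracle?". The following is an added example, written for this page and not OpenSSL project code. It takes only the upstream affected range (1.0.2 ≤ x < 1.0.2r) from the advisory; the cipher-name classification heuristic, the assumption about which CBC suites are stitched on x86 AES-NI builds, and the AEAD-only cipher string used as an interim mitigation are my own choices and are labelled as such in the comments.

```python
"""Client/server-side checks for CVE-2019-1559 exposure.

Added example, not OpenSSL project code. The upstream affected range
(1.0.2 <= x < 1.0.2r) is taken from the advisory text above; everything
else here (cipher-name heuristic, the hardened cipher string) is my own.
"""
import re
import ssl
from typing import List, Tuple

# Upstream affected range from the advisory: 1.0.2 (no letter) through 1.0.2q.
_AFFECTED_LOW = (1, 0, 2, "")
_FIXED = (1, 0, 2, "r")

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(text: str) -> Tuple[int, int, int, str]:
    """Turn '1.0.2q' or 'OpenSSL 1.0.2q  20 Nov 2018' (ssl.OPENSSL_VERSION,
    `openssl version`) into a tuple that sorts correctly. OpenSSL 1.0.x patch
    releases use a letter suffix, so '' (1.0.2) < 'a' < ... < 'q' < 'r'."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no OpenSSL version in {text!r}")
    major, minor, fix, letter = m.groups()
    return (int(major), int(minor), int(fix), letter)


def upstream_version_affected(text: str) -> bool:
    """True when the reported upstream version lies in 1.0.2 <= x < 1.0.2r.

    Caveat: distributions backport the fix without changing this string
    (Ubuntu xenial ships it as 1.0.2g-1ubuntu4.15 and still reports 1.0.2g),
    so True means "unpatched unless the package changelog says otherwise";
    False is reliable."""
    return _AFFECTED_LOW <= parse_openssl_version(text) < _FIXED


# Substrings that rule out CBC in an OpenSSL cipher name: AEAD suites
# (GCM, CCM, ChaCha20-Poly1305), the RC4 stream cipher and NULL encryption.
_NOT_CBC = ("GCM", "CCM", "CHACHA20", "POLY1305", "RC4", "NULL")
_MAC_SUFFIXES = ("SHA", "SHA256", "SHA384", "MD5")


def is_cbc_suite(openssl_name: str) -> bool:
    """Classify an OpenSSL cipher name as a CBC (MAC-then-encrypt) suite.

    Only CBC suites carry TLS padding, so only they can feed this oracle.
    Whether a given CBC suite is "stitched" depends on the build and CPU
    (assumption: AES-CBC with SHA-1/SHA-256 on x86 AES-NI builds is), so
    the conservative posture is to treat every CBC suite as exposed."""
    name = openssl_name.upper()
    if any(marker in name for marker in _NOT_CBC):
        return False
    return name.split("-")[-1] in _MAC_SUFFIXES


def cbc_suites(ctx: ssl.SSLContext) -> List[str]:
    """Names of the CBC suites a context would still offer or accept."""
    return [c["name"] for c in ctx.get_ciphers() if is_cbc_suite(c["name"])]


def hardened_context(purpose: ssl.Purpose = ssl.Purpose.SERVER_AUTH) -> ssl.SSLContext:
    """Mitigation while the library cannot be upgraded: drop every CBC suite
    so the oracle has no padded records to probe. The AEAD-only cipher
    string is my choice, not something the advisory prescribes."""
    ctx = ssl.create_default_context(purpose)
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:DHE+CHACHA20:!aNULL:!eNULL")
    return ctx


if __name__ == "__main__":
    print("linked:", ssl.OPENSSL_VERSION)
    print("in upstream affected range:", upstream_version_affected(ssl.OPENSSL_VERSION))
    print("CBC suites, default context:", cbc_suites(ssl.create_default_context()))
    print("CBC suites, hardened context:", cbc_suites(hardened_context()))
```

The version check is deliberately a two-sided test: a False result clears the library, but a True result on a distribution build only means "check the package version against the vendor tables below", because backports keep the upstream string. Removing CBC suites addresses the oracle regardless of how the application handles SSL_shutdown(), which is useful when the application is a third-party binary you cannot fix; the real fix remains upgrading to 1.0.2r or a patched distribution package.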
Provider   Type   Base Score   Atk. Vector   Atk. Complexity   Priv. Required   Vector
NIST       NIST   5.9 MEDIUM   NETWORK       HIGH              NONE             CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
openssl    CNA    ---          ---           ---               ---              ---
CVE        ADP    ---          ---           ---               ---              ---

EPSS Score: percentile 88%
Vendor | Product | Version
openssl | openssl | 1.0.2 ≤ x < 1.0.2r
canonical | ubuntu_linux | 16.04; 18.04; 18.10
debian | debian_linux | 8.0; 9.0
netapp | active_iq_unified_manager | 7.3 ≤ x; 9.5 ≤ x; -
netapp | altavault | -
netapp | cloud_backup | -
netapp | clustered_data_ontap_antivirus_connector | -
netapp | element_software | -
netapp | hci_management_node | -
netapp | hyper_converged_infrastructure | -
netapp | oncommand_insight | -
netapp | oncommand_unified_manager | -
netapp | oncommand_unified_manager_core_package | -
netapp | oncommand_workflow_automation | -
netapp | ontap_select_deploy | -
netapp | ontap_select_deploy_administration_utility | -
netapp | santricity_smi-s_provider | -
netapp | service_processor | -
netapp | smi-s_provider | -
netapp | snapcenter | -
netapp | snapdrive | -
netapp | snapprotect | -
netapp | solidfire | -
netapp | steelstore_cloud_integrated_storage | -
netapp | storage_automation_store | -
netapp | storagegrid | 9.0.0 ≤ x ≤ 9.0.4; -
netapp | hci_compute_node | -
f5 | big-ip_access_policy_manager | 12.1.0 ≤ x ≤ 12.1.5; 13.0.0 ≤ x ≤ 13.1.3; 14.0.0 ≤ x ≤ 14.1.2; 15.0.0 ≤ x ≤ 15.1.0
f5 | big-ip_advanced_firewall_manager | 12.1.0 ≤ x ≤ 12.1.5; 13.0.0 ≤ x ≤ 13.1.3; 14.0.0 ≤ x ≤ 14.1.2; 15.0.0 ≤ x ≤ 15.1.0
f5 | big-ip_analytics | 12.1.0 ≤ x ≤ 12.1.5; 13.0.0 ≤ x ≤ 13.1.3; 14.0.0 ≤ x ≤ 14.1.2; 15.0.0 ≤ x ≤ 15.1.0
f5 | big-ip_application_acceleration_manager | 12.1.0 ≤ x ≤ 12.1.5; 13.0.0 ≤ x ≤ 13.1.3; 14.0.0 ≤ x ≤ 14.1.2; 15.0.0 ≤ x ≤ 15.1.0
f5 | big-ip_application_security_manager | 12.1.0 ≤ x ≤ 12.1.5; 13.0.0 ≤ x ≤ 13.1.3; 14.0.0 ≤ x ≤ 14.1.2; 15.0.0 ≤ x ≤ 15.1.0
f5 | big-ip_domain_name_system | 12.1.0 ≤ x ≤ 12.1.5; 13.0.0 ≤ x ≤ 13.1.3; 14.0.0 ≤ x ≤ 14.1.2; 15.0.0 ≤ x ≤ 15.1.0
f5 | big-ip_edge_gateway | 12.1.0 ≤ x ≤ 12.1.5; 13.0.0 ≤ x ≤ 13.1.3; 14.0.0 ≤ x ≤ 14.1.2; 15.0.0 ≤ x ≤ 15.1.0
f5 | big-ip_fraud_protection_service | 12.1.0 ≤ x ≤ 12.1.5; 13.0.0 ≤ x ≤ 13.1.3; 14.0.0 ≤ x ≤ 14.1.2; 15.0.0 ≤ x ≤ 15.1.0
f5 | big-ip_global_traffic_manager | 12.1.0 ≤ x ≤ 12.1.5; 13.0.0 ≤ x ≤ 13.1.3; 14.0.0 ≤ x ≤ 14.1.2; 15.0.0 ≤ x ≤ 15.1.0
f5 | big-ip_link_controller | 12.1.0 ≤ x ≤ 12.1.5; 13.0.0 ≤ x ≤ 13.1.3; 14.0.0 ≤ x ≤ 14.1.2; 15.0.0 ≤ x ≤ 15.1.0
f5 | big-ip_local_traffic_manager | 12.1.0 ≤ x ≤ 12.1.5; 13.0.0 ≤ x ≤ 13.1.3; 14.0.0 ≤ x ≤ 14.1.2; 15.0.0 ≤ x ≤ 15.1.0
f5 | big-ip_policy_enforcement_manager | 12.1.0 ≤ x ≤ 12.1.5; 13.0.0 ≤ x ≤ 13.1.3; 14.0.0 ≤ x ≤ 14.1.2; 15.0.0 ≤ x ≤ 15.1.0
f5 | big-ip_webaccelerator | 12.1.0 ≤ x ≤ 12.1.5; 13.0.0 ≤ x ≤ 13.1.3; 14.0.0 ≤ x ≤ 14.1.2; 15.0.0 ≤ x ≤ 15.1.0
f5 | big-iq_centralized_management | 6.0.0 ≤ x ≤ 6.1.0; 7.0.0 ≤ x ≤ 7.1.0
f5 | traffix_signaling_delivery_controller | 5.0.0 ≤ x ≤ 5.1.0; 4.4.0
tenable | nessus | x ≤ 8.2.3
opensuse | leap | 15.0; 15.1; 42.3
netapp | cn1610_firmware | -
netapp | a320_firmware | -
netapp | c190_firmware | -
netapp | a220_firmware | -
netapp | fas2720_firmware | -
netapp | fas2750_firmware | -
netapp | a800_firmware | -
mcafee | agent | 5.6.0 ≤ x ≤ 5.6.4
mcafee | data_exchange_layer | 4.0.0 ≤ x < 6.0.0
mcafee | threat_intelligence_exchange_server | 2.0.0 ≤ x < 3.0.0
mcafee | web_gateway | 7.0.0 ≤ x < 9.0.0
redhat | jboss_enterprise_web_server | 5.0.0
redhat | virtualization | 4.0
redhat | virtualization_host | 4.0
redhat | enterprise_linux_desktop | 6.0; 7.0
redhat | enterprise_linux_server | 6.0; 7.0
redhat | enterprise_linux_workstation | 6.0; 7.0
oracle | api_gateway | 11.1.2.4.0
oracle | business_intelligence | 11.1.1.9.0; 12.2.1.3.0; 12.2.1.4.0
oracle | communications_diameter_signaling_router | 8.0.0; 8.1; 8.2; 8.3; 8.4
oracle | communications_performance_intelligence_center | 10.4.0.2
oracle | communications_session_border_controller | 7.4; 8.0.0; 8.1.0; 8.2; 8.3
oracle | communications_session_router | 7.4; 8.0; 8.1; 8.2; 8.3
oracle | communications_unified_session_manager | 7.3.5; 8.2.5
oracle | endeca_server | 7.7.0
oracle | enterprise_manager_base_platform | 12.1.0.5.0; 13.2.0.0.0; 13.3.0.0.0
oracle | enterprise_manager_ops_center | 12.3.3; 12.4.0
oracle | jd_edwards_enterpriseone_tools | 9.2
oracle | mysql | 5.6.0 ≤ x ≤ 5.6.43; 5.7.0 ≤ x ≤ 5.7.25; 8.0.0 ≤ x ≤ 8.0.15
oracle | mysql_enterprise_monitor | x ≤ 4.0.8; 8.0.0 ≤ x ≤ 8.0.14
oracle | mysql_workbench | x ≤ 8.0.16
oracle | peoplesoft_enterprise_peopletools | 8.55; 8.56; 8.57
oracle | secure_global_desktop | 5.4
oracle | services_tools_bundle | 19.2
paloaltonetworks | pan-os | 7.1.0 ≤ x < 7.1.15; 8.0.0 ≤ x < 8.0.20; 8.1.0 ≤ x < 8.1.8; 9.0.0 ≤ x < 9.0.2
nodejs | node.js | 6.0.0 ≤ x ≤ 6.8.1; 6.9.0 ≤ x < 6.17.0; 8.0.0 ≤ x ≤ 8.8.1; 8.9.0 ≤ x < 8.15.1

x = vulnerable software versions
- = no version range given by the data source
Debian Releases (package: openssl)
Codename              Version            Status
bullseye              1.1.1w-0+deb11u1   fixed
bullseye (security)   1.1.1w-0+deb11u2   fixed
bookworm              3.0.14-1~deb12u1   fixed
bookworm (security)   3.0.14-1~deb12u2   fixed
sid                   3.3.2-2            fixed
trixie                3.3.2-2            fixed
Ubuntu Releases
Package      Codename   Status
nodejs       focal      not-affected
nodejs       eoan       not-affected
nodejs       disco      not-affected
nodejs       cosmic     not-affected
nodejs       bionic     not-affected
nodejs       xenial     not-affected
nodejs       trusty     not-affected
openssl      focal      not-affected
openssl      eoan       not-affected
openssl      disco      not-affected
openssl      cosmic     not-affected
openssl      bionic     not-affected
openssl      xenial     fixed in 1.0.2g-1ubuntu4.15 (released)
openssl      trusty     fixed in 1.0.1f-1ubuntu2.27+esm1 (released)
openssl098   focal      dne
openssl098   eoan       dne
openssl098   disco      dne
openssl098   cosmic     dne
openssl098   bionic     dne
openssl098   xenial     dne
openssl098   trusty     dne
openssl1.0   focal      dne
openssl1.0   eoan       dne
openssl1.0   disco      dne
openssl1.0   cosmic     fixed in 1.0.2n-1ubuntu6.2 (released)
openssl1.0   bionic     fixed in 1.0.2n-1ubuntu5.3 (released)
openssl1.0   xenial     dne
openssl1.0   trusty     dne

dne = the package does not exist in that release

Note that the Ubuntu fixes are backports: the patched xenial and bionic packages still report upstream versions 1.0.2g and 1.0.2n, and trusty received a fix for 1.0.1f, which lies outside the upstream 1.0.2 range. On these systems the package version, not the string printed by `openssl version`, is what determines whether the fix is present.
References