CVE-2019-1563

In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
3.7 LOW
NETWORK
HIGH
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 78%
Affected Products (NVD)
VendorProductVersion
opensslopenssl
1.0.2 ≤
𝑥
≤ 1.0.2s
opensslopenssl
1.1.0 ≤
𝑥
≤ 1.1.0k
opensslopenssl
1.1.1 ≤
𝑥
≤ 1.1.1c
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
openssl
bookworm
3.0.14-1~deb12u1
fixed
bookworm (security)
3.0.14-1~deb12u2
fixed
bullseye
1.1.1w-0+deb11u1
fixed
bullseye (security)
1.1.1w-0+deb11u2
fixed
sid
3.3.2-2
fixed
trixie
3.3.2-2
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
edk2
bionic
needed
disco
ignored
eoan
ignored
focal
not-affected
groovy
not-affected
hirsute
not-affected
impish
not-affected
jammy
not-affected
kinetic
not-affected
lunar
not-affected
mantic
not-affected
noble
not-affected
trusty
dne
xenial
needed
nodejs
bionic
not-affected
disco
not-affected
eoan
not-affected
focal
not-affected
groovy
not-affected
hirsute
not-affected
impish
not-affected
jammy
needed
kinetic
not-affected
lunar
not-affected
mantic
not-affected
noble
not-affected
trusty
not-affected
xenial
not-affected
openssl
bionic
Fixed 1.1.1-1ubuntu2.1~18.04.6
released
disco
ignored
eoan
Fixed 1.1.1c-1ubuntu4.1
released
focal
Fixed 1.1.1d-2ubuntu1
released
groovy
Fixed 1.1.1d-2ubuntu1
released
hirsute
Fixed 1.1.1d-2ubuntu1
released
impish
Fixed 1.1.1d-2ubuntu1
released
jammy
Fixed 1.1.1d-2ubuntu1
released
kinetic
Fixed 1.1.1d-2ubuntu1
released
lunar
Fixed 1.1.1d-2ubuntu1
released
mantic
Fixed 1.1.1d-2ubuntu1
released
noble
Fixed 1.1.1d-2ubuntu1
released
trusty
Fixed 1.0.1f-1ubuntu2.27+esm1
released
xenial
Fixed 1.0.2g-1ubuntu4.16
released
openssl1.0
bionic
Fixed 1.0.2n-1ubuntu5.4
released
disco
dne
eoan
dne
focal
dne
groovy
dne
hirsute
dne
impish
dne
jammy
dne
kinetic
dne
lunar
dne
mantic
dne
noble
dne
trusty
dne
xenial
dne
Red Hat logo
Red Hat Enterprise Linux Releases
Red Hat Product
Release
openssl
RHEL 8
1:1.1.1c-15.el8
fixed
openssl-devel
RHEL 8
1:1.1.1c-15.el8
fixed
openssl-libs
RHEL 8
1:1.1.1c-15.el8
fixed
openssl-perl
RHEL 8
1:1.1.1c-15.el8
fixed
Common Weakness Enumeration
References
http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00054.html
http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00072.html
http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00012.html
http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00016.html
http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html
https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=08229ad838c50f644d7e928e2eef147b4308ad64
https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=631f94db0065c78181ca9ba5546ebc8bb3884b97
https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f
https://kc.mcafee.com/corporate/index?page=content&id=SB10365
https://lists.debian.org/debian-lts-announce/2019/09/msg00026.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/
https://seclists.org/bugtraq/2019/Oct/0
https://seclists.org/bugtraq/2019/Oct/1
https://seclists.org/bugtraq/2019/Sep/25
https://security.gentoo.org/glsa/201911-04
https://security.netapp.com/advisory/ntap-20190919-0002/
https://support.f5.com/csp/article/K97324400?utm_source=f5support&amp%3Butm_medium=RSS
https://usn.ubuntu.com/4376-1/
https://usn.ubuntu.com/4376-2/
https://usn.ubuntu.com/4504-1/
https://www.debian.org/security/2019/dsa-4539
https://www.debian.org/security/2019/dsa-4540
https://www.openssl.org/news/secadv/20190910.txt
https://www.oracle.com/security-alerts/cpuapr2020.html
https://www.oracle.com/security-alerts/cpujan2020.html
https://www.oracle.com/security-alerts/cpujul2020.html
https://www.oracle.com/security-alerts/cpuoct2020.html
https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
https://www.tenable.com/security/tns-2019-09
http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00054.html
http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00072.html
http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00012.html
http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00016.html
http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html
https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=08229ad838c50f644d7e928e2eef147b4308ad64
https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=631f94db0065c78181ca9ba5546ebc8bb3884b97
https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f
https://kc.mcafee.com/corporate/index?page=content&id=SB10365
https://lists.debian.org/debian-lts-announce/2019/09/msg00026.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/
https://seclists.org/bugtraq/2019/Oct/0
https://seclists.org/bugtraq/2019/Oct/1
https://seclists.org/bugtraq/2019/Sep/25
https://security.gentoo.org/glsa/201911-04
https://security.netapp.com/advisory/ntap-20190919-0002/
https://support.f5.com/csp/article/K97324400?utm_source=f5support&amp%3Butm_medium=RSS
https://usn.ubuntu.com/4376-1/
https://usn.ubuntu.com/4376-2/
https://usn.ubuntu.com/4504-1/
https://www.debian.org/security/2019/dsa-4539
https://www.debian.org/security/2019/dsa-4540
https://www.openssl.org/news/secadv/20190910.txt
https://www.oracle.com/security-alerts/cpuapr2020.html
https://www.oracle.com/security-alerts/cpujan2020.html
https://www.oracle.com/security-alerts/cpujul2020.html
https://www.oracle.com/security-alerts/cpuoct2020.html
https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
https://www.tenable.com/security/tns-2019-09