CVSS Base Score: 5.9

CVE-2019-1559

If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one), then OpenSSL can respond differently to the calling application if a 0-byte record is received with invalid padding compared to if a 0-byte record is received with an invalid MAC. If the application then behaves differently based on that in a way that is detectable to the remote peer, then this amounts to a padding oracle that could be used to decrypt data. In order for this to be exploitable, "non-stitched" ciphersuites must be in use. Stitched ciphersuites are optimised implementations of certain commonly used ciphersuites. Also, the application must call SSL_shutdown() twice even if a protocol error has occurred (applications should not do this, but some do anyway). Fixed in OpenSSL 1.0.2r (Affected 1.0.2-1.0.2q).

Data provided by National Vulnerability Database (NVD)
Affected products (vendor, product, version; indented entries are the platforms the preceding product runs on)
OpenSSL OpenSSL, Version >= 1.0.2 < 1.0.2r
Canonical Ubuntu Linux, Version 16.04, SwEdition esm
Canonical Ubuntu Linux, Version 18.04, SwEdition lts
Canonical Ubuntu Linux, Version 18.10
Debian Debian Linux, Version 8.0
Debian Debian Linux, Version 9.0
Netapp Active Iq Unified Manager, SwPlatform windows, Version >= 7.3
Netapp Active Iq Unified Manager, SwPlatform vmware_vsphere, Version >= 9.5
Netapp Active Iq Unified Manager, Version -, SwPlatform windows
Netapp Altavault, Version -
Netapp Cloud Backup, Version -
Netapp Element Software, Version -
Netapp Oncommand Insight, Version -
Netapp Oncommand Unified Manager, Version -, SwPlatform vsphere
Netapp Service Processor, Version -
Netapp Smi-s Provider, Version -
Netapp Snapcenter, Version -
Netapp Snapdrive, Version -, SwPlatform unix
Netapp Snapdrive, Version -, SwPlatform windows
Netapp Snapprotect, Version -
Netapp Solidfire, Version -
Netapp Storagegrid, Version >= 9.0.0 <= 9.0.4
Netapp Storagegrid, Version -
Netapp Hci Compute Node, Version -
F5 Big-ip Access Policy Manager, Version >= 12.1.0 <= 12.1.5
F5 Big-ip Access Policy Manager, Version >= 13.0.0 <= 13.1.3
F5 Big-ip Access Policy Manager, Version >= 14.0.0 <= 14.1.2
F5 Big-ip Access Policy Manager, Version >= 15.0.0 <= 15.1.0
F5 Big-ip Advanced Firewall Manager, Version >= 12.1.0 <= 12.1.5
F5 Big-ip Advanced Firewall Manager, Version >= 13.0.0 <= 13.1.3
F5 Big-ip Advanced Firewall Manager, Version >= 14.0.0 <= 14.1.2
F5 Big-ip Advanced Firewall Manager, Version >= 15.0.0 <= 15.1.0
F5 Big-ip Analytics, Version >= 12.1.0 <= 12.1.5
F5 Big-ip Analytics, Version >= 13.0.0 <= 13.1.3
F5 Big-ip Analytics, Version >= 14.0.0 <= 14.1.2
F5 Big-ip Analytics, Version >= 15.0.0 <= 15.1.0
F5 Big-ip Application Acceleration Manager, Version >= 12.1.0 <= 12.1.5
F5 Big-ip Application Acceleration Manager, Version >= 13.0.0 <= 13.1.3
F5 Big-ip Application Acceleration Manager, Version >= 14.0.0 <= 14.1.2
F5 Big-ip Application Acceleration Manager, Version >= 15.0.0 <= 15.1.0
F5 Big-ip Application Security Manager, Version >= 12.1.0 <= 12.1.5
F5 Big-ip Application Security Manager, Version >= 13.0.0 <= 13.1.3
F5 Big-ip Application Security Manager, Version >= 14.0.0 <= 14.1.2
F5 Big-ip Application Security Manager, Version >= 15.0.0 <= 15.1.0
F5 Big-ip Domain Name System, Version >= 12.1.0 <= 12.1.5
F5 Big-ip Domain Name System, Version >= 13.0.0 <= 13.1.3
F5 Big-ip Domain Name System, Version >= 14.0.0 <= 14.1.2
F5 Big-ip Domain Name System, Version >= 15.0.0 <= 15.1.0
F5 Big-ip Edge Gateway, Version >= 12.1.0 <= 12.1.5
F5 Big-ip Edge Gateway, Version >= 13.0.0 <= 13.1.3
F5 Big-ip Edge Gateway, Version >= 14.0.0 <= 14.1.2
F5 Big-ip Edge Gateway, Version >= 15.0.0 <= 15.1.0
F5 Big-ip Fraud Protection Service, Version >= 12.1.0 <= 12.1.5
F5 Big-ip Fraud Protection Service, Version >= 13.0.0 <= 13.1.3
F5 Big-ip Fraud Protection Service, Version >= 14.0.0 <= 14.1.2
F5 Big-ip Fraud Protection Service, Version >= 15.0.0 <= 15.1.0
F5 Big-ip Global Traffic Manager, Version >= 12.1.0 <= 12.1.5
F5 Big-ip Global Traffic Manager, Version >= 13.0.0 <= 13.1.3
F5 Big-ip Global Traffic Manager, Version >= 14.0.0 <= 14.1.2
F5 Big-ip Global Traffic Manager, Version >= 15.0.0 <= 15.1.0
F5 Big-ip Link Controller, Version >= 12.1.0 <= 12.1.5
F5 Big-ip Link Controller, Version >= 13.0.0 <= 13.1.3
F5 Big-ip Link Controller, Version >= 14.0.0 <= 14.1.2
F5 Big-ip Link Controller, Version >= 15.0.0 <= 15.1.0
F5 Big-ip Local Traffic Manager, Version >= 12.1.0 <= 12.1.5
F5 Big-ip Local Traffic Manager, Version >= 13.0.0 <= 13.1.3
F5 Big-ip Local Traffic Manager, Version >= 14.0.0 <= 14.1.2
F5 Big-ip Local Traffic Manager, Version >= 15.0.0 <= 15.1.0
F5 Big-ip Policy Enforcement Manager, Version >= 12.1.0 <= 12.1.5
F5 Big-ip Policy Enforcement Manager, Version >= 13.0.0 <= 13.1.3
F5 Big-ip Policy Enforcement Manager, Version >= 14.0.0 <= 14.1.2
F5 Big-ip Policy Enforcement Manager, Version >= 15.0.0 <= 15.1.0
F5 Big-ip Webaccelerator, Version >= 12.1.0 <= 12.1.5
F5 Big-ip Webaccelerator, Version >= 13.0.0 <= 13.1.3
F5 Big-ip Webaccelerator, Version >= 14.0.0 <= 14.1.2
F5 Big-ip Webaccelerator, Version >= 15.0.0 <= 15.1.0
F5 Big-iq Centralized Management, Version >= 6.0.0 <= 6.1.0
F5 Big-iq Centralized Management, Version >= 7.0.0 <= 7.1.0
F5 Traffix Signaling Delivery Controller, Version >= 5.0.0 <= 5.1.0
Tenable Nessus, Version <= 8.2.3
Opensuse Leap, Version 15.0
Opensuse Leap, Version 15.1
Opensuse Leap, Version 42.3
Netapp Cn1610 Firmware, Version -
   Netapp Cn1610, Version -
Netapp A320 Firmware, Version -
   Netapp A320, Version -
Netapp C190 Firmware, Version -
   Netapp C190, Version -
Netapp A220 Firmware, Version -
   Netapp A220, Version -
Netapp Fas2720 Firmware, Version -
   Netapp Fas2720, Version -
Netapp Fas2750 Firmware, Version -
   Netapp Fas2750, Version -
Netapp A800 Firmware, Version -
   Netapp A800, Version -
Fedoraproject Fedora, Version 29
Fedoraproject Fedora, Version 30
Fedoraproject Fedora, Version 31
Mcafee Agent, Version >= 5.6.0 <= 5.6.4
Mcafee Data Exchange Layer, Version >= 4.0.0 < 6.0.0
Mcafee Threat Intelligence Exchange Server, Version >= 2.0.0 < 3.0.0
Mcafee Web Gateway, Version >= 7.0.0 < 9.0.0
Redhat Jboss Enterprise Web Server, Version 5.0.0
   Redhat Enterprise Linux, Version 6.0
   Redhat Enterprise Linux, Version 7.0
   Redhat Enterprise Linux, Version 8.0
Redhat Virtualization, Version 4.0
   Redhat Enterprise Linux, Version 7.0
Redhat Virtualization Host, Version 4.0
   Redhat Enterprise Linux, Version 7.0
Oracle Api Gateway, Version 11.1.2.4.0
Oracle Business Intelligence, Version 11.1.1.9.0, SwEdition enterprise
Oracle Business Intelligence, Version 12.2.1.3.0, SwEdition enterprise
Oracle Business Intelligence, Version 12.2.1.4.0, SwEdition enterprise
Oracle Endeca Server, Version 7.7.0
Oracle Jd Edwards World Security, Version a9.3.1
Oracle Mysql, Version >= 5.6.0 <= 5.6.43
Oracle Mysql, Version >= 5.7.0 <= 5.7.25
Oracle Mysql, Version >= 8.0.0 <= 8.0.15
Oracle Mysql Enterprise Monitor, Version <= 4.0.8
Oracle Mysql Enterprise Monitor, Version >= 8.0.0 <= 8.0.14
Oracle Mysql Workbench, Version <= 8.0.16
Oracle Secure Global Desktop, Version 5.4
Oracle Services Tools Bundle, Version 19.2
Paloaltonetworks Pan-os, Version >= 7.1.0 < 7.1.15
Paloaltonetworks Pan-os, Version >= 8.0.0 < 8.0.20
Paloaltonetworks Pan-os, Version >= 8.1.0 < 8.1.8
Paloaltonetworks Pan-os, Version >= 9.0.0 < 9.0.2
Nodejs Node.Js, SwEdition -, Version >= 6.0.0 <= 6.8.1
Nodejs Node.Js, SwEdition lts, Version >= 6.9.0 < 6.17.0
Nodejs Node.Js, SwEdition -, Version >= 8.0.0 <= 8.8.1
Nodejs Node.Js, SwEdition lts, Version >= 8.9.0 < 8.15.1
No CISA KEV entry or CERT.AT warning was found for this CVE.

EPSS Metrics
Type: EPSS, Source: FIRST.org, Score: 5.05%, Percentile: 0.893

CVSS Metrics
Source: nvd@nist.gov, Base Score: 5.9, Exploit Score: 2.2, Impact Score: 3.6, Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Source: nvd@nist.gov, Base Score: 4.3, Exploit Score: 8.6, Impact Score: 2.9, Vector String: AV:N/AC:M/Au:N/C:P/I:N/A:N
CWE-203 Observable Discrepancy

The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not.

References
http://www.securityfocus.com/bid/107174 (Third Party Advisory, VDB Entry)
https://usn.ubuntu.com/3899-1/ (Third Party Advisory)