CVSS base score: 5.9
CVE-2019-1559
- EPSS 5.05%
- Published 2019-02-27 23:29:00
- Last modified 2024-11-21 04:36:48
- Source openssl-security@openssl.org
If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 byte record is received with an invalid MAC. If the application then behaves differently based on that in a way that is detectable to the remote peer, then this amounts to a padding oracle that could be used to decrypt data. In order for this to be exploitable "non-stitched" ciphersuites must be in use. Stitched ciphersuites are optimised implementations of certain commonly used ciphersuites. Also the application must call SSL_shutdown() twice even if a protocol error has occurred (applications should not do this but some do anyway). Fixed in OpenSSL 1.0.2r (Affected 1.0.2-1.0.2q).
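As an added illustration (not part of the NVD record and not OpenSSL's own code), the following Python check maps the affected range stated above, 1.0.2 through 1.0.2q with the fix in 1.0.2r, onto OpenSSL's legacy letter-suffixed version scheme and onto the `OPENSSL_VERSION_NUMBER` encoding, so a host banner or a running Python process can be triaged against it. The patch-letter-to-integer mapping and the numeric range constants are assumptions derived from OpenSSL's documented `0xMNNFFPPS` layout for the 1.0.x series; the sample version strings are constructed for the demonstration.

```python
import re
import ssl

# Affected range from the advisory text: OpenSSL 1.0.2 through 1.0.2q, fixed in 1.0.2r.
# Tuples are (major, minor, fix, patch-letter-as-int); no letter = 0, 'a' = 1, ..., 'r' = 18.
FIRST_AFFECTED = (1, 0, 2, 0)
FIXED = (1, 0, 2, 18)

# Same range in the 0xMNNFFPPS layout used by OPENSSL_VERSION_NUMBER in 1.0.x/1.1.x
# (assumption: 1.0.2 release = 0x1000200f, 1.0.2r release = 0x1000212f).
FIRST_AFFECTED_NUMBER = 0x10002000
FIXED_NUMBER = 0x1000212f

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(text):
    """Parse a legacy OpenSSL version such as '1.0.2q' into a comparable tuple.

    Accepts a bare version or the full `openssl version` banner
    ('OpenSSL 1.0.2q  20 Nov 2018'). Multi-letter suffixes such as 'za'
    are ordered after single letters, matching OpenSSL's release order.
    """
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError("not an OpenSSL version: %r" % text)
    major, minor, fix = (int(m.group(i)) for i in (1, 2, 3))
    patch = 0
    for ch in m.group(4):
        patch = patch * 26 + (ord(ch) - ord("a") + 1)
    return (major, minor, fix, patch)


def is_affected_version(text):
    """True if the version string lies in [1.0.2, 1.0.2r)."""
    return FIRST_AFFECTED <= parse_openssl_version(text) < FIXED


def is_affected_version_number(number):
    """Same check on an OPENSSL_VERSION_NUMBER integer."""
    return FIRST_AFFECTED_NUMBER <= number < FIXED_NUMBER


def runtime_check():
    """Report on the OpenSSL library this Python interpreter is linked against."""
    return {
        "version": ssl.OPENSSL_VERSION,
        "number": hex(ssl.OPENSSL_VERSION_NUMBER),
        "affected_by_cve_2019_1559": is_affected_version(ssl.OPENSSL_VERSION)
        and is_affected_version_number(ssl.OPENSSL_VERSION_NUMBER),
    }


if __name__ == "__main__":
    # Constructed banners, as `openssl version` would print them.
    for banner in ("OpenSSL 1.0.2q  20 Nov 2018", "OpenSSL 1.0.2r  26 Feb 2019",
                   "OpenSSL 1.1.0j  20 Nov 2018", "OpenSSL 1.0.2  22 Jan 2015"):
        print(banner, "->", "AFFECTED" if is_affected_version(banner) else "not affected")
    print(runtime_check())
```

A version match is necessary but not sufficient: per the description, exploitation also needs a non-stitched ciphersuite on the connection and an application that keeps calling SSL_shutdown() twice after a fatal protocol error. A positive result here therefore means "update to 1.0.2r or later", not "this deployment is exploitable".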
Data provided by the National Vulnerability Database (NVD)
Canonical ≫ Ubuntu Linux Version 16.04 (SwEdition: esm)
Canonical ≫ Ubuntu Linux Version 18.04 (SwEdition: lts)
Canonical ≫ Ubuntu Linux Version 18.10
Debian ≫ Debian Linux Version 8.0
Debian ≫ Debian Linux Version 9.0
Netapp ≫ Active Iq Unified Manager (SwPlatform: windows) Version >= 7.3
Netapp ≫ Active Iq Unified Manager (SwPlatform: vmware_vsphere) Version >= 9.5
Netapp ≫ Active Iq Unified Manager Version- (SwPlatform: windows)
Netapp ≫ Cloud Backup Version-
Netapp ≫ Clustered Data Ontap Antivirus Connector Version-
Netapp ≫ Element Software Version-
Netapp ≫ Hci Management Node Version-
Netapp ≫ Hyper Converged Infrastructure Version-
Netapp ≫ Oncommand Insight Version-
Netapp ≫ Oncommand Unified Manager Version-
Netapp ≫ Oncommand Unified Manager Version- (SwPlatform: vsphere)
Netapp ≫ Oncommand Unified Manager Core Package Version-
Netapp ≫ Oncommand Workflow Automation Version-
Netapp ≫ Ontap Select Deploy Version-
Netapp ≫ Ontap Select Deploy Administration Utility Version-
Netapp ≫ Santricity Smi-s Provider Version-
Netapp ≫ Service Processor Version-
Netapp ≫ Smi-s Provider Version-
Netapp ≫ Snapcenter Version-
Netapp ≫ Snapprotect Version-
Netapp ≫ Steelstore Cloud Integrated Storage Version-
Netapp ≫ Storage Automation Store Version-
Netapp ≫ Storagegrid Version >= 9.0.0 <= 9.0.4
Netapp ≫ Storagegrid Version-
Netapp ≫ Hci Compute Node Version-
F5 ≫ Big-ip Access Policy Manager Version >= 12.1.0 <= 12.1.5
F5 ≫ Big-ip Access Policy Manager Version >= 13.0.0 <= 13.1.3
F5 ≫ Big-ip Access Policy Manager Version >= 14.0.0 <= 14.1.2
F5 ≫ Big-ip Access Policy Manager Version >= 15.0.0 <= 15.1.0
F5 ≫ Big-ip Advanced Firewall Manager Version >= 12.1.0 <= 12.1.5
F5 ≫ Big-ip Advanced Firewall Manager Version >= 13.0.0 <= 13.1.3
F5 ≫ Big-ip Advanced Firewall Manager Version >= 14.0.0 <= 14.1.2
F5 ≫ Big-ip Advanced Firewall Manager Version >= 15.0.0 <= 15.1.0
F5 ≫ Big-ip Analytics Version >= 12.1.0 <= 12.1.5
F5 ≫ Big-ip Analytics Version >= 13.0.0 <= 13.1.3
F5 ≫ Big-ip Analytics Version >= 14.0.0 <= 14.1.2
F5 ≫ Big-ip Analytics Version >= 15.0.0 <= 15.1.0
F5 ≫ Big-ip Application Acceleration Manager Version >= 12.1.0 <= 12.1.5
F5 ≫ Big-ip Application Acceleration Manager Version >= 13.0.0 <= 13.1.3
F5 ≫ Big-ip Application Acceleration Manager Version >= 14.0.0 <= 14.1.2
F5 ≫ Big-ip Application Acceleration Manager Version >= 15.0.0 <= 15.1.0
F5 ≫ Big-ip Application Security Manager Version >= 12.1.0 <= 12.1.5
F5 ≫ Big-ip Application Security Manager Version >= 13.0.0 <= 13.1.3
F5 ≫ Big-ip Application Security Manager Version >= 14.0.0 <= 14.1.2
F5 ≫ Big-ip Application Security Manager Version >= 15.0.0 <= 15.1.0
F5 ≫ Big-ip Domain Name System Version >= 12.1.0 <= 12.1.5
F5 ≫ Big-ip Domain Name System Version >= 13.0.0 <= 13.1.3
F5 ≫ Big-ip Domain Name System Version >= 14.0.0 <= 14.1.2
F5 ≫ Big-ip Domain Name System Version >= 15.0.0 <= 15.1.0
F5 ≫ Big-ip Edge Gateway Version >= 12.1.0 <= 12.1.5
F5 ≫ Big-ip Edge Gateway Version >= 13.0.0 <= 13.1.3
F5 ≫ Big-ip Edge Gateway Version >= 14.0.0 <= 14.1.2
F5 ≫ Big-ip Edge Gateway Version >= 15.0.0 <= 15.1.0
F5 ≫ Big-ip Fraud Protection Service Version >= 12.1.0 <= 12.1.5
F5 ≫ Big-ip Fraud Protection Service Version >= 13.0.0 <= 13.1.3
F5 ≫ Big-ip Fraud Protection Service Version >= 14.0.0 <= 14.1.2
F5 ≫ Big-ip Fraud Protection Service Version >= 15.0.0 <= 15.1.0
F5 ≫ Big-ip Global Traffic Manager Version >= 12.1.0 <= 12.1.5
F5 ≫ Big-ip Global Traffic Manager Version >= 13.0.0 <= 13.1.3
F5 ≫ Big-ip Global Traffic Manager Version >= 14.0.0 <= 14.1.2
F5 ≫ Big-ip Global Traffic Manager Version >= 15.0.0 <= 15.1.0
F5 ≫ Big-ip Link Controller Version >= 12.1.0 <= 12.1.5
F5 ≫ Big-ip Link Controller Version >= 13.0.0 <= 13.1.3
F5 ≫ Big-ip Link Controller Version >= 14.0.0 <= 14.1.2
F5 ≫ Big-ip Link Controller Version >= 15.0.0 <= 15.1.0
F5 ≫ Big-ip Local Traffic Manager Version >= 12.1.0 <= 12.1.5
F5 ≫ Big-ip Local Traffic Manager Version >= 13.0.0 <= 13.1.3
F5 ≫ Big-ip Local Traffic Manager Version >= 14.0.0 <= 14.1.2
F5 ≫ Big-ip Local Traffic Manager Version >= 15.0.0 <= 15.1.0
F5 ≫ Big-ip Policy Enforcement Manager Version >= 12.1.0 <= 12.1.5
F5 ≫ Big-ip Policy Enforcement Manager Version >= 13.0.0 <= 13.1.3
F5 ≫ Big-ip Policy Enforcement Manager Version >= 14.0.0 <= 14.1.2
F5 ≫ Big-ip Policy Enforcement Manager Version >= 15.0.0 <= 15.1.0
F5 ≫ Big-ip Webaccelerator Version >= 12.1.0 <= 12.1.5
F5 ≫ Big-ip Webaccelerator Version >= 13.0.0 <= 13.1.3
F5 ≫ Big-ip Webaccelerator Version >= 14.0.0 <= 14.1.2
F5 ≫ Big-ip Webaccelerator Version >= 15.0.0 <= 15.1.0
F5 ≫ Big-iq Centralized Management Version >= 6.0.0 <= 6.1.0
F5 ≫ Big-iq Centralized Management Version >= 7.0.0 <= 7.1.0
F5 ≫ Traffix Signaling Delivery Controller Version >= 5.0.0 <= 5.1.0
F5 ≫ Traffix Signaling Delivery Controller Version 4.4.0
Netapp ≫ Cn1610 Firmware Version-
Netapp ≫ A320 Firmware Version-
Netapp ≫ C190 Firmware Version-
Netapp ≫ A220 Firmware Version-
Netapp ≫ Fas2720 Firmware Version-
Netapp ≫ Fas2750 Firmware Version-
Netapp ≫ A800 Firmware Version-
Fedoraproject ≫ Fedora Version 29
Fedoraproject ≫ Fedora Version 30
Fedoraproject ≫ Fedora Version 31
Mcafee ≫ Data Exchange Layer Version >= 4.0.0 < 6.0.0
Mcafee ≫ Threat Intelligence Exchange Server Version >= 2.0.0 < 3.0.0
Mcafee ≫ Web Gateway Version >= 7.0.0 < 9.0.0
Redhat ≫ Jboss Enterprise Web Server Version 5.0.0
Redhat ≫ Enterprise Linux Version 6.0
Redhat ≫ Enterprise Linux Version 7.0
Redhat ≫ Enterprise Linux Version 8.0
Redhat ≫ Virtualization Version 4.0
Redhat ≫ Virtualization Host Version 4.0
Redhat ≫ Enterprise Linux Desktop Version 6.0
Redhat ≫ Enterprise Linux Desktop Version 7.0
Redhat ≫ Enterprise Linux Server Version 6.0
Redhat ≫ Enterprise Linux Server Version 7.0
Redhat ≫ Enterprise Linux Workstation Version 6.0
Redhat ≫ Enterprise Linux Workstation Version 7.0
Oracle ≫ Api Gateway Version 11.1.2.4.0
Oracle ≫ Business Intelligence Version 11.1.1.9.0 (SwEdition: enterprise)
Oracle ≫ Business Intelligence Version 12.2.1.3.0 (SwEdition: enterprise)
Oracle ≫ Business Intelligence Version 12.2.1.4.0 (SwEdition: enterprise)
Oracle ≫ Communications Diameter Signaling Router Version 8.0.0
Oracle ≫ Communications Diameter Signaling Router Version 8.1
Oracle ≫ Communications Diameter Signaling Router Version 8.2
Oracle ≫ Communications Diameter Signaling Router Version 8.3
Oracle ≫ Communications Diameter Signaling Router Version 8.4
Oracle ≫ Communications Performance Intelligence Center Version 10.4.0.2
Oracle ≫ Communications Session Border Controller Version 7.4
Oracle ≫ Communications Session Border Controller Version 8.0.0
Oracle ≫ Communications Session Border Controller Version 8.1.0
Oracle ≫ Communications Session Border Controller Version 8.2
Oracle ≫ Communications Session Border Controller Version 8.3
Oracle ≫ Communications Session Router Version 7.4
Oracle ≫ Communications Session Router Version 8.0
Oracle ≫ Communications Session Router Version 8.1
Oracle ≫ Communications Session Router Version 8.2
Oracle ≫ Communications Session Router Version 8.3
Oracle ≫ Communications Unified Session Manager Version 7.3.5
Oracle ≫ Communications Unified Session Manager Version 8.2.5
Oracle ≫ Endeca Server Version 7.7.0
Oracle ≫ Enterprise Manager Base Platform Version 12.1.0.5.0
Oracle ≫ Enterprise Manager Base Platform Version 13.2.0.0.0
Oracle ≫ Enterprise Manager Base Platform Version 13.3.0.0.0
Oracle ≫ Enterprise Manager Ops Center Version 12.3.3
Oracle ≫ Enterprise Manager Ops Center Version 12.4.0
Oracle ≫ Jd Edwards Enterpriseone Tools Version 9.2
Oracle ≫ Jd Edwards World Security Version A9.3
Oracle ≫ Jd Edwards World Security Version A9.3.1
Oracle ≫ Jd Edwards World Security Version A9.4
Oracle ≫ Mysql Enterprise Monitor Version <= 4.0.8
Oracle ≫ Mysql Enterprise Monitor Version >= 8.0.0 <= 8.0.14
Oracle ≫ Mysql Workbench Version <= 8.0.16
Oracle ≫ Peoplesoft Enterprise Peopletools Version 8.55
Oracle ≫ Peoplesoft Enterprise Peopletools Version 8.56
Oracle ≫ Peoplesoft Enterprise Peopletools Version 8.57
Oracle ≫ Secure Global Desktop Version 5.4
Oracle ≫ Services Tools Bundle Version 19.2
Paloaltonetworks ≫ Pan-os Version >= 7.1.0 < 7.1.15
Paloaltonetworks ≫ Pan-os Version >= 8.0.0 < 8.0.20
Paloaltonetworks ≫ Pan-os Version >= 8.1.0 < 8.1.8
Paloaltonetworks ≫ Pan-os Version >= 9.0.0 < 9.0.2
No CISA KEV entry or CERT.AT warning was found for this CVE.
Type | Source | Score | Percentile |
---|---|---|---|
EPSS | FIRST.org | 5.05% | 0.893 |
Source | Base Score | Exploit Score | Impact Score | Vector String |
---|---|---|---|---|
nvd@nist.gov | 5.9 | 2.2 | 3.6 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N |
nvd@nist.gov | 4.3 | 8.6 | 2.9 | AV:N/AC:M/Au:N/C:P/I:N/A:N |
CWE-203 Observable Discrepancy
The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not.