CVE-2019-1563

EPSS 1.42%
Veröffentlicht 10.09.2019 17:15:11
Zuletzt bearbeitet 21.11.2024 04:36:49
Quelle openssl-security@openssl.org
Teams Watchlist Login
Unerledigt Login

In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).

Betroffene Produkte Warnungen 0 Metriken 3 CWE 2 Referenzen 33

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

OpenSSL ≫ OpenSSL Version >= 1.0.2 <= 1.0.2s

OpenSSL ≫ OpenSSL Version >= 1.1.0 <= 1.1.0k

OpenSSL ≫ OpenSSL Version >= 1.1.1 <= 1.1.1c

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	1.42%	0.799

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	3.7	2.2	1.4	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
nvd@nist.gov	4.3	8.6	2.9	AV:N/AC:M/Au:N/C:P/I:N/A:N

CWE-203 Observable Discrepancy

The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not.

CWE-327 Use of a Broken or Risky Cryptographic Algorithm

The product uses a broken or risky cryptographic algorithm or protocol.

https://www.oracle.com/security-alerts/cpujan2020.html

https://kc.mcafee.com/corporate/index?page=content&id=SB10365

https://www.oracle.com/security-alerts/cpuapr2020.html

https://www.oracle.com/security-alerts/cpujul2020.html

https://www.oracle.com/security-alerts/cpuoct2020.html

https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html

https://www.tenable.com/security/tns-2019-09

https://usn.ubuntu.com/4376-2/

http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00054.html

http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00072.html