CVE-2019-1563 - In situations where an attacker receives automated notification of the success or failure of a decry

CVE-2019-1563

Summary

In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).

References

Vulnerable Configurations

cpe:2.3:a:openssl:openssl:1.0.2:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.2:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.2:beta1:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.2:beta1:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.2:beta2:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.2:beta2:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.2:beta3:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.2:beta3:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.2a:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.2a:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.2b:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.2b:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.2c:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.2c:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.2d:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.2d:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.2e:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.2e:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.2f:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.2f:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.2g:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.2g:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.2h:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.2h:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.2i:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.2i:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.2j:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.2j:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.2k:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.2k:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.2l:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.2l:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.2m:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.2m:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.2n:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.2n:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.2o:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.2o:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.2p:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.2p:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.2q:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.2q:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.2r:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.2r:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.2s:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.2s:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.0:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.0:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.0:-:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.0:-:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.0:pre1:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.0:pre1:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.0:pre2:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.0:pre2:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.0:pre3:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.0:pre3:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.0:pre4:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.0:pre4:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.0:pre5:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.0:pre5:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.0:pre6:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.0:pre6:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.0a:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.0a:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.0b:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.0b:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.0c:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.0c:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.0d:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.0d:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.0e:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.0e:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.0f:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.0f:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.0g:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.0g:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.0h:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.0h:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.0i:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.0i:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.0j:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.0j:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.0k:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.0k:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.1:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.1:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.1:pre1:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.1:pre1:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.1:pre2:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.1:pre2:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.1:pre3:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.1:pre3:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.1:pre4:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.1:pre4:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.1:pre5:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.1:pre5:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.1:pre6:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.1:pre6:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.1:pre7:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.1:pre7:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.1:pre8:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.1:pre8:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.1:pre9:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.1:pre9:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.1a:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.1a:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.1b:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.1b:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.1c:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.1.1c:*:*:*:*:*:*:*

CVSS

Base:	4.3 (as of 31-07-2021 - 08:15)
Impact:
Exploitability:

CWE

CWE-203

CAPEC

Access

Vector	Complexity	Authentication
NETWORK	MEDIUM	NONE

Impact

Confidentiality	Integrity	Availability
PARTIAL	NONE	NONE

cvss-vector via4

AV:N/AC:M/Au:N/C:P/I:N/A:N

redhat via4

advisories

bugzilla

id	1793984
title	[RHEL 8][s390x] Restore modified SIGILL signal handler during libcrypto library initialisation

oval

comment Red Hat Enterprise Linux must be installed
oval oval:com.redhat.rhba:tst:20070304026

AND

comment Red Hat Enterprise Linux 8 is installed
oval oval:com.redhat.rhba:tst:20193384074

AND
comment openssl is earlier than 1:1.1.1c-15.el8
oval oval:com.redhat.rhsa:tst:20201840001
comment openssl is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhba:tst:20171929002

AND

comment openssl-debugsource is earlier than 1:1.1.1c-15.el8
oval oval:com.redhat.rhsa:tst:20201840003
comment openssl-debugsource is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20193700004

AND

comment openssl-devel is earlier than 1:1.1.1c-15.el8
oval oval:com.redhat.rhsa:tst:20201840005
comment openssl-devel is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhba:tst:20171929004

AND
comment openssl-libs is earlier than 1:1.1.1c-15.el8
oval oval:com.redhat.rhsa:tst:20201840007
comment openssl-libs is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhba:tst:20171929006
AND
comment openssl-perl is earlier than 1:1.1.1c-15.el8
oval oval:com.redhat.rhsa:tst:20201840009
comment openssl-perl is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhba:tst:20171929008

rhsa

id	RHSA-2020:1840
released	2020-04-28
severity	Moderate
title	RHSA-2020:1840: openssl security and bug fix update (Moderate)

rpms

jbcs-httpd24-apr-0:1.6.3-86.jbcs.el6
jbcs-httpd24-apr-0:1.6.3-86.jbcs.el7
jbcs-httpd24-apr-debuginfo-0:1.6.3-86.jbcs.el6
jbcs-httpd24-apr-debuginfo-0:1.6.3-86.jbcs.el7
jbcs-httpd24-apr-devel-0:1.6.3-86.jbcs.el6
jbcs-httpd24-apr-devel-0:1.6.3-86.jbcs.el7
jbcs-httpd24-brotli-0:1.0.6-21.jbcs.el6
jbcs-httpd24-brotli-0:1.0.6-21.jbcs.el7
jbcs-httpd24-brotli-debuginfo-0:1.0.6-21.jbcs.el6
jbcs-httpd24-brotli-debuginfo-0:1.0.6-21.jbcs.el7
jbcs-httpd24-brotli-devel-0:1.0.6-21.jbcs.el6
jbcs-httpd24-brotli-devel-0:1.0.6-21.jbcs.el7
jbcs-httpd24-httpd-0:2.4.37-52.jbcs.el6
jbcs-httpd24-httpd-0:2.4.37-52.jbcs.el7
jbcs-httpd24-httpd-debuginfo-0:2.4.37-52.jbcs.el6
jbcs-httpd24-httpd-debuginfo-0:2.4.37-52.jbcs.el7
jbcs-httpd24-httpd-devel-0:2.4.37-52.jbcs.el6
jbcs-httpd24-httpd-devel-0:2.4.37-52.jbcs.el7
jbcs-httpd24-httpd-manual-0:2.4.37-52.jbcs.el6
jbcs-httpd24-httpd-manual-0:2.4.37-52.jbcs.el7
jbcs-httpd24-httpd-selinux-0:2.4.37-52.jbcs.el6
jbcs-httpd24-httpd-selinux-0:2.4.37-52.jbcs.el7
jbcs-httpd24-httpd-tools-0:2.4.37-52.jbcs.el6
jbcs-httpd24-httpd-tools-0:2.4.37-52.jbcs.el7
jbcs-httpd24-mod_cluster-native-0:1.3.12-41.Final_redhat_2.jbcs.el6
jbcs-httpd24-mod_cluster-native-0:1.3.12-41.Final_redhat_2.jbcs.el7
jbcs-httpd24-mod_cluster-native-debuginfo-0:1.3.12-41.Final_redhat_2.jbcs.el6
jbcs-httpd24-mod_cluster-native-debuginfo-0:1.3.12-41.Final_redhat_2.jbcs.el7
jbcs-httpd24-mod_http2-0:1.11.3-22.jbcs.el6
jbcs-httpd24-mod_http2-0:1.11.3-22.jbcs.el7
jbcs-httpd24-mod_http2-debuginfo-0:1.11.3-22.jbcs.el6
jbcs-httpd24-mod_http2-debuginfo-0:1.11.3-22.jbcs.el7
jbcs-httpd24-mod_ldap-0:2.4.37-52.jbcs.el6
jbcs-httpd24-mod_ldap-0:2.4.37-52.jbcs.el7
jbcs-httpd24-mod_proxy_html-1:2.4.37-52.jbcs.el6
jbcs-httpd24-mod_proxy_html-1:2.4.37-52.jbcs.el7
jbcs-httpd24-mod_session-0:2.4.37-52.jbcs.el6
jbcs-httpd24-mod_session-0:2.4.37-52.jbcs.el7
jbcs-httpd24-mod_ssl-1:2.4.37-52.jbcs.el6
jbcs-httpd24-mod_ssl-1:2.4.37-52.jbcs.el7
jbcs-httpd24-openssl-1:1.1.1c-16.jbcs.el6
jbcs-httpd24-openssl-1:1.1.1c-16.jbcs.el7
jbcs-httpd24-openssl-debuginfo-1:1.1.1c-16.jbcs.el6
jbcs-httpd24-openssl-debuginfo-1:1.1.1c-16.jbcs.el7
jbcs-httpd24-openssl-devel-1:1.1.1c-16.jbcs.el6
jbcs-httpd24-openssl-devel-1:1.1.1c-16.jbcs.el7
jbcs-httpd24-openssl-libs-1:1.1.1c-16.jbcs.el6
jbcs-httpd24-openssl-libs-1:1.1.1c-16.jbcs.el7
jbcs-httpd24-openssl-perl-1:1.1.1c-16.jbcs.el6
jbcs-httpd24-openssl-perl-1:1.1.1c-16.jbcs.el7
jbcs-httpd24-openssl-static-1:1.1.1c-16.jbcs.el6
jbcs-httpd24-openssl-static-1:1.1.1c-16.jbcs.el7
openssl-1:1.1.1c-15.el8
openssl-debuginfo-1:1.1.1c-15.el8
openssl-debugsource-1:1.1.1c-15.el8
openssl-devel-1:1.1.1c-15.el8
openssl-libs-1:1.1.1c-15.el8
openssl-libs-debuginfo-1:1.1.1c-15.el8
openssl-perl-1:1.1.1c-15.el8

refmap via4

bugtraq	20190912 [slackware-security] openssl (SSA:2019-254-03) 20191001 [SECURITY] [DSA 4539-1] openssl security update 20191001 [SECURITY] [DSA 4540-1] openssl1.0 security update
confirm	https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64 https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97 https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f https://security.netapp.com/advisory/ntap-20190919-0002/ https://support.f5.com/csp/article/K97324400?utm_source=f5support&utm_medium=RSS https://www.openssl.org/news/secadv/20190910.txt https://www.tenable.com/security/tns-2019-09
debian	DSA-4539 DSA-4540
fedora	FEDORA-2019-d15aac6c4e FEDORA-2019-d51641f152
gentoo	GLSA-201911-04
misc	http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html https://www.oracle.com/security-alerts/cpuapr2020.html https://www.oracle.com/security-alerts/cpujan2020.html https://www.oracle.com/security-alerts/cpujul2020.html https://www.oracle.com/security-alerts/cpuoct2020.html https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
mlist	[debian-lts-announce] 20190925 [SECURITY] [DLA 1932-1] openssl security update
suse	openSUSE-SU-2019:2158 openSUSE-SU-2019:2189 openSUSE-SU-2019:2268 openSUSE-SU-2019:2269
ubuntu	USN-4376-1 USN-4376-2 USN-4504-1

Last major update

31-07-2021 - 08:15

Published

10-09-2019 - 17:15

Last modified

31-07-2021 - 08:15