CVE-2019-1563

Severity: low

Description

In situations where an attacker receives automated notification of whether each decryption attempt succeeded or failed, the attacker can, after sending a very large number of messages to be decrypted, recover a CMS/PKCS7 transported encryption key or decrypt any RSA-encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they pass a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions, so that the correct recipient info is selected for decryption. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).

References

https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97

https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f

https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64

https://www.openssl.org/news/secadv/20190910.txt

https://seclists.org/bugtraq/2019/Sep/25

http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html

https://security.netapp.com/advisory/ntap-20190919-0002/

http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00054.html

https://lists.fedoraproject.org/archives/list/[email protected]/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/

http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00072.html

https://lists.debian.org/debian-lts-announce/2019/09/msg00026.html

https://lists.fedoraproject.org/archives/list/[email protected]/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/

https://seclists.org/bugtraq/2019/Oct/1

https://seclists.org/bugtraq/2019/Oct/0

https://www.debian.org/security/2019/dsa-4539

https://www.debian.org/security/2019/dsa-4540

http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00012.html

http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00016.html

https://support.f5.com/csp/article/K97324400?utm_source=f5support&utm_medium=RSS

https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html

https://security.gentoo.org/glsa/201911-04

https://www.tenable.com/security/tns-2019-09

https://www.oracle.com/security-alerts/cpujan2020.html

https://www.oracle.com/security-alerts/cpuapr2020.html

https://usn.ubuntu.com/4376-1/

https://www.oracle.com/security-alerts/cpujul2020.html

https://usn.ubuntu.com/4376-2/

https://usn.ubuntu.com/4504-1/

https://www.oracle.com/security-alerts/cpuoct2020.html

https://kc.mcafee.com/corporate/index?page=content&id=SB10365

Details

Source: MITRE

Published: 2019-09-10

Updated: 2021-07-31

Type: CWE-327

Risk Information

CVSS v2

Base Score: 4.3

Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N

Impact Score: 2.9

Exploitability Score: 8.6

Severity: MEDIUM

CVSS v3

Base Score: 3.7

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Impact Score: 1.4

Exploitability Score: 2.2

Severity: LOW

Vulnerable Software

Configuration 1

OR

cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:* versions from 1.0.2 to 1.0.2s (inclusive)

cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:* versions from 1.1.0 to 1.1.0k (inclusive)

cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:* versions from 1.1.1 to 1.1.1c (inclusive)

Tenable Plugins

54 plugins total

ID | Name | Product | Family | Severity
153738 | EulerOS 2.0 SP9 : shim (EulerOS-SA-2021-2542) | Nessus | Huawei Local Security Checks | medium
153705 | EulerOS 2.0 SP9 : shim (EulerOS-SA-2021-2566) | Nessus | Huawei Local Security Checks | medium
150664 | SUSE SLES11 Security Update : openssl (SUSE-SU-2019:14174-1) | Nessus | SuSE Local Security Checks | low
150638 | SUSE SLES11 Security Update : openssl (SUSE-SU-2019:14249-1) | Nessus | SuSE Local Security Checks | low
150594 | SUSE SLES11 Security Update : openssl1 (SUSE-SU-2019:14171-1) | Nessus | SuSE Local Security Checks | low
145975 | CentOS 8 : openssl (CESA-2020:1840) | Nessus | CentOS Local Security Checks | medium
143872 | SUSE SLES12 Security Update : compat-openssl098 (SUSE-SU-2020:2634-1) | Nessus | SuSE Local Security Checks | low
143010 | RHEL 8 : openssl (RHSA-2020:1840) | Nessus | Red Hat Local Security Checks | medium
140645 | Ubuntu 16.04 LTS / 18.04 LTS : OpenSSL vulnerabilities (USN-4504-1) | Nessus | Ubuntu Local Security Checks | medium
138622 | Amazon Linux 2 : openssl11 (ALAS-2020-1456) | Nessus | Amazon Linux Local Security Checks | medium
136967 | Ubuntu 16.04 LTS / 18.04 LTS / 19.10 : OpenSSL vulnerabilities (USN-4376-1) | Nessus | Ubuntu Local Security Checks | medium
135235 | RHEL 6 : Red Hat JBoss Core Services Apache HTTP Server 2.4.37 SP2 (RHSA-2020:1337) | Nessus | Red Hat Local Security Checks | critical
134897 | Amazon Linux 2 : openssl (ALAS-2020-1406) | Nessus | Amazon Linux Local Security Checks | low
134740 | EulerOS Virtualization 3.0.2.2 : openssl (EulerOS-SA-2020-1274) | Nessus | Huawei Local Security Checks | low
134510 | EulerOS Virtualization for ARM 64 3.0.2.0 : openssl (EulerOS-SA-2020-1221) | Nessus | Huawei Local Security Checks | low
133870 | Amazon Linux AMI : openssl (ALAS-2020-1344) | Nessus | Amazon Linux Local Security Checks | low
133042 | Oracle Secure Global Desktop Multiple Vulnerabilities (January 2020 CPU) | Nessus | Misc. | medium
132926 | SUSE SLED12 / SLES12 Security Update : openssl-1_1 (SUSE-SU-2020:0099-1) | Nessus | SuSE Local Security Checks | medium
132817 | EulerOS Virtualization for ARM 64 3.0.5.0 : openssl (EulerOS-SA-2020-1063) | Nessus | Huawei Local Security Checks | medium
132815 | EulerOS Virtualization for ARM 64 3.0.5.0 : compat-openssl10 (EulerOS-SA-2020-1061) | Nessus | Huawei Local Security Checks | low
131617 | EulerOS 2.0 SP2 : openssl (EulerOS-SA-2019-2464) | Nessus | Huawei Local Security Checks | low
131584 | EulerOS 2.0 SP2 : openssl110f (EulerOS-SA-2019-2430) | Nessus | Huawei Local Security Checks | low
130807 | EulerOS 2.0 SP8 : compat-openssl10 (EulerOS-SA-2019-2098) | Nessus | Huawei Local Security Checks | low
130806 | EulerOS 2.0 SP8 : openssl (EulerOS-SA-2019-2097) | Nessus | Huawei Local Security Checks | medium
130726 | EulerOS 2.0 SP3 : openssl (EulerOS-SA-2019-2264) | Nessus | Huawei Local Security Checks | low
130716 | EulerOS 2.0 SP3 : openssl1.1.0f (EulerOS-SA-2019-2254) | Nessus | Huawei Local Security Checks | low
130680 | EulerOS 2.0 SP5 : openssl110h (EulerOS-SA-2019-2218) | Nessus | Huawei Local Security Checks | low
130678 | EulerOS 2.0 SP5 : openssl (EulerOS-SA-2019-2216) | Nessus | Huawei Local Security Checks | low
130636 | GLSA-201911-04 : OpenSSL: Multiple vulnerabilities | Nessus | Gentoo Local Security Checks | low
130113 | Photon OS 3.0: Openssl PHSA-2019-3.0-0032 | Nessus | PhotonOS Local Security Checks | low
129786 | Photon OS 1.0: Openssl PHSA-2019-1.0-0252 | Nessus | PhotonOS Local Security Checks | low
129692 | Photon OS 2.0: Openssl PHSA-2019-2.0-0177 | Nessus | PhotonOS Local Security Checks | low
129684 | Photon OS 1.0: Openssl PHSA-2019-1.0-0255 | Nessus | PhotonOS Local Security Checks | low
129676 | SUSE SLED15 / SLES15 Security Update : openssl-1_0_0 (SUSE-SU-2019:2561-1) | Nessus | SuSE Local Security Checks | low
129674 | SUSE SLED12 / SLES12 Security Update : compat-openssl098 (SUSE-SU-2019:2558-1) | Nessus | SuSE Local Security Checks | low
129670 | openSUSE Security Update : openssl-1_0_0 (openSUSE-2019-2269) | Nessus | SuSE Local Security Checks | low
129669 | openSUSE Security Update : openssl-1_0_0 (openSUSE-2019-2268) | Nessus | SuSE Local Security Checks | low
129635 | Fedora 31 : 1:openssl (2019-9ab7ee6309) | Nessus | Fedora Local Security Checks | medium
129528 | SUSE SLED12 / SLES12 Security Update : openssl-1_0_0 (SUSE-SU-2019:2504-1) | Nessus | SuSE Local Security Checks | low
129513 | Fedora 29 : 1:openssl (2019-d51641f152) | Nessus | Fedora Local Security Checks | medium
129507 | Debian DSA-4540-1 : openssl1.0 - security update | Nessus | Debian Local Security Checks | low
129506 | Debian DSA-4539-1 : openssl - security update | Nessus | Debian Local Security Checks | medium
129380 | openSUSE Security Update : openssl-1_1 (openSUSE-2019-2189) | Nessus | SuSE Local Security Checks | low
129362 | Debian DLA-1932-1 : openssl security update | Nessus | Debian Local Security Checks | low
129327 | Fedora 30 : 1:openssl (2019-d15aac6c4e) | Nessus | Fedora Local Security Checks | medium
129281 | openSUSE Security Update : openssl-1_1 (openSUSE-2019-2158) | Nessus | SuSE Local Security Checks | low
129155 | SUSE SLES12 Security Update : openssl (SUSE-SU-2019:2413-1) | Nessus | SuSE Local Security Checks | low
129153 | SUSE SLED15 / SLES15 Security Update : openssl-1_1 (SUSE-SU-2019:2410-1) | Nessus | SuSE Local Security Checks | low
129047 | SUSE SLED15 / SLES15 Security Update : openssl-1_1 (SUSE-SU-2019:2403-1) | Nessus | SuSE Local Security Checks | low
129044 | SUSE SLES12 Security Update : openssl (SUSE-SU-2019:2397-1) | Nessus | SuSE Local Security Checks | low
128751 | Slackware 14.2 / current : openssl (SSA:2019-254-03) | Nessus | Slackware Local Security Checks | low
128117 | OpenSSL 1.1.0 < 1.1.0l Multiple Vulnerabilities | Nessus | Web Servers | low
128116 | OpenSSL 1.1.1 < 1.1.1d Multiple Vulnerabilities | Nessus | Web Servers | medium
128115 | OpenSSL 1.0.2 < 1.0.2t Multiple Vulnerabilities | Nessus | Web Servers | low