CVE-2019-1559

CWE-203 CWE-32517 documents10 sources

Severity

5.9MEDIUM

EPSS

5.0%

top 10.34%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mcafee Data Exchange Layer Mcafee Threat Intelligence Exchange Server Mcafee WEB Gateway +50 more

Timeline

PublishedFeb 27

Latest updateMay 13

Description

If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 byte record is received with an invalid MAC. If the application then behaves differently based on that in a way that is detectable to the remote peer, then this amounts to a padding oracle that could be used to decrypt dat…

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 2.2 | Impact: 3.6

Affected Packages52 packages

▶NVDf5/big-ip_application_security_manager12.1.0 — 12.1.5+3

▶NVDf5/big-ip_application_acceleration_manager12.1.0 — 12.1.5+3

▶NVDopenssl/openssl1.0.2 — 1.0.2r

▶Debianopenssl< 1.1.0b-2+3

▶CVEListV5openssl/opensslFixed in OpenSSL 1.0.2r (Affected 1.0.2-1.0.2q)

Also affects: Debian Linux 8.0, 9.0, Fedora 29, 30, 31, Ubuntu Linux 16.04, 18.04, 18.10

Patches

Patch: security.netapp.com ↗Patch: www.oracle.com ↗Patch: www.oracle.com ↗

🔴Vulnerability Details

GHSA

GHSA-9ccq-7hvh-cv7p: If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then Op↗2022-05-13

▶

OSV

openssl vulnerabilities↗2020-07-09

▶

CVEList

0-byte record padding oracle↗2019-02-27

▶

OSV

CVE-2019-1559: If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then Op↗2019-02-27

▶

💥Exploits & PoCs

Exploit-DB

Kepler Wallpaper Script 1.1 - SQL Injection↗2019-01-21

▶

📋Vendor Advisories

Oracle

Oracle Oracle Communications Risk Matrix: Security (OpenSSL) — CVE-2019-1559↗2021-01-15

▶

Ubuntu

OpenSSL vulnerabilities↗2020-07-09

▶

Oracle

Oracle Oracle Communications Applications Risk Matrix: Platform (OpenSSL) — CVE-2019-1559↗2020-01-15

▶

Ubuntu

OpenSSL vulnerability↗2019-02-27

▶

Red Hat

openssl: 0-byte record padding oracle↗2019-02-26

▶

💬Community

Bugzilla

CVE-2019-1559 mingw-openssl: openssl: 0-byte record padding oracle [epel-7]↗2019-02-27

▶

Bugzilla

CVE-2019-1559 compat-openssl10: openssl: 0-byte record padding oracle [fedora-all]↗2019-02-27

▶

Bugzilla

CVE-2019-1559 openssl: 0-byte record padding oracle↗2019-02-27

▶

Bugzilla

CVE-2019-1559 openssl: 0-byte record padding oracle [fedora-all]↗2019-02-27

▶

Bugzilla

CVE-2019-1559 mingw-openssl: openssl: 0-byte record padding oracle [fedora-all]↗2019-02-27

▶

External resources

NVD MITRE

Affected products53

Canonical Ubuntu Linuxv16.04v18.04v18.10

Debian Debian Linuxv8.0v9.0

F5 Big-ip Access Policy Manager≥ 12.1.0, ≤ 12.1.5≥ 13.0.0, ≤ 13.1.3≥ 14.0.0, ≤ 14.1.2+1 more

F5 Big-ip Advanced Firewall Manager≥ 12.1.0, ≤ 12.1.5≥ 13.0.0, ≤ 13.1.3≥ 14.0.0, ≤ 14.1.2+1 more

F5 Big-ip Analytics≥ 12.1.0, ≤ 12.1.5≥ 13.0.0, ≤ 13.1.3≥ 14.0.0, ≤ 14.1.2+1 more

F5 Big-ip Application Acceleration Manager≥ 12.1.0, ≤ 12.1.5≥ 13.0.0, ≤ 13.1.3≥ 14.0.0, ≤ 14.1.2+1 more

F5 Big-ip Application Security Manager≥ 12.1.0, ≤ 12.1.5≥ 13.0.0, ≤ 13.1.3≥ 14.0.0, ≤ 14.1.2+1 more

F5 Big-ip Domain Name System≥ 12.1.0, ≤ 12.1.5≥ 13.0.0, ≤ 13.1.3≥ 14.0.0, ≤ 14.1.2+1 more

F5 Big-ip Edge Gateway≥ 12.1.0, ≤ 12.1.5≥ 13.0.0, ≤ 13.1.3≥ 14.0.0, ≤ 14.1.2+1 more

F5 Big-ip Fraud Protection Service≥ 12.1.0, ≤ 12.1.5≥ 13.0.0, ≤ 13.1.3≥ 14.0.0, ≤ 14.1.2+1 more

Disclosure

PublishedFeb 27, 2019

Latest updateMay 13, 2022