CVE-2019-1563 — Observable Discrepancy in Openssl

CWE-203 — Observable Discrepancy CWE-327 — Use of a Broken or Risky Cryptographic Algorithm CWE-311 — Missing Encryption of Sensitive Data CWE-200 — Sensitive Information Exposure21 documents10 sources

Severity

3.7LOWNVD

OSV4.7

EPSS

1.3%

top 20.40%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Openssl Debian Openssl Paloalto Cortex XDR

Timeline

PublishedSep 10

Latest updateNov 7

Description

In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functi…

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:NExploitability: 2.2 | Impact: 1.4

Affected Packages6 packages

▶debiandebian/openssl< openssl 1.1.1d-1 (bookworm)

▶Debianopenssl/openssl< 1.1.1d-1+3

▶Ubuntuopenssl/openssl< 1.0.2g-1ubuntu4.16+3

▶NVDopenssl/openssl1.0.2 — 1.0.2s+2

▶CVEListV5openssl/opensslFixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s), Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k), Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c)+2

🔴Vulnerability Details

GHSA

GHSA-rv3r-f48w-6vvh: In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very la↗2022-05-24

▶

OSV

openssl, openssl1.0 vulnerabilities↗2020-09-16

▶

OSV

openssl vulnerabilities↗2020-07-09

▶

OSV

openssl vulnerabilities↗2020-05-28

▶

OSV

CVE-2019-1563: In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very la↗2019-09-10

▶

📋Vendor Advisories

Palo Alto

PAN-SA-2024-0014 Informational Bulletin: Impact of OSS CVEs in Cortex XDR Agent↗2024-11-07

▶

CISA ICS

Hitachi Energy APM Edge (Update A)↗2021-12-02

▶

Ubuntu

OpenSSL vulnerabilities↗2020-09-16

▶

Ubuntu

OpenSSL vulnerabilities↗2020-07-09

▶

Ubuntu

OpenSSL vulnerabilities↗2020-05-28

▶

📄Research Papers

arXiv

One Bad Apple Spoils the Barrel: Understanding the Security Risks Introduced by Third-Party Components in IoT Firmware↗2022-12-29

▶

💬Community

Bugzilla

CVE-2019-1551 openssl: Integer overflow in RSAZ modular exponentiation on x86_64↗2019-12-09

▶

Bugzilla

CVE-2019-1563 openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey [fedora-all]↗2019-09-13

▶

Bugzilla

CVE-2019-1549 openssl: information disclosure in fork()↗2019-09-13

▶

Bugzilla

CVE-2019-1563 mingw-openssl: openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey [epel-7]↗2019-09-13

▶

Bugzilla

CVE-2019-1563 openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey↗2019-09-13

▶