CVE-2019-1563
3.7 Low
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
5.2 Medium
AI Score
Confidence
High
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:N/A:N
0.015 Low
EPSS
Percentile
86.8%
In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).
| CPE | Name | Operator | Version |
|---|---|---|---|
| openssl:openssl | openssl | le | 1.1.1c |
| openssl:openssl | openssl | le | 1.0.2s |
| openssl:openssl | openssl | le | 1.1.0k |
References
lists.opensuse.org/opensuse-security-announce/2019-09/msg00054.html
lists.opensuse.org/opensuse-security-announce/2019-09/msg00072.html
lists.opensuse.org/opensuse-security-announce/2019-10/msg00012.html
lists.opensuse.org/opensuse-security-announce/2019-10/msg00016.html
packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html
git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=08229ad838c50f644d7e928e2eef147b4308ad64
git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=631f94db0065c78181ca9ba5546ebc8bb3884b97
git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f
kc.mcafee.com/corporate/index?page=content&id=SB10365
lists.debian.org/debian-lts-announce/2019/09/msg00026.html
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/
seclists.org/bugtraq/2019/Oct/0
seclists.org/bugtraq/2019/Oct/1
seclists.org/bugtraq/2019/Sep/25
security.gentoo.org/glsa/201911-04
security.netapp.com/advisory/ntap-20190919-0002/
support.f5.com/csp/article/K97324400?utm_source=f5support&%3Butm_medium=RSS
usn.ubuntu.com/4376-1/
usn.ubuntu.com/4376-2/
usn.ubuntu.com/4504-1/
www.debian.org/security/2019/dsa-4539
www.debian.org/security/2019/dsa-4540
www.openssl.org/news/secadv/20190910.txt
www.oracle.com/security-alerts/cpuapr2020.html
www.oracle.com/security-alerts/cpujan2020.html
www.oracle.com/security-alerts/cpujul2020.html
www.oracle.com/security-alerts/cpuoct2020.html
www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
www.tenable.com/security/tns-2019-09
Social References
More
Related
3.7 Low
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
5.2 Medium
AI Score
Confidence
High
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:N/A:N
0.015 Low
EPSS
Percentile
86.8%