Lucene search

K
freebsdFreeBSD7700061F-34F7-11E9-B95C-B499BAEBFEAF
HistoryFeb 19, 2019 - 12:00 a.m.

OpenSSL -- Padding oracle vulnerability

2019-02-1900:00:00
vuxml.freebsd.org
46

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:N/A:N

CVSS3

5.9

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS

0.01

Percentile

83.8%

The OpenSSL project reports:

0-byte record padding oracle (CVE-2019-1559) (Moderate)
If an application encounters a fatal protocol error and then calls
SSL_shutdown() twice (once to send a close_notify, and once to receive
one) then OpenSSL can respond differently to the calling application if
a 0 byte record is received with invalid padding compared to if a 0 byte
record is received with an invalid MAC. If the application then behaves
differently based on that in a way that is detectable to the remote peer,
then this amounts to a padding oracle that could be used to decrypt data.

OSVersionArchitecturePackageVersionFilename
FreeBSDanynoarchopenssl< 1.0.2r,1UNKNOWN
FreeBSDanynoarchlinux-c6-openssl< 1.0.1e_16UNKNOWN

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:N/A:N

CVSS3

5.9

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS

0.01

Percentile

83.8%