Lucene search

[email protected]NVD:CVE-2019-1559

HistoryFeb 27, 2019 - 11:29 p.m.

CVE-2019-1559

2019-02-2723:29:00

CWE-203

[email protected]

web.nvd.nist.gov

4.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:N/A:N

5.9 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

6 Medium

AI Score

Confidence

High

0.01 Low

EPSS

Percentile

83.9%

JSON

If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 byte record is received with an invalid MAC. If the application then behaves differently based on that in a way that is detectable to the remote peer, then this amounts to a padding oracle that could be used to decrypt data. In order for this to be exploitable “non-stitched” ciphersuites must be in use. Stitched ciphersuites are optimised implementations of certain commonly used ciphersuites. Also the application must call SSL_shutdown() twice even if a protocol error has occurred (applications should not do this but some do anyway). Fixed in OpenSSL 1.0.2r (Affected 1.0.2-1.0.2q).

Affected configurations

NVD

Node

opensslopensslRange1.0.2–1.0.2r

Node

canonicalubuntu_linuxMatch16.04esm

canonicalubuntu_linuxMatch18.04lts

canonicalubuntu_linuxMatch18.10

Node

debiandebian_linuxMatch8.0

debiandebian_linuxMatch9.0

Node

netappactive_iq_unified_managerRange7.3≥windows

netappactive_iq_unified_managerRange9.5≥vmware_vsphere

netappactive_iq_unified_managerMatch-windows

netappaltavaultMatch-

netappcloud_backupMatch-

netappclustered_data_ontap_antivirus_connectorMatch-

netappelement_softwareMatch-

netapphci_management_nodeMatch-

netapphyper_converged_infrastructureMatch-

netapponcommand_insightMatch-

netapponcommand_unified_managerMatch-

netapponcommand_unified_managerMatch-vsphere

netapponcommand_unified_manager_core_packageMatch-

netapponcommand_workflow_automationMatch-

netappontap_select_deployMatch-

netappontap_select_deploy_administration_utilityMatch-

netappsantricity_smi-s_providerMatch-

netappservice_processorMatch-

netappsmi-s_providerMatch-

netappsnapcenterMatch-

netappsnapdriveMatch-unix

netappsnapdriveMatch-windows

netappsnapprotectMatch-

netappsolidfireMatch-

netappsteelstore_cloud_integrated_storageMatch-

netappstorage_automation_storeMatch-

netappstoragegridRange9.0.0–9.0.4

netappstoragegridMatch-

netapphci_compute_nodeMatch-

Node

f5big-ip_access_policy_managerRange12.1.0–12.1.5

f5big-ip_access_policy_managerRange13.0.0–13.1.3

f5big-ip_access_policy_managerRange14.0.0–14.1.2

f5big-ip_access_policy_managerRange15.0.0–15.1.0

f5big-ip_advanced_firewall_managerRange12.1.0–12.1.5

f5big-ip_advanced_firewall_managerRange13.0.0–13.1.3

f5big-ip_advanced_firewall_managerRange14.0.0–14.1.2

f5big-ip_advanced_firewall_managerRange15.0.0–15.1.0

f5big-ip_analyticsRange12.1.0–12.1.5

f5big-ip_analyticsRange13.0.0–13.1.3

f5big-ip_analyticsRange14.0.0–14.1.2

f5big-ip_analyticsRange15.0.0–15.1.0

f5big-ip_application_acceleration_managerRange12.1.0–12.1.5

f5big-ip_application_acceleration_managerRange13.0.0–13.1.3

f5big-ip_application_acceleration_managerRange14.0.0–14.1.2

f5big-ip_application_acceleration_managerRange15.0.0–15.1.0

f5big-ip_application_security_managerRange12.1.0–12.1.5

f5big-ip_application_security_managerRange13.0.0–13.1.3

f5big-ip_application_security_managerRange14.0.0–14.1.2

f5big-ip_application_security_managerRange15.0.0–15.1.0

f5big-ip_domain_name_systemRange12.1.0–12.1.5

f5big-ip_domain_name_systemRange13.0.0–13.1.3

f5big-ip_domain_name_systemRange14.0.0–14.1.2

f5big-ip_domain_name_systemRange15.0.0–15.1.0

f5big-ip_edge_gatewayRange12.1.0–12.1.5

f5big-ip_edge_gatewayRange13.0.0–13.1.3

f5big-ip_edge_gatewayRange14.0.0–14.1.2

f5big-ip_edge_gatewayRange15.0.0–15.1.0

f5big-ip_fraud_protection_serviceRange12.1.0–12.1.5

f5big-ip_fraud_protection_serviceRange13.0.0–13.1.3

f5big-ip_fraud_protection_serviceRange14.0.0–14.1.2

f5big-ip_fraud_protection_serviceRange15.0.0–15.1.0

f5big-ip_global_traffic_managerRange12.1.0–12.1.5

f5big-ip_global_traffic_managerRange13.0.0–13.1.3

f5big-ip_global_traffic_managerRange14.0.0–14.1.2

f5big-ip_global_traffic_managerRange15.0.0–15.1.0

f5big-ip_link_controllerRange12.1.0–12.1.5

f5big-ip_link_controllerRange13.0.0–13.1.3

f5big-ip_link_controllerRange14.0.0–14.1.2

f5big-ip_link_controllerRange15.0.0–15.1.0

f5big-ip_local_traffic_managerRange12.1.0–12.1.5

f5big-ip_local_traffic_managerRange13.0.0–13.1.3

f5big-ip_local_traffic_managerRange14.0.0–14.1.2

f5big-ip_local_traffic_managerRange15.0.0–15.1.0

f5big-ip_policy_enforcement_managerRange12.1.0–12.1.5

f5big-ip_policy_enforcement_managerRange13.0.0–13.1.3

f5big-ip_policy_enforcement_managerRange14.0.0–14.1.2

f5big-ip_policy_enforcement_managerRange15.0.0–15.1.0

f5big-ip_webacceleratorRange12.1.0–12.1.5

f5big-ip_webacceleratorRange13.0.0–13.1.3

f5big-ip_webacceleratorRange14.0.0–14.1.2

f5big-ip_webacceleratorRange15.0.0–15.1.0

f5big-iq_centralized_managementRange6.0.0–6.1.0

f5big-iq_centralized_managementRange7.0.0–7.1.0

f5traffix_signaling_delivery_controllerRange5.0.0–5.1.0

f5traffix_signaling_delivery_controllerMatch4.4.0

Node

tenablenessusRange≤8.2.3

Node

opensuseleapMatch15.0

opensuseleapMatch15.1

opensuseleapMatch42.3

Node

netappcn1610_firmwareMatch-

AND

netappcn1610Match-

Node

netappa320_firmwareMatch-

AND

netappa320Match-

Node

netappc190_firmwareMatch-

AND

netappc190Match-

Node

netappa220_firmwareMatch-

AND

netappa220Match-

Node

netappfas2720_firmwareMatch-

AND

netappfas2720Match-

Node

netappfas2750_firmwareMatch-

AND

netappfas2750Match-

Node

netappa800_firmwareMatch-

AND

netappa800Match-

Node

fedoraprojectfedoraMatch29

fedoraprojectfedoraMatch30

fedoraprojectfedoraMatch31

Node

mcafeeagentRange5.6.0–5.6.4

mcafeedata_exchange_layerRange4.0.0–6.0.0

mcafeethreat_intelligence_exchange_serverRange2.0.0–3.0.0

mcafeeweb_gatewayRange7.0.0–9.0.0

Node

redhatjboss_enterprise_web_serverMatch5.0.0

AND

redhatenterprise_linuxMatch6.0

redhatenterprise_linuxMatch7.0

redhatenterprise_linuxMatch8.0

Node

redhatvirtualizationMatch4.0

redhatvirtualization_hostMatch4.0

AND

redhatenterprise_linuxMatch7.0

Node

redhatenterprise_linux_desktopMatch6.0

redhatenterprise_linux_desktopMatch7.0

redhatenterprise_linux_serverMatch6.0

redhatenterprise_linux_serverMatch7.0

redhatenterprise_linux_workstationMatch6.0

redhatenterprise_linux_workstationMatch7.0

Node

oracleapi_gatewayMatch11.1.2.4.0

oraclebusiness_intelligenceMatch11.1.1.9.0enterprise

oraclebusiness_intelligenceMatch12.2.1.3.0enterprise

oraclebusiness_intelligenceMatch12.2.1.4.0enterprise

oraclecommunications_diameter_signaling_routerMatch8.0.0

oraclecommunications_diameter_signaling_routerMatch8.1

oraclecommunications_diameter_signaling_routerMatch8.2

oraclecommunications_diameter_signaling_routerMatch8.3

oraclecommunications_diameter_signaling_routerMatch8.4

oraclecommunications_performance_intelligence_centerMatch10.4.0.2

oraclecommunications_session_border_controllerMatch7.4

oraclecommunications_session_border_controllerMatch8.0.0

oraclecommunications_session_border_controllerMatch8.1.0

oraclecommunications_session_border_controllerMatch8.2

oraclecommunications_session_border_controllerMatch8.3

oraclecommunications_session_routerMatch7.4

oraclecommunications_session_routerMatch8.0

oraclecommunications_session_routerMatch8.1

oraclecommunications_session_routerMatch8.2

oraclecommunications_session_routerMatch8.3

oraclecommunications_unified_session_managerMatch7.3.5

oraclecommunications_unified_session_managerMatch8.2.5

oracleendeca_serverMatch7.7.0

oracleenterprise_manager_base_platformMatch12.1.0.5.0

oracleenterprise_manager_base_platformMatch13.2.0.0.0

oracleenterprise_manager_base_platformMatch13.3.0.0.0

oracleenterprise_manager_ops_centerMatch12.3.3

oracleenterprise_manager_ops_centerMatch12.4.0

oraclejd_edwards_enterpriseone_toolsMatch9.2

oraclejd_edwards_world_securityMatcha9.3

oraclejd_edwards_world_securityMatcha9.3.1

oraclejd_edwards_world_securityMatcha9.4

oraclemysqlRange5.6.0–5.6.43

oraclemysqlRange5.7.0–5.7.25

oraclemysqlRange8.0.0–8.0.15

oraclemysql_enterprise_monitorRange≤4.0.8

oraclemysql_enterprise_monitorRange8.0.0–8.0.14

oraclemysql_workbenchRange≤8.0.16

oraclepeoplesoft_enterprise_peopletoolsMatch8.55

oraclepeoplesoft_enterprise_peopletoolsMatch8.56

oraclepeoplesoft_enterprise_peopletoolsMatch8.57

oraclesecure_global_desktopMatch5.4

oracleservices_tools_bundleMatch19.2

Node

paloaltonetworkspan-osRange7.1.0–7.1.15

paloaltonetworkspan-osRange8.0.0–8.0.20

paloaltonetworkspan-osRange8.1.0–8.1.8

paloaltonetworkspan-osRange9.0.0–9.0.2

Node

nodejsnode.jsRange6.0.0–6.8.1-

nodejsnode.jsRange6.9.0–6.17.0lts

nodejsnode.jsRange8.0.0–8.8.1-

nodejsnode.jsRange8.9.0–8.15.1lts

References

lists.opensuse.org/opensuse-security-announce/2019-03/msg00041.html

lists.opensuse.org/opensuse-security-announce/2019-04/msg00019.html

lists.opensuse.org/opensuse-security-announce/2019-04/msg00046.html

lists.opensuse.org/opensuse-security-announce/2019-04/msg00047.html

lists.opensuse.org/opensuse-security-announce/2019-05/msg00049.html

lists.opensuse.org/opensuse-security-announce/2019-06/msg00080.html

www.securityfocus.com/bid/107174

access.redhat.com/errata/RHSA-2019:2304

access.redhat.com/errata/RHSA-2019:2437

access.redhat.com/errata/RHSA-2019:2439

access.redhat.com/errata/RHSA-2019:2471

access.redhat.com/errata/RHSA-2019:3929

access.redhat.com/errata/RHSA-2019:3931

git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=e9bbefbf0f24c57645e7ad6a5a71ae649d18ac8e

kc.mcafee.com/corporate/index?page=content&id=SB10282

lists.debian.org/debian-lts-announce/2019/03/msg00003.html

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EWC42UXL5GHTU5G77VKBF6JYUUNGSHOM/

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Y3IVFGSERAZLNJCK35TEM2R4726XIH3Z/

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZBEV5QGDRFUZDMNECFXUSN5FMYOZDE4V/

security.gentoo.org/glsa/201903-10

security.netapp.com/advisory/ntap-20190301-0001/

security.netapp.com/advisory/ntap-20190301-0002/

security.netapp.com/advisory/ntap-20190423-0002/

support.f5.com/csp/article/K18549143

support.f5.com/csp/article/K18549143?utm_source=f5support&amp%3Butm_medium=RSS

usn.ubuntu.com/3899-1/

usn.ubuntu.com/4376-2/

www.debian.org/security/2019/dsa-4400

www.openssl.org/news/secadv/20190226.txt

www.oracle.com/security-alerts/cpujan2020.html

www.oracle.com/security-alerts/cpujan2021.html

www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html

www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html

www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html

www.tenable.com/security/tns-2019-02

www.tenable.com/security/tns-2019-03

4.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:N/A:N

5.9 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

6 Medium

AI Score

Confidence

High

0.01 Low

EPSS

Percentile

83.9%

JSON

CVE-2019-1559

Affected configurations

References

Related