CVSS3: 5.9 Medium
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS2: 4.3 Medium
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
AV:N/AC:M/Au:N/C:P/I:N/A:N

OpenSSL is vulnerable to padding oracle attacks. If a fatal protocol error occurs and the application then calls SSL_shutdown() twice, an attacker can perform a padding oracle attack to decrypt data by sending a 0-byte record with invalid padding, which causes the application to behave differently depending on the error codes returned. The attack succeeds only if the attacker is able to detect these differences in application behavior.

lists.opensuse.org/opensuse-security-announce/2019-03/msg00041.html
lists.opensuse.org/opensuse-security-announce/2019-04/msg00019.html
lists.opensuse.org/opensuse-security-announce/2019-04/msg00046.html
lists.opensuse.org/opensuse-security-announce/2019-04/msg00047.html
lists.opensuse.org/opensuse-security-announce/2019-05/msg00049.html
lists.opensuse.org/opensuse-security-announce/2019-06/msg00080.html
www.securityfocus.com/bid/107174
access.redhat.com/errata/RHSA-2019:2304
access.redhat.com/errata/RHSA-2019:2437
access.redhat.com/errata/RHSA-2019:2439
access.redhat.com/errata/RHSA-2019:2471
access.redhat.com/errata/RHSA-2019:3929
access.redhat.com/errata/RHSA-2019:3931
git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e9bbefbf0f24c57645e7ad6a5a71ae649d18ac8e
kc.mcafee.com/corporate/index?page=content&id=SB10282
lists.debian.org/debian-lts-announce/2019/03/msg00003.html
lists.fedoraproject.org/archives/list/[email protected]/message/EWC42UXL5GHTU5G77VKBF6JYUUNGSHOM/
lists.fedoraproject.org/archives/list/[email protected]/message/Y3IVFGSERAZLNJCK35TEM2R4726XIH3Z/
lists.fedoraproject.org/archives/list/[email protected]/message/ZBEV5QGDRFUZDMNECFXUSN5FMYOZDE4V/
security.gentoo.org/glsa/201903-10
security.netapp.com/advisory/ntap-20190301-0001/
security.netapp.com/advisory/ntap-20190301-0002/
security.netapp.com/advisory/ntap-20190423-0002/
support.f5.com/csp/article/K18549143
usn.ubuntu.com/3899-1/
usn.ubuntu.com/4376-2/
www.debian.org/security/2019/dsa-4400
www.openssl.org/news/secadv/20190226.txt
www.oracle.com/security-alerts/cpujan2020.html
www.oracle.com/security-alerts/cpujan2021.html
www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
www.tenable.com/security/tns-2019-02
www.tenable.com/security/tns-2019-03