Vulnerability Monitor

CVE-2019-1559


If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one), then OpenSSL can respond differently to the calling application when a 0 byte record is received with invalid padding compared to when a 0 byte record is received with an invalid MAC. If the application then behaves differently based on that in a way that is detectable to the remote peer, this amounts to a padding oracle that could be used to decrypt data. In order for this to be exploitable, "non-stitched" ciphersuites must be in use. Stitched ciphersuites are optimised implementations of certain commonly used ciphersuites. Also, the application must call SSL_shutdown() twice even if a protocol error has occurred (applications should not do this, but some do anyway). Fixed in OpenSSL 1.0.2r (Affected 1.0.2-1.0.2q).


Published

2019-02-27T23:29:00.277

Last Modified

2024-11-21T04:36:48.960

Status

Modified

Severity

CVSSv3.1: 5.9 (MEDIUM)

CVSSv2 Vector

AV:N/AC:M/Au:N/C:P/I:N/A:N

  • Access Vector: NETWORK
  • Access Complexity: MEDIUM
  • Authentication: NONE
  • Confidentiality Impact: PARTIAL
  • Integrity Impact: NONE
  • Availability Impact: NONE

Exploitability Score

8.6

Impact Score

2.9

Weaknesses
  • Type: Primary
    CWE-203

Affected Vendors & Products
Type Vendor Product Version/Range Vulnerable?
Application openssl openssl < 1.0.2r Yes
Operating System canonical ubuntu_linux 16.04 Yes
Operating System canonical ubuntu_linux 18.04 Yes
Operating System canonical ubuntu_linux 18.10 Yes
Operating System debian debian_linux 8.0 Yes
Operating System debian debian_linux 9.0 Yes
Application netapp active_iq_unified_manager ≥ 7.3 Yes
Application netapp active_iq_unified_manager ≥ 9.5 Yes
Application netapp active_iq_unified_manager - Yes
Application netapp altavault - Yes
Application netapp cloud_backup - Yes
Application netapp clustered_data_ontap_antivirus_connector - Yes
Application netapp element_software - Yes
Application netapp hci_management_node - Yes
Application netapp hyper_converged_infrastructure - Yes
Application netapp oncommand_insight - Yes
Application netapp oncommand_unified_manager - Yes
Application netapp oncommand_unified_manager_core_package - Yes
Application netapp oncommand_workflow_automation - Yes
Application netapp ontap_select_deploy - Yes
Application netapp ontap_select_deploy_administration_utility - Yes
Application netapp santricity_smi-s_provider - Yes
Application netapp service_processor - Yes
Application netapp smi-s_provider - Yes
Application netapp snapcenter - Yes
Application netapp snapdrive - Yes
Application netapp snapprotect - Yes
Application netapp solidfire - Yes
Application netapp steelstore_cloud_integrated_storage - Yes
Application netapp storage_automation_store - Yes
Application netapp storagegrid ≤ 9.0.4 Yes
Application netapp storagegrid - Yes
Hardware netapp hci_compute_node - Yes
Application f5 big-ip_access_policy_manager ≤ 12.1.5 Yes
Application f5 big-ip_access_policy_manager ≤ 13.1.3 Yes
Application f5 big-ip_access_policy_manager ≤ 14.1.2 Yes
Application f5 big-ip_access_policy_manager ≤ 15.1.0 Yes
Application f5 big-ip_advanced_firewall_manager ≤ 12.1.5 Yes
Application f5 big-ip_advanced_firewall_manager ≤ 13.1.3 Yes
Application f5 big-ip_advanced_firewall_manager ≤ 14.1.2 Yes
Application f5 big-ip_advanced_firewall_manager ≤ 15.1.0 Yes
Application f5 big-ip_analytics ≤ 12.1.5 Yes
Application f5 big-ip_analytics ≤ 13.1.3 Yes
Application f5 big-ip_analytics ≤ 14.1.2 Yes
Application f5 big-ip_analytics ≤ 15.1.0 Yes
Application f5 big-ip_application_acceleration_manager ≤ 12.1.5 Yes
Application f5 big-ip_application_acceleration_manager ≤ 13.1.3 Yes
Application f5 big-ip_application_acceleration_manager ≤ 14.1.2 Yes
Application f5 big-ip_application_acceleration_manager ≤ 15.1.0 Yes
Application f5 big-ip_application_security_manager ≤ 12.1.5 Yes
Application f5 big-ip_application_security_manager ≤ 13.1.3 Yes
Application f5 big-ip_application_security_manager ≤ 14.1.2 Yes
Application f5 big-ip_application_security_manager ≤ 15.1.0 Yes
Application f5 big-ip_domain_name_system ≤ 12.1.5 Yes
Application f5 big-ip_domain_name_system ≤ 13.1.3 Yes
Application f5 big-ip_domain_name_system ≤ 14.1.2 Yes
Application f5 big-ip_domain_name_system ≤ 15.1.0 Yes
Application f5 big-ip_edge_gateway ≤ 12.1.5 Yes
Application f5 big-ip_edge_gateway ≤ 13.1.3 Yes
Application f5 big-ip_edge_gateway ≤ 14.1.2 Yes
Application f5 big-ip_edge_gateway ≤ 15.1.0 Yes
Application f5 big-ip_fraud_protection_service ≤ 12.1.5 Yes
Application f5 big-ip_fraud_protection_service ≤ 13.1.3 Yes
Application f5 big-ip_fraud_protection_service ≤ 14.1.2 Yes
Application f5 big-ip_fraud_protection_service ≤ 15.1.0 Yes
Application f5 big-ip_global_traffic_manager ≤ 12.1.5 Yes
Application f5 big-ip_global_traffic_manager ≤ 13.1.3 Yes
Application f5 big-ip_global_traffic_manager ≤ 14.1.2 Yes
Application f5 big-ip_global_traffic_manager ≤ 15.1.0 Yes
Application f5 big-ip_link_controller ≤ 12.1.5 Yes
Application f5 big-ip_link_controller ≤ 13.1.3 Yes
Application f5 big-ip_link_controller ≤ 14.1.2 Yes
Application f5 big-ip_link_controller ≤ 15.1.0 Yes
Application f5 big-ip_local_traffic_manager ≤ 12.1.5 Yes
Application f5 big-ip_local_traffic_manager ≤ 13.1.3 Yes
Application f5 big-ip_local_traffic_manager ≤ 14.1.2 Yes
Application f5 big-ip_local_traffic_manager ≤ 15.1.0 Yes
Application f5 big-ip_policy_enforcement_manager ≤ 12.1.5 Yes
Application f5 big-ip_policy_enforcement_manager ≤ 13.1.3 Yes
Application f5 big-ip_policy_enforcement_manager ≤ 14.1.2 Yes
Application f5 big-ip_policy_enforcement_manager ≤ 15.1.0 Yes
Application f5 big-ip_webaccelerator ≤ 12.1.5 Yes
Application f5 big-ip_webaccelerator ≤ 13.1.3 Yes
Application f5 big-ip_webaccelerator ≤ 14.1.2 Yes
Application f5 big-ip_webaccelerator ≤ 15.1.0 Yes
Application f5 big-iq_centralized_management ≤ 6.1.0 Yes
Application f5 big-iq_centralized_management ≤ 7.1.0 Yes
Application f5 traffix_signaling_delivery_controller ≤ 5.1.0 Yes
Application f5 traffix_signaling_delivery_controller 4.4.0 Yes
Application tenable nessus ≤ 8.2.3 Yes
Operating System opensuse leap 15.0 Yes
Operating System opensuse leap 15.1 Yes
Operating System opensuse leap 42.3 Yes
Operating System netapp cn1610_firmware - Yes
Hardware netapp cn1610 - No
Operating System netapp a320_firmware - Yes
Hardware netapp a320 - No
Operating System netapp c190_firmware - Yes
Hardware netapp c190 - No
Operating System netapp a220_firmware - Yes
Hardware netapp a220 - No
Operating System netapp fas2720_firmware - Yes
Hardware netapp fas2720 - No
Operating System netapp fas2750_firmware - Yes
Hardware netapp fas2750 - No
Operating System netapp a800_firmware - Yes
Hardware netapp a800 - No
Operating System fedoraproject fedora 29 Yes
Operating System fedoraproject fedora 30 Yes
Operating System fedoraproject fedora 31 Yes
Application mcafee agent ≤ 5.6.4 Yes
Application mcafee data_exchange_layer < 6.0.0 Yes
Application mcafee threat_intelligence_exchange_server < 3.0.0 Yes
Application mcafee web_gateway < 9.0.0 Yes
Application redhat jboss_enterprise_web_server 5.0.0 Yes
Operating System redhat enterprise_linux 6.0 No
Operating System redhat enterprise_linux 7.0 No
Operating System redhat enterprise_linux 8.0 No
Application redhat virtualization 4.0 Yes
Application redhat virtualization_host 4.0 Yes
Operating System redhat enterprise_linux_desktop 6.0 Yes
Operating System redhat enterprise_linux_desktop 7.0 Yes
Operating System redhat enterprise_linux_server 6.0 Yes
Operating System redhat enterprise_linux_server 7.0 Yes
Operating System redhat enterprise_linux_workstation 6.0 Yes
Operating System redhat enterprise_linux_workstation 7.0 Yes
Application oracle api_gateway 11.1.2.4.0 Yes
Application oracle business_intelligence 11.1.1.9.0 Yes
Application oracle business_intelligence 12.2.1.3.0 Yes
Application oracle business_intelligence 12.2.1.4.0 Yes
Application oracle communications_diameter_signaling_router 8.0.0 Yes
Application oracle communications_diameter_signaling_router 8.1 Yes
Application oracle communications_diameter_signaling_router 8.2 Yes
Application oracle communications_diameter_signaling_router 8.3 Yes
Application oracle communications_diameter_signaling_router 8.4 Yes
Application oracle communications_performance_intelligence_center 10.4.0.2 Yes
Application oracle communications_session_border_controller 7.4 Yes
Application oracle communications_session_border_controller 8.0.0 Yes
Application oracle communications_session_border_controller 8.1.0 Yes
Application oracle communications_session_border_controller 8.2 Yes
Application oracle communications_session_border_controller 8.3 Yes
Application oracle communications_session_router 7.4 Yes
Application oracle communications_session_router 8.0 Yes
Application oracle communications_session_router 8.1 Yes
Application oracle communications_session_router 8.2 Yes
Application oracle communications_session_router 8.3 Yes
Application oracle communications_unified_session_manager 7.3.5 Yes
Application oracle communications_unified_session_manager 8.2.5 Yes
Application oracle endeca_server 7.7.0 Yes
Application oracle enterprise_manager_base_platform 12.1.0.5.0 Yes
Application oracle enterprise_manager_base_platform 13.2.0.0.0 Yes
Application oracle enterprise_manager_base_platform 13.3.0.0.0 Yes
Application oracle enterprise_manager_ops_center 12.3.3 Yes
Application oracle enterprise_manager_ops_center 12.4.0 Yes
Application oracle jd_edwards_enterpriseone_tools 9.2 Yes
Application oracle jd_edwards_world_security a9.3 Yes
Application oracle jd_edwards_world_security a9.3.1 Yes
Application oracle jd_edwards_world_security a9.4 Yes
Application oracle mysql ≤ 5.6.43 Yes
Application oracle mysql ≤ 5.7.25 Yes
Application oracle mysql ≤ 8.0.15 Yes
Application oracle mysql_enterprise_monitor ≤ 4.0.8 Yes
Application oracle mysql_enterprise_monitor ≤ 8.0.14 Yes
Application oracle mysql_workbench ≤ 8.0.16 Yes
Application oracle peoplesoft_enterprise_peopletools 8.55 Yes
Application oracle peoplesoft_enterprise_peopletools 8.56 Yes
Application oracle peoplesoft_enterprise_peopletools 8.57 Yes
Application oracle secure_global_desktop 5.4 Yes
Application oracle services_tools_bundle 19.2 Yes
Operating System paloaltonetworks pan-os < 7.1.15 Yes
Operating System paloaltonetworks pan-os < 8.0.20 Yes
Operating System paloaltonetworks pan-os < 8.1.8 Yes
Operating System paloaltonetworks pan-os < 9.0.2 Yes
Application nodejs node.js ≤ 6.8.1 Yes
Application nodejs node.js < 6.17.0 Yes
Application nodejs node.js ≤ 8.8.1 Yes
Application nodejs node.js < 8.15.1 Yes

References