CVE-2019-1559
Summary
| CVE | CVE-2019-1559 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2019-02-27 23:29:00 UTC |
| Updated | 2023-11-07 03:08:00 UTC |
| Description | If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 byte record is received with an invalid MAC. If the application then behaves differently based on that in a way that is detectable to the remote peer, then this amounts to a padding oracle that could be used to decrypt data. In order for this to be exploitable "non-stitched" ciphersuites must be in use. Stitched ciphersuites are optimised implementations of certain commonly used ciphersuites. Also the application must call SSL_shutdown() twice even if a protocol error has occurred (applications should not do this but some do anyway). Fixed in OpenSSL 1.0.2r (Affected 1.0.2-1.0.2q). |
Risk And Classification
Problem Types: CWE-203
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Operating System | Canonical | Ubuntu Linux | 16.04 | All | All | All |
| Operating System | Canonical | Ubuntu Linux | 18.04 | All | All | All |
| Operating System | Canonical | Ubuntu Linux | 18.10 | All | All | All |
| Operating System | Debian | Debian Linux | 8.0 | All | All | All |
| Operating System | Debian | Debian Linux | 9.0 | All | All | All |
| Application | F5 | Big-ip Access Policy Manager | All | All | All | All |
| Application | F5 | Big-ip Advanced Firewall Manager | All | All | All | All |
| Application | F5 | Big-ip Analytics | All | All | All | All |
| Application | F5 | Big-ip Application Acceleration Manager | All | All | All | All |
| Application | F5 | Big-ip Application Security Manager | All | All | All | All |
| Application | F5 | Big-ip Domain Name System | All | All | All | All |
| Application | F5 | Big-ip Edge Gateway | All | All | All | All |
| Application | F5 | Big-ip Fraud Protection Service | All | All | All | All |
| Application | F5 | Big-ip Global Traffic Manager | All | All | All | All |
| Application | F5 | Big-ip Link Controller | All | All | All | All |
| Application | F5 | Big-ip Local Traffic Manager | All | All | All | All |
| Application | F5 | Big-ip Policy Enforcement Manager | All | All | All | All |
| Application | F5 | Big-ip Webaccelerator | All | All | All | All |
| Application | F5 | Big-iq Centralized Management | All | All | All | All |
| Application | F5 | Traffix Signaling Delivery Controller | 4.4.0 | All | All | All |
| Application | F5 | Traffix Signaling Delivery Controller | All | All | All | All |
| Operating System | Fedoraproject | Fedora | 29 | All | All | All |
| Operating System | Fedoraproject | Fedora | 30 | All | All | All |
| Operating System | Fedoraproject | Fedora | 31 | All | All | All |
| Application | Mcafee | Agent | All | All | All | All |
| Application | Mcafee | Data Exchange Layer | All | All | All | All |
| Application | Mcafee | Threat Intelligence Exchange Server | All | All | All | All |
| Application | Mcafee | Web Gateway | All | All | All | All |
| Hardware | Netapp | A220 | - | All | All | All |
| Operating System | Netapp | A220 Firmware | - | All | All | All |
| Hardware | Netapp | A320 | - | All | All | All |
| Operating System | Netapp | A320 Firmware | - | All | All | All |
| Hardware | Netapp | A800 | - | All | All | All |
| Operating System | Netapp | A800 Firmware | - | All | All | All |
| Application | Netapp | Active Iq Unified Manager | All | All | All | All |
| Application | Netapp | Active Iq Unified Manager | - | All | All | All |
| Application | Netapp | Altavault | - | All | All | All |
| Hardware | Netapp | C190 | - | All | All | All |
| Operating System | Netapp | C190 Firmware | - | All | All | All |
| Application | Netapp | Cloud Backup | - | All | All | All |
| Application | Netapp | Clustered Data Ontap Antivirus Connector | - | All | All | All |
| Hardware | Netapp | Cn1610 | - | All | All | All |
| Operating System | Netapp | Cn1610 Firmware | - | All | All | All |
| Application | Netapp | Element Software | - | All | All | All |
| Hardware | Netapp | Fas2720 | - | All | All | All |
| Operating System | Netapp | Fas2720 Firmware | - | All | All | All |
| Hardware | Netapp | Fas2750 | - | All | All | All |
| Operating System | Netapp | Fas2750 Firmware | - | All | All | All |
| Hardware | Netapp | Hci Compute Node | - | All | All | All |
| Application | Netapp | Hci Management Node | - | All | All | All |
| Application | Netapp | Hyper Converged Infrastructure | - | All | All | All |
| Application | Netapp | Oncommand Insight | - | All | All | All |
| Application | Netapp | Oncommand Unified Manager | - | All | All | All |
| Application | Netapp | Oncommand Unified Manager Core Package | - | All | All | All |
| Application | Netapp | Oncommand Workflow Automation | - | All | All | All |
| Application | Netapp | Ontap Select Deploy | - | All | All | All |
| Application | Netapp | Ontap Select Deploy Administration Utility | - | All | All | All |
| Application | Netapp | Santricity Smi-s Provider | - | All | All | All |
| Application | Netapp | Service Processor | - | All | All | All |
| Application | Netapp | Smi-s Provider | - | All | All | All |
| Application | Netapp | Snapcenter | - | All | All | All |
| Application | Netapp | Snapdrive | - | All | All | All |
| Application | Netapp | Snapprotect | - | All | All | All |
| Application | Netapp | Solidfire | - | All | All | All |
| Application | Netapp | Steelstore Cloud Integrated Storage | - | All | All | All |
| Application | Netapp | Storagegrid | - | All | All | All |
| Application | Netapp | Storagegrid | All | All | All | All |
| Application | Netapp | Storage Automation Store | - | All | All | All |
| Application | Nodejs | Node.js | All | All | All | All |
| Application | Openssl | Openssl | All | All | All | All |
| Operating System | Opensuse | Leap | 15.0 | All | All | All |
| Operating System | Opensuse | Leap | 15.1 | All | All | All |
| Operating System | Opensuse | Leap | 42.3 | All | All | All |
| Application | Oracle | Api Gateway | 11.1.2.4.0 | All | All | All |
| Application | Oracle | Business Intelligence | 11.1.1.9.0 | All | All | All |
| Application | Oracle | Business Intelligence | 12.2.1.3.0 | All | All | All |
| Application | Oracle | Business Intelligence | 12.2.1.4.0 | All | All | All |
| Application | Oracle | Communications Diameter Signaling Router | 8.0.0 | All | All | All |
| Application | Oracle | Communications Diameter Signaling Router | 8.1 | All | All | All |
| Application | Oracle | Communications Diameter Signaling Router | 8.2 | All | All | All |
| Application | Oracle | Communications Diameter Signaling Router | 8.3 | All | All | All |
| Application | Oracle | Communications Diameter Signaling Router | 8.4 | All | All | All |
| Application | Oracle | Communications Performance Intelligence Center | 10.4.0.2 | All | All | All |
| Application | Oracle | Communications Session Border Controller | 7.4 | All | All | All |
| Application | Oracle | Communications Session Border Controller | 8.0.0 | All | All | All |
| Application | Oracle | Communications Session Border Controller | 8.1.0 | All | All | All |
| Application | Oracle | Communications Session Border Controller | 8.2 | All | All | All |
| Application | Oracle | Communications Session Border Controller | 8.3 | All | All | All |
| Application | Oracle | Communications Session Router | 7.4 | All | All | All |
| Application | Oracle | Communications Session Router | 8.0 | All | All | All |
| Application | Oracle | Communications Session Router | 8.1 | All | All | All |
| Application | Oracle | Communications Session Router | 8.2 | All | All | All |
| Application | Oracle | Communications Session Router | 8.3 | All | All | All |
| Application | Oracle | Communications Unified Session Manager | 7.3.5 | All | All | All |
| Application | Oracle | Communications Unified Session Manager | 8.2.5 | All | All | All |
| Application | Oracle | Endeca Server | 7.7.0 | All | All | All |
| Application | Oracle | Enterprise Manager Base Platform | 12.1.0.5.0 | All | All | All |
| Application | Oracle | Enterprise Manager Base Platform | 13.2.0.0.0 | All | All | All |
| Application | Oracle | Enterprise Manager Base Platform | 13.3.0.0.0 | All | All | All |
| Application | Oracle | Enterprise Manager Ops Center | 12.3.3 | All | All | All |
| Application | Oracle | Enterprise Manager Ops Center | 12.4.0 | All | All | All |
| Application | Oracle | Jd Edwards Enterpriseone Tools | 9.2 | All | All | All |
| Application | Oracle | Jd Edwards World Security | a9.3 | All | All | All |
| Application | Oracle | Jd Edwards World Security | a9.3.1 | All | All | All |
| Application | Oracle | Jd Edwards World Security | a9.4 | All | All | All |
| Application | Oracle | Mysql | All | All | All | All |
| Application | Oracle | Mysql Enterprise Monitor | All | All | All | All |
| Application | Oracle | Mysql Workbench | All | All | All | All |
| Application | Oracle | Peoplesoft Enterprise Peopletools | 8.55 | All | All | All |
| Application | Oracle | Peoplesoft Enterprise Peopletools | 8.56 | All | All | All |
| Application | Oracle | Peoplesoft Enterprise Peopletools | 8.57 | All | All | All |
| Application | Oracle | Secure Global Desktop | 5.4 | All | All | All |
| Application | Oracle | Services Tools Bundle | 19.2 | All | All | All |
| Operating System | Paloaltonetworks | Pan-os | All | All | All | All |
| Operating System | Redhat | Enterprise Linux | 6.0 | All | All | All |
| Operating System | Redhat | Enterprise Linux | 7.0 | All | All | All |
| Operating System | Redhat | Enterprise Linux | 8.0 | All | All | All |
| Operating System | Redhat | Enterprise Linux Desktop | 6.0 | All | All | All |
| Operating System | Redhat | Enterprise Linux Desktop | 7.0 | All | All | All |
| Operating System | Redhat | Enterprise Linux Server | 6.0 | All | All | All |
| Operating System | Redhat | Enterprise Linux Server | 7.0 | All | All | All |
| Operating System | Redhat | Enterprise Linux Workstation | 6.0 | All | All | All |
| Operating System | Redhat | Enterprise Linux Workstation | 7.0 | All | All | All |
| Application | Redhat | Jboss Enterprise Web Server | 5.0.0 | All | All | All |
| Application | Redhat | Virtualization | 4.0 | All | All | All |
| Application | Redhat | Virtualization Host | 4.0 | All | All | All |
| Application | Tenable | Nessus | All | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| [SECURITY] Fedora 30 Update: compat-openssl10-1.0.2o-7.fc30 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org | |
| McAfee Security Bulletin - Multiple McAfee product updates fix OpenSSL vulnerabilities (CVE-2019-1559) | CONFIRM | kc.mcafee.com | |
| [SECURITY] Fedora 31 Update: compat-openssl10-1.0.2o-8.fc31 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org | |
| [SECURITY] Fedora 29 Update: compat-openssl10-1.0.2o-7.fc29 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org | |
| support.f5.com/csp/article/K18549143 | CONFIRM | support.f5.com | Third Party Advisory |
| USN-3899-1: OpenSSL vulnerability \| Ubuntu security notices \| Ubuntu | UBUNTU | usn.ubuntu.com | Third Party Advisory |
| Red Hat Customer Portal | REDHAT | access.redhat.com | |
| USN-4376-2: OpenSSL vulnerabilities \| Ubuntu security notices \| Ubuntu | UBUNTU | usn.ubuntu.com | |
| OpenSSL: Multiple vulnerabilities (GLSA 201903-10) — Gentoo security | GENTOO | security.gentoo.org | Third Party Advisory |
| [security-announce] openSUSE-SU-2019:1173-1: moderate: Security update f | SUSE | lists.opensuse.org | Mailing List, Third Party Advisory |
| Debian -- Security Information -- DSA-4400-1 openssl1.0 | DEBIAN | www.debian.org | Third Party Advisory |
| OpenSSL CVE-2019-1559 Information Disclosure Vulnerability | BID | www.securityfocus.com | Third Party Advisory, VDB Entry |
| [security-announce] openSUSE-SU-2019:1175-1: moderate: Security update f | SUSE | lists.opensuse.org | Mailing List, Third Party Advisory |
| [R1] Nessus 8.3.0 Fixes Multiple Third-party Vulnerabilities - Security Advisory \| Tenable® | CONFIRM | www.tenable.com | Patch, Third Party Advisory |
| [SECURITY] [DLA 1701-1] openssl security update | MLIST | lists.debian.org | Mailing List, Third Party Advisory |
| Oracle Critical Patch Update - July 2019 | MISC | www.oracle.com | |
| [security-announce] openSUSE-SU-2019:1432-1: moderate: Security update f | SUSE | lists.opensuse.org | |
| git.openssl.org Git - openssl.git/commitdiff | CONFIRM | git.openssl.org | Patch, Third Party Advisory |
| [security-announce] openSUSE-SU-2019:1105-1: moderate: Security update f | SUSE | lists.opensuse.org | Mailing List, Third Party Advisory |
| [R1] Nessus Agent 7.4.0 Fixes One Third-party Vulnerability - Security Advisory \| Tenable® | CONFIRM | www.tenable.com | |
| CVE-2019-1559 OpenSSL Vulnerability in NetApp Products \| NetApp Product Security | CONFIRM | security.netapp.com | Patch, Third Party Advisory |
| April 2019 MySQL Vulnerabilities in NetApp Products \| NetApp Product Security | CONFIRM | security.netapp.com | Third Party Advisory |
| myF5 | | support.f5.com | |
| Oracle Critical Patch Update - October 2019 | MISC | www.oracle.com | |
| Oracle Critical Patch Update Advisory - January 2020 | MISC | www.oracle.com | |
| [security-announce] openSUSE-SU-2019:1076-1: moderate: Security update f | SUSE | lists.opensuse.org | Mailing List, Third Party Advisory |
| NetApp Product Security | CONFIRM | security.netapp.com | Third Party Advisory |
| www.openssl.org/news/secadv/20190226.txt | CONFIRM | www.openssl.org | Vendor Advisory |
| Oracle Critical Patch Update Advisory - January 2021 | MISC | www.oracle.com | |
| [security-announce] openSUSE-SU-2019:1637-1: moderate: Security update f | SUSE | lists.opensuse.org | |
| Oracle Critical Patch Update Advisory - April 2019 | MISC | www.oracle.com | Third Party Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
LEGACY: Juraj Somorovsky, Robert Merget and Nimrod Aviram, with additional investigation by Steven Collison and Andrew Hourselt
Legacy QID Mappings
- 296075 Oracle Solaris 11.4 Support Repository Update (SRU) 21.69.0 Missing (CPUAPR2020)
- 296081 Oracle Solaris 11.4 Support Repository Update (SRU) 12.5.0 Missing (CPUJUL2019)
- 296087 Oracle Solaris 11.4 Support Repository Update (SRU) 8.1.5 Missing (CPUAPR2019)
- 377473 Alibaba Cloud Linux Security Update for Open Secure Sockets Layer (OpenSSL) (ALINUX2-SA-2019:0086)
- 378140 Virtuozzo Linux Security Update for openssl-perl (VZLSA-2019:2471)
- 390226 Oracle Managed Virtualization (VM) Server for x86 Security Update for Open Secure Sockets Layer (OpenSSL) (OVMSA-2021-0011)
- 390284 Oracle Managed Virtualization (VM) Server for x86 Security Update for Open Secure Sockets Layer (OpenSSL) (OVMSA-2023-0013)