CVE-2019-1563

Summary

CVE	CVE-2019-1563
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2019-09-10 17:15:00 UTC
Updated	2023-11-07 03:08:00 UTC
Description	In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).

Risk And Classification

Problem Types: CWE-327 | CWE-203

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Application	Openssl	Openssl	All	All	All	All
Application	Openssl	Openssl	All	All	All	All
Application	Openssl	Openssl	All	All	All	All

References

Reference	Source	Link	Tags
git.openssl.org Git - openssl.git/commitdiff	CONFIRM	git.openssl.org	Mailing List, Patch, Vendor Advisory
Debian -- Security Information -- DSA-4539-1 openssl	DEBIAN	www.debian.org
[SECURITY] Fedora 30 Update: openssl-1.1.1d-1.fc30 - package-announce - Fedora Mailing-Lists	FEDORA	lists.fedoraproject.org
git.openssl.org Git - openssl.git/commitdiff		git.openssl.org
Oracle Critical Patch Update Advisory - July 2020	MISC	www.oracle.com
git.openssl.org Git - openssl.git/commitdiff	CONFIRM	git.openssl.org	Mailing List, Patch, Vendor Advisory
[security-announce] openSUSE-SU-2019:2268-1: moderate: Security update f	SUSE	lists.opensuse.org
[R1] Tenable.sc 5.13.0 Fixes Multiple Third-Party Vulnerabilities - Security Advisory \| Tenable®	CONFIRM	www.tenable.com
USN-4376-2: OpenSSL vulnerabilities \| Ubuntu security notices \| Ubuntu	UBUNTU	usn.ubuntu.com
Oracle Critical Patch Update Advisory - October 2020	MISC	www.oracle.com
OpenSSL: Multiple vulnerabilities (GLSA 201911-04) — Gentoo security	GENTOO	security.gentoo.org
[SECURITY] [DLA 1932-1] openssl security update	MLIST	lists.debian.org
USN-4376-1: OpenSSL vulnerabilities \| Ubuntu security notices \| Ubuntu	UBUNTU	usn.ubuntu.com
Security Bulletin - Policy Auditor update fixes multiple vulnerabilities in third-party libraries (CVE-2016-0718, CVE-2016-4472, CVE-2016-5300, CVE-2017-17740, CVE-2017-9287, CVE-2019-13057, CVE-2020-15719, CVE-2019-1543, CVE-2019-1547, CVE-2019-1552, CVE-2019-1563, CVE-2019-8457, CVE-2018-20506, CVE-2018-20346, CVE-2019-16168, CVE-2017-12627)	CONFIRM	kc.mcafee.com
[security-announce] openSUSE-SU-2019:2158-1: moderate: Security update f	SUSE	lists.opensuse.org
www.openssl.org/news/secadv/20190910.txt	CONFIRM	www.openssl.org	Vendor Advisory
support.f5.com/csp/article/K97324400	CONFIRM	support.f5.com
[SECURITY] Fedora 29 Update: openssl-1.1.1d-1.fc29 - package-announce - Fedora Mailing-Lists		lists.fedoraproject.org
September 2019 OpenSSL Vulnerabilities in NetApp Products \| NetApp Product Security	CONFIRM	security.netapp.com
git.openssl.org Git - openssl.git/commitdiff		git.openssl.org
[security-announce] openSUSE-SU-2019:2189-1: moderate: Security update f	SUSE	lists.opensuse.org
Bugtraq: [SECURITY] [DSA 4539-1] openssl security update	BUGTRAQ	seclists.org
Debian -- Security Information -- DSA-4540-1 openssl1.0	DEBIAN	www.debian.org
git.openssl.org Git - openssl.git/commitdiff		git.openssl.org
Slackware Security Advisory - openssl Updates ≈ Packet Storm	MISC	packetstormsecurity.com
[security-announce] openSUSE-SU-2019:2269-1: moderate: Security update f	SUSE	lists.opensuse.org
Bugtraq: [slackware-security] openssl (SSA:2019-254-03)	BUGTRAQ	seclists.org
Bugtraq: [SECURITY] [DSA 4540-1] openssl1.0 security update	BUGTRAQ	seclists.org
git.openssl.org Git - openssl.git/commitdiff	CONFIRM	git.openssl.org	Mailing List, Patch, Vendor Advisory
[SECURITY] Fedora 30 Update: openssl-1.1.1d-1.fc30 - package-announce - Fedora Mailing-Lists		lists.fedoraproject.org
Oracle Critical Patch Update - October 2019	MISC	www.oracle.com
Oracle Critical Patch Update Advisory - January 2020	MISC	www.oracle.com
Oracle Critical Patch Update Advisory - April 2020	N/A	www.oracle.com
USN-4504-1: OpenSSL vulnerabilities \| Ubuntu security notices \| Ubuntu	UBUNTU	usn.ubuntu.com
myF5		support.f5.com
[SECURITY] Fedora 29 Update: openssl-1.1.1d-1.fc29 - package-announce - Fedora Mailing-Lists	FEDORA	lists.fedoraproject.org
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

Vendor Comments And Credit

Discovery Credit

LEGACY: Bernd Edlinger

Legacy QID Mappings

296078 Oracle Solaris 11.4 Support Repository Update (SRU) 16.4.0 Missing (CPUOCT2019)
375626 IBM Cognos Analytics Multiple Vulnerabilities (6451705)
377105 Alibaba Cloud Linux Security Update for Open Secure Sockets Layer (OpenSSL) (ALINUX3-SA-2022:0025)
38842 Open Secure Sockets Layer (OpenSSL) Security Update (OpenSSL Security Advisory 20190910)
500493 Alpine Linux Security Update for Open Secure Sockets Layer (OpenSSL)
500561 Alpine Linux Security Update for Open Secure Sockets Layer (OpenSSL)
500760 Alpine Linux Security Update for openssl
501160 Alpine Linux Security Update for openssl
501979 Alpine Linux Security Update for Open Secure Sockets Layer3 (OpenSSL3)
502898 Alpine Linux Security Update for openssl1.1-compat
504252 Alpine Linux Security Update for openssl
670784 EulerOS Security Update for shim (EulerOS-SA-2021-2542)
670808 EulerOS Security Update for shim (EulerOS-SA-2021-2566)
710119 Gentoo Linux Open Secure Sockets Layer Multiple Vulnerabilities (GLSA 201911-04)