{ "threat_severity" : "Moderate", "public_date" : "2019-02-26T00:00:00Z", "bugzilla" : { "description" : "openssl: 0-byte record padding oracle", "id" : "1683804", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1683804" }, "cvss3" : { "cvss3_base_score" : "5.9", "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "status" : "verified" }, "cwe" : "CWE-325", "details" : [ "If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 byte record is received with an invalid MAC. If the application then behaves differently based on that in a way that is detectable to the remote peer, then this amounts to a padding oracle that could be used to decrypt data. In order for this to be exploitable \"non-stitched\" ciphersuites must be in use. Stitched ciphersuites are optimised implementations of certain commonly used ciphersuites. Also the application must call SSL_shutdown() twice even if a protocol error has occurred (applications should not do this but some do anyway). Fixed in OpenSSL 1.0.2r (Affected 1.0.2-1.0.2q)." ], "statement" : "1 For this issue to be exploitable, the (server) application using the OpenSSL library needs to use it incorrectly.\n2. There are multiple other requirements for the attack to succeed: \n- The ciphersuite used must be obsolete CBC cipher without a stitched implementation (or the system be in FIPS mode)\n- the attacker has to be a MITM\n- the attacker has to be able to control the client side to send requests to the buggy server on demand", "affected_release" : [ { "product_name" : "Red Hat Ansible Tower 3.4 for RHEL 7", "release_date" : "2020-02-18T00:00:00Z", "advisory" : "RHBA-2020:0547", "cpe" : "cpe:/a:redhat:ansible_tower:3.4::el7", "package" : "ansible-tower-34/ansible-tower-memcached:1.4.15-28" }, { "product_name" : "Red Hat Ansible Tower 3.4 for RHEL 7", "release_date" : "2020-02-18T00:00:00Z", "advisory" : "RHBA-2020:0547", "cpe" : "cpe:/a:redhat:ansible_tower:3.4::el7", "package" : "ansible-tower-35/ansible-tower-memcached:1.4.15-28" }, { "product_name" : "Red Hat Ansible Tower 3.4 for RHEL 7", "release_date" : "2020-02-18T00:00:00Z", "advisory" : "RHBA-2020:0547", "cpe" : "cpe:/a:redhat:ansible_tower:3.4::el7", "package" : "ansible-tower-37/ansible-tower-memcached-rhel7:1.4.15-28" }, { "product_name" : "Red Hat Enterprise Linux 6", "release_date" : "2019-08-13T00:00:00Z", "advisory" : "RHSA-2019:2471", "cpe" : "cpe:/o:redhat:enterprise_linux:6", "package" : "openssl-0:1.0.1e-58.el6_10" }, { "product_name" : "Red Hat Enterprise Linux 7", "release_date" : "2019-08-06T00:00:00Z", "advisory" : "RHSA-2019:2304", "cpe" : "cpe:/o:redhat:enterprise_linux:7", "package" : "openssl-1:1.0.2k-19.el7" }, { "product_name" : "Red Hat JBoss Web Server 5", "release_date" : "2019-11-20T00:00:00Z", "advisory" : "RHSA-2019:3931", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.2", "package" : "openssl" }, { "product_name" : "Red Hat JBoss Web Server 5.2 on RHEL 6", "release_date" : "2019-11-20T00:00:00Z", "advisory" : "RHSA-2019:3929", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.2::el6", "package" : "jws5-ecj-0:4.12.0-1.redhat_1.1.el6jws" }, { "product_name" : "Red Hat JBoss Web Server 5.2 on RHEL 6", "release_date" : "2019-11-20T00:00:00Z", "advisory" : "RHSA-2019:3929", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.2::el6", "package" : "jws5-javapackages-tools-0:3.4.1-5.15.11.el6jws" }, { "product_name" : "Red Hat JBoss Web Server 5.2 on RHEL 6", "release_date" : "2019-11-20T00:00:00Z", "advisory" : "RHSA-2019:3929", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.2::el6", "package" : "jws5-jboss-logging-0:3.3.2-1.Final_redhat_00001.1.el6jws" }, { "product_name" : "Red Hat JBoss Web Server 5.2 on RHEL 6", "release_date" : "2019-11-20T00:00:00Z", "advisory" : "RHSA-2019:3929", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.2::el6", "package" : "jws5-mod_cluster-0:1.4.1-1.Final_redhat_00001.2.el6jws" }, { "product_name" : "Red Hat JBoss Web Server 5.2 on RHEL 6", "release_date" : "2019-11-20T00:00:00Z", "advisory" : "RHSA-2019:3929", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.2::el6", "package" : "jws5-tomcat-0:9.0.21-10.redhat_4.1.el6jws" }, { "product_name" : "Red Hat JBoss Web Server 5.2 on RHEL 6", "release_date" : "2019-11-20T00:00:00Z", "advisory" : "RHSA-2019:3929", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.2::el6", "package" : "jws5-tomcat-native-0:1.2.21-34.redhat_34.el6jws" }, { "product_name" : "Red Hat JBoss Web Server 5.2 on RHEL 6", "release_date" : "2019-11-20T00:00:00Z", "advisory" : "RHSA-2019:3929", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.2::el6", "package" : "jws5-tomcat-vault-0:1.1.8-1.Final_redhat_1.1.el6jws" }, { "product_name" : "Red Hat JBoss Web Server 5.2 on RHEL 7", "release_date" : "2019-11-20T00:00:00Z", "advisory" : "RHSA-2019:3929", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.2::el7", "package" : "jws5-ecj-0:4.12.0-1.redhat_1.1.el7jws" }, { "product_name" : "Red Hat JBoss Web Server 5.2 on RHEL 7", "release_date" : "2019-11-20T00:00:00Z", "advisory" : "RHSA-2019:3929", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.2::el7", "package" : "jws5-javapackages-tools-0:3.4.1-5.15.11.el7jws" }, { "product_name" : "Red Hat JBoss Web Server 5.2 on RHEL 7", "release_date" : "2019-11-20T00:00:00Z", "advisory" : "RHSA-2019:3929", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.2::el7", "package" : "jws5-jboss-logging-0:3.3.2-1.Final_redhat_00001.1.el7jws" }, { "product_name" : "Red Hat JBoss Web Server 5.2 on RHEL 7", "release_date" : "2019-11-20T00:00:00Z", "advisory" : "RHSA-2019:3929", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.2::el7", "package" : "jws5-mod_cluster-0:1.4.1-1.Final_redhat_00001.2.el7jws" }, { "product_name" : "Red Hat JBoss Web Server 5.2 on RHEL 7", "release_date" : "2019-11-20T00:00:00Z", "advisory" : "RHSA-2019:3929", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.2::el7", "package" : "jws5-tomcat-0:9.0.21-10.redhat_4.1.el7jws" }, { "product_name" : "Red Hat JBoss Web Server 5.2 on RHEL 7", "release_date" : "2019-11-20T00:00:00Z", "advisory" : "RHSA-2019:3929", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.2::el7", "package" : "jws5-tomcat-native-0:1.2.21-34.redhat_34.el7jws" }, { "product_name" : "Red Hat JBoss Web Server 5.2 on RHEL 7", "release_date" : "2019-11-20T00:00:00Z", "advisory" : "RHSA-2019:3929", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.2::el7", "package" : "jws5-tomcat-vault-0:1.1.8-1.Final_redhat_1.1.el7jws" }, { "product_name" : "Red Hat JBoss Web Server 5.2 on RHEL 8", "release_date" : "2019-11-20T00:00:00Z", "advisory" : "RHSA-2019:3929", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.2::el8", "package" : "jws5-ecj-0:4.12.0-1.redhat_1.1.el8jws" }, { "product_name" : "Red Hat JBoss Web Server 5.2 on RHEL 8", "release_date" : "2019-11-20T00:00:00Z", "advisory" : "RHSA-2019:3929", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.2::el8", "package" : "jws5-javapackages-tools-0:3.4.1-5.15.11.el8jws" }, { "product_name" : "Red Hat JBoss Web Server 5.2 on RHEL 8", "release_date" : "2019-11-20T00:00:00Z", "advisory" : "RHSA-2019:3929", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.2::el8", "package" : "jws5-jboss-logging-0:3.3.2-1.Final_redhat_00001.1.el8jws" }, { "product_name" : "Red Hat JBoss Web Server 5.2 on RHEL 8", "release_date" : "2019-11-20T00:00:00Z", "advisory" : "RHSA-2019:3929", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.2::el8", "package" : "jws5-mod_cluster-0:1.4.1-1.Final_redhat_00001.2.el8jws" }, { "product_name" : "Red Hat JBoss Web Server 5.2 on RHEL 8", "release_date" : "2019-11-20T00:00:00Z", "advisory" : "RHSA-2019:3929", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.2::el8", "package" : "jws5-tomcat-0:9.0.21-10.redhat_4.1.el8jws" }, { "product_name" : "Red Hat JBoss Web Server 5.2 on RHEL 8", "release_date" : "2019-11-20T00:00:00Z", "advisory" : "RHSA-2019:3929", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.2::el8", "package" : "jws5-tomcat-native-0:1.2.21-34.redhat_34.el8jws" }, { "product_name" : "Red Hat JBoss Web Server 5.2 on RHEL 8", "release_date" : "2019-11-20T00:00:00Z", "advisory" : "RHSA-2019:3929", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.2::el8", "package" : "jws5-tomcat-vault-0:1.1.8-1.Final_redhat_1.1.el8jws" }, { "product_name" : "Red Hat Virtualization 4 for Red Hat Enterprise Linux 7", "release_date" : "2019-08-12T00:00:00Z", "advisory" : "RHSA-2019:2437", "cpe" : "cpe:/o:redhat:enterprise_linux:7::hypervisor", "package" : "imgbased-0:1.1.9-0.1.el7ev" }, { "product_name" : "Red Hat Virtualization 4 for Red Hat Enterprise Linux 7", "release_date" : "2019-08-12T00:00:00Z", "advisory" : "RHSA-2019:2437", "cpe" : "cpe:/o:redhat:enterprise_linux:7::hypervisor", "package" : "ovirt-node-ng-0:4.3.5-0.20190717.0.el7ev" }, { "product_name" : "Red Hat Virtualization 4 for Red Hat Enterprise Linux 7", "release_date" : "2019-08-12T00:00:00Z", "advisory" : "RHSA-2019:2437", "cpe" : "cpe:/o:redhat:enterprise_linux:7::hypervisor", "package" : "redhat-release-virtualization-host-0:4.3.5-2.el7ev" }, { "product_name" : "Red Hat Virtualization 4 for Red Hat Enterprise Linux 7", "release_date" : "2019-08-12T00:00:00Z", "advisory" : "RHSA-2019:2437", "cpe" : "cpe:/o:redhat:enterprise_linux:7::hypervisor", "package" : "redhat-virtualization-host-0:4.3.5-20190722.0.el7_7" }, { "product_name" : "Red Hat Virtualization 4 for Red Hat Enterprise Linux 7", "release_date" : "2019-08-12T00:00:00Z", "advisory" : "RHSA-2019:2439", "cpe" : "cpe:/o:redhat:enterprise_linux:7::hypervisor", "package" : "rhvm-appliance-0:4.3-20190722.0.el7" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 5", "fix_state" : "Out of support scope", "package_name" : "openssl", "cpe" : "cpe:/o:redhat:enterprise_linux:5" }, { "product_name" : "Red Hat Enterprise Linux 5", "fix_state" : "Out of support scope", "package_name" : "openssl097a", "cpe" : "cpe:/o:redhat:enterprise_linux:5" }, { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Will not fix", "package_name" : "openssl098e", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Will not fix", "package_name" : "openssl098e", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Will not fix", "package_name" : "OVMF", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Will not fix", "package_name" : "compat-openssl10", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "openssl", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat JBoss Core Services", "fix_state" : "Affected", "package_name" : "openssl", "cpe" : "cpe:/a:redhat:jboss_core_services:1" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 5", "fix_state" : "Will not fix", "package_name" : "openssl", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:5" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 6", "fix_state" : "Will not fix", "package_name" : "openssl", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:6" }, { "product_name" : "Red Hat JBoss Enterprise Web Server 2", "fix_state" : "Will not fix", "package_name" : "openssl", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:2" }, { "product_name" : "Red Hat JBoss Web Server 3", "fix_state" : "Out of support scope", "package_name" : "openssl", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2019-1559\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-1559\nhttps://github.com/RUB-NDS/TLS-Padding-Oracles\nhttps://www.openssl.org/news/secadv/20190226.txt" ], "name" : "CVE-2019-1559", "mitigation" : { "value" : "As a workaround you can disable SHA384 if applications (compiled with OpenSSL) allow for adjustment of the ciphersuite string configuration.", "lang" : "en:us" }, "csaw" : false }