{
  "threat_severity" : "Low",
  "public_date" : "2019-09-10T00:00:00Z",
  "bugzilla" : {
    "description" : "openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
    "id" : "1752100",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1752100"
  },
  "cvss3" : {
    "cvss3_base_score" : "3.7",
    "cvss3_scoring_vector" : "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-200",
  "details" : [ "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s)." ],
  "affected_release" : [ {
    "product_name" : "JBoss Core Services Apache HTTP Server 2.4.37 SP2",
    "release_date" : "2020-04-06T00:00:00Z",
    "advisory" : "RHSA-2020:1336",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1",
    "package" : "openssl"
  }, {
    "product_name" : "JBoss Core Services on RHEL 6",
    "release_date" : "2020-04-06T00:00:00Z",
    "advisory" : "RHSA-2020:1337",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el6",
    "package" : "jbcs-httpd24-apr-0:1.6.3-86.jbcs.el6"
  }, {
    "product_name" : "JBoss Core Services on RHEL 6",
    "release_date" : "2020-04-06T00:00:00Z",
    "advisory" : "RHSA-2020:1337",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el6",
    "package" : "jbcs-httpd24-brotli-0:1.0.6-21.jbcs.el6"
  }, {
    "product_name" : "JBoss Core Services on RHEL 6",
    "release_date" : "2020-04-06T00:00:00Z",
    "advisory" : "RHSA-2020:1337",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el6",
    "package" : "jbcs-httpd24-httpd-0:2.4.37-52.jbcs.el6"
  }, {
    "product_name" : "JBoss Core Services on RHEL 6",
    "release_date" : "2020-04-06T00:00:00Z",
    "advisory" : "RHSA-2020:1337",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el6",
    "package" : "jbcs-httpd24-mod_cluster-native-0:1.3.12-41.Final_redhat_2.jbcs.el6"
  }, {
    "product_name" : "JBoss Core Services on RHEL 6",
    "release_date" : "2020-04-06T00:00:00Z",
    "advisory" : "RHSA-2020:1337",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el6",
    "package" : "jbcs-httpd24-mod_http2-0:1.11.3-22.jbcs.el6"
  }, {
    "product_name" : "JBoss Core Services on RHEL 6",
    "release_date" : "2020-04-06T00:00:00Z",
    "advisory" : "RHSA-2020:1337",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el6",
    "package" : "jbcs-httpd24-openssl-1:1.1.1c-16.jbcs.el6"
  }, {
    "product_name" : "JBoss Core Services on RHEL 7",
    "release_date" : "2020-04-06T00:00:00Z",
    "advisory" : "RHSA-2020:1337",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7",
    "package" : "jbcs-httpd24-apr-0:1.6.3-86.jbcs.el7"
  }, {
    "product_name" : "JBoss Core Services on RHEL 7",
    "release_date" : "2020-04-06T00:00:00Z",
    "advisory" : "RHSA-2020:1337",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7",
    "package" : "jbcs-httpd24-brotli-0:1.0.6-21.jbcs.el7"
  }, {
    "product_name" : "JBoss Core Services on RHEL 7",
    "release_date" : "2020-04-06T00:00:00Z",
    "advisory" : "RHSA-2020:1337",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7",
    "package" : "jbcs-httpd24-httpd-0:2.4.37-52.jbcs.el7"
  }, {
    "product_name" : "JBoss Core Services on RHEL 7",
    "release_date" : "2020-04-06T00:00:00Z",
    "advisory" : "RHSA-2020:1337",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7",
    "package" : "jbcs-httpd24-mod_cluster-native-0:1.3.12-41.Final_redhat_2.jbcs.el7"
  }, {
    "product_name" : "JBoss Core Services on RHEL 7",
    "release_date" : "2020-04-06T00:00:00Z",
    "advisory" : "RHSA-2020:1337",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7",
    "package" : "jbcs-httpd24-mod_http2-0:1.11.3-22.jbcs.el7"
  }, {
    "product_name" : "JBoss Core Services on RHEL 7",
    "release_date" : "2020-04-06T00:00:00Z",
    "advisory" : "RHSA-2020:1337",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7",
    "package" : "jbcs-httpd24-openssl-1:1.1.1c-16.jbcs.el7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2020-04-28T00:00:00Z",
    "advisory" : "RHSA-2020:1840",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "openssl-1:1.1.1c-15.el8"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 5",
    "fix_state" : "Out of support scope",
    "package_name" : "openssl",
    "cpe" : "cpe:/o:redhat:enterprise_linux:5"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "openssl",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Will not fix",
    "package_name" : "openssl",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Fix deferred",
    "package_name" : "compat-openssl10",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Fix deferred",
    "package_name" : "mingw-openssl",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 5",
    "fix_state" : "Out of support scope",
    "package_name" : "openssl",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:5"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 6",
    "fix_state" : "Out of support scope",
    "package_name" : "openssl",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:6"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Web Server 2",
    "fix_state" : "Out of support scope",
    "package_name" : "openssl",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:2"
  }, {
    "product_name" : "Red Hat JBoss Web Server 3",
    "fix_state" : "Out of support scope",
    "package_name" : "openssl",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3"
  }, {
    "product_name" : "Red Hat JBoss Web Server 5",
    "fix_state" : "Not affected",
    "package_name" : "openssl",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2019-1563\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-1563" ],
  "name" : "CVE-2019-1563",
  "mitigation" : {
    "value" : "This attack is carried out by sending a large number of messages to be decrypted by the victim. The attacker needs to receive a response from the victim if the decryption was successful or not. Therefore only if the user application compiled with openssl is designed above way, the attack will be viable.\nOnly CMS_decrypt and PKCS7_decrypt functions are affected. Applications compiled with openssl are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt.",
    "lang" : "en:us"
  },
  "csaw" : false
}