CVE-2019-1559

Published: 26 February 2019

If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 byte record is received with an invalid MAC. If the application then behaves differently based on that in a way that is detectable to the remote peer, then this amounts to a padding oracle that could be used to decrypt data. In order for this to be exploitable "non-stitched" ciphersuites must be in use. Stitched ciphersuites are optimised implementations of certain commonly used ciphersuites. Also the application must call SSL_shutdown() twice even if a protocol error has occurred (applications should not do this but some do anyway). Fixed in OpenSSL 1.0.2r (Affected 1.0.2-1.0.2q).

Priority

Medium

CVSS 3 base score: 5.9

Status

Package: nodejs
Upstream: Needs triage
Ubuntu 20.04 LTS (Focal Fossa): Not vulnerable (uses system openssl1.1)
Ubuntu 18.04 LTS (Bionic Beaver): Not vulnerable (uses system openssl1.0)
Ubuntu 16.04 ESM (Xenial Xerus): Not vulnerable (uses system openssl)
Ubuntu 14.04 ESM (Trusty Tahr): Not vulnerable (uses system openssl)

Package: openssl
Upstream: Needs triage
Ubuntu 20.04 LTS (Focal Fossa): Not vulnerable (1.1.1a-1ubuntu2)
Ubuntu 18.04 LTS (Bionic Beaver): Not vulnerable (1.1.0g-2ubuntu4.3)
Ubuntu 16.04 ESM (Xenial Xerus): Released (1.0.2g-1ubuntu4.15)
Ubuntu 14.04 ESM (Trusty Tahr): Released (1.0.1f-1ubuntu2.27+esm1)
Patches:
Upstream: https://github.com/openssl/openssl/commit/e9bbefbf0f24c57645e7ad6a5a71ae649d18ac8e

Package: openssl098
Upstream: Needs triage
Ubuntu 20.04 LTS (Focal Fossa): Does not exist
Ubuntu 18.04 LTS (Bionic Beaver): Does not exist
Ubuntu 16.04 ESM (Xenial Xerus): Does not exist
Ubuntu 14.04 ESM (Trusty Tahr): Does not exist (trusty was needs-triage)

Package: openssl1.0
Upstream: Needs triage
Ubuntu 20.04 LTS (Focal Fossa): Does not exist
Ubuntu 18.04 LTS (Bionic Beaver): Released (1.0.2n-1ubuntu5.3)
Ubuntu 16.04 ESM (Xenial Xerus): Does not exist
Ubuntu 14.04 ESM (Trusty Tahr): Does not exist

Notes

Author: mdeslaur
Note:
doesn't affect 1.1.x

this fix is a workaround for applications that call
SSL_shutdown() twice even if a protocol error has occurred

upstream fix uses error handling mechanism introduced in 1.0.2,
which isn't available in 1.0.1f. While we are unlikely to fix
this issue in Ubuntu 14.04 LTS, marking as deferred for now
in case the vulnerable applications are identified.
