CVE-2019-1559

Published: 26 February 2019

If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one), OpenSSL can respond differently to the calling application depending on whether it received a 0-byte record with invalid padding or a 0-byte record with an invalid MAC. If the application then behaves differently based on that in a way that is detectable to the remote peer, this amounts to a padding oracle that could be used to decrypt data. For this to be exploitable, "non-stitched" ciphersuites must be in use. Stitched ciphersuites are optimised implementations of certain commonly used ciphersuites. The application must also call SSL_shutdown() twice even if a protocol error has occurred (applications should not do this, but some do anyway). Fixed in OpenSSL 1.0.2r (affected: 1.0.2-1.0.2q).

Notes

Author: mdeslaur

doesn't affect 1.1.x

this fix is a workaround for applications that call
SSL_shutdown() twice even if a protocol error has occurred

upstream fix uses error handling mechanism introduced in 1.0.2,
which isn't available in 1.0.1f. While we are unlikely to fix
this issue in Ubuntu 14.04 LTS, marking as deferred for now
in case the vulnerable applications are identified.

Priority

Medium

CVSS 3 base score: 5.9

Status

Package Release Status

nodejs
Launchpad, Ubuntu, Debian
bionic Not vulnerable (uses system openssl1.0)
cosmic Not vulnerable (uses system openssl1.0)
disco Not vulnerable (uses system openssl1.1)
eoan Not vulnerable (uses system openssl1.1)
focal Not vulnerable (uses system openssl1.1)
precise Does not exist
trusty Not vulnerable (uses system openssl)
upstream Needs triage
xenial Not vulnerable (uses system openssl)

openssl
Launchpad, Ubuntu, Debian
bionic Not vulnerable (1.1.0g-2ubuntu4.3)
cosmic Not vulnerable (1.1.1-1ubuntu2.1)
disco Not vulnerable (1.1.1a-1ubuntu2)
eoan Not vulnerable (1.1.1a-1ubuntu2)
focal Not vulnerable (1.1.1a-1ubuntu2)
precise Released (1.0.1-4ubuntu5.44)
trusty Released (1.0.1f-1ubuntu2.27+esm1)
upstream Needs triage
xenial Released (1.0.2g-1ubuntu4.15)
Patches:
upstream: https://github.com/openssl/openssl/commit/e9bbefbf0f24c57645e7ad6a5a71ae649d18ac8e

openssl098
Launchpad, Ubuntu, Debian
bionic Does not exist
cosmic Does not exist
disco Does not exist
eoan Does not exist
focal Does not exist
precise Does not exist
trusty Does not exist (trusty was needs-triage)
upstream Needs triage
xenial Does not exist

openssl1.0
Launchpad, Ubuntu, Debian
bionic Released (1.0.2n-1ubuntu5.3)
cosmic Released (1.0.2n-1ubuntu6.2)
disco Does not exist
eoan Does not exist
focal Does not exist
precise Does not exist
trusty Does not exist
upstream Needs triage
xenial Does not exist