Your submission was sent successfully! Close

CVE-2019-1563

Published: 10 September 2019

In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).

Priority

Low

CVSS 3 base score: 3.7

Status

Package Release Status
edk2
Launchpad, Ubuntu, Debian
bionic Needed

disco Ignored
(reached end-of-life)
eoan Ignored
(reached end-of-life)
focal Not vulnerable
(0~20191122.bd85bf54-2)
groovy Not vulnerable
(0~20191122.bd85bf54-2)
hirsute Not vulnerable
(0~20191122.bd85bf54-2)
impish Not vulnerable
(0~20191122.bd85bf54-2)
jammy Not vulnerable
(0~20191122.bd85bf54-2)
precise Does not exist

trusty Does not exist

upstream Needs triage

xenial Ignored
(end of standard support, was needed)
nodejs
Launchpad, Ubuntu, Debian
bionic Not vulnerable
(uses system openssl1.0)
disco Not vulnerable
(uses system openssl1.1)
eoan Not vulnerable
(uses system openssl1.1)
focal Not vulnerable
(uses system openssl1.1)
groovy Not vulnerable
(uses system openssl1.1)
hirsute Not vulnerable
(uses system openssl1.1)
impish Not vulnerable
(uses system openssl1.1)
jammy Not vulnerable
(uses system openssl1.1)
precise Does not exist

trusty Not vulnerable
(uses system openssl)
upstream Needs triage

xenial Not vulnerable
(uses system openssl)
openssl
Launchpad, Ubuntu, Debian
bionic
Released (1.1.1-1ubuntu2.1~18.04.6)
disco Ignored
(reached end-of-life)
eoan
Released (1.1.1c-1ubuntu4.1)
focal
Released (1.1.1d-2ubuntu1)
groovy
Released (1.1.1d-2ubuntu1)
hirsute
Released (1.1.1d-2ubuntu1)
impish
Released (1.1.1d-2ubuntu1)
jammy
Released (1.1.1d-2ubuntu1)
precise
Released (1.0.1-4ubuntu5.44)
trusty
Released (1.0.1f-1ubuntu2.27+esm1)
upstream
Released (1.1.1d)
xenial
Released (1.0.2g-1ubuntu4.16)
openssl1.0
Launchpad, Ubuntu, Debian
bionic
Released (1.0.2n-1ubuntu5.4)
disco Does not exist

eoan Does not exist

focal Does not exist

groovy Does not exist

hirsute Does not exist

impish Does not exist

jammy Does not exist

precise Does not exist

trusty Does not exist

upstream Needs triage

xenial Does not exist