CVE-2019-1559

NameCVE-2019-1559
DescriptionIf an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 byte record is received with an invalid MAC. If the application then behaves differently based on that in a way that is detectable to the remote peer, then this amounts to a padding oracle that could be used to decrypt data. In order for this to be exploitable "non-stitched" ciphersuites must be in use. Stitched ciphersuites are optimised implementations of certain commonly used ciphersuites. Also the application must call SSL_shutdown() twice even if a protocol error has occurred (applications should not do this but some do anyway). Fixed in OpenSSL 1.0.2r (Affected 1.0.2-1.0.2q).
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
ReferencesDLA-1701-1, DSA-4400-1
NVD severitymedium (attack range: remote)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
openssl (PTS)jessie1.0.1t-1+deb8u8vulnerable
jessie (security)1.0.1t-1+deb8u11fixed
stretch (security), stretch1.1.0j-1~deb9u1fixed
buster, sid1.1.1c-1fixed
openssl1.0 (PTS)stretch (security), stretch1.0.2r-1~deb9u1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
opensslsource(unstable)1.1.0b-2medium
opensslsourcejessie1.0.1t-1+deb8u11mediumDLA-1701-1
openssl1.0source(unstable)(unfixed)medium
openssl1.0sourcestretch1.0.2r-1~deb9u1mediumDSA-4400-1

Notes

OpenSSL_1_0_2-stable: https://git.openssl.org/?p=openssl.git;a=commit;h=e9bbefbf0f24c57645e7ad6a5a71ae649d18ac8e
OpenSSL_1_0_2-stable: https://git.openssl.org/?p=openssl.git;a=commit;h=48c8bcf5bca0ce7751f49599381e143de1b61786
OpenSSL_1_1_0-stable: https://git.openssl.org/?p=openssl.git;a=commit;h=5741d5bb74797e4532acc9f42e54c44a2726c179 (only hardening)
1.1.0 is not impacted by CVE-2019-1559. The CVE is a result of applications
calling SSL_shutdown after a fatal alert has occurred. 1.1.0 is not vulnerable
to this issue, marking first 1.1 upload of src:openssl as fixed
https://www.openssl.org/news/secadv/20190226.txt

Search for package or bug name: Reporting problems