Description: In situations where an attacker receives automated notification of the success or failure of a decryption attempt, the attacker can, after sending a very large number of messages to be decrypted, recover a CMS/PKCS7 transported encryption key or decrypt any RSA-encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they pass a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions, so that the correct recipient info is selected for decryption. Fixed in OpenSSL 1.1.1d (affected: 1.1.1 to 1.1.1c). Fixed in OpenSSL 1.1.0l (affected: 1.1.0 to 1.1.0k). Fixed in OpenSSL 1.0.2t (affected: 1.0.2 to 1.0.2s).
Source: CVE (at NVD)
References: DLA-1932-1, DSA-4539-1, DSA-4540-1
NVD severity: medium

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package   | Release                      | Version           | Status
openssl (PTS)    | stretch (security), stretch  | 1.1.0l-1~deb9u1   | fixed
                 | buster, buster (security)    | 1.1.1d-0+deb10u3  | fixed
                 | bullseye, sid                | 1.1.1g-1          | fixed
openssl1.0 (PTS) | stretch (security), stretch  | 1.0.2u-1~deb9u1   | fixed

The information below is based on the following data on fixed versions.

Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs

Notes:
;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64 (OpenSSL_1_1_1d)
;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97 (OpenSSL_1_1_0l)
;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f (OpenSSL_1_0_2t)
