Attacker Value
Unknown
CVE-2019-1559
CVE-2019-1559
(Last updated November 08, 2023) ▾
MITRE ATT&CK
Log in to add MITRE ATT&CK tag
Add MITRE ATT&CK tactics and techniques that apply to this CVE.
Description
If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 byte record is received with an invalid MAC. If the application then behaves differently based on that in a way that is detectable to the remote peer, then this amounts to a padding oracle that could be used to decrypt data. In order for this to be exploitable “non-stitched” ciphersuites must be in use. Stitched ciphersuites are optimised implementations of certain commonly used ciphersuites. Also the application must call SSL_shutdown() twice even if a protocol error has occurred (applications should not do this but some do anyway). Fixed in OpenSSL 1.0.2r (Affected 1.0.2-1.0.2q).
Add Assessment
No one has assessed this topic. Be the first to add your voice to the community.
CVSS V3 Severity and Metrics
Data provided by the National Vulnerability Database (NVD)
Base Score:
5.9 Medium
Impact Score:
3.6
Exploitability Score:
2.2
Attack Vector (AV):
Network
Attack Complexity (AC):
High
Privileges Required (PR):
None
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
None
Availability (A):
None
General Information
Vendors
Products
- a220 firmware -,
- a320 firmware -,
- a800 firmware -,
- active iq unified manager,
- active iq unified manager -,
- agent,
- altavault -,
- api gateway 11.1.2.4.0,
- big-ip access policy manager,
- big-ip advanced firewall manager,
- big-ip analytics,
- big-ip application acceleration manager,
- big-ip application security manager,
- big-ip domain name system,
- big-ip edge gateway,
- big-ip fraud protection service,
- big-ip global traffic manager,
- big-ip link controller,
- big-ip local traffic manager,
- big-ip policy enforcement manager,
- big-ip webaccelerator,
- big-iq centralized management,
- business intelligence 11.1.1.9.0,
- business intelligence 12.2.1.3.0,
- business intelligence 12.2.1.4.0,
- c190 firmware -,
- cloud backup -,
- clustered data ontap antivirus connector -,
- cn1610 firmware -,
- communications diameter signaling router 8.0.0,
- communications diameter signaling router 8.1,
- communications diameter signaling router 8.2,
- communications diameter signaling router 8.3,
- communications diameter signaling router 8.4,
- communications performance intelligence center 10.4.0.2,
- communications session border controller 7.4,
- communications session border controller 8.0.0,
- communications session border controller 8.1.0,
- communications session border controller 8.2,
- communications session border controller 8.3,
- communications session router 7.4,
- communications session router 8.0,
- communications session router 8.1,
- communications session router 8.2,
- communications session router 8.3,
- communications unified session manager 7.3.5,
- communications unified session manager 8.2.5,
- data exchange layer,
- debian linux 8.0,
- debian linux 9.0,
- element software -,
- endeca server 7.7.0,
- enterprise linux desktop 6.0,
- enterprise linux desktop 7.0,
- enterprise linux server 6.0,
- enterprise linux server 7.0,
- enterprise linux workstation 6.0,
- enterprise linux workstation 7.0,
- enterprise manager base platform 12.1.0.5.0,
- enterprise manager base platform 13.2.0.0.0,
- enterprise manager base platform 13.3.0.0.0,
- enterprise manager ops center 12.3.3,
- enterprise manager ops center 12.4.0,
- fas2720 firmware -,
- fas2750 firmware -,
- fedora 29,
- fedora 30,
- fedora 31,
- hci compute node -,
- hci management node -,
- hyper converged infrastructure -,
- jboss enterprise web server 5.0.0,
- jd edwards enterpriseone tools 9.2,
- jd edwards world security a9.3,
- jd edwards world security a9.3.1,
- jd edwards world security a9.4,
- leap 15.0,
- leap 15.1,
- leap 42.3,
- mysql,
- mysql enterprise monitor,
- mysql workbench,
- nessus,
- node.js,
- oncommand insight -,
- oncommand unified manager -,
- oncommand unified manager core package -,
- oncommand workflow automation -,
- ontap select deploy -,
- ontap select deploy administration utility -,
- openssl,
- pan-os,
- peoplesoft enterprise peopletools 8.55,
- peoplesoft enterprise peopletools 8.56,
- peoplesoft enterprise peopletools 8.57,
- santricity smi-s provider -,
- secure global desktop 5.4,
- service processor -,
- services tools bundle 19.2,
- smi-s provider -,
- snapcenter -,
- snapdrive -,
- snapprotect -,
- solidfire -,
- steelstore cloud integrated storage -,
- storage automation store -,
- storagegrid,
- storagegrid -,
- threat intelligence exchange server,
- traffix signaling delivery controller,
- traffix signaling delivery controller 4.4.0,
- ubuntu linux 16.04,
- ubuntu linux 18.04,
- ubuntu linux 18.10,
- virtualization 4.0,
- virtualization host 4.0,
- web gateway
References
Miscellaneous
