Attacker Value
Unknown
(0 users assessed)
Exploitability
Unknown
(0 users assessed)
User Interaction
None
Privileges Required
None
Attack Vector
Network
0

CVE-2019-1559

Disclosure Date: February 26, 2019
CVE-2019-1559 CVSS v3 Base Score: 5.9
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 byte record is received with an invalid MAC. If the application then behaves differently based on that in a way that is detectable to the remote peer, then this amounts to a padding oracle that could be used to decrypt data. In order for this to be exploitable “non-stitched” ciphersuites must be in use. Stitched ciphersuites are optimised implementations of certain commonly used ciphersuites. Also the application must call SSL_shutdown() twice even if a protocol error has occurred (applications should not do this but some do anyway). Fixed in OpenSSL 1.0.2r (Affected 1.0.2-1.0.2q).

Add Assessment

No one has assessed this topic. Be the first to add your voice to the community.

CVSS V3 Severity and Metrics
Base Score:
5.9 Medium
Impact Score:
3.6
Exploitability Score:
2.2
Vector:
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector (AV):
Network
Attack Complexity (AC):
High
Privileges Required (PR):
None
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
None
Availability (A):
None

General Information

Offensive Application
Unknown
Utility Class
Unknown
Ports
Unknown
OS
Unknown
Vulnerable Versions
OpenSSL Fixed in OpenSSL 1.0.2r (Affected 1.0.2-1.0.2q)
Prerequisites
Unknown
Discovered By
Unknown
PoC Author
Unknown
Metasploit Module
Unknown
Reporter
Unknown

Vendors

  • canonical,
  • debian,
  • f5,
  • fedoraproject,
  • mcafee,
  • netapp,
  • nodejs,
  • openssl,
  • opensuse,
  • oracle,
  • paloaltonetworks,
  • redhat,
  • tenable

Products

  • a220 firmware -,
  • a320 firmware -,
  • a800 firmware -,
  • active iq unified manager,
  • active iq unified manager -,
  • agent,
  • altavault -,
  • api gateway 11.1.2.4.0,
  • big-ip access policy manager,
  • big-ip advanced firewall manager,
  • big-ip analytics,
  • big-ip application acceleration manager,
  • big-ip application security manager,
  • big-ip domain name system,
  • big-ip edge gateway,
  • big-ip fraud protection service,
  • big-ip global traffic manager,
  • big-ip link controller,
  • big-ip local traffic manager,
  • big-ip policy enforcement manager,
  • big-ip webaccelerator,
  • big-iq centralized management,
  • business intelligence 11.1.1.9.0,
  • business intelligence 12.2.1.3.0,
  • business intelligence 12.2.1.4.0,
  • c190 firmware -,
  • cloud backup -,
  • clustered data ontap antivirus connector -,
  • cn1610 firmware -,
  • communications diameter signaling router 8.0.0,
  • communications diameter signaling router 8.1,
  • communications diameter signaling router 8.2,
  • communications diameter signaling router 8.3,
  • communications diameter signaling router 8.4,
  • communications performance intelligence center 10.4.0.2,
  • communications session border controller 7.4,
  • communications session border controller 8.0.0,
  • communications session border controller 8.1.0,
  • communications session border controller 8.2,
  • communications session border controller 8.3,
  • communications session router 7.4,
  • communications session router 8.0,
  • communications session router 8.1,
  • communications session router 8.2,
  • communications session router 8.3,
  • communications unified session manager 7.3.5,
  • communications unified session manager 8.2.5,
  • data exchange layer,
  • debian linux 8.0,
  • debian linux 9.0,
  • element software -,
  • endeca server 7.7.0,
  • enterprise linux desktop 6.0,
  • enterprise linux desktop 7.0,
  • enterprise linux server 6.0,
  • enterprise linux server 7.0,
  • enterprise linux workstation 6.0,
  • enterprise linux workstation 7.0,
  • enterprise manager base platform 12.1.0.5.0,
  • enterprise manager base platform 13.2.0.0.0,
  • enterprise manager base platform 13.3.0.0.0,
  • enterprise manager ops center 12.3.3,
  • enterprise manager ops center 12.4.0,
  • fas2720 firmware -,
  • fas2750 firmware -,
  • fedora 29,
  • fedora 30,
  • fedora 31,
  • hci compute node -,
  • hci management node -,
  • hyper converged infrastructure -,
  • jboss enterprise web server 5.0.0,
  • jd edwards enterpriseone tools 9.2,
  • jd edwards world security a9.3,
  • jd edwards world security a9.3.1,
  • jd edwards world security a9.4,
  • leap 15.0,
  • leap 15.1,
  • leap 42.3,
  • mysql,
  • mysql enterprise monitor,
  • mysql workbench,
  • nessus,
  • node.js,
  • oncommand insight -,
  • oncommand unified manager -,
  • oncommand unified manager core package -,
  • oncommand workflow automation -,
  • ontap select deploy -,
  • ontap select deploy administration utility -,
  • openssl,
  • pan-os,
  • peoplesoft enterprise peopletools 8.55,
  • peoplesoft enterprise peopletools 8.56,
  • peoplesoft enterprise peopletools 8.57,
  • santricity smi-s provider -,
  • secure global desktop 5.4,
  • service processor -,
  • services tools bundle 19.2,
  • smi-s provider -,
  • snapcenter -,
  • snapdrive -,
  • snapprotect -,
  • solidfire -,
  • steelstore cloud integrated storage -,
  • storage automation store -,
  • storagegrid,
  • storagegrid -,
  • threat intelligence exchange server,
  • traffix signaling delivery controller,
  • traffix signaling delivery controller 4.4.0,
  • ubuntu linux 16.04,
  • ubuntu linux 18.04,
  • ubuntu linux 18.10,
  • virtualization 4.0,
  • virtualization host 4.0,
  • web gateway

References

Canonical
CVE-2019-1559 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1559)
BID-107174 (http://www.securityfocus.com/bid/107174)
Advisory
https://security.netapp.com/advisory/ntap-20190301-0001
https://security.netapp.com/advisory/ntap-20190301-0002
GLSA-201903-10 (https://security.gentoo.org/glsa/201903-10)
https://git.openssl.org/gitweb?p=openssl.git;a=commitdiff;h=e9bbefbf0f24c57645e7ad6a5a71ae649d18ac8e
USN-3899-1 (https://usn.ubuntu.com/3899-1)
[debian-lts-announce] 20190301 [SECURITY] [DLA 1701-1] openssl security update (https://lists.debian.org/debian-lts-announce/2019/03/msg00003.html)
https://www.openssl.org/news/secadv/20190226.txt
DSA-4400 (https://www.debian.org/security/2019/dsa-4400)
https://support.f5.com/csp/article/K18549143
https://www.tenable.com/security/tns-2019-02
http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00041.html
http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00019.html
http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00046.html
http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00047.html
https://security.netapp.com/advisory/ntap-20190423-0002
https://www.tenable.com/security/tns-2019-03
https://kc.mcafee.com/corporate/index?page=content&id=SB10282
http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00049.html
http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00080.html
https://access.redhat.com/errata/RHSA-2019:2304
https://access.redhat.com/errata/RHSA-2019:2439
https://access.redhat.com/errata/RHSA-2019:2437
https://access.redhat.com/errata/RHSA-2019:2471
FEDORA-2019-db06efdea1 (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EWC42UXL5GHTU5G77VKBF6JYUUNGSHOM)
FEDORA-2019-00c25b9379 (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZBEV5QGDRFUZDMNECFXUSN5FMYOZDE4V)
FEDORA-2019-9a0a7c0986 (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y3IVFGSERAZLNJCK35TEM2R4726XIH3Z)
https://support.f5.com/csp/article/K18549143?utm_source=f5support&utm_medium=RSS
https://access.redhat.com/errata/RHSA-2019:3929
https://access.redhat.com/errata/RHSA-2019:3931
USN-4376-2 (https://usn.ubuntu.com/4376-2)
USN-3899-1 (https://usn.ubuntu.com/3899-1/)
FEDORA-2019-db06efdea1 (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EWC42UXL5GHTU5G77VKBF6JYUUNGSHOM/)
FEDORA-2019-00c25b9379 (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZBEV5QGDRFUZDMNECFXUSN5FMYOZDE4V/)
FEDORA-2019-9a0a7c0986 (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y3IVFGSERAZLNJCK35TEM2R4726XIH3Z/)
USN-4376-2 (https://usn.ubuntu.com/4376-2/)
https://security.netapp.com/advisory/ntap-20190301-0001/
https://security.netapp.com/advisory/ntap-20190301-0002/
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e9bbefbf0f24c57645e7ad6a5a71ae649d18ac8e
https://security.netapp.com/advisory/ntap-20190423-0002/
Miscellaneous
https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
https://www.oracle.com/security-alerts/cpujan2020.html
https://www.oracle.com/security-alerts/cpujan2021.html

Additional Info

Authenticated
Unknown
Exploitable
Unknown
Reliability
Unknown
Stability
Unknown
Available Mitigations
Unknown
Shelf Life
Unknown
Userbase/Installbase
Unknown
Patch Effectiveness
Unknown
Technical Analysis