Vulnerability DatabaseCVE-2019-1563
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2019-1563
September 10, 2019
In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).
Related ResourcesĀ (31)
https://lists.debian.org/debian-lts-announce/2019/09/msg00026.html
https://www.debian.org/security/2019/dsa-4539
https://usn.ubuntu.com/4376-2/
https://www.oracle.com/security-alerts/cpuapr2020.html
https://seclists.org/bugtraq/2019/Oct/0
https://seclists.org/bugtraq/2019/Sep/25
https://security.netapp.com/advisory/ntap-20190919-0002/
https://kc.mcafee.com/corporate/index?page=content&id=SB10365
https://www.openssl.org/news/secadv/20190910.txt
https://usn.ubuntu.com/4504-1/
http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00016.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/
https://support.f5.com/csp/article/K97324400?utm_source=f5support&amp%3Butm_medium=RSS
https://www.oracle.com/security-alerts/cpujul2020.html
http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html
https://access.redhat.com/security/cve/CVE-2019-1563
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/
http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00012.html
https://security.gentoo.org/glsa/201911-04
https://www.tenable.com/security/tns-2019-09
https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=631f94db0065c78181ca9ba5546ebc8bb3884b97
https://usn.ubuntu.com/4376-1/
https://seclists.org/bugtraq/2019/Oct/1
https://www.oracle.com/security-alerts/cpuoct2020.html
https://www.debian.org/security/2019/dsa-4540
https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=08229ad838c50f644d7e928e2eef147b4308ad64
https://www.oracle.com/security-alerts/cpujan2020.html
http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00072.html
https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f
http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00054.html
Do you need more information?
Contact Us
CVSS v4
Base Score:
6.3
Attack Vector
NETWORK
Attack Complexity
HIGH
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
NONE
Vulnerable System Confidentiality
LOW
Vulnerable System Integrity
NONE
Vulnerable System Availability
NONE
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
3.7
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
LOW
Integrity
NONE
Availability
NONE
CVSS v2
Base Score:
4.3
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
Weakness Type (CWE)
Use of a Broken or Risky Cryptographic Algorithm
CWE-327
Observable Discrepancy
CWE-203
EPSS
Base Score:
1.28