Bug 1752100 (CVE-2019-1563)
| Summary: | CVE-2019-1563 openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Dhananjay Arunesh <darunesh> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | low | Docs Contact: | |
| Priority: | low | | |
| Version: | unspecified | CC: | apmukher, asoldano, atangrin, bbaranow, bmaxwell, brian.stansberry, cdewolf, cfergeau, chazlett, cperry, csutherl, darran.lofthouse, dkreling, dosoudil, erik-fedora, fidencio, fjuma, gzaronik, hasuzuki, istudens, ivassile, iweiss, jawilson, jclere, jorton, jperkins, krathod, ktietz, kwills, lgao, lmorse, marcandre.lureau, mbabacek, mkenjale, mosmerov, msochure, msvehla, mturk, myarboro, nwallace, pesilva, pjindal, plodge, pmackay, psotirop, rguimara, rh-spice-bugs, rjones, rstancel, rsvoboda, smaestri, szappis, tmraz, tom.jenkinson, twalsh, weli, yozone |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2020-04-06 22:32:08 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1752101, 1752102, 1752103, 1752338, 1752339, 1752340, 1752341 | | |
| Bug Blocks: | 1752105 | | |
Description
Dhananjay Arunesh
2019-09-13 17:14:07 UTC

Created mingw-openssl tracking bugs for this issue:

Affects: epel-7 [bug 1752101]
Affects: fedora-all [bug 1752103]

Created openssl tracking bugs for this issue:

Affects: fedora-all [bug 1752102]

This vulnerability is out of security support scope for the following products:

* Red Hat Enterprise Application Platform 6
* Red Hat Enterprise Application Platform 5
* Red Hat JBoss Enterprise Web Server 2
* Red Hat JBoss Web Server 3

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.

This keeps coming up with our services teams needing the fixed versions of OpenSSL. There are several CVEs that are involved ...

CVE-2019-1547 - Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).
CVE-2019-1549 - Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).
CVE-2019-1551 - Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t).
CVE-2019-1563 - Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).

Our images installed with OpenSSL show the following ...

Based on registry.access.redhat.com/ubi7/ubi-minimal - Need OpenSSL 1.0.2t or 1.0.2u-dev in ubi-7/x86_64 Red Hat Universal Base Image 7 Server (RPMs)

[root@4c866ac08b81 /]# openssl version
OpenSSL 1.0.2k-fips 26 Jan 2017

Based on registry.access.redhat.com/ubi8/ubi-minimal - Need OpenSSL 1.1.1d or 1.1.1e-dev in ubi-8-baseos Red Hat Universal Base Image 8 (RPMs) - BaseOS

[root@6ad506124398 /]# openssl version
OpenSSL 1.1.1c FIPS 28 May 2019

Having these upgrades will solve a lot of these issues for us. When can we expect the OpenSSL packages upgraded? There are many teams needing to use these images and are reporting these vulnerabilities. They require the upgraded images. When can we expect the OpenSSL packages upgraded?

Mitigation: This attack is carried out by sending a large number of messages to be decrypted by the victim. The attacker needs to receive a response from the victim indicating whether the decryption was successful or not. Therefore the attack is viable only if the user application compiled with openssl is designed in the above way. Only the CMS_decrypt and PKCS7_decrypt functions are affected. Applications compiled with openssl are not affected if they pass a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt.

Our teams are dependent on the upgraded version of openssl to pass vulnerability scans for our products. We cannot work around this. When can we expect the OpenSSL packages upgraded in UBI8?

(In reply to Laurie Morse from comment #11)
> Our teams are dependent on the upgraded version of openssl to pass
> vulnerability scans for our products. We cannot work around this. When can we
> expect the OpenSSL packages upgraded in UBI8?

Hi - can you please open a support ticket for this inquiry. Our UBI images are updated automatically - after a general RHSA (Security Errata) has been released into the RHEL channel as RPM content.

Regards,
Cliff

I have opened Case 02620079 - UBI8: ubi8/ubi-minimal missing critical update for OpenSSL CVEs ...
https://access.redhat.com/support/cases/#/case/02620079

This issue has been addressed in the following products:

  JBoss Core Services Apache HTTP Server 2.4.37 SP2

Via RHSA-2020:1336 https://access.redhat.com/errata/RHSA-2020:1336

This issue has been addressed in the following products:

  JBoss Core Services on RHEL 6
  JBoss Core Services on RHEL 7

Via RHSA-2020:1337 https://access.redhat.com/errata/RHSA-2020:1337

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-1563

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:1840 https://access.redhat.com/errata/RHSA-2020:1840

FEDORA-EPEL-2020-ff94ccbdec has been pushed to the Fedora EPEL 7 stable repository.
If problem still persists, please make note of it in this bug report.
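An upstream-version check for the four CVEs and affected ranges listed in the comment above, added here as an example and not part of the bug report. It parses `openssl version` banners like the two quoted from the UBI images; the sample banners and the helper names are constructed. Distribution builds such as the RHEL 1.0.2k-fips package carry backported fixes, so a hit from this check marks a version to verify against the vendor errata, not confirmed exposure.

```python
import re

# Affected upstream ranges exactly as listed in the comment above:
# (branch, last affected letter); every letter release of that branch
# up to and including the letter is affected.
AFFECTED = {
    "CVE-2019-1547": [((1, 1, 0), "k"), ((1, 0, 2), "s")],
    "CVE-2019-1549": [((1, 1, 1), "c")],
    "CVE-2019-1551": [((1, 1, 1), "d"), ((1, 0, 2), "t")],
    "CVE-2019-1563": [((1, 1, 1), "c"), ((1, 1, 0), "k"), ((1, 0, 2), "s")],
}

# Matches "OpenSSL 1.0.2k-fips 26 Jan 2017": numeric branch plus letter suffix.
# Trailing "-fips", "-dev" and the build date are ignored.
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(banner):
    """Return ((major, minor, fix), letter) for an 'openssl version' banner.
    A bare branch release such as 'OpenSSL 1.1.1' yields an empty letter."""
    m = VERSION_RE.search(banner)
    if not m:
        raise ValueError("not an OpenSSL version banner: %r" % banner)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))), m.group(4)


def affected_cves(banner):
    """List the CVEs whose upstream affected range contains this version.
    Letter releases of the 1.0.2/1.1.0/1.1.1 branches sort alphabetically,
    so 1.0.2k <= 1.0.2s means 'inside the affected range'."""
    branch, letter = parse_version(banner)
    hits = []
    for cve, ranges in AFFECTED.items():
        for affected_branch, last_affected in ranges:
            if branch == affected_branch and letter <= last_affected:
                hits.append(cve)
                break
    return hits


if __name__ == "__main__":
    # The two banners quoted from the UBI 7 and UBI 8 images in the comment.
    for banner in ("OpenSSL 1.0.2k-fips 26 Jan 2017",
                   "OpenSSL 1.1.1c FIPS 28 May 2019"):
        print(banner, "->", affected_cves(banner) or "no listed CVE by version")
```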