A vulnerability was found in OpenSSL 1.0.2. When an application encounters a fatal protocol error and then calls SSL_shutdown() twice, OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 byte record is received with an invalid MAC. If this difference in behaviour can be detected by a remote peer, then this amounts to a padding oracle that could be used to decrypt data. In order for this to be exploitable, "non-stitched" ciphersuites must be in use. Also, the application must call SSL_shutdown() twice even if a protocol error has occurred (applications should not do this, but some do anyway). AEAD ciphersuites are not impacted. This issue does not impact OpenSSL 1.1.1 or 1.1.0.
Upstream bug: https://www.openssl.org/news/secadv/20190226.txt
Upstream patch: https://github.com/openssl/openssl/commit/e9bbefbf0f24c57645e7ad6a5a71ae649d18ac8e
Created compat-openssl10 tracking bugs for this issue:
Affects: fedora-all [bug 1683808]
Created mingw-openssl tracking bugs for this issue:
Affects: epel-7 [bug 1683806]
Affects: fedora-all [bug 1683805]
Created openssl tracking bugs for this issue:
Affects: fedora-all [bug 1683807]
Note: https://github.com/RUB-NDS/TLS-Padding-Oracles
This is essentially a padding oracle flaw, which needs the following conditions for exploitation:
1. Non-stitched cipher suites are used. (https://software.intel.com/en-us/articles/improving-openssl-performance talks about stitching cipher suites)
2. AES-NI is not used.
3. Applications must call SSL_shutdown() twice even if a protocol error has occurred.
4. The attacker must be able to run a script in the victim's browser which sends requests to a vulnerable website. This can be achieved by tempting the victim to visit a malicious website. Second, the attacker must be able to modify requests sent by the browser and observe the server behavior. The second prerequisite is much harder to achieve, because the attacker must be an active Man-in-the-Middle.
External References:
https://www.openssl.org/news/secadv/20190226.txt
https://github.com/RUB-NDS/TLS-Padding-Oracles
This vulnerability is out of security support scope for the following product:
* Red Hat JBoss Web Server 3
Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2019:2304 https://access.redhat.com/errata/RHSA-2019:2304
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-1559
This issue has been addressed in the following products: Red Hat Virtualization 4 for Red Hat Enterprise Linux 7 Via RHSA-2019:2437 https://access.redhat.com/errata/RHSA-2019:2437
This issue has been addressed in the following products: Red Hat Virtualization 4 for Red Hat Enterprise Linux 7 Via RHSA-2019:2439 https://access.redhat.com/errata/RHSA-2019:2439
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2019:2471 https://access.redhat.com/errata/RHSA-2019:2471
This issue has been addressed in the following products: Red Hat JBoss Web Server Via RHSA-2019:3931 https://access.redhat.com/errata/RHSA-2019:3931
This issue has been addressed in the following products:
Red Hat JBoss Web Server 5.2 on RHEL 7
Red Hat JBoss Web Server 5.2 on RHEL 6
Red Hat JBoss Web Server 5.2 on RHEL 8
Via RHSA-2019:3929 https://access.redhat.com/errata/RHSA-2019:3929
Statement:
1. For this issue to be exploitable, the (server) application using the OpenSSL library needs to use it incorrectly.
2. There are multiple other requirements for the attack to succeed:
- The ciphersuite used must be an obsolete CBC cipher without a stitched implementation (or the system must be in FIPS mode)
- the attacker has to be a MITM
- the attacker has to be able to control the client side to send requests to the buggy server on demand
Mitigation: As a workaround you can disable SHA384 if applications (compiled with OpenSSL) allow for adjustment of the ciphersuite string configuration.
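The following is an added example, not code from OpenSSL, Red Hat or the bug tracker, illustrating the mitigation and statement above: it classifies OpenSSL-style cipher suite names into AEAD suites (not affected) and non-AEAD suites by their record MAC, flags the non-AEAD HMAC-SHA384 suites that the "disable SHA384" workaround targets, and appends the OpenSSL cipher-string keyword `!SHA384` to a configured cipher string. The cipher names in `SAMPLE_CIPHER_LIST` are a constructed sample, and the function names (`classify`, `audit_cipher_list`, `hardened_cipher_string`) are this example's own; the classification relies on OpenSSL's suite naming convention (AEAD suites carry GCM, CCM or CHACHA20-POLY1305 in the name; other suites end in their MAC).

```python
"""Audit an OpenSSL 1.0.2-style cipher list for the suite class that the
CVE-2019-1559 mitigation removes: non-AEAD (CBC) suites whose record MAC is
HMAC-SHA384, which have no "stitched" AES-NI implementation.

Added example; not code from OpenSSL or from the bug tracker.
"""
import re

# Suites with these markers in their OpenSSL name are AEAD and not affected.
AEAD_MARKERS = ("GCM", "CCM", "CHACHA20-POLY1305")

# Non-AEAD suite names end in the record MAC; SHA means HMAC-SHA1.
MAC_SUFFIX = re.compile(r"-(SHA384|SHA256|SHA|MD5)$")

# Constructed sample of OpenSSL 1.0.2 cipher names (not taken from the page).
SAMPLE_CIPHER_LIST = [
    "ECDHE-RSA-AES256-GCM-SHA384",   # AEAD: SHA384 here is only the PRF
    "ECDHE-RSA-AES256-SHA384",       # CBC + HMAC-SHA384: removed by !SHA384
    "ECDHE-ECDSA-AES256-SHA384",     # CBC + HMAC-SHA384: removed by !SHA384
    "DHE-RSA-AES256-SHA256",         # CBC + HMAC-SHA256 (stitched on AES-NI)
    "ECDHE-RSA-AES128-SHA256",
    "AES256-SHA256",
    "AES256-SHA",                    # CBC + HMAC-SHA1 (stitched on AES-NI)
    "DHE-RSA-CAMELLIA256-SHA",
]


def classify(name):
    """Return (is_aead, mac) for an OpenSSL-style cipher suite name.

    mac is 'AEAD' for AEAD suites, otherwise 'SHA384', 'SHA256', 'SHA1',
    'MD5', or None when the name carries no recognisable MAC suffix.
    """
    if any(marker in name for marker in AEAD_MARKERS):
        return True, "AEAD"
    match = MAC_SUFFIX.search(name)
    if not match:
        return False, None
    mac = match.group(1)
    return False, "SHA1" if mac == "SHA" else mac


def is_non_aead_sha384(name):
    """True for the suites the 'disable SHA384' workaround is aimed at."""
    is_aead, mac = classify(name)
    return (not is_aead) and mac == "SHA384"


def audit_cipher_list(names):
    """Split a list of suite names into (targeted_by_workaround, others)."""
    affected = [n for n in names if is_non_aead_sha384(n)]
    others = [n for n in names if not is_non_aead_sha384(n)]
    return affected, others


def hardened_cipher_string(cipher_string):
    """Append the OpenSSL cipher-string keyword '!SHA384' once.

    The SHA384 keyword selects suites by record MAC, so AEAD suites (whose
    MAC is AEAD) stay enabled while the CBC HMAC-SHA384 suites are dropped.
    """
    parts = [p for p in cipher_string.split(":") if p]
    if "!SHA384" not in parts:
        parts.append("!SHA384")
    return ":".join(parts)


if __name__ == "__main__":
    affected, others = audit_cipher_list(SAMPLE_CIPHER_LIST)
    print("targeted by workaround:", affected)
    print("kept:", others)
    print("weak:    ", "HIGH:!aNULL")
    print("hardened:", hardened_cipher_string("HIGH:!aNULL"))
```

The resulting string can be checked against the real library with `openssl ciphers -v 'HIGH:!aNULL:!SHA384'`, whose Mac column should no longer list SHA384 while the AES-GCM suites remain. The workaround narrows only one of the preconditions; the application-side fix is still to stop calling SSL_shutdown() after a fatal protocol error, and the package updates in the errata above remove the underlying difference in behaviour.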