Bug 1683804 (CVE-2019-1559) - CVE-2019-1559 openssl: 0-byte record padding oracle
Summary: CVE-2019-1559 openssl: 0-byte record padding oracle
Status: NEW
Alias: CVE-2019-1559
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Whiteboard: impact=moderate,public=20190226,repor...
Keywords: Security
Depends On: 1683805 1683806 1683808 1683963 1684986 1684987 1712021 1683807 1683962 1709065 1718148
Blocks: 1683809
Reported: 2019-02-27 21:01 UTC by Laura Pardo
Modified: 2019-07-08 17:24 UTC
20 users

Clone Of:
Last Closed:


Description Laura Pardo 2019-02-27 21:01:45 UTC
A vulnerability was found in OpenSSL 1.0.2. When an application encounters a fatal protocol error and then calls SSL_shutdown() twice, OpenSSL can respond differently to the calling application if a 0-byte record is received with invalid padding compared to if a 0-byte record is received with an invalid MAC. If this difference in behaviour can be detected by a remote peer, then this amounts to a padding oracle that could be used to decrypt data. In order for this to be exploitable, "non-stitched" ciphersuites must be in use. Also the application must call SSL_shutdown() twice even if a protocol error has occurred (applications should not do this but some do anyway). AEAD ciphersuites are not impacted. This issue does not impact OpenSSL 1.1.1 or 1.1.0.

Upstream bug:

Upstream Patch:

Comment 1 Laura Pardo 2019-02-27 21:02:11 UTC
Created compat-openssl10 tracking bugs for this issue:

Affects: fedora-all [bug 1683808]

Created mingw-openssl tracking bugs for this issue:

Affects: epel-7 [bug 1683806]
Affects: fedora-all [bug 1683805]

Created openssl tracking bugs for this issue:

Affects: fedora-all [bug 1683807]

Comment 2 Huzaifa S. Sidhpurwala 2019-02-28 06:17:25 UTC
Note: https://github.com/RUB-NDS/TLS-Padding-Oracles

Comment 3 Huzaifa S. Sidhpurwala 2019-02-28 08:10:45 UTC
This is essentially a padding oracle flaw, which needs the following conditions for exploitation:

1. Non-stitched cipher suites are used. (https://software.intel.com/en-us/articles/improving-openssl-performance talks about stitching cipher suites)
2. AES-NI is not used.
3. Applications must call SSL_shutdown() twice even if a protocol error has occurred.
4. The attacker must be able to run a script in the victim's browser which sends requests to a vulnerable website. This can be achieved by tempting the victim to visit a malicious website. Second, the attacker must be able to modify requests sent by the browser and observe the server behavior. The second prerequisite is much harder to achieve, because the attacker must be an active Man-in-the-Middle.

Comment 4 Huzaifa S. Sidhpurwala 2019-02-28 08:10:53 UTC
External References:


Comment 13 Joshua Padman 2019-05-15 22:48:12 UTC
This vulnerability is out of security support scope for the following product:
 * Red Hat JBoss Web Server 3 

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
