{"containers":{"cna":{"affected":[{"product":"OpenSSL","vendor":"OpenSSL","versions":[{"status":"affected","version":"Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c)"},{"status":"affected","version":"Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k)"},{"status":"affected","version":"Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s)"}]}],"credits":[{"lang":"en","value":"Bernd Edlinger"}],"datePublic":"2019-09-10T00:00:00.000Z","descriptions":[{"lang":"en","value":"In situations where an attacker receives automated notification of the success or failure of a decryption attempt, the attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). 
Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s)."}],"metrics":[{"other":{"content":{"lang":"eng","url":"https://www.openssl.org/policies/secpolicy.html#Low","value":"Low"},"type":"unknown"}}],"problemTypes":[{"descriptions":[{"description":"Padding Oracle","lang":"en","type":"text"}]}],"providerMetadata":{"dateUpdated":"2021-07-31T07:06:42.000Z","orgId":"3a12439a-ef3a-4c79-92e6-6081a721f1e5","shortName":"openssl"},"references":[{"name":"20190912 [slackware-security] openssl (SSA:2019-254-03)","tags":["mailing-list","x_refsource_BUGTRAQ"],"url":"https://seclists.org/bugtraq/2019/Sep/25"},{"name":"openSUSE-SU-2019:2158","tags":["vendor-advisory","x_refsource_SUSE"],"url":"http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00054.html"},{"name":"FEDORA-2019-d15aac6c4e","tags":["vendor-advisory","x_refsource_FEDORA"],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/"},{"name":"openSUSE-SU-2019:2189","tags":["vendor-advisory","x_refsource_SUSE"],"url":"http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00072.html"},{"name":"[debian-lts-announce] 20190925 [SECURITY] [DLA 1932-1] openssl security update","tags":["mailing-list","x_refsource_MLIST"],"url":"https://lists.debian.org/debian-lts-announce/2019/09/msg00026.html"},{"name":"FEDORA-2019-d51641f152","tags":["vendor-advisory","x_refsource_FEDORA"],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/"},{"name":"20191001 [SECURITY] [DSA 4539-1] openssl security update","tags":["mailing-list","x_refsource_BUGTRAQ"],"url":"https://seclists.org/bugtraq/2019/Oct/1"},{"name":"20191001 [SECURITY] [DSA 4540-1] openssl1.0 security 
update","tags":["mailing-list","x_refsource_BUGTRAQ"],"url":"https://seclists.org/bugtraq/2019/Oct/0"},{"name":"DSA-4539","tags":["vendor-advisory","x_refsource_DEBIAN"],"url":"https://www.debian.org/security/2019/dsa-4539"},{"name":"DSA-4540","tags":["vendor-advisory","x_refsource_DEBIAN"],"url":"https://www.debian.org/security/2019/dsa-4540"},{"name":"openSUSE-SU-2019:2268","tags":["vendor-advisory","x_refsource_SUSE"],"url":"http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00012.html"},{"name":"openSUSE-SU-2019:2269","tags":["vendor-advisory","x_refsource_SUSE"],"url":"http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00016.html"},{"name":"GLSA-201911-04","tags":["vendor-advisory","x_refsource_GENTOO"],"url":"https://security.gentoo.org/glsa/201911-04"},{"name":"USN-4376-1","tags":["vendor-advisory","x_refsource_UBUNTU"],"url":"https://usn.ubuntu.com/4376-1/"},{"tags":["x_refsource_MISC"],"url":"https://www.oracle.com/security-alerts/cpuapr2020.html"},{"tags":["x_refsource_MISC"],"url":"https://www.oracle.com/security-alerts/cpujul2020.html"},{"tags":["x_refsource_MISC"],"url":"https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html"},{"tags":["x_refsource_MISC"],"url":"https://www.oracle.com/security-alerts/cpujan2020.html"},{"tags":["x_refsource_CONFIRM"],"url":"https://www.openssl.org/news/secadv/20190910.txt"},{"tags":["x_refsource_MISC"],"url":"http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html"},{"tags":["x_refsource_CONFIRM"],"url":"https://security.netapp.com/advisory/ntap-20190919-0002/"},{"tags":["x_refsource_CONFIRM"],"url":"https://www.tenable.com/security/tns-2019-09"},{"tags":["x_refsource_CONFIRM"],"url":"https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=08229ad838c50f644d7e928e2eef147b4308ad64"},{"tags":["x_refsource_CONFIRM"],"url":"https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=631f94db0065c78181ca9ba5546ebc8bb3884b97"},{"
tags":["x_refsource_CONFIRM"],"url":"https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f"},{"tags":["x_refsource_CONFIRM"],"url":"https://support.f5.com/csp/article/K97324400?utm_source=f5support&amp%3Butm_medium=RSS"},{"name":"USN-4376-2","tags":["vendor-advisory","x_refsource_UBUNTU"],"url":"https://usn.ubuntu.com/4376-2/"},{"name":"USN-4504-1","tags":["vendor-advisory","x_refsource_UBUNTU"],"url":"https://usn.ubuntu.com/4504-1/"},{"tags":["x_refsource_MISC"],"url":"https://www.oracle.com/security-alerts/cpuoct2020.html"},{"tags":["x_refsource_CONFIRM"],"url":"https://kc.mcafee.com/corporate/index?page=content&id=SB10365"}],"title":"Padding Oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey","x_legacyV4Record":{"CVE_data_meta":{"ASSIGNER":"openssl-security@openssl.org","DATE_PUBLIC":"2019-09-10","ID":"CVE-2019-1563","STATE":"PUBLIC","TITLE":"Padding Oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"OpenSSL","version":{"version_data":[{"version_value":"Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c)"},{"version_value":"Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k)"},{"version_value":"Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s)"}]}}]},"vendor_name":"OpenSSL"}]}},"credit":[{"lang":"eng","value":"Bernd Edlinger"}],"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"In situations where an attacker receives automated notification of the success or failure of a decryption attempt, the attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. 
Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s)."}]},"impact":[{"lang":"eng","url":"https://www.openssl.org/policies/secpolicy.html#Low","value":"Low"}],"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"Padding Oracle"}]}]},"references":{"reference_data":[{"name":"20190912 [slackware-security] openssl (SSA:2019-254-03)","refsource":"BUGTRAQ","url":"https://seclists.org/bugtraq/2019/Sep/25"},{"name":"openSUSE-SU-2019:2158","refsource":"SUSE","url":"http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00054.html"},{"name":"FEDORA-2019-d15aac6c4e","refsource":"FEDORA","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/"},{"name":"openSUSE-SU-2019:2189","refsource":"SUSE","url":"http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00072.html"},{"name":"[debian-lts-announce] 20190925 [SECURITY] [DLA 1932-1] openssl security update","refsource":"MLIST","url":"https://lists.debian.org/debian-lts-announce/2019/09/msg00026.html"},{"name":"FEDORA-2019-d51641f152","refsource":"FEDORA","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/"},{"name":"20191001 [SECURITY] [DSA 4539-1] openssl security update","refsource":"BUGTRAQ","url":"https://seclists.org/bugtraq/2019/Oct/1"},{"name":"20191001 [SECURITY] [DSA 4540-1] openssl1.0 security 
update","refsource":"BUGTRAQ","url":"https://seclists.org/bugtraq/2019/Oct/0"},{"name":"DSA-4539","refsource":"DEBIAN","url":"https://www.debian.org/security/2019/dsa-4539"},{"name":"DSA-4540","refsource":"DEBIAN","url":"https://www.debian.org/security/2019/dsa-4540"},{"name":"openSUSE-SU-2019:2268","refsource":"SUSE","url":"http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00012.html"},{"name":"openSUSE-SU-2019:2269","refsource":"SUSE","url":"http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00016.html"},{"name":"GLSA-201911-04","refsource":"GENTOO","url":"https://security.gentoo.org/glsa/201911-04"},{"name":"USN-4376-1","refsource":"UBUNTU","url":"https://usn.ubuntu.com/4376-1/"},{"name":"https://www.oracle.com/security-alerts/cpuapr2020.html","refsource":"MISC","url":"https://www.oracle.com/security-alerts/cpuapr2020.html"},{"name":"https://www.oracle.com/security-alerts/cpujul2020.html","refsource":"MISC","url":"https://www.oracle.com/security-alerts/cpujul2020.html"},{"name":"https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html","refsource":"MISC","url":"https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html"},{"name":"https://www.oracle.com/security-alerts/cpujan2020.html","refsource":"MISC","url":"https://www.oracle.com/security-alerts/cpujan2020.html"},{"name":"https://www.openssl.org/news/secadv/20190910.txt","refsource":"CONFIRM","url":"https://www.openssl.org/news/secadv/20190910.txt"},{"name":"http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html","refsource":"MISC","url":"http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html"},{"name":"https://security.netapp.com/advisory/ntap-20190919-0002/","refsource":"CONFIRM","url":"https://security.netapp.com/advisory/ntap-20190919-0002/"},{"name":"https://www.tenable.com/security/tns-2019-09","refsource":"CONFIRM","url":"https://www.tenable.com/security/tns-2019-0
9"},{"name":"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64","refsource":"CONFIRM","url":"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64"},{"name":"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97","refsource":"CONFIRM","url":"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97"},{"name":"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f","refsource":"CONFIRM","url":"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f"},{"name":"https://support.f5.com/csp/article/K97324400?utm_source=f5support&amp;utm_medium=RSS","refsource":"CONFIRM","url":"https://support.f5.com/csp/article/K97324400?utm_source=f5support&amp;utm_medium=RSS"},{"name":"USN-4376-2","refsource":"UBUNTU","url":"https://usn.ubuntu.com/4376-2/"},{"name":"USN-4504-1","refsource":"UBUNTU","url":"https://usn.ubuntu.com/4504-1/"},{"name":"https://www.oracle.com/security-alerts/cpuoct2020.html","refsource":"MISC","url":"https://www.oracle.com/security-alerts/cpuoct2020.html"},{"name":"https://kc.mcafee.com/corporate/index?page=content&id=SB10365","refsource":"CONFIRM","url":"https://kc.mcafee.com/corporate/index?page=content&id=SB10365"}]}}},"adp":[{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-08-04T18:20:28.307Z"},"title":"CVE Program Container","references":[{"name":"20190912 [slackware-security] openssl 
(SSA:2019-254-03)","tags":["mailing-list","x_refsource_BUGTRAQ","x_transferred"],"url":"https://seclists.org/bugtraq/2019/Sep/25"},{"name":"openSUSE-SU-2019:2158","tags":["vendor-advisory","x_refsource_SUSE","x_transferred"],"url":"http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00054.html"},{"name":"FEDORA-2019-d15aac6c4e","tags":["vendor-advisory","x_refsource_FEDORA","x_transferred"],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/"},{"name":"openSUSE-SU-2019:2189","tags":["vendor-advisory","x_refsource_SUSE","x_transferred"],"url":"http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00072.html"},{"name":"[debian-lts-announce] 20190925 [SECURITY] [DLA 1932-1] openssl security update","tags":["mailing-list","x_refsource_MLIST","x_transferred"],"url":"https://lists.debian.org/debian-lts-announce/2019/09/msg00026.html"},{"name":"FEDORA-2019-d51641f152","tags":["vendor-advisory","x_refsource_FEDORA","x_transferred"],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/"},{"name":"20191001 [SECURITY] [DSA 4539-1] openssl security update","tags":["mailing-list","x_refsource_BUGTRAQ","x_transferred"],"url":"https://seclists.org/bugtraq/2019/Oct/1"},{"name":"20191001 [SECURITY] [DSA 4540-1] openssl1.0 security 
update","tags":["mailing-list","x_refsource_BUGTRAQ","x_transferred"],"url":"https://seclists.org/bugtraq/2019/Oct/0"},{"name":"DSA-4539","tags":["vendor-advisory","x_refsource_DEBIAN","x_transferred"],"url":"https://www.debian.org/security/2019/dsa-4539"},{"name":"DSA-4540","tags":["vendor-advisory","x_refsource_DEBIAN","x_transferred"],"url":"https://www.debian.org/security/2019/dsa-4540"},{"name":"openSUSE-SU-2019:2268","tags":["vendor-advisory","x_refsource_SUSE","x_transferred"],"url":"http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00012.html"},{"name":"openSUSE-SU-2019:2269","tags":["vendor-advisory","x_refsource_SUSE","x_transferred"],"url":"http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00016.html"},{"name":"GLSA-201911-04","tags":["vendor-advisory","x_refsource_GENTOO","x_transferred"],"url":"https://security.gentoo.org/glsa/201911-04"},{"name":"USN-4376-1","tags":["vendor-advisory","x_refsource_UBUNTU","x_transferred"],"url":"https://usn.ubuntu.com/4376-1/"},{"tags":["x_refsource_MISC","x_transferred"],"url":"https://www.oracle.com/security-alerts/cpuapr2020.html"},{"tags":["x_refsource_MISC","x_transferred"],"url":"https://www.oracle.com/security-alerts/cpujul2020.html"},{"tags":["x_refsource_MISC","x_transferred"],"url":"https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html"},{"tags":["x_refsource_MISC","x_transferred"],"url":"https://www.oracle.com/security-alerts/cpujan2020.html"},{"tags":["x_refsource_CONFIRM","x_transferred"],"url":"https://www.openssl.org/news/secadv/20190910.txt"},{"tags":["x_refsource_MISC","x_transferred"],"url":"http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html"},{"tags":["x_refsource_CONFIRM","x_transferred"],"url":"https://security.netapp.com/advisory/ntap-20190919-0002/"},{"tags":["x_refsource_CONFIRM","x_transferred"],"url":"https://www.tenable.com/security/tns-2019-09"},{"tags":["x_refsource_CONFIRM","x_transferred"],"url":"h
ttps://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=08229ad838c50f644d7e928e2eef147b4308ad64"},{"tags":["x_refsource_CONFIRM","x_transferred"],"url":"https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=631f94db0065c78181ca9ba5546ebc8bb3884b97"},{"tags":["x_refsource_CONFIRM","x_transferred"],"url":"https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f"},{"tags":["x_refsource_CONFIRM","x_transferred"],"url":"https://support.f5.com/csp/article/K97324400?utm_source=f5support&amp%3Butm_medium=RSS"},{"name":"USN-4376-2","tags":["vendor-advisory","x_refsource_UBUNTU","x_transferred"],"url":"https://usn.ubuntu.com/4376-2/"},{"name":"USN-4504-1","tags":["vendor-advisory","x_refsource_UBUNTU","x_transferred"],"url":"https://usn.ubuntu.com/4504-1/"},{"tags":["x_refsource_MISC","x_transferred"],"url":"https://www.oracle.com/security-alerts/cpuoct2020.html"},{"tags":["x_refsource_CONFIRM","x_transferred"],"url":"https://kc.mcafee.com/corporate/index?page=content&id=SB10365"}]}]},"cveMetadata":{"assignerOrgId":"3a12439a-ef3a-4c79-92e6-6081a721f1e5","assignerShortName":"openssl","cveId":"CVE-2019-1563","datePublished":"2019-09-10T16:58:35.407Z","dateReserved":"2018-11-28T00:00:00.000Z","dateUpdated":"2024-09-17T01:11:46.014Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.1"}