CVE-2019-1559

Name of the Vulnerable Software and Affected Versions OpenSSL versions 1.0.2 through 1.0.2q PAN-OS versions prior to 7.1.25 PAN-OS versions prior to 8.0.20 PAN-OS versions prior to 8.1.8 PAN-OS versions prior to 9.0.2 MySQL Server versions 5.6.43 and earlier MySQL Server versions 5.7.25 and earlier MySQL Server versions 8.0.15 and earlier

Description The issue is related to the SSL shutdown() function in OpenSSL, which can respond differently to a calling application when a 0 byte record is received with invalid padding compared to an invalid MAC. This can be used as a padding oracle to decrypt data if "non-stitched" ciphersuites are in use and the application calls SSL shutdown() twice, even after a protocol error. The vulnerability can allow a remote attacker to obtain sensitive information or compromise the MySQL Server.

Recommendations For OpenSSL versions 1.0.2 through 1.0.2q, update to version 1.0.2r. For PAN-OS versions prior to 7.1.25, update to version 7.1.25 or later. For PAN-OS versions prior to 8.0.20, update to version 8.0.20 or later. For PAN-OS versions prior to 8.1.8, update to version 8.1.8 or later. For PAN-OS versions prior to 9.0.2, update to version 9.0.2 or later. For MySQL Server versions 5.6.43 and earlier, update to a version later than 5.6.43. For MySQL Server versions 5.7.25 and earlier, update to a version later than 5.7.25. For MySQL Server versions 8.0.15 and earlier, update to a version later than 8.0.15. As a temporary workaround, consider restricting the use of "non-stitched" ciphersuites and avoiding the call to SSL shutdown() twice, even after a protocol error.