PT-2019-3786 · Openssl+7 · Openssl+7
Bernd Edlinger
·
Published
2019-09-10
·
Updated
2026-04-27
·
CVE-2019-1563
CVSS v2.0
4.3
Medium
| Vector | AV:N/AC:M/Au:N/C:P/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
OpenSSL versions 1.0.2 through 1.0.2s
OpenSSL versions 1.1.0 through 1.1.0k
OpenSSL versions 1.1.1 through 1.1.1c
Description
The issue is related to a padding oracle attack in the
PKCS7 dataDecode and CMS decrypt set1 pkey functions, allowing an attacker to recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key. This can be achieved by sending a large number of messages to be decrypted. Applications using a certificate together with the private RSA key to select the correct recipient info to decrypt are not affected.Recommendations
For OpenSSL versions 1.0.2 through 1.0.2s, update to version 1.0.2t.
For OpenSSL versions 1.1.0 through 1.1.0k, update to version 1.1.0l.
For OpenSSL versions 1.1.1 through 1.1.1c, update to version 1.1.1d.
Exploit
Fix
Missing Encryption of Sensitive Data
Use of a Broken Cryptographic Algorithm
Side Channel Attack
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Alt Linux
Astra Linux
Centos
Ibm Aix
Openssl
Red Hat
Suse
Ubuntu