csaf_suse - suse-su-2020:2634-1

Vulnerability from csaf_suse

Published

2020-09-15 09:19

Modified

2020-09-15 09:19

Summary

Security update for compat-openssl098

Notes

Title of the patch

Security update for compat-openssl098

Description of the patch

This update for compat-openssl098 fixes the following issues: - CVE-2020-1968: Introduced hardening against the Raccoon attack by always generating fresh DH keys and never reuse them across multiple TLS connections (bsc#1176331).

Patchnames

SUSE-2020-2634,SUSE-SLE-Module-Legacy-12-2020-2634,SUSE-SLE-SAP-12-SP2-2020-2634,SUSE-SLE-SAP-12-SP3-2020-2634,SUSE-SLE-SAP-12-SP4-2020-2634,SUSE-SLE-SAP-12-SP5-2020-2634

CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).

JSON

To clipboard

{
   document: {
      aggregate_severity: {
         namespace: "https://www.suse.com/support/security/rating/",
         text: "important",
      },
      category: "csaf_security_advisory",
      csaf_version: "2.0",
      distribution: {
         text: "Copyright 2024 SUSE LLC. All rights reserved.",
         tlp: {
            label: "WHITE",
            url: "https://www.first.org/tlp/",
         },
      },
      lang: "en",
      notes: [
         {
            category: "summary",
            text: "Security update for compat-openssl098",
            title: "Title of the patch",
         },
         {
            category: "description",
            text: "This update for compat-openssl098 fixes the following issues:\n\n- CVE-2020-1968: Introduced hardening against the Raccoon attack by always generating fresh DH keys \n  and never reuse them across multiple TLS connections (bsc#1176331).\n",
            title: "Description of the patch",
         },
         {
            category: "details",
            text: "SUSE-2020-2634,SUSE-SLE-Module-Legacy-12-2020-2634,SUSE-SLE-SAP-12-SP2-2020-2634,SUSE-SLE-SAP-12-SP3-2020-2634,SUSE-SLE-SAP-12-SP4-2020-2634,SUSE-SLE-SAP-12-SP5-2020-2634",
            title: "Patchnames",
         },
         {
            category: "legal_disclaimer",
            text: "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
            title: "Terms of use",
         },
      ],
      publisher: {
         category: "vendor",
         contact_details: "https://www.suse.com/support/security/contact/",
         name: "SUSE Product Security Team",
         namespace: "https://www.suse.com/",
      },
      references: [
         {
            category: "external",
            summary: "SUSE ratings",
            url: "https://www.suse.com/support/security/rating/",
         },
         {
            category: "self",
            summary: "URL of this CSAF notice",
            url: "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2020_2634-1.json",
         },
         {
            category: "self",
            summary: "URL for SUSE-SU-2020:2634-1",
            url: "https://www.suse.com/support/update/announcement/2020/suse-su-20202634-1/",
         },
         {
            category: "self",
            summary: "E-Mail link for SUSE-SU-2020:2634-1",
            url: "https://lists.suse.com/pipermail/sle-security-updates/2020-September/007427.html",
         },
         {
            category: "self",
            summary: "SUSE Bug 1153785",
            url: "https://bugzilla.suse.com/1153785",
         },
         {
            category: "self",
            summary: "SUSE Bug 1176331",
            url: "https://bugzilla.suse.com/1176331",
         },
         {
            category: "self",
            summary: "SUSE CVE CVE-2019-1563 page",
            url: "https://www.suse.com/security/cve/CVE-2019-1563/",
         },
         {
            category: "self",
            summary: "SUSE CVE CVE-2020-1968 page",
            url: "https://www.suse.com/security/cve/CVE-2020-1968/",
         },
      ],
      title: "Security update for compat-openssl098",
      tracking: {
         current_release_date: "2020-09-15T09:19:00Z",
         generator: {
            date: "2020-09-15T09:19:00Z",
            engine: {
               name: "cve-database.git:bin/generate-csaf.pl",
               version: "1",
            },
         },
         id: "SUSE-SU-2020:2634-1",
         initial_release_date: "2020-09-15T09:19:00Z",
         revision_history: [
            {
               date: "2020-09-15T09:19:00Z",
               number: "1",
               summary: "Current version",
            },
         ],
         status: "final",
         version: "1",
      },
   },
   product_tree: {
      branches: [
         {
            branches: [
               {
                  branches: [
                     {
                        category: "product_version",
                        name: "libopenssl0_9_8-0.9.8j-106.21.1.i586",
                        product: {
                           name: "libopenssl0_9_8-0.9.8j-106.21.1.i586",
                           product_id: "libopenssl0_9_8-0.9.8j-106.21.1.i586",
                        },
                     },
                  ],
                  category: "architecture",
                  name: "i586",
               },
               {
                  branches: [
                     {
                        category: "product_version",
                        name: "libopenssl0_9_8-0.9.8j-106.21.1.s390",
                        product: {
                           name: "libopenssl0_9_8-0.9.8j-106.21.1.s390",
                           product_id: "libopenssl0_9_8-0.9.8j-106.21.1.s390",
                        },
                     },
                  ],
                  category: "architecture",
                  name: "s390",
               },
               {
                  branches: [
                     {
                        category: "product_version",
                        name: "libopenssl0_9_8-0.9.8j-106.21.1.s390x",
                        product: {
                           name: "libopenssl0_9_8-0.9.8j-106.21.1.s390x",
                           product_id: "libopenssl0_9_8-0.9.8j-106.21.1.s390x",
                        },
                     },
                     {
                        category: "product_version",
                        name: "libopenssl0_9_8-32bit-0.9.8j-106.21.1.s390x",
                        product: {
                           name: "libopenssl0_9_8-32bit-0.9.8j-106.21.1.s390x",
                           product_id: "libopenssl0_9_8-32bit-0.9.8j-106.21.1.s390x",
                        },
                     },
                  ],
                  category: "architecture",
                  name: "s390x",
               },
               {
                  branches: [
                     {
                        category: "product_version",
                        name: "libopenssl0_9_8-0.9.8j-106.21.1.x86_64",
                        product: {
                           name: "libopenssl0_9_8-0.9.8j-106.21.1.x86_64",
                           product_id: "libopenssl0_9_8-0.9.8j-106.21.1.x86_64",
                        },
                     },
                     {
                        category: "product_version",
                        name: "libopenssl0_9_8-32bit-0.9.8j-106.21.1.x86_64",
                        product: {
                           name: "libopenssl0_9_8-32bit-0.9.8j-106.21.1.x86_64",
                           product_id: "libopenssl0_9_8-32bit-0.9.8j-106.21.1.x86_64",
                        },
                     },
                  ],
                  category: "architecture",
                  name: "x86_64",
               },
               {
                  branches: [
                     {
                        category: "product_name",
                        name: "SUSE Linux Enterprise Module for Legacy 12",
                        product: {
                           name: "SUSE Linux Enterprise Module for Legacy 12",
                           product_id: "SUSE Linux Enterprise Module for Legacy 12",
                           product_identification_helper: {
                              cpe: "cpe:/o:suse:sle-module-legacy:12",
                           },
                        },
                     },
                     {
                        category: "product_name",
                        name: "SUSE Linux Enterprise Server for SAP Applications 12 SP2",
                        product: {
                           name: "SUSE Linux Enterprise Server for SAP Applications 12 SP2",
                           product_id: "SUSE Linux Enterprise Server for SAP Applications 12 SP2",
                           product_identification_helper: {
                              cpe: "cpe:/o:suse:sles_sap:12:sp2",
                           },
                        },
                     },
                     {
                        category: "product_name",
                        name: "SUSE Linux Enterprise Server for SAP Applications 12 SP3",
                        product: {
                           name: "SUSE Linux Enterprise Server for SAP Applications 12 SP3",
                           product_id: "SUSE Linux Enterprise Server for SAP Applications 12 SP3",
                           product_identification_helper: {
                              cpe: "cpe:/o:suse:sles_sap:12:sp3",
                           },
                        },
                     },
                     {
                        category: "product_name",
                        name: "SUSE Linux Enterprise Server for SAP Applications 12 SP4",
                        product: {
                           name: "SUSE Linux Enterprise Server for SAP Applications 12 SP4",
                           product_id: "SUSE Linux Enterprise Server for SAP Applications 12 SP4",
                           product_identification_helper: {
                              cpe: "cpe:/o:suse:sles_sap:12:sp4",
                           },
                        },
                     },
                     {
                        category: "product_name",
                        name: "SUSE Linux Enterprise Server for SAP Applications 12 SP5",
                        product: {
                           name: "SUSE Linux Enterprise Server for SAP Applications 12 SP5",
                           product_id: "SUSE Linux Enterprise Server for SAP Applications 12 SP5",
                           product_identification_helper: {
                              cpe: "cpe:/o:suse:sles_sap:12:sp5",
                           },
                        },
                     },
                  ],
                  category: "product_family",
                  name: "SUSE Linux Enterprise",
               },
            ],
            category: "vendor",
            name: "SUSE",
         },
      ],
      relationships: [
         {
            category: "default_component_of",
            full_product_name: {
               name: "libopenssl0_9_8-0.9.8j-106.21.1.s390x as component of SUSE Linux Enterprise Module for Legacy 12",
               product_id: "SUSE Linux Enterprise Module for Legacy 12:libopenssl0_9_8-0.9.8j-106.21.1.s390x",
            },
            product_reference: "libopenssl0_9_8-0.9.8j-106.21.1.s390x",
            relates_to_product_reference: "SUSE Linux Enterprise Module for Legacy 12",
         },
         {
            category: "default_component_of",
            full_product_name: {
               name: "libopenssl0_9_8-0.9.8j-106.21.1.x86_64 as component of SUSE Linux Enterprise Module for Legacy 12",
               product_id: "SUSE Linux Enterprise Module for Legacy 12:libopenssl0_9_8-0.9.8j-106.21.1.x86_64",
            },
            product_reference: "libopenssl0_9_8-0.9.8j-106.21.1.x86_64",
            relates_to_product_reference: "SUSE Linux Enterprise Module for Legacy 12",
         },
         {
            category: "default_component_of",
            full_product_name: {
               name: "libopenssl0_9_8-32bit-0.9.8j-106.21.1.s390x as component of SUSE Linux Enterprise Module for Legacy 12",
               product_id: "SUSE Linux Enterprise Module for Legacy 12:libopenssl0_9_8-32bit-0.9.8j-106.21.1.s390x",
            },
            product_reference: "libopenssl0_9_8-32bit-0.9.8j-106.21.1.s390x",
            relates_to_product_reference: "SUSE Linux Enterprise Module for Legacy 12",
         },
         {
            category: "default_component_of",
            full_product_name: {
               name: "libopenssl0_9_8-32bit-0.9.8j-106.21.1.x86_64 as component of SUSE Linux Enterprise Module for Legacy 12",
               product_id: "SUSE Linux Enterprise Module for Legacy 12:libopenssl0_9_8-32bit-0.9.8j-106.21.1.x86_64",
            },
            product_reference: "libopenssl0_9_8-32bit-0.9.8j-106.21.1.x86_64",
            relates_to_product_reference: "SUSE Linux Enterprise Module for Legacy 12",
         },
         {
            category: "default_component_of",
            full_product_name: {
               name: "libopenssl0_9_8-0.9.8j-106.21.1.x86_64 as component of SUSE Linux Enterprise Server for SAP Applications 12 SP2",
               product_id: "SUSE Linux Enterprise Server for SAP Applications 12 SP2:libopenssl0_9_8-0.9.8j-106.21.1.x86_64",
            },
            product_reference: "libopenssl0_9_8-0.9.8j-106.21.1.x86_64",
            relates_to_product_reference: "SUSE Linux Enterprise Server for SAP Applications 12 SP2",
         },
         {
            category: "default_component_of",
            full_product_name: {
               name: "libopenssl0_9_8-0.9.8j-106.21.1.x86_64 as component of SUSE Linux Enterprise Server for SAP Applications 12 SP3",
               product_id: "SUSE Linux Enterprise Server for SAP Applications 12 SP3:libopenssl0_9_8-0.9.8j-106.21.1.x86_64",
            },
            product_reference: "libopenssl0_9_8-0.9.8j-106.21.1.x86_64",
            relates_to_product_reference: "SUSE Linux Enterprise Server for SAP Applications 12 SP3",
         },
         {
            category: "default_component_of",
            full_product_name: {
               name: "libopenssl0_9_8-0.9.8j-106.21.1.x86_64 as component of SUSE Linux Enterprise Server for SAP Applications 12 SP4",
               product_id: "SUSE Linux Enterprise Server for SAP Applications 12 SP4:libopenssl0_9_8-0.9.8j-106.21.1.x86_64",
            },
            product_reference: "libopenssl0_9_8-0.9.8j-106.21.1.x86_64",
            relates_to_product_reference: "SUSE Linux Enterprise Server for SAP Applications 12 SP4",
         },
         {
            category: "default_component_of",
            full_product_name: {
               name: "libopenssl0_9_8-0.9.8j-106.21.1.x86_64 as component of SUSE Linux Enterprise Server for SAP Applications 12 SP5",
               product_id: "SUSE Linux Enterprise Server for SAP Applications 12 SP5:libopenssl0_9_8-0.9.8j-106.21.1.x86_64",
            },
            product_reference: "libopenssl0_9_8-0.9.8j-106.21.1.x86_64",
            relates_to_product_reference: "SUSE Linux Enterprise Server for SAP Applications 12 SP5",
         },
      ],
   },
   vulnerabilities: [
      {
         cve: "CVE-2019-1563",
         ids: [
            {
               system_name: "SUSE CVE Page",
               text: "https://www.suse.com/security/cve/CVE-2019-1563",
            },
         ],
         notes: [
            {
               category: "general",
               text: "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
               title: "CVE description",
            },
         ],
         product_status: {
            recommended: [
               "SUSE Linux Enterprise Module for Legacy 12:libopenssl0_9_8-0.9.8j-106.21.1.s390x",
               "SUSE Linux Enterprise Module for Legacy 12:libopenssl0_9_8-0.9.8j-106.21.1.x86_64",
               "SUSE Linux Enterprise Module for Legacy 12:libopenssl0_9_8-32bit-0.9.8j-106.21.1.s390x",
               "SUSE Linux Enterprise Module for Legacy 12:libopenssl0_9_8-32bit-0.9.8j-106.21.1.x86_64",
               "SUSE Linux Enterprise Server for SAP Applications 12 SP2:libopenssl0_9_8-0.9.8j-106.21.1.x86_64",
               "SUSE Linux Enterprise Server for SAP Applications 12 SP3:libopenssl0_9_8-0.9.8j-106.21.1.x86_64",
               "SUSE Linux Enterprise Server for SAP Applications 12 SP4:libopenssl0_9_8-0.9.8j-106.21.1.x86_64",
               "SUSE Linux Enterprise Server for SAP Applications 12 SP5:libopenssl0_9_8-0.9.8j-106.21.1.x86_64",
            ],
         },
         references: [
            {
               category: "external",
               summary: "CVE-2019-1563",
               url: "https://www.suse.com/security/cve/CVE-2019-1563",
            },
            {
               category: "external",
               summary: "SUSE Bug 1150250 for CVE-2019-1563",
               url: "https://bugzilla.suse.com/1150250",
            },
            {
               category: "external",
               summary: "SUSE Bug 1154162 for CVE-2019-1563",
               url: "https://bugzilla.suse.com/1154162",
            },
            {
               category: "external",
               summary: "SUSE Bug 1156430 for CVE-2019-1563",
               url: "https://bugzilla.suse.com/1156430",
            },
            {
               category: "external",
               summary: "SUSE Bug 1205621 for CVE-2019-1563",
               url: "https://bugzilla.suse.com/1205621",
            },
         ],
         remediations: [
            {
               category: "vendor_fix",
               details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
               product_ids: [
                  "SUSE Linux Enterprise Module for Legacy 12:libopenssl0_9_8-0.9.8j-106.21.1.s390x",
                  "SUSE Linux Enterprise Module for Legacy 12:libopenssl0_9_8-0.9.8j-106.21.1.x86_64",
                  "SUSE Linux Enterprise Module for Legacy 12:libopenssl0_9_8-32bit-0.9.8j-106.21.1.s390x",
                  "SUSE Linux Enterprise Module for Legacy 12:libopenssl0_9_8-32bit-0.9.8j-106.21.1.x86_64",
                  "SUSE Linux Enterprise Server for SAP Applications 12 SP2:libopenssl0_9_8-0.9.8j-106.21.1.x86_64",
                  "SUSE Linux Enterprise Server for SAP Applications 12 SP3:libopenssl0_9_8-0.9.8j-106.21.1.x86_64",
                  "SUSE Linux Enterprise Server for SAP Applications 12 SP4:libopenssl0_9_8-0.9.8j-106.21.1.x86_64",
                  "SUSE Linux Enterprise Server for SAP Applications 12 SP5:libopenssl0_9_8-0.9.8j-106.21.1.x86_64",
               ],
            },
         ],
         scores: [
            {
               cvss_v3: {
                  baseScore: 5.3,
                  baseSeverity: "MEDIUM",
                  vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N",
                  version: "3.0",
               },
               products: [
                  "SUSE Linux Enterprise Module for Legacy 12:libopenssl0_9_8-0.9.8j-106.21.1.s390x",
                  "SUSE Linux Enterprise Module for Legacy 12:libopenssl0_9_8-0.9.8j-106.21.1.x86_64",
                  "SUSE Linux Enterprise Module for Legacy 12:libopenssl0_9_8-32bit-0.9.8j-106.21.1.s390x",
                  "SUSE Linux Enterprise Module for Legacy 12:libopenssl0_9_8-32bit-0.9.8j-106.21.1.x86_64",
                  "SUSE Linux Enterprise Server for SAP Applications 12 SP2:libopenssl0_9_8-0.9.8j-106.21.1.x86_64",
                  "SUSE Linux Enterprise Server for SAP Applications 12 SP3:libopenssl0_9_8-0.9.8j-106.21.1.x86_64",
                  "SUSE Linux Enterprise Server for SAP Applications 12 SP4:libopenssl0_9_8-0.9.8j-106.21.1.x86_64",
                  "SUSE Linux Enterprise Server for SAP Applications 12 SP5:libopenssl0_9_8-0.9.8j-106.21.1.x86_64",
               ],
            },
         ],
         threats: [
            {
               category: "impact",
               date: "2020-09-15T09:19:00Z",
               details: "moderate",
            },
         ],
         title: "CVE-2019-1563",
      },
      {
         cve: "CVE-2020-1968",
         ids: [
            {
               system_name: "SUSE CVE Page",
               text: "https://www.suse.com/security/cve/CVE-2020-1968",
            },
         ],
         notes: [
            {
               category: "general",
               text: "The Raccoon attack exploits a flaw in the TLS specification which can lead to an attacker being able to compute the pre-master secret in connections which have used a Diffie-Hellman (DH) based ciphersuite. In such a case this would result in the attacker being able to eavesdrop on all encrypted communications sent over that TLS connection. The attack can only be exploited if an implementation re-uses a DH secret across multiple TLS connections. Note that this issue only impacts DH ciphersuites and not ECDH ciphersuites. This issue affects OpenSSL 1.0.2 which is out of support and no longer receiving public updates. OpenSSL 1.1.1 is not vulnerable to this issue. Fixed in OpenSSL 1.0.2w (Affected 1.0.2-1.0.2v).",
               title: "CVE description",
            },
         ],
         product_status: {
            recommended: [
               "SUSE Linux Enterprise Module for Legacy 12:libopenssl0_9_8-0.9.8j-106.21.1.s390x",
               "SUSE Linux Enterprise Module for Legacy 12:libopenssl0_9_8-0.9.8j-106.21.1.x86_64",
               "SUSE Linux Enterprise Module for Legacy 12:libopenssl0_9_8-32bit-0.9.8j-106.21.1.s390x",
               "SUSE Linux Enterprise Module for Legacy 12:libopenssl0_9_8-32bit-0.9.8j-106.21.1.x86_64",
               "SUSE Linux Enterprise Server for SAP Applications 12 SP2:libopenssl0_9_8-0.9.8j-106.21.1.x86_64",
               "SUSE Linux Enterprise Server for SAP Applications 12 SP3:libopenssl0_9_8-0.9.8j-106.21.1.x86_64",
               "SUSE Linux Enterprise Server for SAP Applications 12 SP4:libopenssl0_9_8-0.9.8j-106.21.1.x86_64",
               "SUSE Linux Enterprise Server for SAP Applications 12 SP5:libopenssl0_9_8-0.9.8j-106.21.1.x86_64",
            ],
         },
         references: [
            {
               category: "external",
               summary: "CVE-2020-1968",
               url: "https://www.suse.com/security/cve/CVE-2020-1968",
            },
            {
               category: "external",
               summary: "SUSE Bug 1176331 for CVE-2020-1968",
               url: "https://bugzilla.suse.com/1176331",
            },
            {
               category: "external",
               summary: "SUSE Bug 1177243 for CVE-2020-1968",
               url: "https://bugzilla.suse.com/1177243",
            },
         ],
         remediations: [
            {
               category: "vendor_fix",
               details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
               product_ids: [
                  "SUSE Linux Enterprise Module for Legacy 12:libopenssl0_9_8-0.9.8j-106.21.1.s390x",
                  "SUSE Linux Enterprise Module for Legacy 12:libopenssl0_9_8-0.9.8j-106.21.1.x86_64",
                  "SUSE Linux Enterprise Module for Legacy 12:libopenssl0_9_8-32bit-0.9.8j-106.21.1.s390x",
                  "SUSE Linux Enterprise Module for Legacy 12:libopenssl0_9_8-32bit-0.9.8j-106.21.1.x86_64",
                  "SUSE Linux Enterprise Server for SAP Applications 12 SP2:libopenssl0_9_8-0.9.8j-106.21.1.x86_64",
                  "SUSE Linux Enterprise Server for SAP Applications 12 SP3:libopenssl0_9_8-0.9.8j-106.21.1.x86_64",
                  "SUSE Linux Enterprise Server for SAP Applications 12 SP4:libopenssl0_9_8-0.9.8j-106.21.1.x86_64",
                  "SUSE Linux Enterprise Server for SAP Applications 12 SP5:libopenssl0_9_8-0.9.8j-106.21.1.x86_64",
               ],
            },
         ],
         scores: [
            {
               cvss_v3: {
                  baseScore: 5.3,
                  baseSeverity: "MEDIUM",
                  vectorString: "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
                  version: "3.1",
               },
               products: [
                  "SUSE Linux Enterprise Module for Legacy 12:libopenssl0_9_8-0.9.8j-106.21.1.s390x",
                  "SUSE Linux Enterprise Module for Legacy 12:libopenssl0_9_8-0.9.8j-106.21.1.x86_64",
                  "SUSE Linux Enterprise Module for Legacy 12:libopenssl0_9_8-32bit-0.9.8j-106.21.1.s390x",
                  "SUSE Linux Enterprise Module for Legacy 12:libopenssl0_9_8-32bit-0.9.8j-106.21.1.x86_64",
                  "SUSE Linux Enterprise Server for SAP Applications 12 SP2:libopenssl0_9_8-0.9.8j-106.21.1.x86_64",
                  "SUSE Linux Enterprise Server for SAP Applications 12 SP3:libopenssl0_9_8-0.9.8j-106.21.1.x86_64",
                  "SUSE Linux Enterprise Server for SAP Applications 12 SP4:libopenssl0_9_8-0.9.8j-106.21.1.x86_64",
                  "SUSE Linux Enterprise Server for SAP Applications 12 SP5:libopenssl0_9_8-0.9.8j-106.21.1.x86_64",
               ],
            },
         ],
         threats: [
            {
               category: "impact",
               date: "2020-09-15T09:19:00Z",
               details: "moderate",
            },
         ],
         title: "CVE-2020-1968",
      },
   ],
}

cve-2019-1563

Vulnerability from cvelistv5

Published

2019-09-10 16:58

Modified

2024-09-17 01:11

Severity ?

Summary

In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).

References

▼	URL	Tags
	https://seclists.org/bugtraq/2019/Sep/25	mailing-list, x_refsource_BUGTRAQ
	http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00054.html	vendor-advisory, x_refsource_SUSE
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/	vendor-advisory, x_refsource_FEDORA
	http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00072.html	vendor-advisory, x_refsource_SUSE
	https://lists.debian.org/debian-lts-announce/2019/09/msg00026.html	mailing-list, x_refsource_MLIST
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/	vendor-advisory, x_refsource_FEDORA
	https://seclists.org/bugtraq/2019/Oct/1	mailing-list, x_refsource_BUGTRAQ
	https://seclists.org/bugtraq/2019/Oct/0	mailing-list, x_refsource_BUGTRAQ
	https://www.debian.org/security/2019/dsa-4539	vendor-advisory, x_refsource_DEBIAN
	https://www.debian.org/security/2019/dsa-4540	vendor-advisory, x_refsource_DEBIAN
	http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00012.html	vendor-advisory, x_refsource_SUSE
	http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00016.html	vendor-advisory, x_refsource_SUSE
	https://security.gentoo.org/glsa/201911-04	vendor-advisory, x_refsource_GENTOO
	https://usn.ubuntu.com/4376-1/	vendor-advisory, x_refsource_UBUNTU
	https://www.oracle.com/security-alerts/cpuapr2020.html	x_refsource_MISC
	https://www.oracle.com/security-alerts/cpujul2020.html	x_refsource_MISC
	https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html	x_refsource_MISC
	https://www.oracle.com/security-alerts/cpujan2020.html	x_refsource_MISC
	https://www.openssl.org/news/secadv/20190910.txt	x_refsource_CONFIRM
	http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html	x_refsource_MISC
	https://security.netapp.com/advisory/ntap-20190919-0002/	x_refsource_CONFIRM
	https://www.tenable.com/security/tns-2019-09	x_refsource_CONFIRM
	https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=08229ad838c50f644d7e928e2eef147b4308ad64	x_refsource_CONFIRM
	https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=631f94db0065c78181ca9ba5546ebc8bb3884b97	x_refsource_CONFIRM
	https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f	x_refsource_CONFIRM
	https://support.f5.com/csp/article/K97324400?utm_source=f5support&amp%3Butm_medium=RSS	x_refsource_CONFIRM
	https://usn.ubuntu.com/4376-2/	vendor-advisory, x_refsource_UBUNTU
	https://usn.ubuntu.com/4504-1/	vendor-advisory, x_refsource_UBUNTU
	https://www.oracle.com/security-alerts/cpuoct2020.html	x_refsource_MISC
	https://kc.mcafee.com/corporate/index?page=content&id=SB10365	x_refsource_CONFIRM

Impacted products

	Vendor	Product	Version
	OpenSSL	OpenSSL	Version: Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c) Version: Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k) Version: Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s)

Show details on NVD website

JSON

To clipboard

{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-04T18:20:28.307Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  name: "20190912 [slackware-security] openssl (SSA:2019-254-03)",
                  tags: [
                     "mailing-list",
                     "x_refsource_BUGTRAQ",
                     "x_transferred",
                  ],
                  url: "https://seclists.org/bugtraq/2019/Sep/25",
               },
               {
                  name: "openSUSE-SU-2019:2158",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_SUSE",
                     "x_transferred",
                  ],
                  url: "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00054.html",
               },
               {
                  name: "FEDORA-2019-d15aac6c4e",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_FEDORA",
                     "x_transferred",
                  ],
                  url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/",
               },
               {
                  name: "openSUSE-SU-2019:2189",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_SUSE",
                     "x_transferred",
                  ],
                  url: "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00072.html",
               },
               {
                  name: "[debian-lts-announce] 20190925 [SECURITY] [DLA 1932-1] openssl security update",
                  tags: [
                     "mailing-list",
                     "x_refsource_MLIST",
                     "x_transferred",
                  ],
                  url: "https://lists.debian.org/debian-lts-announce/2019/09/msg00026.html",
               },
               {
                  name: "FEDORA-2019-d51641f152",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_FEDORA",
                     "x_transferred",
                  ],
                  url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/",
               },
               {
                  name: "20191001 [SECURITY] [DSA 4539-1] openssl security update",
                  tags: [
                     "mailing-list",
                     "x_refsource_BUGTRAQ",
                     "x_transferred",
                  ],
                  url: "https://seclists.org/bugtraq/2019/Oct/1",
               },
               {
                  name: "20191001 [SECURITY] [DSA 4540-1] openssl1.0 security update",
                  tags: [
                     "mailing-list",
                     "x_refsource_BUGTRAQ",
                     "x_transferred",
                  ],
                  url: "https://seclists.org/bugtraq/2019/Oct/0",
               },
               {
                  name: "DSA-4539",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_DEBIAN",
                     "x_transferred",
                  ],
                  url: "https://www.debian.org/security/2019/dsa-4539",
               },
               {
                  name: "DSA-4540",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_DEBIAN",
                     "x_transferred",
                  ],
                  url: "https://www.debian.org/security/2019/dsa-4540",
               },
               {
                  name: "openSUSE-SU-2019:2268",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_SUSE",
                     "x_transferred",
                  ],
                  url: "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00012.html",
               },
               {
                  name: "openSUSE-SU-2019:2269",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_SUSE",
                     "x_transferred",
                  ],
                  url: "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00016.html",
               },
               {
                  name: "GLSA-201911-04",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_GENTOO",
                     "x_transferred",
                  ],
                  url: "https://security.gentoo.org/glsa/201911-04",
               },
               {
                  name: "USN-4376-1",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_UBUNTU",
                     "x_transferred",
                  ],
                  url: "https://usn.ubuntu.com/4376-1/",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://www.oracle.com/security-alerts/cpuapr2020.html",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://www.oracle.com/security-alerts/cpujul2020.html",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://www.oracle.com/security-alerts/cpujan2020.html",
               },
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "https://www.openssl.org/news/secadv/20190910.txt",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
               },
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "https://security.netapp.com/advisory/ntap-20190919-0002/",
               },
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "https://www.tenable.com/security/tns-2019-09",
               },
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=08229ad838c50f644d7e928e2eef147b4308ad64",
               },
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=631f94db0065c78181ca9ba5546ebc8bb3884b97",
               },
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f",
               },
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "https://support.f5.com/csp/article/K97324400?utm_source=f5support&amp%3Butm_medium=RSS",
               },
               {
                  name: "USN-4376-2",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_UBUNTU",
                     "x_transferred",
                  ],
                  url: "https://usn.ubuntu.com/4376-2/",
               },
               {
                  name: "USN-4504-1",
                  tags: [
                     "vendor-advisory",
                     "x_refsource_UBUNTU",
                     "x_transferred",
                  ],
                  url: "https://usn.ubuntu.com/4504-1/",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://www.oracle.com/security-alerts/cpuoct2020.html",
               },
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "https://kc.mcafee.com/corporate/index?page=content&id=SB10365",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "OpenSSL",
               vendor: "OpenSSL",
               versions: [
                  {
                     status: "affected",
                     version: "Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c)",
                  },
                  {
                     status: "affected",
                     version: "Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k)",
                  },
                  {
                     status: "affected",
                     version: "Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s)",
                  },
               ],
            },
         ],
         credits: [
            {
               lang: "en",
               value: "Bernd Edlinger",
            },
         ],
         datePublic: "2019-09-10T00:00:00",
         descriptions: [
            {
               lang: "en",
               value: "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
            },
         ],
         metrics: [
            {
               other: {
                  content: {
                     lang: "eng",
                     url: "https://www.openssl.org/policies/secpolicy.html#Low",
                     value: "Low",
                  },
                  type: "unknown",
               },
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     description: "Padding Oracle",
                     lang: "en",
                     type: "text",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2021-07-31T07:06:42",
            orgId: "3a12439a-ef3a-4c79-92e6-6081a721f1e5",
            shortName: "openssl",
         },
         references: [
            {
               name: "20190912 [slackware-security] openssl (SSA:2019-254-03)",
               tags: [
                  "mailing-list",
                  "x_refsource_BUGTRAQ",
               ],
               url: "https://seclists.org/bugtraq/2019/Sep/25",
            },
            {
               name: "openSUSE-SU-2019:2158",
               tags: [
                  "vendor-advisory",
                  "x_refsource_SUSE",
               ],
               url: "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00054.html",
            },
            {
               name: "FEDORA-2019-d15aac6c4e",
               tags: [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
               ],
               url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/",
            },
            {
               name: "openSUSE-SU-2019:2189",
               tags: [
                  "vendor-advisory",
                  "x_refsource_SUSE",
               ],
               url: "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00072.html",
            },
            {
               name: "[debian-lts-announce] 20190925 [SECURITY] [DLA 1932-1] openssl security update",
               tags: [
                  "mailing-list",
                  "x_refsource_MLIST",
               ],
               url: "https://lists.debian.org/debian-lts-announce/2019/09/msg00026.html",
            },
            {
               name: "FEDORA-2019-d51641f152",
               tags: [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
               ],
               url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/",
            },
            {
               name: "20191001 [SECURITY] [DSA 4539-1] openssl security update",
               tags: [
                  "mailing-list",
                  "x_refsource_BUGTRAQ",
               ],
               url: "https://seclists.org/bugtraq/2019/Oct/1",
            },
            {
               name: "20191001 [SECURITY] [DSA 4540-1] openssl1.0 security update",
               tags: [
                  "mailing-list",
                  "x_refsource_BUGTRAQ",
               ],
               url: "https://seclists.org/bugtraq/2019/Oct/0",
            },
            {
               name: "DSA-4539",
               tags: [
                  "vendor-advisory",
                  "x_refsource_DEBIAN",
               ],
               url: "https://www.debian.org/security/2019/dsa-4539",
            },
            {
               name: "DSA-4540",
               tags: [
                  "vendor-advisory",
                  "x_refsource_DEBIAN",
               ],
               url: "https://www.debian.org/security/2019/dsa-4540",
            },
            {
               name: "openSUSE-SU-2019:2268",
               tags: [
                  "vendor-advisory",
                  "x_refsource_SUSE",
               ],
               url: "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00012.html",
            },
            {
               name: "openSUSE-SU-2019:2269",
               tags: [
                  "vendor-advisory",
                  "x_refsource_SUSE",
               ],
               url: "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00016.html",
            },
            {
               name: "GLSA-201911-04",
               tags: [
                  "vendor-advisory",
                  "x_refsource_GENTOO",
               ],
               url: "https://security.gentoo.org/glsa/201911-04",
            },
            {
               name: "USN-4376-1",
               tags: [
                  "vendor-advisory",
                  "x_refsource_UBUNTU",
               ],
               url: "https://usn.ubuntu.com/4376-1/",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://www.oracle.com/security-alerts/cpuapr2020.html",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://www.oracle.com/security-alerts/cpujul2020.html",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://www.oracle.com/security-alerts/cpujan2020.html",
            },
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://www.openssl.org/news/secadv/20190910.txt",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
            },
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://security.netapp.com/advisory/ntap-20190919-0002/",
            },
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://www.tenable.com/security/tns-2019-09",
            },
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=08229ad838c50f644d7e928e2eef147b4308ad64",
            },
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=631f94db0065c78181ca9ba5546ebc8bb3884b97",
            },
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f",
            },
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://support.f5.com/csp/article/K97324400?utm_source=f5support&amp%3Butm_medium=RSS",
            },
            {
               name: "USN-4376-2",
               tags: [
                  "vendor-advisory",
                  "x_refsource_UBUNTU",
               ],
               url: "https://usn.ubuntu.com/4376-2/",
            },
            {
               name: "USN-4504-1",
               tags: [
                  "vendor-advisory",
                  "x_refsource_UBUNTU",
               ],
               url: "https://usn.ubuntu.com/4504-1/",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://www.oracle.com/security-alerts/cpuoct2020.html",
            },
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://kc.mcafee.com/corporate/index?page=content&id=SB10365",
            },
         ],
         title: "Padding Oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
         x_legacyV4Record: {
            CVE_data_meta: {
               ASSIGNER: "openssl-security@openssl.org",
               DATE_PUBLIC: "2019-09-10",
               ID: "CVE-2019-1563",
               STATE: "PUBLIC",
               TITLE: "Padding Oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey",
            },
            affects: {
               vendor: {
                  vendor_data: [
                     {
                        product: {
                           product_data: [
                              {
                                 product_name: "OpenSSL",
                                 version: {
                                    version_data: [
                                       {
                                          version_value: "Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c)",
                                       },
                                       {
                                          version_value: "Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k)",
                                       },
                                       {
                                          version_value: "Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s)",
                                       },
                                    ],
                                 },
                              },
                           ],
                        },
                        vendor_name: "OpenSSL",
                     },
                  ],
               },
            },
            credit: [
               {
                  lang: "eng",
                  value: "Bernd Edlinger",
               },
            ],
            data_format: "MITRE",
            data_type: "CVE",
            data_version: "4.0",
            description: {
               description_data: [
                  {
                     lang: "eng",
                     value: "In situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker, after sending a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack. Applications are not affected if they use a certificate together with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).",
                  },
               ],
            },
            impact: [
               {
                  lang: "eng",
                  url: "https://www.openssl.org/policies/secpolicy.html#Low",
                  value: "Low",
               },
            ],
            problemtype: {
               problemtype_data: [
                  {
                     description: [
                        {
                           lang: "eng",
                           value: "Padding Oracle",
                        },
                     ],
                  },
               ],
            },
            references: {
               reference_data: [
                  {
                     name: "20190912 [slackware-security] openssl (SSA:2019-254-03)",
                     refsource: "BUGTRAQ",
                     url: "https://seclists.org/bugtraq/2019/Sep/25",
                  },
                  {
                     name: "openSUSE-SU-2019:2158",
                     refsource: "SUSE",
                     url: "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00054.html",
                  },
                  {
                     name: "FEDORA-2019-d15aac6c4e",
                     refsource: "FEDORA",
                     url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/",
                  },
                  {
                     name: "openSUSE-SU-2019:2189",
                     refsource: "SUSE",
                     url: "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00072.html",
                  },
                  {
                     name: "[debian-lts-announce] 20190925 [SECURITY] [DLA 1932-1] openssl security update",
                     refsource: "MLIST",
                     url: "https://lists.debian.org/debian-lts-announce/2019/09/msg00026.html",
                  },
                  {
                     name: "FEDORA-2019-d51641f152",
                     refsource: "FEDORA",
                     url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/",
                  },
                  {
                     name: "20191001 [SECURITY] [DSA 4539-1] openssl security update",
                     refsource: "BUGTRAQ",
                     url: "https://seclists.org/bugtraq/2019/Oct/1",
                  },
                  {
                     name: "20191001 [SECURITY] [DSA 4540-1] openssl1.0 security update",
                     refsource: "BUGTRAQ",
                     url: "https://seclists.org/bugtraq/2019/Oct/0",
                  },
                  {
                     name: "DSA-4539",
                     refsource: "DEBIAN",
                     url: "https://www.debian.org/security/2019/dsa-4539",
                  },
                  {
                     name: "DSA-4540",
                     refsource: "DEBIAN",
                     url: "https://www.debian.org/security/2019/dsa-4540",
                  },
                  {
                     name: "openSUSE-SU-2019:2268",
                     refsource: "SUSE",
                     url: "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00012.html",
                  },
                  {
                     name: "openSUSE-SU-2019:2269",
                     refsource: "SUSE",
                     url: "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00016.html",
                  },
                  {
                     name: "GLSA-201911-04",
                     refsource: "GENTOO",
                     url: "https://security.gentoo.org/glsa/201911-04",
                  },
                  {
                     name: "USN-4376-1",
                     refsource: "UBUNTU",
                     url: "https://usn.ubuntu.com/4376-1/",
                  },
                  {
                     name: "https://www.oracle.com/security-alerts/cpuapr2020.html",
                     refsource: "MISC",
                     url: "https://www.oracle.com/security-alerts/cpuapr2020.html",
                  },
                  {
                     name: "https://www.oracle.com/security-alerts/cpujul2020.html",
                     refsource: "MISC",
                     url: "https://www.oracle.com/security-alerts/cpujul2020.html",
                  },
                  {
                     name: "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html",
                     refsource: "MISC",
                     url: "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html",
                  },
                  {
                     name: "https://www.oracle.com/security-alerts/cpujan2020.html",
                     refsource: "MISC",
                     url: "https://www.oracle.com/security-alerts/cpujan2020.html",
                  },
                  {
                     name: "https://www.openssl.org/news/secadv/20190910.txt",
                     refsource: "CONFIRM",
                     url: "https://www.openssl.org/news/secadv/20190910.txt",
                  },
                  {
                     name: "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
                     refsource: "MISC",
                     url: "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html",
                  },
                  {
                     name: "https://security.netapp.com/advisory/ntap-20190919-0002/",
                     refsource: "CONFIRM",
                     url: "https://security.netapp.com/advisory/ntap-20190919-0002/",
                  },
                  {
                     name: "https://www.tenable.com/security/tns-2019-09",
                     refsource: "CONFIRM",
                     url: "https://www.tenable.com/security/tns-2019-09",
                  },
                  {
                     name: "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64",
                     refsource: "CONFIRM",
                     url: "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=08229ad838c50f644d7e928e2eef147b4308ad64",
                  },
                  {
                     name: "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97",
                     refsource: "CONFIRM",
                     url: "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=631f94db0065c78181ca9ba5546ebc8bb3884b97",
                  },
                  {
                     name: "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f",
                     refsource: "CONFIRM",
                     url: "https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e21f8cf78a125cd3c8c0d1a1a6c8bb0b901f893f",
                  },
                  {
                     name: "https://support.f5.com/csp/article/K97324400?utm_source=f5support&amp;utm_medium=RSS",
                     refsource: "CONFIRM",
                     url: "https://support.f5.com/csp/article/K97324400?utm_source=f5support&amp;utm_medium=RSS",
                  },
                  {
                     name: "USN-4376-2",
                     refsource: "UBUNTU",
                     url: "https://usn.ubuntu.com/4376-2/",
                  },
                  {
                     name: "USN-4504-1",
                     refsource: "UBUNTU",
                     url: "https://usn.ubuntu.com/4504-1/",
                  },
                  {
                     name: "https://www.oracle.com/security-alerts/cpuoct2020.html",
                     refsource: "MISC",
                     url: "https://www.oracle.com/security-alerts/cpuoct2020.html",
                  },
                  {
                     name: "https://kc.mcafee.com/corporate/index?page=content&id=SB10365",
                     refsource: "CONFIRM",
                     url: "https://kc.mcafee.com/corporate/index?page=content&id=SB10365",
                  },
               ],
            },
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "3a12439a-ef3a-4c79-92e6-6081a721f1e5",
      assignerShortName: "openssl",
      cveId: "CVE-2019-1563",
      datePublished: "2019-09-10T16:58:35.407714Z",
      dateReserved: "2018-11-28T00:00:00",
      dateUpdated: "2024-09-17T01:11:46.014Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2020-1968

Vulnerability from cvelistv5

Published

2020-09-09 13:50

Modified

2024-09-16 19:50

Severity ?

Summary

The Raccoon attack exploits a flaw in the TLS specification which can lead to an attacker being able to compute the pre-master secret in connections which have used a Diffie-Hellman (DH) based ciphersuite. In such a case this would result in the attacker being able to eavesdrop on all encrypted communications sent over that TLS connection. The attack can only be exploited if an implementation re-uses a DH secret across multiple TLS connections. Note that this issue only impacts DH ciphersuites and not ECDH ciphersuites. This issue affects OpenSSL 1.0.2 which is out of support and no longer receiving public updates. OpenSSL 1.1.1 is not vulnerable to this issue. Fixed in OpenSSL 1.0.2w (Affected 1.0.2-1.0.2v).

References

▼	URL	Tags
	https://www.openssl.org/news/secadv/20200909.txt
	https://usn.ubuntu.com/4504-1/	vendor-advisory
	https://lists.debian.org/debian-lts-announce/2020/09/msg00016.html	mailing-list
	https://www.oracle.com/security-alerts/cpujan2021.html
	https://security.netapp.com/advisory/ntap-20200911-0004/
	https://www.oracle.com/security-alerts/cpuApr2021.html
	https://www.oracle.com//security-alerts/cpujul2021.html
	https://www.oracle.com/security-alerts/cpuoct2021.html
	https://www.oracle.com/security-alerts/cpuapr2022.html
	https://security.gentoo.org/glsa/202210-02	vendor-advisory

Impacted products

	Vendor	Product	Version
	OpenSSL	OpenSSL	Version: Fixed in OpenSSL 1.0.2w (Affected 1.0.2-1.0.2v)

Show details on NVD website

JSON

To clipboard

{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-04T06:54:00.367Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://www.openssl.org/news/secadv/20200909.txt",
               },
               {
                  name: "USN-4504-1",
                  tags: [
                     "vendor-advisory",
                     "x_transferred",
                  ],
                  url: "https://usn.ubuntu.com/4504-1/",
               },
               {
                  name: "[debian-lts-announce] 20200925 [SECURITY] [DLA 2378-1] openssl1.0 security update",
                  tags: [
                     "mailing-list",
                     "x_transferred",
                  ],
                  url: "https://lists.debian.org/debian-lts-announce/2020/09/msg00016.html",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://www.oracle.com/security-alerts/cpujan2021.html",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://security.netapp.com/advisory/ntap-20200911-0004/",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://www.oracle.com/security-alerts/cpuApr2021.html",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://www.oracle.com//security-alerts/cpujul2021.html",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://www.oracle.com/security-alerts/cpuoct2021.html",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://www.oracle.com/security-alerts/cpuapr2022.html",
               },
               {
                  name: "GLSA-202210-02",
                  tags: [
                     "vendor-advisory",
                     "x_transferred",
                  ],
                  url: "https://security.gentoo.org/glsa/202210-02",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "OpenSSL",
               vendor: "OpenSSL",
               versions: [
                  {
                     status: "affected",
                     version: "Fixed in OpenSSL 1.0.2w (Affected 1.0.2-1.0.2v)",
                  },
               ],
            },
         ],
         credits: [
            {
               lang: "en",
               value: "Robert Merget, Marcus Brinkmann, Nimrod Aviram, and Juraj Somorovsky",
            },
         ],
         datePublic: "2020-09-09T00:00:00",
         descriptions: [
            {
               lang: "en",
               value: "The Raccoon attack exploits a flaw in the TLS specification which can lead to an attacker being able to compute the pre-master secret in connections which have used a Diffie-Hellman (DH) based ciphersuite. In such a case this would result in the attacker being able to eavesdrop on all encrypted communications sent over that TLS connection. The attack can only be exploited if an implementation re-uses a DH secret across multiple TLS connections. Note that this issue only impacts DH ciphersuites and not ECDH ciphersuites. This issue affects OpenSSL 1.0.2 which is out of support and no longer receiving public updates. OpenSSL 1.1.1 is not vulnerable to this issue. Fixed in OpenSSL 1.0.2w (Affected 1.0.2-1.0.2v).",
            },
         ],
         metrics: [
            {
               other: {
                  content: {
                     lang: "eng",
                     url: "https://www.openssl.org/policies/secpolicy.html#Low",
                     value: "Low",
                  },
                  type: "unknown",
               },
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     description: "Protocol flaw",
                     lang: "en",
                     type: "text",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2022-10-16T00:00:00",
            orgId: "3a12439a-ef3a-4c79-92e6-6081a721f1e5",
            shortName: "openssl",
         },
         references: [
            {
               url: "https://www.openssl.org/news/secadv/20200909.txt",
            },
            {
               name: "USN-4504-1",
               tags: [
                  "vendor-advisory",
               ],
               url: "https://usn.ubuntu.com/4504-1/",
            },
            {
               name: "[debian-lts-announce] 20200925 [SECURITY] [DLA 2378-1] openssl1.0 security update",
               tags: [
                  "mailing-list",
               ],
               url: "https://lists.debian.org/debian-lts-announce/2020/09/msg00016.html",
            },
            {
               url: "https://www.oracle.com/security-alerts/cpujan2021.html",
            },
            {
               url: "https://security.netapp.com/advisory/ntap-20200911-0004/",
            },
            {
               url: "https://www.oracle.com/security-alerts/cpuApr2021.html",
            },
            {
               url: "https://www.oracle.com//security-alerts/cpujul2021.html",
            },
            {
               url: "https://www.oracle.com/security-alerts/cpuoct2021.html",
            },
            {
               url: "https://www.oracle.com/security-alerts/cpuapr2022.html",
            },
            {
               name: "GLSA-202210-02",
               tags: [
                  "vendor-advisory",
               ],
               url: "https://security.gentoo.org/glsa/202210-02",
            },
         ],
         title: "Raccoon attack",
      },
   },
   cveMetadata: {
      assignerOrgId: "3a12439a-ef3a-4c79-92e6-6081a721f1e5",
      assignerShortName: "openssl",
      cveId: "CVE-2020-1968",
      datePublished: "2020-09-09T13:50:12.423004Z",
      dateReserved: "2019-12-03T00:00:00",
      dateUpdated: "2024-09-16T19:50:54.434Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

Vulnerability from csaf_suse

cve-2019-1563

Vulnerability from cvelistv5

cve-2020-1968

Vulnerability from cvelistv5

Tags

Sightings

Nomenclature