SB2019091166 - Padding oracle attack in openssl (Alpine package)
Published: September 11, 2019
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 vulnerability.
1) Padding oracle attack (CVE-ID: CVE-2019-1563)
CWE-ID: CWE-310 - Cryptographic Issues
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to perform padding oracle attack.
The vulnerability exists due to possibility to perform a Bleichenbacher padding oracle attack against the RSA key, in situations where an attacker receives automated notification of the success or failure of a decryption attempt an attacker. A remote attacker can send a very large number of messages to be decrypted, can recover a CMS/PKCS7 transported encryption key or decrypt any RSA encrypted message that was encrypted with the public RSA key.
Remediation
Install update from vendor's website.
References
- https://git.alpinelinux.org/aports/commit/?id=ffc9c8f6c5e6f3428ad97cae38f0037d4f0728c6
- https://git.alpinelinux.org/aports/commit/?id=6bf646bbc74a79f821c428aa7bfc0a9b4a931159
- https://git.alpinelinux.org/aports/commit/?id=033f9730873ed7526ced21e72ba16a2937bab220
- https://git.alpinelinux.org/aports/commit/?id=c5a3b0b6d1ecd85d52e16f330be9478aca853348
- https://git.alpinelinux.org/aports/commit/?id=02764f1bda32c4feca91b9bdc3b7870d637ff8a2
- https://git.alpinelinux.org/aports/commit/?id=09a199deeac384bd1f22bb26c2ec5b3bd60257a2
- https://git.alpinelinux.org/aports/commit/?id=95e4899bd4d379e6dde69de81fb0506e00322dec