Fixed in
1.0.3
CVE-2019-1559 is a padding oracle vulnerability discovered in OpenSSL. This flaw arises when SSL_shutdown() is called twice after a fatal protocol error, leading to inconsistent responses based on padding validity. Exploitation can allow an attacker to decrypt data, particularly when using "non-stitched" cipher suites. Affected versions include OpenSSL 1.0.2 through 1.0.2q; a fix is available in OpenSSL 1.0.2r.
The core impact of CVE-2019-1559 is the potential for data decryption. An attacker can exploit this padding oracle by repeatedly sending encrypted data and observing OpenSSL's responses to determine the validity of padding. By analyzing these responses, the attacker can gradually decrypt the underlying data. This vulnerability is particularly concerning for systems handling sensitive information, such as financial transactions or personal data. The use of "non-stitched" cipher suites is a prerequisite for exploitation, limiting the scope but not eliminating the risk. Successful exploitation could lead to unauthorized access to confidential data and compromise the integrity of the system.
CVE-2019-1559 was published on February 27, 2019. There is no indication of active exploitation campaigns targeting this vulnerability. Public Proof-of-Concept (PoC) code exists, demonstrating the feasibility of the padding oracle attack. The vulnerability's impact is contingent on the use of specific cipher suites, which may limit its widespread applicability. The NVD and CISA have published advisories regarding this vulnerability.
Exploit Status
EPSS
6.39% (91st percentile)
The primary mitigation for CVE-2019-1559 is to upgrade to OpenSSL 1.0.2r or later. If an immediate upgrade is not feasible, consider implementing temporary workarounds. These may include disabling or restricting the use of "non-stitched" cipher suites, although this can impact compatibility. Web Application Firewalls (WAFs) or proxy servers can be configured to inspect SSL/TLS traffic for suspicious padding patterns, but this is not a substitute for patching. Sigma rules and YARA patterns targeting OpenSSL padding oracle behavior can be used for detection. After upgrading, confirm the fix by attempting to trigger the vulnerable code path and verifying that the application behaves consistently regardless of padding validity.
Upgrade the OpenSSL library to version 1.0.2r or later. This fixes the padding oracle vulnerability. See the OpenSSL release notes for more details on the upgrade.
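To find which hosts still need that upgrade, the sketch below triages `openssl version` banners against the range given on this page (1.0.2 through 1.0.2q, fixed in 1.0.2r). It is an added example, not code from this page or from the OpenSSL project; the host names, banner samples and result labels are constructed for illustration.

```python
import re

# Range as stated on this page: affected 1.0.2 through 1.0.2q, fixed in 1.0.2r.
# Key layout: (major, minor, patch, number of letters, letters).
FIRST_AFFECTED = (1, 0, 2, 0, "")
FIRST_FIXED = (1, 0, 2, 1, "r")

# Matches e.g. "OpenSSL 1.0.2k-fips  26 Jan 2017" (output of `openssl version`).
_BANNER = re.compile(r"\bOpenSSL (\d+)\.(\d+)\.(\d+)([a-z]{0,2})(?:-([A-Za-z0-9]+))?")


def classify(banner):
    """Classify one banner against the range this page gives for CVE-2019-1559."""
    m = _BANNER.search(banner)
    if m is None:
        return "unknown"  # not an OpenSSL banner (e.g. LibreSSL) or unparseable
    major, minor, patch = (int(g) for g in m.group(1, 2, 3))
    letters, tag = m.group(4), (m.group(5) or "").lower()
    if tag.startswith(("pre", "beta", "dev")):
        return "unknown"  # pre-release builds do not map cleanly onto the range
    # Letter releases sort "" < a..z < za..zz, so compare length before text.
    key = (major, minor, patch, len(letters), letters)
    if FIRST_AFFECTED <= key < FIRST_FIXED:
        # Distribution packages can carry a backported fix under an old version
        # string, so confirm against the vendor advisory before reporting.
        return "in_affected_range"
    return "outside_range"


def triage(inventory):
    """Map each host to its classification."""
    return {host: classify(banner) for host, banner in inventory.items()}


# Constructed inventory (not real scan data).
SAMPLE_INVENTORY = {
    "web-01": "OpenSSL 1.0.2k-fips  26 Jan 2017",
    "web-02": "OpenSSL 1.0.2r  26 Feb 2019",
    "vpn-01": "OpenSSL 1.0.2  22 Jan 2015",
    "api-01": "OpenSSL 1.1.1w  11 Sep 2023",
    "old-01": "OpenSSL 1.0.2zd",
    "mac-01": "LibreSSL 2.8.3",
}

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {verdict}")
```

A result of `in_affected_range` is a prompt to check the package's patch level, not proof of exposure, since the version string alone does not show backported fixes or which cipher suites are enabled.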
It's a padding oracle vulnerability in OpenSSL 1.0.2 that allows attackers to potentially decrypt data by analyzing responses to crafted encrypted requests.
If you are using OpenSSL versions 1.0.2 through 1.0.2q, you are potentially affected. Upgrade to 1.0.2r or later.
Upgrade to OpenSSL 1.0.2r or later. Consider temporary workarounds like disabling non-stitched cipher suites if immediate patching isn't possible.
There's no current evidence of active exploitation campaigns, but PoC code exists, demonstrating the vulnerability's feasibility.
Refer to the OpenSSL security advisory and the National Vulnerability Database (NVD) entry for CVE-2019-1559.