Vulnerabilities > CVE-2019-1559 - Information Exposure Through Discrepancy vulnerability in multiple products

047910
CVSS 5.9 - MEDIUM
Attack vector
NETWORK
Attack complexity
HIGH
Privileges required
NONE
Confidentiality impact
HIGH
Integrity impact
NONE
Availability impact
NONE

Summary

If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 byte record is received with an invalid MAC. If the application then behaves differently based on that in a way that is detectable to the remote peer, then this amounts to a padding oracle that could be used to decrypt data. In order for this to be exploitable "non-stitched" ciphersuites must be in use. Stitched ciphersuites are optimised implementations of certain commonly used ciphersuites. Also the application must call SSL_shutdown() twice even if a protocol error has occurred (applications should not do this but some do anyway). Fixed in OpenSSL 1.0.2r (Affected 1.0.2-1.0.2q).

Vulnerable Configurations

Part Description Count
Application
Openssl
22
Application
Netapp
37
Application
F5
1002
Application
Tenable
95
Application
Mcafee
186
Application
Redhat
3
Application
Oracle
209
Application
Nodejs
73
OS
Canonical
3
OS
Debian
2
OS
Opensuse
3
OS
Netapp
7
OS
Fedoraproject
3
OS
Redhat
9
OS
Paloaltonetworks
66
Hardware
Netapp
8

Common Weakness Enumeration (CWE)

Nessus

  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2019-0658-1.NASL
    descriptionThis update for nodejs4 fixes the following issues : Security issues fixed : CVE-2019-5739: Fixed a potentially attack vector which could lead to Denial of Service when HTTP connection are kept active (bsc#1127533). CVE-2019-5737: Fixed a potentially attack vector which could lead to Denial of Service when HTTP connection are kept active (bsc#1127532). CVE-2019-1559: Fixed OpenSSL 0-byte Record Padding Oracle which under certain circumstances a TLS server can be forced to respond differently to a client and lead to the decryption of the data (bsc#1127080). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id122999
    published2019-03-21
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/122999
    titleSUSE SLES12 Security Update : nodejs4 (SUSE-SU-2019:0658-1)
  • NASL familyFreeBSD Local Security Checks
    NASL idFREEBSD_PKG_B71D71933C5411E9A3F900155D006B02.NASL
    descriptionNode.js reports : Updates are now available for all active Node.js release lines. In addition to fixes for security flaws in Node.js, they also include upgrades of Node.js 6 and 8 to OpenSSL 1.0.2r which contains a fix for a moderate severity security vulnerability. For these releases, we have decided to withhold the fix for the Misinterpretation of Input (CWE-115) flaw mentioned in the original announcement. This flaw is very low severity and we are not satisfied that we had a complete and stable fix ready for release. We will be seeking to address this flaw via alternate mechanisms in the near future. In addition, we have introduced an additional CVE for a change in Node.js 6 that we have decided to classify as a Denial of Service (CWE-400) flaw. We recommend that all Node.js users upgrade to a version listed below as soon as possible. OpenSSL: 0-byte record padding oracle (CVE-2019-1559) OpenSSL 1.0.2r contains a fix for CVE-2019-1559 and is included in the releases for Node.js versions 6 and 8 only. Node.js 10 and 11 are not impacted by this vulnerability as they use newer versions of OpenSSL which do not contain the flaw. Under certain circumstances, a TLS server can be forced to respond differently to a client if a zero-byte record is received with an invalid padding compared to a zero-byte record with an invalid MAC. This can be used as the basis of a padding oracle attack to decrypt data. Only TLS connections using certain ciphersuites executing under certain conditions are exploitable. We are currently unable to determine whether the use of OpenSSL in Node.js exposes this vulnerability. We are taking a cautionary approach and recommend the same for users. For more information, see the advisory and a detailed write-up by the reporters of the vulnerability.
    last seen2020-06-01
    modified2020-06-02
    plugin id122571
    published2019-03-04
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/122571
    titleFreeBSD : Node.js -- multiple vulnerabilities (b71d7193-3c54-11e9-a3f9-00155d006b02)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2019-2471.NASL
    descriptionAn update for openssl is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, as well as a full-strength general-purpose cryptography library. Security Fix(es) : * openssl: 0-byte record padding oracle (CVE-2019-1559) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id127877
    published2019-08-14
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/127877
    titleRHEL 6 : openssl (RHSA-2019:2471)
  • NASL familyAIX Local Security Checks
    NASL idAIX_OPENSSL_ADVISORY30.NASL
    descriptionThe version of OpenSSL installed on the remote AIX host is affected by a side channel attack information disclosure vulnerability.
    last seen2020-06-01
    modified2020-06-02
    plugin id125708
    published2019-06-05
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/125708
    titleAIX OpenSSL Advisory : openssl_advisory30.asc
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2019-9A0A7C0986.NASL
    descriptionPatch for CVE-2018-0737, CVE-2018-0732, CVE-2018-0734, CVE-2019-1552, CVE-2019-1559. https://www.openssl.org/news/vulnerabilities.html Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id129368
    published2019-09-26
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/129368
    titleFedora 29 : 1:compat-openssl10 (2019-9a0a7c0986)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2019-1637.NASL
    descriptionThis update for compat-openssl098 fixes the following issues : - CVE-2019-1559: Fix 0-byte record padding oracle via SSL_shutdown (bsc#1127080) - Reject invalid EC point coordinates (bsc#1131291) - Fixed
    last seen2020-06-01
    modified2020-06-02
    plugin id126327
    published2019-06-28
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/126327
    titleopenSUSE Security Update : compat-openssl098 (openSUSE-2019-1637)
  • NASL familyAmazon Linux Local Security Checks
    NASL idAL2_ALAS-2019-1188.NASL
    descriptionA microprocessor side-channel vulnerability was found on SMT (e.g, Hyper-Threading) architectures. An attacker running a malicious process on the same core of the processor as the victim process can extract certain secret information.(CVE-2018-5407) If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 byte record is received with an invalid MAC. If the application then behaves differently based on that in a way that is detectable to the remote peer, then this amounts to a padding oracle that could be used to decrypt data. In order for this to be exploitable
    last seen2020-06-01
    modified2020-06-02
    plugin id124124
    published2019-04-18
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/124124
    titleAmazon Linux 2 : openssl (ALAS-2019-1188)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2019-DB06EFDEA1.NASL
    descriptionPatch for CVE-2018-0737, CVE-2018-0732, CVE-2018-0734, CVE-2019-1552, CVE-2019-1559. https://www.openssl.org/news/vulnerabilities.html Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id129653
    published2019-10-07
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/129653
    titleFedora 31 : 1:compat-openssl10 (2019-db06efdea1)
  • NASL familyVirtuozzo Local Security Checks
    NASL idVIRTUOZZO_VZLSA-2019-2471.NASL
    descriptionAn update for openssl is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, as well as a full-strength general-purpose cryptography library. Security Fix(es) : * openssl: 0-byte record padding oracle (CVE-2019-1559) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Note that Tenable Network Security has attempted to extract the preceding description block directly from the corresponding Red Hat security advisory. Virtuozzo provides no description for VZLSA advisories. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id128111
    published2019-08-23
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/128111
    titleVirtuozzo 6 : openssl / openssl-devel / openssl-perl / etc (VZLSA-2019-2471)
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2019-2471.NASL
    descriptionAn update for openssl is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, as well as a full-strength general-purpose cryptography library. Security Fix(es) : * openssl: 0-byte record padding oracle (CVE-2019-1559) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id127918
    published2019-08-20
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/127918
    titleCentOS 6 : openssl (CESA-2019:2471)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2019-2439.NASL
    descriptionAn update for rhvm-appliance is now available for Red Hat Virtualization 4 for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The RHV-M Virtual Appliance automates the process of installing and configuring the Red Hat Virtualization Manager. The appliance is available to download as an OVA file from the Customer Portal. The following packages have been upgraded to a later upstream version: rhvm-appliance (4.3). (BZ#1669364, BZ#1684987, BZ#1697231, BZ#1720255) Security Fix(es) : * rsyslog: imptcp: integer overflow when Octet-Counted TCP Framing is enabled (CVE-2018-16881) * openssl: 0-byte record padding oracle (CVE-2019-1559) * undertow: leak credentials to log files UndertowLogger.REQUEST_LOGGER.undertowRequestFailed (CVE-2019-3888) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id127830
    published2019-08-13
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/127830
    titleRHEL 7 : Virtualization Manager (RHSA-2019:2439)
  • NASL familyMisc.
    NASL idORACLE_ENTERPRISE_MANAGER_JUL_2019_CPU.NASL
    descriptionThe version of Oracle Enterprise Manager Cloud Control installed on the remote host is affected by multiple vulnerabilities in Enterprise Manager Base Platform component: - An unspecified vulnerability in the Enterprise Manager Base Platform component of Oracle Enterprise Manager Products Suite (subcomponent: Connector Framework (Apache CXF)), which could allow an unauthenticated, remote attacker to compromise Enterprise Manager Base Platform. (CVE-2018-8039) - An unspecified vulnerability in the Oracle Enterprise Manager Base Platform component of Oracle Enterprise Manager Products Suite (subcomponent: Valid Session (Apache ActiveMQ)), which could allow an unauthenticated, remote attacker to compromise Oracle Enterprise Manager Base Platform. (CVE-2019-0222) - An unspecified vulnerability in the Enterprise Manager Base Platform component of Oracle Enterprise Manager Products Suite (subcomponent: Discovery Framework (OpenSSL)), which could allow and unauthenticated, remote attacker to compromise Enterprise Manager Base Platform. (CVE-2019-1559)
    last seen2020-06-01
    modified2020-06-02
    plugin id126775
    published2019-07-17
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/126775
    titleOracle Enterprise Manager Cloud Control (Jul 2019 CPU)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2019-2304.NASL
    descriptionAn update for openssl is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, as well as a full-strength general-purpose cryptography library. Security Fix(es) : * openssl: 0-byte record padding oracle (CVE-2019-1559) * openssl: timing side channel attack in the DSA signature algorithm (CVE-2018-0734) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.7 Release Notes linked from the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id127710
    published2019-08-12
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/127710
    titleRHEL 7 : openssl (RHSA-2019:2304)
  • NASL familyNewStart CGSL Local Security Checks
    NASL idNEWSTART_CGSL_NS-SA-2020-0019_OPENSSL.NASL
    descriptionThe remote NewStart CGSL host, running version MAIN 4.05, has openssl packages installed that are affected by a vulnerability: - If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 byte record is received with an invalid MAC. If the application then behaves differently based on that in a way that is detectable to the remote peer, then this amounts to a padding oracle that could be used to decrypt data. In order for this to be exploitable non- stitched ciphersuites must be in use. Stitched ciphersuites are optimised implementations of certain commonly used ciphersuites. Also the application must call SSL_shutdown() twice even if a protocol error has occurred (applications should not do this but some do anyway). Fixed in OpenSSL 1.0.2r (Affected 1.0.2-1.0.2q). (CVE-2019-1559) Note that Nessus has not tested for this issue but has instead relied only on the application
    last seen2020-03-18
    modified2020-03-08
    plugin id134318
    published2020-03-08
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/134318
    titleNewStart CGSL MAIN 4.05 : openssl Vulnerability (NS-SA-2020-0019)
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20190813_OPENSSL_ON_SL6_X.NASL
    descriptionSecurity Fix(es) : - openssl: 0-byte record padding oracle (CVE-2019-1559) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
    last seen2020-03-18
    modified2019-08-14
    plugin id127881
    published2019-08-14
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/127881
    titleScientific Linux Security Update : openssl on SL6.x i386/x86_64 (20190813)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2019-1105.NASL
    descriptionThis update for openssl-1_0_0 fixes the following issues : Security issues fixed : - The 9 Lives of Bleichenbacher
    last seen2020-06-01
    modified2020-06-02
    plugin id123652
    published2019-04-03
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/123652
    titleopenSUSE Security Update : openssl-1_0_0 (openSUSE-2019-1105)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2019-1076.NASL
    descriptionThis update for nodejs4 fixes the following issues : Security issues fixed : - CVE-2019-5739: Fixed a potentially attack vector which could lead to Denial of Service when HTTP connection are kept active (bsc#1127533). - CVE-2019-5737: Fixed a potentially attack vector which could lead to Denial of Service when HTTP connection are kept active (bsc#1127532). - CVE-2019-1559: Fixed OpenSSL 0-byte Record Padding Oracle which under certain circumstances a TLS server can be forced to respond differently to a client and lead to the decryption of the data (bsc#1127080).	 This update was imported from the SUSE:SLE-12:Update update project.
    last seen2020-06-01
    modified2020-06-02
    plugin id123495
    published2019-03-29
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/123495
    titleopenSUSE Security Update : nodejs4 (openSUSE-2019-1076)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2019-1173.NASL
    descriptionThis update for nodejs6 to version 6.17.0 fixes the following issues : Security issues fixed : - CVE-2019-5739: Fixed a potentially attack vector which could lead to Denial of Service when HTTP connection are kept active (bsc#1127533). - CVE-2019-5737: Fixed a potentially attack vector which could lead to Denial of Service when HTTP connection are kept active (bsc#1127532). - CVE-2019-1559: Fixed OpenSSL 0-byte Record Padding Oracle which under certain circumstances a TLS server can be forced to respond differently to a client and lead to the decryption of the data (bsc#1127080). Release Notes: https://nodejs.org/en/blog/release/v6.17.0/ This update was imported from the SUSE:SLE-12:Update update project.
    last seen2020-06-01
    modified2020-06-02
    plugin id123919
    published2019-04-09
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/123919
    titleopenSUSE Security Update : nodejs6 (openSUSE-2019-1173)
  • NASL familyJunos Local Security Checks
    NASL idJUNIPER_JSA10949.NASL
    descriptionThe version of Junos OS installed on the remote host is prior to 12.3X48-D80, 14.1X53-D51, 15.1F6-S13, 15.1X49-D171, 15.1X53-D238, 16.1R7-S5, 16.2R2-S9, 17.1R3, 17.2R1-S8, 17.3R3-S4, 17.4R1-S7, 18.1R2-S4, 18.2R1-S5, 18.2X75-D50, 18.3R1-S3, 18.4R1-S2, or 19.1R1-S1. It is, therefore, affected by a vulnerability as referenced in the JSA10949 advisory. Note that Nessus has not tested for this issue but has instead relied only on the application
    last seen2020-06-01
    modified2020-06-02
    plugin id130516
    published2019-11-06
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/130516
    titleJuniper JSA10949
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-1145.NASL
    descriptionAccording to the versions of the openssl packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - A microprocessor side-channel vulnerability was found on SMT (e.g, Hyper-Threading) architectures. An attacker running a malicious process on the same core of the processor as the victim process can extract certain secret information.(CVE-2018-5407) - If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 byte record is received with an invalid MAC. If the application then behaves differently based on that in a way that is detectable to the remote peer, then this amounts to a padding oracle that could be used to decrypt data. In order for this to be exploitable
    last seen2020-05-06
    modified2019-04-02
    plugin id123619
    published2019-04-02
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/123619
    titleEulerOS 2.0 SP5 : openssl (EulerOS-SA-2019-1145)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DLA-1701.NASL
    descriptionJuraj Somorovsky, Robert Merget and Nimrod Aviram discovered a padding oracle attack in OpenSSL. If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 byte record is received with an invalid MAC. If the application then behaves differently based on that in a way that is detectable to the remote peer, then this amounts to a padding oracle that could be used to decrypt data. In order for this to be exploitable
    last seen2020-06-01
    modified2020-06-02
    plugin id122549
    published2019-03-04
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/122549
    titleDebian DLA-1701-1 : openssl security update
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-1548.NASL
    descriptionAccording to the versions of the openssl packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : - A race condition was found in the session handling code of OpenSSL. This issue could possibly cause a multi-threaded TLS/SSL client using OpenSSL to double free session ticket data and crash.(CVE-2015-1791) - An out-of-bounds read flaw was found in the X509_cmp_time() function of OpenSSL, which is used to test the expiry dates of SSL/TLS certificates. An attacker could possibly use a specially crafted SSL/TLS certificate or CRL (Certificate Revocation List), which when parsed by an application would cause that application to crash.(CVE-2015-1789) - The ASN1_STRING_print_ex function in OpenSSL before 0.9.8k allows remote attackers to cause a denial of service (invalid memory access and application crash) via vectors that trigger printing of a (1) BMPString or (2) UniversalString with an invalid encoded length.(CVE-2009-0590) - An invalid-free flaw was found in the way OpenSSL handled certain DTLS handshake messages. A malicious DTLS client or server could send a specially crafted message to the peer, which could cause the application to crash or potentially result in arbitrary code execution.(CVE-2014-8176) - The DTLS implementation in OpenSSL before 0.9.8s and 1.x before 1.0.0f performs a MAC check only if certain padding is valid, which makes it easier for remote attackers to recover plaintext via a padding oracle attack.(CVE-2011-4108) - Off-by-one error in the SSL_get_shared_ciphers function in OpenSSL 0.9.7 up to 0.9.7l, and 0.9.8 up to 0.9.8f, might allow remote attackers to execute arbitrary code via a crafted packet that triggers a one-byte buffer underflow. NOTE: this issue was introduced as a result of a fix for CVE-2006-3738. As of 20071012, it is unknown whether code execution is possible.(CVE-2007-5135) - A NULL pointer dereference flaw was found in the DTLS implementation of OpenSSL. A remote attacker could send a specially crafted DTLS message, which would cause an OpenSSL server to crash.(CVE-2014-3571) - The asn1_d2i_read_bio function in crypto/asn1/a_d2i_fp.c in OpenSSL before 0.9.8v, 1.0.0 before 1.0.0i, and 1.0.1 before 1.0.1a does not properly interpret integer data, which allows remote attackers to conduct buffer overflow attacks, and cause a denial of service (memory corruption) or possibly have unspecified other impact, via crafted DER data, as demonstrated by an X.509 certificate or an RSA public key.(CVE-2012-2110) - It was discovered that the SSLv2 servers using OpenSSL accepted SSLv2 connection handshakes that indicated non-zero clear key length for non-export cipher suites. An attacker could use this flaw to decrypt recorded SSLv2 sessions with the server by using it as a decryption oracle.(CVE-2016-0703) - ssl/s3_pkt.c in OpenSSL before 0.9.8i allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a DTLS ChangeCipherSpec packet that occurs before ClientHello.(CVE-2009-1386) - Memory leak in the zlib_stateful_finish function in crypto/comp/c_zlib.c in OpenSSL 0.9.8l and earlier and 1.0.0 Beta through Beta 4 allows remote attackers to cause a denial of service (memory consumption) via vectors that trigger incorrect calls to the CRYPTO_cleanup_all_ex_data function, as demonstrated by use of SSLv3 and PHP with the Apache HTTP Server, a related issue to CVE-2008-1678.(CVE-2009-4355) - A flaw was discovered in the way OpenSSL handled DTLS packets. A remote attacker could use this flaw to cause a DTLS server or client using OpenSSL to crash or use excessive amounts of memory.(CVE-2014-3507) - The dtls1_buffer_record function in ssl/d1_pkt.c in OpenSSL 0.9.8k and earlier 0.9.8 versions allows remote attackers to cause a denial of service (memory consumption) via a large series of
    last seen2020-06-01
    modified2020-06-02
    plugin id125001
    published2019-05-14
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/125001
    titleEulerOS Virtualization 3.0.1.0 : openssl (EulerOS-SA-2019-1548)
  • NASL familyMisc.
    NASL idNESSUS_TNS_2019_02.NASL
    descriptionAccording to its self-reported version, the Tenable Nessus application running on the remote host is prior to 8.3.0. It is, therefore, affected by: - An information disclosure vulnerability exists in OpenSSL. A remote attacker may be able to obtain sensitive information, caused by the failure to immediately close the TCP connection after the hosts encounter a zero-length record with valid padding. (CVE-2019-1559) - A denial of service (DoS) vulnerability exists in the moment module before 2.19.3 for Node.js. An unauthenticated, remote attacker can exploit this issue, via regular expression of crafted date string different than CVE-2016-4055 to cause the CPU consumption. (CVE-2017-18214) - A denial of service (DoS) vulnerability exists in the duration function in the moment package before 2.11.2 for Node.js. An unauthenticated, remote attackers can exploit this issue, via date string ReDoS which will cause CPU consumption. (CVE-2016-4055)
    last seen2020-06-01
    modified2020-06-02
    plugin id123462
    published2019-03-28
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/123462
    titleTenable Nessus < 8.3.0 Multiple Vulnerabilities (TNS-2019-02)
  • NASL familyDatabases
    NASL idMYSQL_5_6_44.NASL
    descriptionThe version of MySQL running on the remote host is 5.6.x prior to 5.6.44. It is, therefore, affected by multiple vulnerabilities, including three of the top vulnerabilities below, as noted in the April 2019 Critical Patch Update advisory: - An unspecified vulnerability in the
    last seen2020-04-18
    modified2019-04-18
    plugin id124158
    published2019-04-18
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/124158
    titleMySQL 5.6.x < 5.6.44 Multiple Vulnerabilities (Apr 2019 CPU)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-3899-1.NASL
    descriptionJuraj Somorovsky, Robert Merget, and Nimrod Aviram discovered that certain applications incorrectly used OpenSSL and could be exposed to a padding oracle attack. A remote attacker could possibly use this issue to decrypt data. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id122500
    published2019-02-28
    reporterUbuntu Security Notice (C) 2019-2020 Canonical, Inc. / NASL script (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/122500
    titleUbuntu 16.04 LTS / 18.04 LTS / 18.10 : openssl, openssl1.0 vulnerability (USN-3899-1)
  • NASL familyAmazon Linux Local Security Checks
    NASL idALA_ALAS-2019-1188.NASL
    descriptionA microprocessor side-channel vulnerability was found on SMT (e.g, Hyper-Threading) architectures. An attacker running a malicious process on the same core of the processor as the victim process can extract certain secret information. (CVE-2018-5407) If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 byte record is received with an invalid MAC. If the application then behaves differently based on that in a way that is detectable to the remote peer, then this amounts to a padding oracle that could be used to decrypt data. In order for this to be exploitable
    last seen2020-06-01
    modified2020-06-02
    plugin id123957
    published2019-04-10
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/123957
    titleAmazon Linux AMI : openssl (ALAS-2019-1188)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2019-1175.NASL
    descriptionThis update for openssl fixes the following issues : Security issues fixed : - The 9 Lives of Bleichenbacher
    last seen2020-06-01
    modified2020-06-02
    plugin id123920
    published2019-04-09
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/123920
    titleopenSUSE Security Update : openssl (openSUSE-2019-1175)
  • NASL familyMisc.
    NASL idORACLE_MYSQL_CONNECTORS_CPU_APR_2019.NASL
    descriptionThe version of Oracle MySQL Connectors installed on the remote host is 8.0.x prior to 8.0.16 or 5.3.x prior to 5.3.13. It is, therefore, affected by multiple vulnerabilities as noted in the April 2019 Critical Patch Update advisory: - An unspecified vulnerability in Connector/J subcomponent. An authenticated attacker can exploit this issue, to take a full control over the target system. (CVE-2019-2692) - A padding oracle vulnerability exists in Connector/ODBC (OpenSSL) subcomponent. If the application is configured to use
    last seen2020-04-18
    modified2019-05-22
    plugin id125340
    published2019-05-22
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/125340
    titleOracle MySQL Connectors Multiple Vulnerabilities (Apr 2019 CPU)
  • NASL familyMisc.
    NASL idORACLE_ENTERPRISE_MANAGER_OPS_CENTER_JUL_2019_CPU.NASL
    descriptionThe version of Oracle Enterprise Manager Cloud Control installed on the remote host is affected by multiple vulnerabilities in Enterprise Manager Base Platform component: - An unspecified vulnerability in Networking (cURL) subcomponent of Oracle Enterprise Manager Ops Center, which could allow an unauthenticated attacker with network access to compromise Enterprise Manager Ops Center. (CVE-2019-3822) - An unspecified vulnerability in Networking (OpenSSL) subcomponent of Oracle Enterprise Manager Ops Center, which could allow an unauthenticated attacker with network access to compromise Enterprise Manager Ops Center. (CVE-2019-1559) - An unspecified vulnerability in Networking (OpenSSL) subcomponent of Oracle Enterprise Manager Ops Center, which could allow a low privileged attacker with network access to compromise Enterprise Manager Ops Center. (CVE-2019-2728)
    last seen2020-06-01
    modified2020-06-02
    plugin id126777
    published2019-07-17
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/126777
    titleOracle Enterprise Manager Ops Center (Jul 2019 CPU)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2019-1608-1.NASL
    descriptionThis update for compat-openssl098 fixes the following issues : CVE-2019-1559: Fix 0-byte record padding oracle via SSL_shutdown (bsc#1127080) Reject invalid EC point coordinates (bsc#1131291) Fixed
    last seen2020-06-01
    modified2020-06-02
    plugin id126162
    published2019-06-24
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/126162
    titleSUSE SLED12 / SLES12 Security Update : compat-openssl098 (SUSE-SU-2019:1608-1)
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2019-2304.NASL
    descriptionAn update for openssl is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, as well as a full-strength general-purpose cryptography library. Security Fix(es) : * openssl: 0-byte record padding oracle (CVE-2019-1559) * openssl: timing side channel attack in the DSA signature algorithm (CVE-2018-0734) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.7 Release Notes linked from the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id128388
    published2019-08-30
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/128388
    titleCentOS 7 : openssl (CESA-2019:2304)
  • NASL familyOracleVM Local Security Checks
    NASL idORACLEVM_OVMSA-2019-0040.NASL
    descriptionThe remote OracleVM system is missing necessary patches to address critical security updates : - Oracle bug 28730228: backport (CVE-2018-0732) - Oracle bug 28758493: backport (CVE-2018-0737) - Merge upstream patch to fix (CVE-2018-0739) - Avoid out-of-bounds read. Fixes CVE-2017-3735. By Rich Salz - sha256 is used for the RSA pairwise consistency test instead of sha1 - fix CVE-2019-1559 - 0-byte record padding oracle
    last seen2020-06-01
    modified2020-06-02
    plugin id127975
    published2019-08-20
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/127975
    titleOracleVM 3.4 : openssl (OVMSA-2019-0040)
  • NASL familyDatabases
    NASL idMYSQL_5_7_27.NASL
    descriptionThe version of MySQL running on the remote host is 5.7.x prior to 5.7.26. It is, therefore, affected by multiple vulnerabilities, including three of the top vulnerabilities below, as noted in the April 2019 Critical Patch Update advisory: - An unspecified vulnerability in MySQL in the
    last seen2020-04-18
    modified2019-04-18
    plugin id124159
    published2019-04-18
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/124159
    titleMySQL 5.7.x < 5.7.26 Multiple Vulnerabilities (Apr 2019 CPU) (Jul 2019 CPU)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-1258.NASL
    descriptionAccording to the version of the openssl packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerability : - If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 byte record is received with an invalid MAC. If the application then behaves differently based on that in a way that is detectable to the remote peer, then this amounts to a padding oracle that could be used to decrypt data. In order for this to be exploitable
    last seen2020-03-19
    modified2019-04-04
    plugin id123726
    published2019-04-04
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/123726
    titleEulerOS Virtualization 2.5.3 : openssl (EulerOS-SA-2019-1258)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-1325.NASL
    descriptionAccording to the version of the openssl packages installed, the EulerOS installation on the remote host is affected by the following vulnerability : - If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 byte record is received with an invalid MAC. If the application then behaves differently based on that in a way that is detectable to the remote peer, then this amounts to a padding oracle that could be used to decrypt data. In order for this to be exploitable
    last seen2020-05-06
    modified2019-05-06
    plugin id124611
    published2019-05-06
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/124611
    titleEulerOS 2.0 SP2 : openssl (EulerOS-SA-2019-1325)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2019-0803-1.NASL
    descriptionThis update for openssl fixes the following issues : Security issues fixed : The 9 Lives of Bleichenbacher
    last seen2020-06-01
    modified2020-06-02
    plugin id123547
    published2019-04-01
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/123547
    titleSUSE SLED12 / SLES12 Security Update : openssl (SUSE-SU-2019:0803-1)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2019-3929.NASL
    descriptionUpdated Red Hat JBoss Web Server 5.2.0 packages are now available for Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7, and Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache Tomcat Servlet container, JBoss HTTP Connector (mod_cluster), the PicketLink Vault extension for Apache Tomcat, and the Tomcat Native library. This release of Red Hat JBoss Web Server 5.2 serves as a replacement for Red Hat JBoss Web Server 5.1, and includes bug fixes, enhancements, and component upgrades, which are documented in the Release Notes, linked to in the References. Security Fix(es) : * openssl: Side-channel vulnerability on SMT/Hyper-Threading architectures (PortSmash) (CVE-2018-5407) * openssl: 0-byte record padding oracle (CVE-2019-1559) * tomcat: HTTP/2 connection window exhaustion on write, incomplete fix of CVE-2019-0199 (CVE-2019-10072) * tomcat: XSS in SSI printenv (CVE-2019-0221) * tomcat: Apache Tomcat HTTP/2 DoS (CVE-2019-0199) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
    last seen2020-03-18
    modified2019-11-22
    plugin id131214
    published2019-11-22
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/131214
    titleRHEL 6 / 7 / 8 : JBoss Web Server (RHSA-2019:3929)
  • NASL familySlackware Local Security Checks
    NASL idSLACKWARE_SSA_2019-057-01.NASL
    descriptionNew openssl packages are available for Slackware 14.2 to fix a security issue.
    last seen2020-06-01
    modified2020-06-02
    plugin id122469
    published2019-02-27
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/122469
    titleSlackware 14.2 : openssl (slackware 14.2) (SSA:2019-057-01)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-4400.NASL
    descriptionJuraj Somorovsky, Robert Merget and Nimrod Aviram discovered a padding oracle attack in OpenSSL.
    last seen2020-06-01
    modified2020-06-02
    plugin id122519
    published2019-03-01
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/122519
    titleDebian DSA-4400-1 : openssl1.0 - security update
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20190806_OPENSSL_ON_SL7_X.NASL
    descriptionSecurity Fix(es) : - openssl: 0-byte record padding oracle (CVE-2019-1559) - openssl: timing side channel attack in the DSA signature algorithm (CVE-2018-0734)
    last seen2020-03-18
    modified2019-08-27
    plugin id128247
    published2019-08-27
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/128247
    titleScientific Linux Security Update : openssl on SL7.x x86_64 (20190806)
  • NASL familyNewStart CGSL Local Security Checks
    NASL idNEWSTART_CGSL_NS-SA-2019-0176_OPENSSL.NASL
    descriptionThe remote NewStart CGSL host, running version MAIN 4.06, has openssl packages installed that are affected by a vulnerability: - If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 byte record is received with an invalid MAC. If the application then behaves differently based on that in a way that is detectable to the remote peer, then this amounts to a padding oracle that could be used to decrypt data. In order for this to be exploitable non- stitched ciphersuites must be in use. Stitched ciphersuites are optimised implementations of certain commonly used ciphersuites. Also the application must call SSL_shutdown() twice even if a protocol error has occurred (applications should not do this but some do anyway). Fixed in OpenSSL 1.0.2r (Affected 1.0.2-1.0.2q). (CVE-2019-1559) Note that Nessus has not tested for this issue but has instead relied only on the application
    last seen2020-06-01
    modified2020-06-02
    plugin id128687
    published2019-09-11
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/128687
    titleNewStart CGSL MAIN 4.06 : openssl Vulnerability (NS-SA-2019-0176)
  • NASL familyDatabases
    NASL idMYSQL_8_0_16.NASL
    descriptionThe version of MySQL running on the remote host is 8.0.x prior to 8.0.16. It is, therefore, affected by multiple vulnerabilities, including four of the top vulnerabilities below, as noted in the April 2019 and July 2019 Critical Patch Update advisories: - An unspecified vulnerability in the
    last seen2020-04-18
    modified2019-04-18
    plugin id124160
    published2019-04-18
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/124160
    titleMySQL 8.0.x < 8.0.16 Multiple Vulnerabilities (Apr 2019 CPU) (Jul 2019 CPU)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2019-1553-1.NASL
    descriptionThis update for openssl fixes the following issues : CVE-2018-0732: Reject excessively large primes in DH key generation (bsc#1097158) CVE-2018-0734: Timing vulnerability in DSA signature generation (bsc#1113652) CVE-2018-0737: Cache timing vulnerability in RSA Key Generation (bsc#1089039) CVE-2018-5407: Elliptic curve scalar multiplication timing attack defenses (fixes
    last seen2020-06-01
    modified2020-06-02
    plugin id126046
    published2019-06-19
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/126046
    titleSUSE SLES12 Security Update : openssl (SUSE-SU-2019:1553-1)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2019-0600-1.NASL
    descriptionThis update for openssl-1_0_0 fixes the following issues : Security issues fixed : The 9 Lives of Bleichenbacher
    last seen2020-06-01
    modified2020-06-02
    plugin id122810
    published2019-03-13
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/122810
    titleSUSE SLED15 / SLES15 Security Update : openssl-1_0_0 (SUSE-SU-2019:0600-1)
  • NASL familyMisc.
    NASL idORACLE_BI_PUBLISHER_OCT_2019_CPU.NASL
    descriptionThe version of Oracle Business Intelligence Publisher running on the remote host is 11.1.1.9.x prior to 11.1.1.9.191015 or 12.2.1.3.x prior to 12.2.1.3.191015 or 12.2.1.4.x prior to 12.2.1.4.191015. It is, therefore, affected by multiple vulnerabilities as noted in the October 2019 Critical Patch Update advisory: - An unspecified vulnerability in the Installation component of Oracle BI Publisher that allows unauthenticated attacker with network access via HTTP to compromise Oracle BI Publisher. While the vulnerability is in Oracle BI Publisher, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle BI Publisher accessible data. (CVE-2019-2905) - An unspecified vulnerability in the MobileService component of Oracle BI Publisher could allow an unauthenticated attacker with network access via HTTP to compromise BI Publisher. A successful attack requires human interaction from a person other than the attacker and while the vulnerability is in BI Publisher, attacks may significantly impact additional products. (CVE-2019-2906) - An unspecified vulnerability in the BI PublisherSecurity component of Oracle BI Publisher could allow a low privileged attacker with networkaccess via HTTP to compromise Oracle BI Publisher. A successful attack of this vulnerability canresult in unauthorized read access to a subset of BIPublisher accessible data (CVE-2019-2898) - An unspecified vulnerability in the Analytics Actions component of Oracle BI Publisher could allow a low privileged attacker with network access via HTTP to compromise Oracle BI Publisher. While the vulnerability is in Oracle BI Publisher, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle BI Publisher accessible data as well as unauthorized read access to a subset of Oracle BI Publisher accessible data. (CVE-2019-2897) - An unspecified vulnerability in the Secure Store (OpenSSL) component of Oracle BI Publisher could allow an unauthenticated attacker with network access via HTTPS to compromise Oracle BI Publisher. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle BI Publisher data. (CVE-2019-1559) - An unspecified vulnerability in the BI Platform Security (JQuery) component of Oracle BI Publisher could allow an unauthenticated attacker with network access via HTTP to compromise Oracle BI Publisher. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle BI Publisher, attacks may significantly impact additional products. (CVE-2016-7103) - An unspecified vulnerability in the Analytics Actions component of Oracle BI Publisher could allow an unauthenticated attacker with network access via HTTP to compromise Oracle BI Publisher. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle BI Publisher accessible data. (CVE-2019-2900) - An unspecified vulnerability in the BI Platform Security component of Oracle BI Publisher could allow an unauthenticated attacker with network access via HTTP to compromise Oracle BI Publisher. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle BI Publisher accessible data. (CVE-2019-3012) Note that Nessus has not tested for these issues but has instead relied only on the application
    last seen2020-05-31
    modified2019-11-06
    plugin id130589
    published2019-11-06
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/130589
    titleOracle Business Intelligence Publisher Multiple Vulnerabilities (Oct 2019 CPU)
  • NASL familyMisc.
    NASL idTENABLE_NESSUS_AGENT_TNS_2019_03.NASL
    descriptionThe version of Nessus Agent installed on the remote Windows host is prior to 7.4.0. It is, therefore, affected by one of the third-party components (OpenSSL) was found to contain a single vulnerability, and updated versions have been made available by the providers.
    last seen2020-06-01
    modified2020-06-02
    plugin id125882
    published2019-06-14
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/125882
    titleTenable Nessus Agent < 7.4.0 Third Party Vulnerability (OpenSSL) (TNS-2019-03)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2019-0818-1.NASL
    descriptionThis update for nodejs6 to version 6.17.0 fixes the following issues : Security issues fixed : CVE-2019-5739: Fixed a potentially attack vector which could lead to Denial of Service when HTTP connection are kept active (bsc#1127533). CVE-2019-5737: Fixed a potentially attack vector which could lead to Denial of Service when HTTP connection are kept active (bsc#1127532). CVE-2019-1559: Fixed OpenSSL 0-byte Record Padding Oracle which under certain circumstances a TLS server can be forced to respond differently to a client and lead to the decryption of the data (bsc#1127080). Release Notes: https://nodejs.org/en/blog/release/v6.17.0/ Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id123551
    published2019-04-01
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/123551
    titleSUSE SLES12 Security Update : nodejs6 (SUSE-SU-2019:0818-1)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2019-2437.NASL
    descriptionAn update for redhat-virtualization-host is now available for Red Hat Virtualization 4 for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The redhat-virtualization-host packages provide the Red Hat Virtualization Host. These packages include redhat-release-virtualization-host, ovirt-node, and rhev-hypervisor. Red Hat Virtualization Hosts (RHVH) are installed using a special build of Red Hat Enterprise Linux with only the packages required to host virtual machines. RHVH features a Cockpit user interface for monitoring the host
    last seen2020-06-01
    modified2020-06-02
    plugin id127986
    published2019-08-20
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/127986
    titleRHEL 7 : Virtualization Manager (RHSA-2019:2437)
  • NASL familyAmazon Linux Local Security Checks
    NASL idAL2_ALAS-2019-1362.NASL
    descriptionIf an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 byte record is received with an invalid MAC. If the application then behaves differently based on that in a way that is detectable to the remote peer, then this amounts to a padding oracle that could be used to decrypt data. In order for this to be exploitable
    last seen2020-06-01
    modified2020-06-02
    plugin id131030
    published2019-11-15
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/131030
    titleAmazon Linux 2 : openssl (ALAS-2019-1362)
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2019-2471.NASL
    descriptionFrom Red Hat Security Advisory 2019:2471 : An update for openssl is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, as well as a full-strength general-purpose cryptography library. Security Fix(es) : * openssl: 0-byte record padding oracle (CVE-2019-1559) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id127981
    published2019-08-20
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/127981
    titleOracle Linux 6 : openssl (ELSA-2019-2471)
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-201903-10.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-201903-10 (OpenSSL: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in OpenSSL. Please review the CVE identifiers referenced below for details. Impact : A remote attacker to obtain sensitive information, caused by the failure to immediately close the TCP connection after the hosts encounter a zero-length record with valid padding. A local attacker could run a malicious process next to legitimate processes using the architecture&rsquo;s parallel thread running capabilities to leak encrypted data from the CPU&rsquo;s internal processes. Workaround : There is no known workaround at this time.
    last seen2020-06-01
    modified2020-06-02
    plugin id122832
    published2019-03-14
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/122832
    titleGLSA-201903-10 : OpenSSL: Multiple vulnerabilities
  • NASL familyWeb Servers
    NASL idOPENSSL_1_0_2R.NASL
    descriptionAccording to its banner, the version of OpenSSL running on the remote host is 1.0.x prior to 1.0.2r. It is, therefore, affected by an information disclosure vulnerability due to the decipherable way a application responds to a 0 byte record. An unauthenticated, remote attacker could exploit this vulnerability, via a padding oracle attack, to potentially disclose sensitive information. Note: Only
    last seen2020-06-01
    modified2020-06-02
    plugin id122504
    published2019-03-01
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/122504
    titleOpenSSL 1.0.x < 1.0.2r Information Disclosure Vulnerability
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-1400.NASL
    descriptionAccording to the versions of the openssl packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities : - If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 byte record is received with an invalid MAC. If the application then behaves differently based on that in a way that is detectable to the remote peer, then this amounts to a padding oracle that could be used to decrypt data. In order for this to be exploitable
    last seen2020-06-01
    modified2020-06-02
    plugin id124903
    published2019-05-14
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/124903
    titleEulerOS Virtualization for ARM 64 3.0.1.0 : openssl (EulerOS-SA-2019-1400)
  • NASL familyFreeBSD Local Security Checks
    NASL idFREEBSD_PKG_7700061F34F711E9B95CB499BAEBFEAF.NASL
    descriptionThe OpenSSL project reports : 0-byte record padding oracle (CVE-2019-1559) (Moderate) If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 byte record is received with an invalid MAC. If the application then behaves differently based on that in a way that is detectable to the remote peer, then this amounts to a padding oracle that could be used to decrypt data.
    last seen2020-06-01
    modified2020-06-02
    plugin id122359
    published2019-02-21
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/122359
    titleFreeBSD : OpenSSL -- Padding oracle vulnerability (7700061f-34f7-11e9-b95c-b499baebfeaf)
  • NASL familyNewStart CGSL Local Security Checks
    NASL idNEWSTART_CGSL_NS-SA-2019-0206_OPENSSL.NASL
    descriptionThe remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has openssl packages installed that are affected by multiple vulnerabilities: - The OpenSSL DSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variations in the signing algorithm to recover the private key. Fixed in OpenSSL 1.1.1a (Affected 1.1.1). Fixed in OpenSSL 1.1.0j (Affected 1.1.0-1.1.0i). Fixed in OpenSSL 1.0.2q (Affected 1.0.2-1.0.2p). (CVE-2018-0734) - If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 byte record is received with an invalid MAC. If the application then behaves differently based on that in a way that is detectable to the remote peer, then this amounts to a padding oracle that could be used to decrypt data. In order for this to be exploitable non- stitched ciphersuites must be in use. Stitched ciphersuites are optimised implementations of certain commonly used ciphersuites. Also the application must call SSL_shutdown() twice even if a protocol error has occurred (applications should not do this but some do anyway). Fixed in OpenSSL 1.0.2r (Affected 1.0.2-1.0.2q). (CVE-2019-1559) Note that Nessus has not tested for this issue but has instead relied only on the application
    last seen2020-06-01
    modified2020-06-02
    plugin id129941
    published2019-10-15
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/129941
    titleNewStart CGSL CORE 5.04 / MAIN 5.04 : openssl Multiple Vulnerabilities (NS-SA-2019-0206)
  • NASL familyNewStart CGSL Local Security Checks
    NASL idNEWSTART_CGSL_NS-SA-2019-0254_OPENSSL.NASL
    descriptionThe remote NewStart CGSL host, running version CORE 5.05 / MAIN 5.05, has openssl packages installed that are affected by multiple vulnerabilities: - The OpenSSL DSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variations in the signing algorithm to recover the private key. Fixed in OpenSSL 1.1.1a (Affected 1.1.1). Fixed in OpenSSL 1.1.0j (Affected 1.1.0-1.1.0i). Fixed in OpenSSL 1.0.2q (Affected 1.0.2-1.0.2p). (CVE-2018-0734) - If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 byte record is received with an invalid MAC. If the application then behaves differently based on that in a way that is detectable to the remote peer, then this amounts to a padding oracle that could be used to decrypt data. In order for this to be exploitable non- stitched ciphersuites must be in use. Stitched ciphersuites are optimised implementations of certain commonly used ciphersuites. Also the application must call SSL_shutdown() twice even if a protocol error has occurred (applications should not do this but some do anyway). Fixed in OpenSSL 1.0.2r (Affected 1.0.2-1.0.2q). (CVE-2019-1559) - The OpenSSL ECDSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variations in the signing algorithm to recover the private key. Fixed in OpenSSL 1.1.0j (Affected 1.1.0-1.1.0i). Fixed in OpenSSL 1.1.1a (Affected 1.1.1). (CVE-2018-0735) Note that Nessus has not tested for this issue but has instead relied only on the application
    last seen2020-06-01
    modified2020-06-02
    plugin id132467
    published2019-12-31
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/132467
    titleNewStart CGSL CORE 5.05 / MAIN 5.05 : openssl Multiple Vulnerabilities (NS-SA-2019-0254)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-1326.NASL
    descriptionAccording to the versions of the openssl packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 byte record is received with an invalid MAC. If the application then behaves differently based on that in a way that is detectable to the remote peer, then this amounts to a padding oracle that could be used to decrypt data. In order for this to be exploitable
    last seen2020-05-06
    modified2019-05-06
    plugin id124612
    published2019-05-06
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/124612
    titleEulerOS 2.0 SP3 : openssl (EulerOS-SA-2019-1326)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2019-1362-1.NASL
    descriptionThis update for openssl fixes the following issues : Security issue fixed : CVE-2019-1559: Fixed a 0-byte record padding oracle via SSL_shutdown (bsc#1127080). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id125535
    published2019-05-29
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/125535
    titleSUSE SLES12 Security Update : openssl (SUSE-SU-2019:1362-1)
  • NASL familyMisc.
    NASL idORACLE_BI_PUBLISHER_JAN_2020_CPU.NASL
    descriptionThe version of Oracle Business Intelligence Publisher running on the remote host is 11.1.1.9.x prior to 11.1.1.9.200114 or 12.2.1.3.x prior to 12.2.1.3.200114 or 12.2.1.4.x prior to 12.2.1.4.200114. It is, therefore, affected by multiple vulnerabilities as noted in the January 2020 Critical Patch Update advisory: - An unspecified vulnerability in the Analytics Server and Analytics Web General (OpenSSL)) component of Oracle BI Publisher. The vulnerability could allow an unauthenticated attacker with network access via HTTPS to compromise Oracle BI Publisher. A successful attack could result in unauthorized access to critical data or complete access to all Oracle Business Intelligence Enterprise Edition accessible data. (CVE-2019-1559) - An unspecified vulnerability in the BI Platform Security) component of Oracle BI Publisher. The vulnerability could allow an unauthenticated attacker with network access via HTTPS to compromise Oracle BI Publisher. A successful attack would require human interaction from a person other than the attacker resulting in unauthorized read access to a subset of Oracle BI Publisher accessible data. (CVE-2020-2531) - An unspecified vulnerability in the Analytics Server) component of Oracle BI Publisher. An easy to exploit vulnerability could allow an unauthenticated attacker with network access via HTTP to compromise Oracle BI Publisher. A successful attack would require human interaction from a person other than the attacker resulting in unauthorized read access to a subset of Oracle BI Publisher accessible data.(CVE-2020-2535) - An unspecified vulnerability in the Analytics Actions) component of Oracle BI Publisher. An easy to exploit vulnerability could allow an unauthenticated attacker with network access via HTTP to compromise Oracle BI Publisher. A successful attack would require human interaction from a person other than the attacker resulting in unauthorized read access to a subset of Oracle BI Publisher accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Business Intelligence Enterprise Edition. (CVE-2020-2537) Note that Nessus has not tested for these issues but has instead relied only on the application
    last seen2020-05-23
    modified2020-01-16
    plugin id132991
    published2020-01-16
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/132991
    titleOracle Business Intelligence Publisher Multiple Vulnerabilities (Jan 2020 CPU)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2019-00C25B9379.NASL
    descriptionPatch for CVE-2018-0737, CVE-2018-0732, CVE-2018-0734, CVE-2019-1552, CVE-2019-1559. https://www.openssl.org/news/vulnerabilities.html Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id129319
    published2019-09-25
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/129319
    titleFedora 30 : 1:compat-openssl10 (2019-00c25b9379)
  • NASL familyPalo Alto Local Security Checks
    NASL idPALO_ALTO_PAN-SA-2019-0039.NASL
    descriptionIf an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 byte record is received with an invalid MAC. If the application then behaves differently based on that in a way that is detectable to the remote peer, then this amounts to a padding oracle that could be used to decrypt data. In order for this to be exploitable
    last seen2020-03-18
    modified2020-03-06
    plugin id134305
    published2020-03-06
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/134305
    titlePalo Alto Networks PAN-OS 7.1 < 7.1.25 / 8.0 < 8.0.20 / 8.1 < 8.1.8 / 9.0 < 9.0.2 OpenSSL Vulnerability
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2019-1432.NASL
    descriptionThis update for openssl-1_0_0 fixes the following issues : Security issues fixed : - The 9 Lives of Bleichenbacher
    last seen2020-06-01
    modified2020-06-02
    plugin id125331
    published2019-05-22
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/125331
    titleopenSUSE Security Update : openssl-1_0_0 (openSUSE-2019-1432)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2019-0572-1.NASL
    descriptionThis update for openssl-1_0_0 fixes the following issues : Security issues fixed : The 9 Lives of Bleichenbacher
    last seen2020-06-01
    modified2020-06-02
    plugin id122747
    published2019-03-11
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/122747
    titleSUSE SLED12 / SLES12 Security Update : openssl-1_0_0 (SUSE-SU-2019:0572-1)

Redhat

advisories
  • bugzilla
    id1683804
    titleCVE-2019-1559 openssl: 0-byte record padding oracle
    oval
    OR
    • commentRed Hat Enterprise Linux must be installed
      ovaloval:com.redhat.rhba:tst:20070304026
    • AND
      • commentRed Hat Enterprise Linux 7 is installed
        ovaloval:com.redhat.rhba:tst:20150364027
      • OR
        • AND
          • commentopenssl-libs is earlier than 1:1.0.2k-19.el7
            ovaloval:com.redhat.rhsa:tst:20192304001
          • commentopenssl-libs is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhba:tst:20171929010
        • AND
          • commentopenssl is earlier than 1:1.0.2k-19.el7
            ovaloval:com.redhat.rhsa:tst:20192304003
          • commentopenssl is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhba:tst:20171929008
        • AND
          • commentopenssl-devel is earlier than 1:1.0.2k-19.el7
            ovaloval:com.redhat.rhsa:tst:20192304005
          • commentopenssl-devel is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhba:tst:20171929002
        • AND
          • commentopenssl-static is earlier than 1:1.0.2k-19.el7
            ovaloval:com.redhat.rhsa:tst:20192304007
          • commentopenssl-static is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhba:tst:20171929006
        • AND
          • commentopenssl-perl is earlier than 1:1.0.2k-19.el7
            ovaloval:com.redhat.rhsa:tst:20192304009
          • commentopenssl-perl is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhba:tst:20171929004
    rhsa
    idRHSA-2019:2304
    released2019-08-06
    severityModerate
    titleRHSA-2019:2304: openssl security and bug fix update (Moderate)
  • bugzilla
    id1683804
    titleCVE-2019-1559 openssl: 0-byte record padding oracle
    oval
    OR
    • commentRed Hat Enterprise Linux must be installed
      ovaloval:com.redhat.rhba:tst:20070304026
    • AND
      • commentRed Hat Enterprise Linux 6 is installed
        ovaloval:com.redhat.rhba:tst:20111656003
      • OR
        • AND
          • commentopenssl-static is earlier than 0:1.0.1e-58.el6_10
            ovaloval:com.redhat.rhsa:tst:20192471001
          • commentopenssl-static is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhba:tst:20171929006
        • AND
          • commentopenssl-perl is earlier than 0:1.0.1e-58.el6_10
            ovaloval:com.redhat.rhsa:tst:20192471003
          • commentopenssl-perl is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhba:tst:20171929004
        • AND
          • commentopenssl-devel is earlier than 0:1.0.1e-58.el6_10
            ovaloval:com.redhat.rhsa:tst:20192471005
          • commentopenssl-devel is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhba:tst:20171929002
        • AND
          • commentopenssl is earlier than 0:1.0.1e-58.el6_10
            ovaloval:com.redhat.rhsa:tst:20192471007
          • commentopenssl is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhba:tst:20171929008
    rhsa
    idRHSA-2019:2471
    released2019-08-13
    severityModerate
    titleRHSA-2019:2471: openssl security update (Moderate)
  • rhsa
    idRHSA-2019:2437
  • rhsa
    idRHSA-2019:2439
  • rhsa
    idRHSA-2019:3929
  • rhsa
    idRHSA-2019:3931
rpms
  • openssl-1:1.0.2k-19.el7
  • openssl-debuginfo-1:1.0.2k-19.el7
  • openssl-devel-1:1.0.2k-19.el7
  • openssl-libs-1:1.0.2k-19.el7
  • openssl-perl-1:1.0.2k-19.el7
  • openssl-static-1:1.0.2k-19.el7
  • imgbased-0:1.1.9-0.1.el7ev
  • ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev
  • python-imgbased-0:1.1.9-0.1.el7ev
  • python2-ovirt-node-ng-nodectl-0:4.3.5-0.20190717.0.el7ev
  • redhat-release-virtualization-host-0:4.3.5-2.el7ev
  • redhat-virtualization-host-image-update-0:4.3.5-20190722.0.el7_7
  • redhat-virtualization-host-image-update-placeholder-0:4.3.5-2.el7ev
  • rhvm-appliance-2:4.3-20190722.0.el7
  • openssl-0:1.0.1e-58.el6_10
  • openssl-debuginfo-0:1.0.1e-58.el6_10
  • openssl-devel-0:1.0.1e-58.el6_10
  • openssl-perl-0:1.0.1e-58.el6_10
  • openssl-static-0:1.0.1e-58.el6_10
  • jws5-ecj-0:4.12.0-1.redhat_1.1.el6jws
  • jws5-ecj-0:4.12.0-1.redhat_1.1.el7jws
  • jws5-ecj-0:4.12.0-1.redhat_1.1.el8jws
  • jws5-javapackages-tools-0:3.4.1-5.15.11.el6jws
  • jws5-javapackages-tools-0:3.4.1-5.15.11.el7jws
  • jws5-javapackages-tools-0:3.4.1-5.15.11.el8jws
  • jws5-jboss-logging-0:3.3.2-1.Final_redhat_00001.1.el6jws
  • jws5-jboss-logging-0:3.3.2-1.Final_redhat_00001.1.el7jws
  • jws5-jboss-logging-0:3.3.2-1.Final_redhat_00001.1.el8jws
  • jws5-mod_cluster-0:1.4.1-1.Final_redhat_00001.2.el6jws
  • jws5-mod_cluster-0:1.4.1-1.Final_redhat_00001.2.el7jws
  • jws5-mod_cluster-0:1.4.1-1.Final_redhat_00001.2.el8jws
  • jws5-mod_cluster-tomcat-0:1.4.1-1.Final_redhat_00001.2.el6jws
  • jws5-mod_cluster-tomcat-0:1.4.1-1.Final_redhat_00001.2.el7jws
  • jws5-mod_cluster-tomcat-0:1.4.1-1.Final_redhat_00001.2.el8jws
  • jws5-python-javapackages-0:3.4.1-5.15.11.el6jws
  • jws5-python-javapackages-0:3.4.1-5.15.11.el7jws
  • jws5-python-javapackages-0:3.4.1-5.15.11.el8jws
  • jws5-tomcat-0:9.0.21-10.redhat_4.1.el6jws
  • jws5-tomcat-0:9.0.21-10.redhat_4.1.el7jws
  • jws5-tomcat-0:9.0.21-10.redhat_4.1.el8jws
  • jws5-tomcat-admin-webapps-0:9.0.21-10.redhat_4.1.el6jws
  • jws5-tomcat-admin-webapps-0:9.0.21-10.redhat_4.1.el7jws
  • jws5-tomcat-admin-webapps-0:9.0.21-10.redhat_4.1.el8jws
  • jws5-tomcat-docs-webapp-0:9.0.21-10.redhat_4.1.el6jws
  • jws5-tomcat-docs-webapp-0:9.0.21-10.redhat_4.1.el7jws
  • jws5-tomcat-docs-webapp-0:9.0.21-10.redhat_4.1.el8jws
  • jws5-tomcat-el-3.0-api-0:9.0.21-10.redhat_4.1.el6jws
  • jws5-tomcat-el-3.0-api-0:9.0.21-10.redhat_4.1.el7jws
  • jws5-tomcat-el-3.0-api-0:9.0.21-10.redhat_4.1.el8jws
  • jws5-tomcat-javadoc-0:9.0.21-10.redhat_4.1.el6jws
  • jws5-tomcat-javadoc-0:9.0.21-10.redhat_4.1.el7jws
  • jws5-tomcat-javadoc-0:9.0.21-10.redhat_4.1.el8jws
  • jws5-tomcat-jsp-2.3-api-0:9.0.21-10.redhat_4.1.el6jws
  • jws5-tomcat-jsp-2.3-api-0:9.0.21-10.redhat_4.1.el7jws
  • jws5-tomcat-jsp-2.3-api-0:9.0.21-10.redhat_4.1.el8jws
  • jws5-tomcat-lib-0:9.0.21-10.redhat_4.1.el6jws
  • jws5-tomcat-lib-0:9.0.21-10.redhat_4.1.el7jws
  • jws5-tomcat-lib-0:9.0.21-10.redhat_4.1.el8jws
  • jws5-tomcat-native-0:1.2.21-34.redhat_34.el6jws
  • jws5-tomcat-native-0:1.2.21-34.redhat_34.el7jws
  • jws5-tomcat-native-0:1.2.21-34.redhat_34.el8jws
  • jws5-tomcat-native-debuginfo-0:1.2.21-34.redhat_34.el6jws
  • jws5-tomcat-native-debuginfo-0:1.2.21-34.redhat_34.el7jws
  • jws5-tomcat-native-debuginfo-0:1.2.21-34.redhat_34.el8jws
  • jws5-tomcat-selinux-0:9.0.21-10.redhat_4.1.el6jws
  • jws5-tomcat-selinux-0:9.0.21-10.redhat_4.1.el7jws
  • jws5-tomcat-selinux-0:9.0.21-10.redhat_4.1.el8jws
  • jws5-tomcat-servlet-4.0-api-0:9.0.21-10.redhat_4.1.el6jws
  • jws5-tomcat-servlet-4.0-api-0:9.0.21-10.redhat_4.1.el7jws
  • jws5-tomcat-servlet-4.0-api-0:9.0.21-10.redhat_4.1.el8jws
  • jws5-tomcat-vault-0:1.1.8-1.Final_redhat_1.1.el6jws
  • jws5-tomcat-vault-0:1.1.8-1.Final_redhat_1.1.el7jws
  • jws5-tomcat-vault-0:1.1.8-1.Final_redhat_1.1.el8jws
  • jws5-tomcat-vault-javadoc-0:1.1.8-1.Final_redhat_1.1.el6jws
  • jws5-tomcat-vault-javadoc-0:1.1.8-1.Final_redhat_1.1.el7jws
  • jws5-tomcat-vault-javadoc-0:1.1.8-1.Final_redhat_1.1.el8jws
  • jws5-tomcat-webapps-0:9.0.21-10.redhat_4.1.el6jws
  • jws5-tomcat-webapps-0:9.0.21-10.redhat_4.1.el7jws
  • jws5-tomcat-webapps-0:9.0.21-10.redhat_4.1.el8jws

References