CVE-2019-1563

Priority
Description
In situations where an attacker receives automated notification of the
success or failure of a decryption attempt an attacker, after sending a
very large number of messages to be decrypted, can recover a CMS/PKCS7
transported encryption key or decrypt any RSA encrypted message that was
encrypted with the public RSA key, using a Bleichenbacher padding oracle
attack. Applications are not affected if they use a certificate together
with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to
select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d
(Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k).
Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).
Notes
Package
Source: edk2 (LP Ubuntu Debian)
Upstream:needs-triage
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 ESM (Trusty Tahr):DNE
Ubuntu 16.04 LTS (Xenial Xerus):needed
Ubuntu 18.04 LTS (Bionic Beaver):needed
Ubuntu 20.04 LTS (Focal Fossa):not-affected (0~20191122.bd85bf54-2)
Ubuntu 20.10 (Groovy Gorilla):not-affected (0~20191122.bd85bf54-2)
Package
Upstream:needs-triage
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 ESM (Trusty Tahr):not-affected (uses system openssl)
Ubuntu 16.04 LTS (Xenial Xerus):not-affected (uses system openssl)
Ubuntu 18.04 LTS (Bionic Beaver):not-affected (uses system openssl1.0)
Ubuntu 20.04 LTS (Focal Fossa):not-affected (uses system openssl1.1)
Ubuntu 20.10 (Groovy Gorilla):not-affected (uses system openssl1.1)
Package
Upstream:needs-triage
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 ESM (Trusty Tahr):DNE
Ubuntu 16.04 LTS (Xenial Xerus):DNE
Ubuntu 18.04 LTS (Bionic Beaver):released (1.0.2n-1ubuntu5.4)
Ubuntu 20.04 LTS (Focal Fossa):DNE
Ubuntu 20.10 (Groovy Gorilla):DNE
More Information

Updated: 2020-09-16 16:18:12 UTC (commit a9ac64a2c346d27d41499fd23c2a3fe6c186d994)