CVE-2019-1563

Priority
Description
In situations where an attacker receives automated notification of the
success or failure of a decryption attempt an attacker, after sending a
very large number of messages to be decrypted, can recover a CMS/PKCS7
transported encryption key or decrypt any RSA encrypted message that was
encrypted with the public RSA key, using a Bleichenbacher padding oracle
attack. Applications are not affected if they use a certificate together
with the private RSA key to the CMS_decrypt or PKCS7_decrypt functions to
select the correct recipient info to decrypt. Fixed in OpenSSL 1.1.1d
(Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k).
Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).
Package
Source: edk2 (LP Ubuntu Debian)
Upstream:needs-triage
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 ESM (Trusty Tahr):DNE
Ubuntu 16.04 LTS (Xenial Xerus):needed
Ubuntu 18.04 LTS (Bionic Beaver):needed
Ubuntu 19.04 (Disco Dingo):needed
Ubuntu 19.10 (Eoan):needed
Package
Upstream:needs-triage
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 ESM (Trusty Tahr):not-affected (uses system openssl)
Ubuntu 16.04 LTS (Xenial Xerus):not-affected (uses system openssl)
Ubuntu 18.04 LTS (Bionic Beaver):not-affected (uses system openssl1.0)
Ubuntu 19.04 (Disco Dingo):not-affected (uses system openssl1.1)
Ubuntu 19.10 (Eoan):not-affected (uses system openssl1.1)
Package
Upstream:needs-triage
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 ESM (Trusty Tahr):DNE
Ubuntu 16.04 LTS (Xenial Xerus):DNE
Ubuntu 18.04 LTS (Bionic Beaver):needed
Ubuntu 19.04 (Disco Dingo):DNE
Ubuntu 19.10 (Eoan):DNE
More Information

Updated: 2019-09-19 14:52:03 UTC (commit d32ebc32606b9517c6fa7d65a15441e2a57a6de5)