Описание
If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 byte record is received with an invalid MAC. If the application then behaves differently based on that in a way that is detectable to the remote peer, then this amounts to a padding oracle that could be used to decrypt data. In order for this to be exploitable "non-stitched" ciphersuites must be in use. Stitched ciphersuites are optimised implementations of certain commonly used ciphersuites. Also the application must call SSL_shutdown() twice even if a protocol error has occurred (applications should not do this but some do anyway). Fixed in OpenSSL 1.0.2r (Affected 1.0.2-1.0.2q).
| Релиз | Статус | Примечание |
|---|---|---|
| bionic | not-affected | uses system openssl1.0 |
| cosmic | not-affected | uses system openssl1.0 |
| devel | not-affected | uses system openssl1.1 |
| disco | not-affected | uses system openssl1.1 |
| eoan | not-affected | uses system openssl1.1 |
| esm-apps/bionic | not-affected | uses system openssl1.0 |
| esm-apps/focal | not-affected | uses system openssl1.1 |
| esm-apps/xenial | not-affected | uses system openssl |
| esm-infra-legacy/trusty | not-affected | uses system openssl |
| focal | not-affected | uses system openssl1.1 |
Показывать по
| Релиз | Статус | Примечание |
|---|---|---|
| bionic | not-affected | 1.1.0g-2ubuntu4.3 |
| cosmic | not-affected | 1.1.1-1ubuntu2.1 |
| devel | not-affected | 1.1.1a-1ubuntu2 |
| disco | not-affected | 1.1.1a-1ubuntu2 |
| eoan | not-affected | 1.1.1a-1ubuntu2 |
| esm-infra-legacy/trusty | not-affected | 1.0.1f-1ubuntu2.27+esm1 |
| esm-infra/bionic | not-affected | 1.1.0g-2ubuntu4.3 |
| esm-infra/focal | not-affected | 1.1.1a-1ubuntu2 |
| esm-infra/xenial | not-affected | 1.0.2g-1ubuntu4.15 |
| focal | not-affected | 1.1.1a-1ubuntu2 |
Показывать по
| Релиз | Статус | Примечание |
|---|---|---|
| bionic | DNE | |
| cosmic | DNE | |
| devel | DNE | |
| disco | DNE | |
| eoan | DNE | |
| esm-infra-legacy/trusty | DNE | trusty/esm was DNE [trusty was needs-triage] |
| esm-infra/focal | DNE | |
| focal | DNE | |
| precise/esm | DNE | |
| trusty | ignored | end of standard support |
Показывать по
| Релиз | Статус | Примечание |
|---|---|---|
| bionic | released | 1.0.2n-1ubuntu5.3 |
| cosmic | released | 1.0.2n-1ubuntu6.2 |
| devel | DNE | |
| disco | DNE | |
| eoan | DNE | |
| esm-infra-legacy/trusty | DNE | |
| esm-infra/bionic | not-affected | 1.0.2n-1ubuntu5.3 |
| esm-infra/focal | DNE | |
| focal | DNE | |
| precise/esm | DNE |
Показывать по
EPSS
4.3 Medium
CVSS2
5.9 Medium
CVSS3
Связанные уязвимости
If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 byte record is received with an invalid MAC. If the application then behaves differently based on that in a way that is detectable to the remote peer, then this amounts to a padding oracle that could be used to decrypt data. In order for this to be exploitable "non-stitched" ciphersuites must be in use. Stitched ciphersuites are optimised implementations of certain commonly used ciphersuites. Also the application must call SSL_shutdown() twice even if a protocol error has occurred (applications should not do this but some do anyway). Fixed in OpenSSL 1.0.2r (Affected 1.0.2-1.0.2q).
If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 byte record is received with an invalid MAC. If the application then behaves differently based on that in a way that is detectable to the remote peer, then this amounts to a padding oracle that could be used to decrypt data. In order for this to be exploitable "non-stitched" ciphersuites must be in use. Stitched ciphersuites are optimised implementations of certain commonly used ciphersuites. Also the application must call SSL_shutdown() twice even if a protocol error has occurred (applications should not do this but some do anyway). Fixed in OpenSSL 1.0.2r (Affected 1.0.2-1.0.2q).
If an application encounters a fatal protocol error and then calls SSL ...
EPSS
4.3 Medium
CVSS2
5.9 Medium
CVSS3