First published: Tue Feb 26 2019
A vulnerability was found in OpenSSL 1.0.2; it is fixed in 1.0.2r. If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify and once to receive one), OpenSSL can respond differently to the calling application when a 0-byte record is received with invalid padding than when a 0-byte record is received with an invalid MAC. If the application in turn behaves differently in a way that a remote peer can detect, this amounts to a padding oracle that could be used to decrypt data. For this to be exploitable, "non-stitched" ciphersuites must be in use (stitched ciphersuites are the optimised implementations of certain commonly used CBC ciphersuites); AEAD ciphersuites are not impacted. The application must also call SSL_shutdown() twice even though a protocol error has occurred. Applications should not do this (SSL_shutdown() must not be called on a connection once SSL_get_error() has reported SSL_ERROR_SSL or SSL_ERROR_SYSCALL; the connection should simply be freed), but some do anyway. This issue does not impact OpenSSL 1.1.1 or 1.1.0.
Upstream bug: <a href="https://www.openssl.org/news/secadv/20190226.txt">https://www.openssl.org/news/secadv/20190226.txt</a>
Upstream Patch: <a href="https://github.com/openssl/openssl/commit/e9bbefbf0f24c57645e7ad6a5a71ae649d18ac8e">https://github.com/openssl/openssl/commit/e9bbefbf0f24c57645e7ad6a5a71ae649d18ac8e</a>
Credit: openssl-security@openssl.org
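The padding oracle the advisory describes, as an added example that is neither OpenSSL's code nor taken from the advisory. It models a TLS-style CBC MAC-then-encrypt receiver in two variants: one that, like the vulnerable 1.0.2 path the page describes, lets a peer distinguish a record with bad padding from one with a bad MAC, and one that collapses both failures into a single bad_record_mac. A classic CBC padding-oracle attack then recovers a block of a 0-byte record (which consists only of the MAC and padding) from the first receiver and gets nothing from the second. Everything cryptographic is a constructed stand-in: a toy Feistel permutation replaces AES so the code runs offline, the keys are demo strings, and the MAC covers only the content rather than the full TLS sequence number and header. How the distinguishing signal reaches the peer in the real bug (through the application's reaction to the second SSL_shutdown()) is not modelled; the alert string returned by open_record stands in for that observable difference.

```python
"""CBC MAC-then-encrypt record check with a distinguishable padding error, and the
padding-oracle attack it enables. Added example, not OpenSSL code. Constructed stand-ins:
a toy 4-round Feistel permutation replaces AES so this runs offline, the keys are fixed
demo strings, and the MAC covers only the content (real TLS also MACs seq number/header)."""
import hashlib
import hmac
import os

BLOCK, MAC_LEN = 16, 48                                  # block size, HMAC-SHA384 length
BLOCK_KEY, MAC_KEY = b"demo-block-key", b"demo-mac-key"  # constructed demo keys

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _f(i: int, half: bytes) -> bytes:
    return hashlib.sha256(BLOCK_KEY + bytes([i]) + half).digest()[:8]

def block_encrypt(block: bytes) -> bytes:
    """Toy Feistel permutation on 16 bytes: a stand-in for AES, not a secure cipher."""
    left, right = block[:8], block[8:]
    for i in range(4):
        left, right = right, _xor(left, _f(i, right))
    return left + right

def block_decrypt(block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for i in reversed(range(4)):
        left, right = _xor(right, _f(i, left)), left
    return left + right

def seal_record(content: bytes) -> bytes:
    """Sender: content || MAC || TLS padding (pad_len+1 bytes of value pad_len), CBC, explicit IV."""
    mac = hmac.new(MAC_KEY, content, hashlib.sha384).digest()
    pad_len = (BLOCK - (len(content) + MAC_LEN + 1) % BLOCK) % BLOCK
    padded = content + mac + bytes([pad_len]) * (pad_len + 1)
    iv = prev = os.urandom(BLOCK)
    out = b""
    for i in range(0, len(padded), BLOCK):
        prev = block_encrypt(_xor(padded[i:i + BLOCK], prev))
        out += prev
    return iv + out

def open_record(record: bytes, fixed: bool) -> str:
    """Receiver: the alert the peer observes. fixed=False reports padding and MAC failures
    differently (the oracle); fixed=True pads-as-zero and still MACs, so only bad_record_mac leaks."""
    iv, body = record[:BLOCK], record[BLOCK:]
    if len(body) % BLOCK or len(body) < MAC_LEN + 1:
        return "decode_error"
    plain, prev = b"", iv
    for i in range(0, len(body), BLOCK):                  # CBC decrypt
        plain += _xor(block_decrypt(body[i:i + BLOCK]), prev)
        prev = body[i:i + BLOCK]
    pad_len = plain[-1]
    if pad_len + 1 + MAC_LEN > len(plain) or plain[-(pad_len + 1):] != bytes([pad_len]) * (pad_len + 1):
        if not fixed:
            return "bad_padding"
        pad_len = 0
    end = len(plain) - pad_len - 1
    content, mac = plain[:end - MAC_LEN], plain[end - MAC_LEN:end]
    if not hmac.compare_digest(mac, hmac.new(MAC_KEY, content, hashlib.sha384).digest()):
        return "bad_record_mac"
    return "ok"

def padding_oracle_attack(prev_block: bytes, target: bytes, fixed: bool) -> bytes:
    """Recover the plaintext of `target` from alerts alone. Each query sends junk || R || target,
    so the last plaintext block is D(target) xor R; bytes are recovered right to left by choosing
    R so that the tail forms valid padding. Returns b"" when the alerts do not single out a byte."""
    head = bytes(BLOCK) * 3                 # IV plus two filler blocks so the record can hold a MAC
    def padding_valid(r: bytes) -> bool:
        return open_record(head + r + target, fixed) != "bad_padding"
    d = bytearray(BLOCK)                    # D(target), the raw block-cipher output
    for k in range(BLOCK - 1, -1, -1):
        p = BLOCK - 1 - k                   # padding value that makes bytes k..15 a valid pad
        r = bytearray(d[j] ^ p if j > k else 0 for j in range(BLOCK))
        hits = []
        for x in range(256):
            r[k] = x
            if not padding_valid(bytes(r)):
                continue
            if k == BLOCK - 1:              # rule out an accidental longer pad such as 01 01
                r2 = bytearray(r)
                r2[k - 1] ^= 0xFF
                if not padding_valid(bytes(r2)):
                    continue
            hits.append(x)
        if len(hits) != 1:
            return b""
        d[k] = hits[0] ^ p
    return _xor(bytes(d), prev_block)

def demo() -> dict:
    """A 0-byte application record is only MAC || padding; recover the MAC's last 16 bytes."""
    record = seal_record(b"")
    blocks = [record[i:i + BLOCK] for i in range(BLOCK, len(record), BLOCK)]
    tampered = record[:63] + bytes([record[63] ^ 1]) + record[64:]   # flips a bit, breaks the padding
    return {
        "expected": hmac.new(MAC_KEY, b"", hashlib.sha384).digest()[32:48],
        "vulnerable": padding_oracle_attack(blocks[1], blocks[2], fixed=False),
        "fixed": padding_oracle_attack(blocks[1], blocks[2], fixed=True),
        "alerts": (open_record(tampered, fixed=False), open_record(tampered, fixed=True)),
    }
```

demo() returns the recovered MAC block for the vulnerable receiver, an empty result for the fixed one, and the pair of alerts the two receivers emit for the same tampered record. Treating bad padding as zero-length padding and still running the MAC check is the standard way to make the two failures indistinguishable; the advisory's point is that this property has to hold on every path the peer can observe, including what the application does after a fatal error during shutdown.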
Affected Software | Affected Version | How to fix |
---|---|---|
redhat/openssl | <0:1.0.1e-58.el6_10 | 0:1.0.1e-58.el6_10 |
redhat/openssl | <1:1.0.2k-19.el7 | 1:1.0.2k-19.el7 |
redhat/jws5-ecj | <0:4.12.0-1.redhat_1.1.el6 | 0:4.12.0-1.redhat_1.1.el6 |
redhat/jws5-javapackages-tools | <0:3.4.1-5.15.11.el6 | 0:3.4.1-5.15.11.el6 |
redhat/jws5-jboss-logging | <0:3.3.2-1.Final_redhat_00001.1.el6 | 0:3.3.2-1.Final_redhat_00001.1.el6 |
redhat/jws5-tomcat | <0:9.0.21-10.redhat_4.1.el6 | 0:9.0.21-10.redhat_4.1.el6 |
redhat/jws5-tomcat-native | <0:1.2.21-34.redhat_34.el6 | 0:1.2.21-34.redhat_34.el6 |
redhat/jws5-tomcat-vault | <0:1.1.8-1.Final_redhat_1.1.el6 | 0:1.1.8-1.Final_redhat_1.1.el6 |
redhat/jws5-ecj | <0:4.12.0-1.redhat_1.1.el7 | 0:4.12.0-1.redhat_1.1.el7 |
redhat/jws5-javapackages-tools | <0:3.4.1-5.15.11.el7 | 0:3.4.1-5.15.11.el7 |
redhat/jws5-jboss-logging | <0:3.3.2-1.Final_redhat_00001.1.el7 | 0:3.3.2-1.Final_redhat_00001.1.el7 |
redhat/jws5-tomcat | <0:9.0.21-10.redhat_4.1.el7 | 0:9.0.21-10.redhat_4.1.el7 |
redhat/jws5-tomcat-native | <0:1.2.21-34.redhat_34.el7 | 0:1.2.21-34.redhat_34.el7 |
redhat/jws5-tomcat-vault | <0:1.1.8-1.Final_redhat_1.1.el7 | 0:1.1.8-1.Final_redhat_1.1.el7 |
redhat/jws5-ecj | <0:4.12.0-1.redhat_1.1.el8 | 0:4.12.0-1.redhat_1.1.el8 |
redhat/jws5-javapackages-tools | <0:3.4.1-5.15.11.el8 | 0:3.4.1-5.15.11.el8 |
redhat/jws5-jboss-logging | <0:3.3.2-1.Final_redhat_00001.1.el8 | 0:3.3.2-1.Final_redhat_00001.1.el8 |
redhat/jws5-tomcat | <0:9.0.21-10.redhat_4.1.el8 | 0:9.0.21-10.redhat_4.1.el8 |
redhat/jws5-tomcat-native | <0:1.2.21-34.redhat_34.el8 | 0:1.2.21-34.redhat_34.el8 |
redhat/jws5-tomcat-vault | <0:1.1.8-1.Final_redhat_1.1.el8 | 0:1.1.8-1.Final_redhat_1.1.el8 |
redhat/imgbased | <0:1.1.9-0.1.el7e | 0:1.1.9-0.1.el7e |
redhat/ovirt-node-ng | <0:4.3.5-0.20190717.0.el7e | 0:4.3.5-0.20190717.0.el7e |
redhat/redhat-release-virtualization-host | <0:4.3.5-2.el7e | 0:4.3.5-2.el7e |
redhat/redhat-virtualization-host | <0:4.3.5-20190722.0.el7_7 | 0:4.3.5-20190722.0.el7_7 |
redhat/rhvm-appliance | <0:4.3-20190722.0.el7 | 0:4.3-20190722.0.el7 |
redhat/openssl | <1.0.2 | 1.0.2 |
OpenSSL OpenSSL | >=1.0.2<1.0.2r | |
Canonical Ubuntu Linux | =16.04 | |
Canonical Ubuntu Linux | =18.04 | |
Canonical Ubuntu Linux | =18.10 | |
Debian Debian Linux | =8.0 | |
Debian Debian Linux | =9.0 | |
Netapp Active Iq Unified Manager Windows | >=7.3 | |
Netapp Active Iq Unified Manager Vmware Vsphere | >=9.5 | |
Netapp Active Iq Unified Manager Windows | ||
NetApp AltaVault | ||
Netapp Cloud Backup | ||
Netapp Clustered Data Ontap Antivirus Connector | ||
Netapp Element Software | ||
Netapp Hci Management Node | ||
Netapp Hyper Converged Infrastructure | ||
NetApp OnCommand Insight | ||
Netapp Oncommand Unified Manager | ||
Netapp Oncommand Unified Manager Vsphere | ||
NetApp OnCommand Unified Manager Core Package | ||
NetApp OnCommand Workflow Automation | ||
Netapp Ontap Select Deploy | ||
NetApp ONTAP Select Deploy administration utility | ||
Netapp Santricity Smi-s Provider | ||
NetApp Service Processor | ||
Netapp Smi-s Provider | ||
Netapp Snapcenter | ||
Netapp Snapdrive Unix | ||
Netapp Snapdrive Windows | ||
Netapp Snapprotect | ||
Netapp Solidfire | ||
Netapp Steelstore Cloud Integrated Storage | ||
Netapp Storage Automation Store | ||
Netapp Storagegrid | >=9.0.0<=9.0.4 | |
Netapp Storagegrid | ||
Netapp Hci Compute Node | ||
F5 BIG-IP Access Policy Manager | >=12.1.0<=12.1.5 | |
F5 BIG-IP Access Policy Manager | >=13.0.0<=13.1.3 | |
F5 BIG-IP Access Policy Manager | >=14.0.0<=14.1.2 | |
F5 BIG-IP Access Policy Manager | >=15.0.0<=15.1.0 | |
F5 BIG-IP Advanced Firewall Manager | >=12.1.0<=12.1.5 | |
F5 BIG-IP Advanced Firewall Manager | >=13.0.0<=13.1.3 | |
F5 BIG-IP Advanced Firewall Manager | >=14.0.0<=14.1.2 | |
F5 BIG-IP Advanced Firewall Manager | >=15.0.0<=15.1.0 | |
F5 BIG-IP Analytics | >=12.1.0<=12.1.5 | |
F5 BIG-IP Analytics | >=13.0.0<=13.1.3 | |
F5 BIG-IP Analytics | >=14.0.0<=14.1.2 | |
F5 BIG-IP Analytics | >=15.0.0<=15.1.0 | |
F5 Big-ip Application Acceleration Manager | >=12.1.0<=12.1.5 | |
F5 Big-ip Application Acceleration Manager | >=13.0.0<=13.1.3 | |
F5 Big-ip Application Acceleration Manager | >=14.0.0<=14.1.2 | |
F5 Big-ip Application Acceleration Manager | >=15.0.0<=15.1.0 | |
F5 BIG-IP Application Security Manager | >=12.1.0<=12.1.5 | |
F5 BIG-IP Application Security Manager | >=13.0.0<=13.1.3 | |
F5 BIG-IP Application Security Manager | >=14.0.0<=14.1.2 | |
F5 BIG-IP Application Security Manager | >=15.0.0<=15.1.0 | |
F5 Big-ip Domain Name System | >=12.1.0<=12.1.5 | |
F5 Big-ip Domain Name System | >=13.0.0<=13.1.3 | |
F5 Big-ip Domain Name System | >=14.0.0<=14.1.2 | |
F5 Big-ip Domain Name System | >=15.0.0<=15.1.0 | |
F5 Big-ip Edge Gateway | >=12.1.0<=12.1.5 | |
F5 Big-ip Edge Gateway | >=13.0.0<=13.1.3 | |
F5 Big-ip Edge Gateway | >=14.0.0<=14.1.2 | |
F5 Big-ip Edge Gateway | >=15.0.0<=15.1.0 | |
F5 Big-ip Fraud Protection Service | >=12.1.0<=12.1.5 | |
F5 Big-ip Fraud Protection Service | >=13.0.0<=13.1.3 | |
F5 Big-ip Fraud Protection Service | >=14.0.0<=14.1.2 | |
F5 Big-ip Fraud Protection Service | >=15.0.0<=15.1.0 | |
F5 Big-ip Global Traffic Manager | >=12.1.0<=12.1.5 | |
F5 Big-ip Global Traffic Manager | >=13.0.0<=13.1.3 | |
F5 Big-ip Global Traffic Manager | >=14.0.0<=14.1.2 | |
F5 Big-ip Global Traffic Manager | >=15.0.0<=15.1.0 | |
F5 Big-ip Link Controller | >=12.1.0<=12.1.5 | |
F5 Big-ip Link Controller | >=13.0.0<=13.1.3 | |
F5 Big-ip Link Controller | >=14.0.0<=14.1.2 | |
F5 Big-ip Link Controller | >=15.0.0<=15.1.0 | |
F5 Big-ip Local Traffic Manager | >=12.1.0<=12.1.5 | |
F5 Big-ip Local Traffic Manager | >=13.0.0<=13.1.3 | |
F5 Big-ip Local Traffic Manager | >=14.0.0<=14.1.2 | |
F5 Big-ip Local Traffic Manager | >=15.0.0<=15.1.0 | |
F5 Big-ip Policy Enforcement Manager | >=12.1.0<=12.1.5 | |
F5 Big-ip Policy Enforcement Manager | >=13.0.0<=13.1.3 | |
F5 Big-ip Policy Enforcement Manager | >=14.0.0<=14.1.2 | |
F5 Big-ip Policy Enforcement Manager | >=15.0.0<=15.1.0 | |
F5 Big-ip Webaccelerator | >=12.1.0<=12.1.5 | |
F5 Big-ip Webaccelerator | >=13.0.0<=13.1.3 | |
F5 Big-ip Webaccelerator | >=14.0.0<=14.1.2 | |
F5 Big-ip Webaccelerator | >=15.0.0<=15.1.0 | |
F5 BIG-IQ Centralized Management | >=6.0.0<=6.1.0 | |
F5 BIG-IQ Centralized Management | >=7.0.0<=7.1.0 | |
F5 Traffix Signaling Delivery Controller | >=5.0.0<=5.1.0 | |
F5 Traffix Signaling Delivery Controller | =4.4.0 | |
Tenable Nessus | <=8.2.3 | |
openSUSE Leap | =15.0 | |
openSUSE Leap | =15.1 | |
openSUSE Leap | =42.3 | |
All of | ||
Netapp Cn1610 Firmware | ||
Netapp Cn1610 | ||
All of | ||
Netapp A320 Firmware | ||
Netapp A320 | ||
All of | ||
Netapp C190 Firmware | ||
Netapp C190 | ||
All of | ||
Netapp A220 Firmware | ||
Netapp A220 | ||
All of | ||
Netapp Fas2720 Firmware | ||
Netapp Fas2720 | ||
All of | ||
Netapp Fas2750 Firmware | ||
Netapp Fas2750 | ||
All of | ||
Netapp A800 Firmware | ||
Netapp A800 | ||
Fedoraproject Fedora | =29 | |
Fedoraproject Fedora | =30 | |
Fedoraproject Fedora | =31 | |
Mcafee Agent | >=5.6.0<=5.6.4 | |
McAfee Data eXchange Layer | >=4.0.0<6.0.0 | |
McAfee Threat Intelligence Exchange Server | >=2.0.0<3.0.0 | |
McAfee Web Gateway | >=7.0.0<9.0.0 | |
All of | ||
Redhat Jboss Enterprise Web Server | =5.0.0 | |
Any of | ||
Redhat Enterprise Linux | =6.0 | |
Redhat Enterprise Linux | =7.0 | |
Redhat Enterprise Linux | =8.0 | |
All of | ||
Any of | ||
Redhat Virtualization | =4.0 | |
Redhat Virtualization Host | =4.0 | |
Redhat Enterprise Linux | =7.0 | |
Redhat Enterprise Linux Desktop | =6.0 | |
Redhat Enterprise Linux Desktop | =7.0 | |
Redhat Enterprise Linux Server | =6.0 | |
Redhat Enterprise Linux Server | =7.0 | |
Redhat Enterprise Linux Workstation | =6.0 | |
Redhat Enterprise Linux Workstation | =7.0 | |
Oracle API Gateway | =11.1.2.4.0 | |
Oracle Business Intelligence | =11.1.1.9.0 | |
Oracle Business Intelligence | =12.2.1.3.0 | |
Oracle Business Intelligence | =12.2.1.4.0 | |
Oracle Communications Diameter Signaling Router | =8.0.0 | |
Oracle Communications Diameter Signaling Router | =8.1 | |
Oracle Communications Diameter Signaling Router | =8.2 | |
Oracle Communications Diameter Signaling Router | =8.3 | |
Oracle Communications Diameter Signaling Router | =8.4 | |
Oracle Communications Performance Intelligence Center | =10.4.0.2 | |
Oracle Communications Session Border Controller | =7.4 | |
Oracle Communications Session Border Controller | =8.0.0 | |
Oracle Communications Session Border Controller | =8.1.0 | |
Oracle Communications Session Border Controller | =8.2 | |
Oracle Communications Session Border Controller | =8.3 | |
Oracle Communications Session Router | =7.4 | |
Oracle Communications Session Router | =8.0 | |
Oracle Communications Session Router | =8.1 | |
Oracle Communications Session Router | =8.2 | |
Oracle Communications Session Router | =8.3 | |
Oracle Communications Unified Session Manager | =7.3.5 | |
Oracle Communications Unified Session Manager | =8.2.5 | |
Oracle Endeca Server | =7.7.0 | |
Oracle Enterprise Manager Base Platform | =12.1.0.5.0 | |
Oracle Enterprise Manager Base Platform | =13.2.0.0.0 | |
Oracle Enterprise Manager Base Platform | =13.3.0.0.0 | |
Oracle Enterprise Manager Ops Center | =12.3.3 | |
Oracle Enterprise Manager Ops Center | =12.4.0 | |
Oracle Jd Edwards Enterpriseone Tools | =9.2 | |
Oracle Jd Edwards World Security | =a9.3 | |
Oracle Jd Edwards World Security | =a9.3.1 | |
Oracle Jd Edwards World Security | =a9.4 | |
Oracle MySQL | >=5.6.0<=5.6.43 | |
Oracle MySQL | >=5.7.0<=5.7.25 | |
Oracle MySQL | >=8.0.0<=8.0.15 | |
Oracle Mysql Enterprise Monitor | <=4.0.8 | |
Oracle Mysql Enterprise Monitor | >=8.0.0<=8.0.14 | |
Oracle Mysql Workbench | <=8.0.16 | |
Oracle PeopleSoft Enterprise PeopleTools | =8.55 | |
Oracle PeopleSoft Enterprise PeopleTools | =8.56 | |
Oracle PeopleSoft Enterprise PeopleTools | =8.57 | |
Oracle Secure Global Desktop | =5.4 | |
Oracle Services Tools Bundle | =19.2 | |
Paloaltonetworks Pan-os | >=7.1.0<7.1.15 | |
Paloaltonetworks Pan-os | >=8.0.0<8.0.20 | |
Paloaltonetworks Pan-os | >=8.1.0<8.1.8 | |
Paloaltonetworks Pan-os | >=9.0.0<9.0.2 | |
Nodejs Node.js | >=6.0.0<=6.8.1 | |
Nodejs Node.js | >=6.9.0<6.17.0 | |
Nodejs Node.js | >=8.0.0<=8.8.1 | |
Nodejs Node.js | >=8.9.0<8.15.1 | |
IBM Security Verify Governance | <=10.0 | |
debian/openssl | | 1.1.1w-0+deb11u1, 1.1.1w-0+deb11u2, 3.0.15-1~deb12u1, 3.0.14-1~deb12u2, 3.3.2-2 |
As a workaround, where the application (compiled against OpenSSL) allows the ciphersuite string to be adjusted, disable the SHA384 ciphersuites, for example by appending `:!SHA384` to the cipher string (the `SHA384` cipher-string keyword selects suites that use the SHA384 MAC). This only narrows the set of non-stitched CBC ciphersuites a client can negotiate; upgrading to OpenSSL 1.0.2r or to the fixed vendor packages listed above is the actual fix.