NVD Vulnerability Detail

CVE-2019-1559

Summary	If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 byte record is received with an invalid MAC. If the application then behaves differently based on that in a way that is detectable to the remote peer, then this amounts to a padding oracle that could be used to decrypt data. In order for this to be exploitable "non-stitched" ciphersuites must be in use. Stitched ciphersuites are optimised implementations of certain commonly used ciphersuites. Also the application must call SSL_shutdown() twice even if a protocol error has occurred (applications should not do this but some do anyway). Fixed in OpenSSL 1.0.2r (Affected 1.0.2-1.0.2q).
Publication Date	Feb. 28, 2019, 8:29 a.m.
Registration Date	Jan. 26, 2021, 10:40 a.m.
Last Update	Nov. 21, 2024, 1:36 p.m.

CVSS3.1 : MEDIUM
スコア	5.9
Vector	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
攻撃元区分(AV)	ネットワーク
攻撃条件の複雑さ(AC)	高
攻撃に必要な特権レベル(PR)	不要
利用者の関与(UI)	不要
影響の想定範囲(S)	変更なし
機密性への影響(C)	高
完全性への影響(I)	なし
可用性への影響(A)	なし

CVSS2.0 : MEDIUM
Score	4.3
Vector	AV:N/AC:M/Au:N/C:P/I:N/A:N
攻撃元区分(AV)	ネットワーク
攻撃条件の複雑さ(AC)	中
攻撃前の認証要否(Au)	不要
機密性への影響(C)	低
完全性への影響(I)	なし
可用性への影響(A)	なし
Get all privileges.	いいえ
Get user privileges	いいえ
Get other privileges	いいえ
User operation required	いいえ

Affected software configurations

Configuration1		or higher	or less	more than	less than
cpe:2.3:a:openssl:openssl::::::::		1.0.2			1.0.2r

Configuration2	or higher	or less	more than	less than
cpe:2.3:o:canonical:ubuntu_linux:18.04::::lts:::
cpe:2.3:o:canonical:ubuntu_linux:18.10:::::::*
cpe:2.3:o:canonical:ubuntu_linux:16.04::::esm:::

Configuration3	or higher	or less	more than	less than
cpe:2.3:o:debian:debian_linux:8.0:::::::*
cpe:2.3:o:debian:debian_linux:9.0:::::::*

Configuration4	or higher	or less	more than	less than
cpe:2.3:a:netapp:hyper_converged_infrastructure:-:::::::*
cpe:2.3:a:netapp:cloud_backup:-:::::::*
cpe:2.3:a:netapp:santricity_smi-s_provider:-:::::::*
cpe:2.3:a:netapp:element_software:-:::::::*
cpe:2.3:a:netapp:snapdrive:-:::::unix::
cpe:2.3:a:netapp:snapcenter:-:::::::*
cpe:2.3:a:netapp:storage_automation_store:-:::::::*
cpe:2.3:a:netapp:ontap_select_deploy:-:::::::*
cpe:2.3:a:netapp:steelstore_cloud_integrated_storage:-:::::::*
cpe:2.3:a:netapp:oncommand_unified_manager:-:::::::*
cpe:2.3:a:netapp:oncommand_workflow_automation:-:::::::*
cpe:2.3:a:netapp:storagegrid:-:::::::*
cpe:2.3:a:netapp:storagegrid::::::::	9.0.0	9.0.4
cpe:2.3:a:netapp:oncommand_insight:-:::::::*
cpe:2.3:a:netapp:ontap_select_deploy_administration_utility:-:::::::*
cpe:2.3:a:netapp:oncommand_unified_manager:-:::::vsphere::
cpe:2.3:a:netapp:service_processor:-:::::::*
cpe:2.3:a:netapp:smi-s_provider:-:::::::*
cpe:2.3:a:netapp:clustered_data_ontap_antivirus_connector:-:::::::*
cpe:2.3:a:netapp:snapdrive:-:::::windows::
cpe:2.3:a:netapp:active_iq_unified_manager::::::windows::*	7.3
cpe:2.3:a:netapp:active_iq_unified_manager::::::vmware_vsphere::*	9.5
cpe:2.3:a:netapp:solidfire:-:::::::*
cpe:2.3:a:netapp:hci_management_node:-:::::::*
cpe:2.3:a:netapp:snapprotect:-:::::::*
cpe:2.3:h:netapp:hci_compute_node:-:::::::*
cpe:2.3:a:netapp:oncommand_unified_manager_core_package:-:::::::*
cpe:2.3:a:netapp:active_iq_unified_manager:-:::::windows::
cpe:2.3:a:netapp:altavault:-:::::::*

Configuration5	or higher	or less	more than	less than
cpe:2.3:a:f5:traffix_signaling_delivery_controller::::::::	5.0.0	5.1.0
cpe:2.3:a:f5:traffix_signaling_delivery_controller:4.4.0:::::::*
cpe:2.3:a:f5:big-iq_centralized_management::::::::	6.0.0	6.1.0
cpe:2.3:a:f5:big-ip_local_traffic_manager::::::::	12.1.0	12.1.5
cpe:2.3:a:f5:big-ip_local_traffic_manager::::::::	13.0.0	13.1.3
cpe:2.3:a:f5:big-ip_local_traffic_manager::::::::	14.0.0	14.1.2
cpe:2.3:a:f5:big-ip_advanced_firewall_manager::::::::	12.1.0	12.1.5
cpe:2.3:a:f5:big-ip_advanced_firewall_manager::::::::	13.0.0	13.1.3
cpe:2.3:a:f5:big-ip_advanced_firewall_manager::::::::	14.0.0	14.1.2
cpe:2.3:a:f5:big-ip_application_acceleration_manager::::::::	12.1.0	12.1.5
cpe:2.3:a:f5:big-ip_application_acceleration_manager::::::::	13.0.0	13.1.3
cpe:2.3:a:f5:big-ip_application_acceleration_manager::::::::	14.0.0	14.1.2
cpe:2.3:a:f5:big-ip_analytics::::::::	12.1.0	12.1.5
cpe:2.3:a:f5:big-ip_analytics::::::::	13.0.0	13.1.3
cpe:2.3:a:f5:big-ip_analytics::::::::	14.0.0	14.1.2
cpe:2.3:a:f5:big-ip_access_policy_manager::::::::	12.1.0	12.1.5
cpe:2.3:a:f5:big-ip_access_policy_manager::::::::	13.0.0	13.1.3
cpe:2.3:a:f5:big-ip_access_policy_manager::::::::	14.0.0	14.1.2
cpe:2.3:a:f5:big-ip_application_security_manager::::::::	12.1.0	12.1.5
cpe:2.3:a:f5:big-ip_application_security_manager::::::::	13.0.0	13.1.3
cpe:2.3:a:f5:big-ip_application_security_manager::::::::	14.0.0	14.1.2
cpe:2.3:a:f5:big-ip_edge_gateway::::::::	12.1.0	12.1.5
cpe:2.3:a:f5:big-ip_edge_gateway::::::::	13.0.0	13.1.3
cpe:2.3:a:f5:big-ip_edge_gateway::::::::	14.0.0	14.1.2
cpe:2.3:a:f5:big-ip_fraud_protection_service::::::::	12.1.0	12.1.5
cpe:2.3:a:f5:big-ip_fraud_protection_service::::::::	13.0.0	13.1.3
cpe:2.3:a:f5:big-ip_fraud_protection_service::::::::	14.0.0	14.1.2
cpe:2.3:a:f5:big-ip_global_traffic_manager::::::::	12.1.0	12.1.5
cpe:2.3:a:f5:big-ip_global_traffic_manager::::::::	13.0.0	13.1.3
cpe:2.3:a:f5:big-ip_global_traffic_manager::::::::	14.0.0	14.1.2
cpe:2.3:a:f5:big-ip_link_controller::::::::	12.1.0	12.1.5
cpe:2.3:a:f5:big-ip_link_controller::::::::	13.0.0	13.1.3
cpe:2.3:a:f5:big-ip_link_controller::::::::	14.0.0	14.1.2
cpe:2.3:a:f5:big-ip_policy_enforcement_manager::::::::	12.1.0	12.1.5
cpe:2.3:a:f5:big-ip_policy_enforcement_manager::::::::	13.0.0	13.1.3
cpe:2.3:a:f5:big-ip_policy_enforcement_manager::::::::	14.0.0	14.1.2
cpe:2.3:a:f5:big-ip_webaccelerator::::::::	12.1.0	12.1.5
cpe:2.3:a:f5:big-ip_webaccelerator::::::::	13.0.0	13.1.3
cpe:2.3:a:f5:big-ip_webaccelerator::::::::	14.0.0	14.1.2
cpe:2.3:a:f5:big-ip_domain_name_system::::::::	12.1.0	12.1.5
cpe:2.3:a:f5:big-ip_domain_name_system::::::::	13.0.0	13.1.3
cpe:2.3:a:f5:big-ip_domain_name_system::::::::	14.0.0	14.1.2
cpe:2.3:a:f5:big-ip_access_policy_manager::::::::	15.0.0	15.1.0
cpe:2.3:a:f5:big-ip_advanced_firewall_manager::::::::	15.0.0	15.1.0
cpe:2.3:a:f5:big-ip_analytics::::::::	15.0.0	15.1.0
cpe:2.3:a:f5:big-ip_application_acceleration_manager::::::::	15.0.0	15.1.0
cpe:2.3:a:f5:big-ip_application_security_manager::::::::	15.0.0	15.1.0
cpe:2.3:a:f5:big-ip_domain_name_system::::::::	15.0.0	15.1.0
cpe:2.3:a:f5:big-ip_edge_gateway::::::::	15.0.0	15.1.0
cpe:2.3:a:f5:big-ip_fraud_protection_service::::::::	15.0.0	15.1.0
cpe:2.3:a:f5:big-ip_global_traffic_manager::::::::	15.0.0	15.1.0
cpe:2.3:a:f5:big-ip_link_controller::::::::	15.0.0	15.1.0
cpe:2.3:a:f5:big-ip_local_traffic_manager::::::::	15.0.0	15.1.0
cpe:2.3:a:f5:big-ip_policy_enforcement_manager::::::::	15.0.0	15.1.0
cpe:2.3:a:f5:big-ip_webaccelerator::::::::	15.0.0	15.1.0
cpe:2.3:a:f5:big-iq_centralized_management::::::::	7.0.0	7.1.0

Configuration6		or higher	or less	more than	less than
cpe:2.3:a:tenable:nessus::::::::			8.2.3

Configuration7	or higher	or less	more than	less than
cpe:2.3:o:opensuse:leap:42.3:::::::*
cpe:2.3:o:opensuse:leap:15.0:::::::*
cpe:2.3:o:opensuse:leap:15.1:::::::*

Configuration8		or higher	or less	more than	less than
cpe:2.3:o:netapp:cn1610_firmware:-:::::::*
execution environment
1	cpe:2.3:h:netapp:cn1610:-:::::::*

Configuration9		or higher	or less	more than	less than
cpe:2.3:o:netapp:a320_firmware:-:::::::*
execution environment
1	cpe:2.3:h:netapp:a320:-:::::::*

Configuration10		or higher	or less	more than	less than
cpe:2.3:o:netapp:c190_firmware:-:::::::*
execution environment
1	cpe:2.3:h:netapp:c190:-:::::::*

Configuration11		or higher	or less	more than	less than
cpe:2.3:o:netapp:a220_firmware:-:::::::*
execution environment
1	cpe:2.3:h:netapp:a220:-:::::::*

Configuration12		or higher	or less	more than	less than
cpe:2.3:o:netapp:fas2720_firmware:-:::::::*
execution environment
1	cpe:2.3:h:netapp:fas2720:-:::::::*

Configuration13		or higher	or less	more than	less than
cpe:2.3:o:netapp:fas2750_firmware:-:::::::*
execution environment
1	cpe:2.3:h:netapp:fas2750:-:::::::*

Configuration14		or higher	or less	more than	less than
cpe:2.3:o:netapp:a800_firmware:-:::::::*
execution environment
1	cpe:2.3:h:netapp:a800:-:::::::*

Configuration15	or higher	or less	more than	less than
cpe:2.3:o:fedoraproject:fedora:29:::::::*
cpe:2.3:o:fedoraproject:fedora:30:::::::*
cpe:2.3:o:fedoraproject:fedora:31:::::::*

Configuration16	or higher	or less	more than	less than
cpe:2.3:a:mcafee:data_exchange_layer::::::::	4.0.0			6.0.0
cpe:2.3:a:mcafee:agent::::::::	5.6.0	5.6.4
cpe:2.3:a:mcafee:threat_intelligence_exchange_server::::::::	2.0.0			3.0.0
cpe:2.3:a:mcafee:web_gateway::::::::	7.0.0			9.0.0

Configuration17		or higher	or less	more than	less than
cpe:2.3:a:redhat:jboss_enterprise_web_server:5.0.0:::::::*
execution environment
1	cpe:2.3:o:redhat:enterprise_linux:6.0:::::::*
2	cpe:2.3:o:redhat:enterprise_linux:7.0:::::::*
3	cpe:2.3:o:redhat:enterprise_linux:8.0:::::::*

Configuration18		or higher	or less	more than	less than
cpe:2.3:a:redhat:virtualization:4.0:::::::*
cpe:2.3:a:redhat:virtualization_host:4.0:::::::*
execution environment
1	cpe:2.3:o:redhat:enterprise_linux:7.0:::::::*

Configuration19	or higher	or less	more than	less than
cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_server:7.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_server:6.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:::::::*

Configuration20	or higher	or less	more than	less than
cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:9.2:::::::*
cpe:2.3:a:oracle:api_gateway:11.1.2.4.0:::::::*
cpe:2.3:a:oracle:business_intelligence:11.1.1.9.0::::enterprise:::
cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.55:::::::*
cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.56:::::::*
cpe:2.3:a:oracle:business_intelligence:12.2.1.3.0::::enterprise:::
cpe:2.3:a:oracle:enterprise_manager_ops_center:12.3.3:::::::*
cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.57:::::::*
cpe:2.3:a:oracle:mysql::::::::	5.7.0	5.7.25
cpe:2.3:a:oracle:mysql::::::::	8.0.0	8.0.15
cpe:2.3:a:oracle:secure_global_desktop:5.4:::::::*
cpe:2.3:a:oracle:business_intelligence:12.2.1.4.0::::enterprise:::
cpe:2.3:a:oracle:communications_session_border_controller:8.0.0:::::::*
cpe:2.3:a:oracle:communications_session_border_controller:8.1.0:::::::*
cpe:2.3:a:oracle:enterprise_manager_base_platform:13.2.0.0.0:::::::*
cpe:2.3:a:oracle:jd_edwards_world_security:a9.3:::::::*
cpe:2.3:a:oracle:jd_edwards_world_security:a9.4:::::::*
cpe:2.3:a:oracle:mysql::::::::	5.6.0	5.6.43
cpe:2.3:a:oracle:communications_diameter_signaling_router:8.0.0:::::::*
cpe:2.3:a:oracle:communications_diameter_signaling_router:8.1:::::::*
cpe:2.3:a:oracle:communications_diameter_signaling_router:8.2:::::::*
cpe:2.3:a:oracle:communications_diameter_signaling_router:8.3:::::::*
cpe:2.3:a:oracle:communications_diameter_signaling_router:8.4:::::::*
cpe:2.3:a:oracle:communications_performance_intelligence_center:10.4.0.2:::::::*
cpe:2.3:a:oracle:communications_session_border_controller:7.4:::::::*
cpe:2.3:a:oracle:communications_session_border_controller:8.2:::::::*
cpe:2.3:a:oracle:communications_session_border_controller:8.3:::::::*
cpe:2.3:a:oracle:communications_session_router:7.4:::::::*
cpe:2.3:a:oracle:communications_session_router:8.0:::::::*
cpe:2.3:a:oracle:communications_session_router:8.1:::::::*
cpe:2.3:a:oracle:communications_session_router:8.2:::::::*
cpe:2.3:a:oracle:communications_session_router:8.3:::::::*
cpe:2.3:a:oracle:communications_unified_session_manager:7.3.5:::::::*
cpe:2.3:a:oracle:endeca_server:7.7.0:::::::*
cpe:2.3:a:oracle:enterprise_manager_base_platform:12.1.0.5.0:::::::*
cpe:2.3:a:oracle:enterprise_manager_base_platform:13.3.0.0.0:::::::*
cpe:2.3:a:oracle:enterprise_manager_ops_center:12.4.0:::::::*
cpe:2.3:a:oracle:jd_edwards_world_security:a9.3.1:::::::*
cpe:2.3:a:oracle:mysql_enterprise_monitor::::::::		4.0.8
cpe:2.3:a:oracle:mysql_enterprise_monitor::::::::	8.0.0	8.0.14
cpe:2.3:a:oracle:mysql_workbench::::::::		8.0.16
cpe:2.3:a:oracle:services_tools_bundle:19.2:::::::*
cpe:2.3:a:oracle:communications_unified_session_manager:8.2.5:::::::*

Configuration21	or higher	or less	more than	less than
cpe:2.3:o:paloaltonetworks:pan-os::::::::	8.0.0			8.0.20
cpe:2.3:o:paloaltonetworks:pan-os::::::::	8.1.0			8.1.8
cpe:2.3:o:paloaltonetworks:pan-os::::::::	9.0.0			9.0.2
cpe:2.3:o:paloaltonetworks:pan-os::::::::	7.1.0			7.1.15

Configuration22	or higher	or less	more than	less than
cpe:2.3:a:nodejs:node.js:::::-:::*	6.0.0	6.8.1
cpe:2.3:a:nodejs:node.js:::::-:::*	8.0.0	8.8.1
cpe:2.3:a:nodejs:node.js:::::lts:::*	6.9.0			6.17.0
cpe:2.3:a:nodejs:node.js:::::lts:::*	8.9.0			8.15.1

Related information, measures and tools

No	URL	タグ
1	http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00041.html	Mailing List Third Party Advisory
2	http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00041.html	Mailing List Third Party Advisory
3	http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00019.html	Mailing List Third Party Advisory
4	http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00019.html	Mailing List Third Party Advisory
5	http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00046.html	Mailing List Third Party Advisory
6	http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00046.html	Mailing List Third Party Advisory
7	http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00047.html	Mailing List Third Party Advisory
8	http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00047.html	Mailing List Third Party Advisory
9	http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00049.html	Mailing List Third Party Advisory
10	http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00049.html	Mailing List Third Party Advisory
11	http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00080.html	Mailing List Third Party Advisory
12	http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00080.html	Mailing List Third Party Advisory
13	http://www.securityfocus.com/bid/107174	Third Party Advisory VDB Entry
14	http://www.securityfocus.com/bid/107174	Third Party Advisory VDB Entry
15	https://access.redhat.com/errata/RHSA-2019:2304	Third Party Advisory
16	https://access.redhat.com/errata/RHSA-2019:2304	Third Party Advisory
17	https://access.redhat.com/errata/RHSA-2019:2437	Third Party Advisory
18	https://access.redhat.com/errata/RHSA-2019:2437	Third Party Advisory
19	https://access.redhat.com/errata/RHSA-2019:2439	Third Party Advisory
20	https://access.redhat.com/errata/RHSA-2019:2439	Third Party Advisory
21	https://access.redhat.com/errata/RHSA-2019:2471	Third Party Advisory
22	https://access.redhat.com/errata/RHSA-2019:2471	Third Party Advisory
23	https://access.redhat.com/errata/RHSA-2019:3929	Third Party Advisory
24	https://access.redhat.com/errata/RHSA-2019:3929	Third Party Advisory
25	https://access.redhat.com/errata/RHSA-2019:3931	Third Party Advisory
26	https://access.redhat.com/errata/RHSA-2019:3931	Third Party Advisory
27	https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=e9bbefbf0f24c57645e7ad6a5a71ae649d18ac8e
28	https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=e9bbefbf0f24c57645e7ad6a5a71ae649d18ac8e
29	https://kc.mcafee.com/corporate/index?page=content&id=SB10282	Third Party Advisory
30	https://kc.mcafee.com/corporate/index?page=content&id=SB10282	Third Party Advisory
31	https://lists.debian.org/debian-lts-announce/2019/03/msg00003.html	Mailing List Third Party Advisory
32	https://lists.debian.org/debian-lts-announce/2019/03/msg00003.html	Mailing List Third Party Advisory
33	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EWC42UXL5GHTU5G77VKBF6JYUUNGSHOM/
34	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EWC42UXL5GHTU5G77VKBF6JYUUNGSHOM/
35	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Y3IVFGSERAZLNJCK35TEM2R4726XIH3Z/
36	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Y3IVFGSERAZLNJCK35TEM2R4726XIH3Z/
37	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZBEV5QGDRFUZDMNECFXUSN5FMYOZDE4V/
38	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZBEV5QGDRFUZDMNECFXUSN5FMYOZDE4V/
39	https://security.gentoo.org/glsa/201903-10	Third Party Advisory
40	https://security.gentoo.org/glsa/201903-10	Third Party Advisory
41	https://security.netapp.com/advisory/ntap-20190301-0001/	Patch Third Party Advisory
42	https://security.netapp.com/advisory/ntap-20190301-0001/	Patch Third Party Advisory
43	https://security.netapp.com/advisory/ntap-20190301-0002/	Broken Link Third Party Advisory
44	https://security.netapp.com/advisory/ntap-20190301-0002/	Broken Link Third Party Advisory
45	https://security.netapp.com/advisory/ntap-20190423-0002/	Third Party Advisory
46	https://security.netapp.com/advisory/ntap-20190423-0002/	Third Party Advisory
47	https://support.f5.com/csp/article/K18549143	Third Party Advisory
48	https://support.f5.com/csp/article/K18549143	Third Party Advisory
49	https://support.f5.com/csp/article/K18549143?utm_source=f5support&amp%3Butm_medium=RSS
50	https://support.f5.com/csp/article/K18549143?utm_source=f5support&amp%3Butm_medium=RSS
51	https://usn.ubuntu.com/3899-1/	Third Party Advisory
52	https://usn.ubuntu.com/3899-1/	Third Party Advisory
53	https://usn.ubuntu.com/4376-2/	Broken Link
54	https://usn.ubuntu.com/4376-2/	Broken Link
55	https://www.debian.org/security/2019/dsa-4400	Third Party Advisory
56	https://www.debian.org/security/2019/dsa-4400	Third Party Advisory
57	https://www.openssl.org/news/secadv/20190226.txt	Vendor Advisory
58	https://www.openssl.org/news/secadv/20190226.txt	Vendor Advisory
59	https://www.oracle.com/security-alerts/cpujan2020.html	Third Party Advisory
60	https://www.oracle.com/security-alerts/cpujan2020.html	Third Party Advisory
61	https://www.oracle.com/security-alerts/cpujan2021.html	Third Party Advisory
62	https://www.oracle.com/security-alerts/cpujan2021.html	Third Party Advisory
63	https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html	Patch Third Party Advisory
64	https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html	Patch Third Party Advisory
65	https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html	Patch Third Party Advisory
66	https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html	Patch Third Party Advisory
67	https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html	Patch Third Party Advisory
68	https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html	Patch Third Party Advisory
69	https://www.tenable.com/security/tns-2019-02	Patch Third Party Advisory
70	https://www.tenable.com/security/tns-2019-02	Patch Third Party Advisory
71	https://www.tenable.com/security/tns-2019-03	Third Party Advisory
72	https://www.tenable.com/security/tns-2019-03	Third Party Advisory

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-203	セキュリティ関連の処理に対するレスポンスの違いに起因する情報漏えい	https://cwe.mitre.org/data/definitions/203.html

JVN Vulnerability Information

OpenSSL における情報漏えいに関する脆弱性

Title	OpenSSL における情報漏えいに関する脆弱性
Summary	OpenSSL には、情報漏えいに関する脆弱性が存在します。
Possible impacts	情報を取得される可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	Feb. 26, 2019, midnight
Registration Date	April 2, 2019, 5:10 p.m.
Last Update	July 15, 2021, 3:04 p.m.

Affected System

OpenSSL Project

OpenSSL 1.0.2 から 1.0.2q

日立

Cosminexus HTTP Server

Job Management System Partern 1/Automatic Job Management System 3 - Web Operation Assistant

JP1/Automatic Job Management System 3 - Manager

JP1/Automatic Job Management System 3 - Web Operation Assistant

JP1/Automatic Operation

JP1/Data Highway - Server

JP1/Data Highway - Server Starter Edition

JP1/IT Desktop Management 2 - Smart Device Manager

JP1/Operations Analytics

JP1/Performance Management - Manager

JP1/SNMP System Observer

uCosminexus Application Server

uCosminexus Application Server (64)

uCosminexus Application Server -R

uCosminexus Developer

uCosminexus Primary Server Base

uCosminexus Primary Server Base(64)

uCosminexus Service Architect

uCosminexus Service Platform

uCosminexus Service Platform (64)

Debian

Debian GNU/Linux

Canonical

Ubuntu

NetApp

Element Software

NetApp Hyper Converged Infrastructure

NetApp StorageGRID Webscale

OnCommand Unified Manager

OnCommand Workflow Automation

ONTAP Select Deploy

ONTAP Select Deploy administration utility

SANtricity SMI-S Provider

SnapDrive

SteelStore Cloud Integrated Storage

openSUSE project

openSUSE Leap

F5 Networks

Traffix SDC

Tenable, Inc.

Nessus

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2019-1559	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1559
National Vulnerability Database (NVD)
2	CVE-2019-1559	https://nvd.nist.gov/vuln/detail/CVE-2019-1559

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-200	https://jvndb.jvn.jp/ja/cwe/CWE-200.html

ベンダー情報

No	Name	URL
Debian
1	[SECURITY] [DLA 1701-1] openssl security update	https://lists.debian.org/debian-lts-announce/2019/03/msg00003.html
Debian Security Advisory
2	DSA-4400	https://www.debian.org/security/2019/dsa-4400
Git
3	Go into the error state if a fatal alert is sent or received	https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e9bbefbf0f24c57645e7ad6a5a71ae649d18ac8e
Hitachi Software Vulnerability Information
4	hitachi-sec-2019-112	http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/hitachi-sec-2019-112/index.html
5	hitachi-sec-2019-132	http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/hitachi-sec-2019-132/index.html
6	hitachi-sec-2021-121	https://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/hitachi-sec-2021-121/index.html
NetApp Advisory
7	NTAP-20190301-0001	https://security.netapp.com/advisory/ntap-20190301-0001/
OpenSSL Security Advisory
8	0-byte record padding oracle (CVE-2019-1559)	https://www.openssl.org/news/secadv/20190226.txt
opensuse-security-announce
9	openSUSE-SU-2019:1076-1	http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00041.html
Security Advisory
10	K18549143	https://support.f5.com/csp/article/K18549143
Tenable Network Security
11	TNS-2019-02	https://www.tenable.com/security/tns-2019-02
Ubuntu Security Notice
12	USN-3899-1	https://usn.ubuntu.com/3899-1/
ソフトウェア製品セキュリティ情報
13	hitachi-sec-2019-112	http://www.hitachi.co.jp/Prod/comp/soft1/security/info/vuls/hitachi-sec-2019-112/index.html
14	hitachi-sec-2019-132	http://www.hitachi.co.jp/Prod/comp/soft1/security/info/vuls/hitachi-sec-2019-132/index.html
15	hitachi-sec-2021-121	https://www.hitachi.co.jp/Prod/comp/soft1/security/info/vuls/hitachi-sec-2021-121/index.html

Change Log

No	Changed Details	Date of change
3	[2019年12月26日] 影響を受けるシステム：ベンダ情報の追加に伴い内容を更新ベンダ情報：Hitachi Software Vulnerability Information (hitachi-sec-2019-132) を追加ベンダ情報：ソフトウェア製品セキュリティ情報 (hitachi-sec-2019-132) を追加	Dec. 26, 2019, 3:04 p.m.
1	[2019年04月02日] 掲載	Dec. 26, 2019, 3:06 p.m.
2	[2019年06月03日] 影響を受けるシステム：ベンダ情報の追加に伴い内容を更新ベンダ情報：Hitachi Software Vulnerability Information (hitachi-sec-2019-112) を追加ベンダ情報：ソフトウェア製品セキュリティ情報 (hitachi-sec-2019-112) を追加	Dec. 26, 2019, 3:06 p.m.
4	[2021年07月15日] 影響を受けるシステム：ベンダ情報 (hitachi-sec-2021-121) の更新に伴い内容を更新ベンダ情報：日立 (hitachi-sec-2021-121) を追加	July 15, 2021, 2:23 p.m.

Configuration4	or higher	or less	more than	less than
cpe:2.3:a:netapp:hyper_converged_infrastructure:-:::::::*
cpe:2.3:a:netapp:cloud_backup:-:::::::*
cpe:2.3:a:netapp:santricity_smi-s_provider:-:::::::*
cpe:2.3:a:netapp:element_software:-:::::::*
cpe:2.3:a:netapp:snapdrive:-:::::unix::
cpe:2.3:a:netapp:snapcenter:-:::::::*
cpe:2.3:a:netapp:storage_automation_store:-:::::::*
cpe:2.3:a:netapp:ontap_select_deploy:-:::::::*
cpe:2.3:a:netapp:steelstore_cloud_integrated_storage:-:::::::*
cpe:2.3:a:netapp:oncommand_unified_manager:-:::::::*
cpe:2.3:a:netapp:oncommand_workflow_automation:-:::::::*
cpe:2.3:a:netapp:storagegrid:-:::::::*
cpe:2.3:a:netapp:storagegrid::::::::	9.0.0	9.0.4
cpe:2.3:a:netapp:oncommand_insight:-:::::::*
cpe:2.3:a:netapp:ontap_select_deploy_administration_utility:-:::::::*
cpe:2.3:a:netapp:oncommand_unified_manager:-:::::vsphere::
cpe:2.3:a:netapp:service_processor:-:::::::*
cpe:2.3:a:netapp:smi-s_provider:-:::::::*
cpe:2.3:a:netapp:clustered_data_ontap_antivirus_connector:-:::::::*
cpe:2.3:a:netapp:snapdrive:-:::::windows::
cpe:2.3:a:netapp:active_iq_unified_manager::::::windows::*	7.3
cpe:2.3:a:netapp:active_iq_unified_manager::::::vmware_vsphere::*	9.5
cpe:2.3:a:netapp:solidfire:-:::::::*
cpe:2.3:a:netapp:hci_management_node:-:::::::*
cpe:2.3:a:netapp:snapprotect:-:::::::*
cpe:2.3:h:netapp:hci_compute_node:-:::::::*
cpe:2.3:a:netapp:oncommand_unified_manager_core_package:-:::::::*
cpe:2.3:a:netapp:active_iq_unified_manager:-:::::windows::
cpe:2.3:a:netapp:altavault:-:::::::*

Configuration19	or higher	or less	more than	less than
cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_server:7.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_server:6.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:::::::*

Configuration20	or higher	or less	more than	less than
cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:9.2:::::::*
cpe:2.3:a:oracle:api_gateway:11.1.2.4.0:::::::*
cpe:2.3:a:oracle:business_intelligence:11.1.1.9.0::::enterprise:::
cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.55:::::::*
cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.56:::::::*
cpe:2.3:a:oracle:business_intelligence:12.2.1.3.0::::enterprise:::
cpe:2.3:a:oracle:enterprise_manager_ops_center:12.3.3:::::::*
cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.57:::::::*
cpe:2.3:a:oracle:mysql::::::::	5.7.0	5.7.25
cpe:2.3:a:oracle:mysql::::::::	8.0.0	8.0.15
cpe:2.3:a:oracle:secure_global_desktop:5.4:::::::*
cpe:2.3:a:oracle:business_intelligence:12.2.1.4.0::::enterprise:::
cpe:2.3:a:oracle:communications_session_border_controller:8.0.0:::::::*
cpe:2.3:a:oracle:communications_session_border_controller:8.1.0:::::::*
cpe:2.3:a:oracle:enterprise_manager_base_platform:13.2.0.0.0:::::::*
cpe:2.3:a:oracle:jd_edwards_world_security:a9.3:::::::*
cpe:2.3:a:oracle:jd_edwards_world_security:a9.4:::::::*
cpe:2.3:a:oracle:mysql::::::::	5.6.0	5.6.43
cpe:2.3:a:oracle:communications_diameter_signaling_router:8.0.0:::::::*
cpe:2.3:a:oracle:communications_diameter_signaling_router:8.1:::::::*
cpe:2.3:a:oracle:communications_diameter_signaling_router:8.2:::::::*
cpe:2.3:a:oracle:communications_diameter_signaling_router:8.3:::::::*
cpe:2.3:a:oracle:communications_diameter_signaling_router:8.4:::::::*
cpe:2.3:a:oracle:communications_performance_intelligence_center:10.4.0.2:::::::*
cpe:2.3:a:oracle:communications_session_border_controller:7.4:::::::*
cpe:2.3:a:oracle:communications_session_border_controller:8.2:::::::*
cpe:2.3:a:oracle:communications_session_border_controller:8.3:::::::*
cpe:2.3:a:oracle:communications_session_router:7.4:::::::*
cpe:2.3:a:oracle:communications_session_router:8.0:::::::*
cpe:2.3:a:oracle:communications_session_router:8.1:::::::*
cpe:2.3:a:oracle:communications_session_router:8.2:::::::*
cpe:2.3:a:oracle:communications_session_router:8.3:::::::*
cpe:2.3:a:oracle:communications_unified_session_manager:7.3.5:::::::*
cpe:2.3:a:oracle:endeca_server:7.7.0:::::::*
cpe:2.3:a:oracle:enterprise_manager_base_platform:12.1.0.5.0:::::::*
cpe:2.3:a:oracle:enterprise_manager_base_platform:13.3.0.0.0:::::::*
cpe:2.3:a:oracle:enterprise_manager_ops_center:12.4.0:::::::*
cpe:2.3:a:oracle:jd_edwards_world_security:a9.3.1:::::::*
cpe:2.3:a:oracle:mysql_enterprise_monitor::::::::		4.0.8
cpe:2.3:a:oracle:mysql_enterprise_monitor::::::::	8.0.0	8.0.14
cpe:2.3:a:oracle:mysql_workbench::::::::		8.0.16
cpe:2.3:a:oracle:services_tools_bundle:19.2:::::::*
cpe:2.3:a:oracle:communications_unified_session_manager:8.2.5:::::::*