{"id":"CVE-2019-1559","details":"If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 byte record is received with an invalid MAC. If the application then behaves differently based on that in a way that is detectable to the remote peer, then this amounts to a padding oracle that could be used to decrypt data. In order for this to be exploitable \"non-stitched\" ciphersuites must be in use. Stitched ciphersuites are optimised implementations of certain commonly used ciphersuites. Also the application must call SSL_shutdown() twice even if a protocol error has occurred (applications should not do this but some do anyway). Fixed in OpenSSL 1.0.2r (Affected 1.0.2-1.0.2q).","modified":"2026-04-16T01:40:32.163720708Z","published":"2019-02-27T23:29:00.277Z","related":["CGA-gh94-xch9-qggh","SUSE-FU-2022:0445-1","SUSE-SU-2019:0572-1","SUSE-SU-2019:0600-1","SUSE-SU-2019:0658-1","SUSE-SU-2019:0803-1","SUSE-SU-2019:0818-1","SUSE-SU-2019:1362-1","SUSE-SU-2019:14091-1","SUSE-SU-2019:14092-1","SUSE-SU-2019:1553-1","SUSE-SU-2019:1608-1","openSUSE-SU-2019:1105-1","openSUSE-SU-2019:1432-1","openSUSE-SU-2024:11126-1"],"references":[{"type":"WEB","url":"https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=e9bbefbf0f24c57645e7ad6a5a71ae649d18ac8e"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EWC42UXL5GHTU5G77VKBF6JYUUNGSHOM/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Y3IVFGSERAZLNJCK35TEM2R4726XIH3Z/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZBEV5QGDRFUZDMNECFXUSN5FMYOZDE4V/"},{"type":"WEB","url":"https://support.f5.com/csp/article/K18549143?utm_source=f5support&amp%3Butm_medium=RSS"},{"type":"WEB","url":"https://usn.ubuntu.com/4376-2/"},{"type":"ADVISORY","url":"http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00041.html"},{"type":"ADVISORY","url":"http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00019.html"},{"type":"ADVISORY","url":"http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00046.html"},{"type":"ADVISORY","url":"http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00047.html"},{"type":"ADVISORY","url":"http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00049.html"},{"type":"ADVISORY","url":"http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00080.html"},{"type":"ADVISORY","url":"http://www.securityfocus.com/bid/107174"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2019:2304"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2019:2437"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2019:2439"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2019:2471"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2019:3929"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2019:3931"},{"type":"ADVISORY","url":"https://kc.mcafee.com/corporate/index?page=content&id=SB10282"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2019/03/msg00003.html"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/201903-10"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20190301-0001/"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20190301-0002/"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20190423-0002/"},{"type":"ADVISORY","url":"https://support.f5.com/csp/article/K18549143"},{"type":"ADVISORY","url":"https://usn.ubuntu.com/3899-1/"},{"type":"ADVISORY","url":"https://www.debian.org/security/2019/dsa-4400"},{"type":"ADVISORY","url":"https://www.openssl.org/news/secadv/20190226.txt"},{"type":"ADVISORY","url":"https://www.oracle.com/security-alerts/cpujan2020.html"},{"type":"ADVISORY","url":"https://www.oracle.com/security-alerts/cpujan2021.html"},{"type":"ADVISORY","url":"https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html"},{"type":"ADVISORY","url":"https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html"},{"type":"ADVISORY","url":"https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html"},{"type":"ADVISORY","url":"https://www.tenable.com/security/tns-2019-02"},{"type":"ADVISORY","url":"https://www.tenable.com/security/tns-2019-03"},{"type":"FIX","url":"https://security.netapp.com/advisory/ntap-20190301-0001/"},{"type":"FIX","url":"https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html"},{"type":"FIX","url":"https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html"},{"type":"FIX","url":"https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html"},{"type":"FIX","url":"https://www.tenable.com/security/tns-2019-02"},{"type":"ARTICLE","url":"http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00041.html"},{"type":"ARTICLE","url":"http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00019.html"},{"type":"ARTICLE","url":"http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00046.html"},{"type":"ARTICLE","url":"http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00047.html"},{"type":"ARTICLE","url":"http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00049.html"},{"type":"ARTICLE","url":"http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00080.html"},{"type":"ARTICLE","url":"https://lists.debian.org/debian-lts-announce/2019/03/msg00003.html"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/nodejs/node","events":[{"introduced":"362fe010fe8f6feb0030e1e02c689b501e11ddb7"},{"fixed":"fa9990f3fb5b06fe94e294925246d2c136deb2c2"},{"introduced":"6b1c40be84fbe5ea404f25e4e340a0c1fe67a60a"},{"fixed":"e6a25300148c32872d6701dfa25c1210797beb4b"},{"introduced":"7c89c4c7acdaa2035ec42195ade689419209c2fd"},{"fixed":"6faf17cb45e27cb6feeff4a0da1513ea99a68b58"},{"introduced":"f76ce0a75641991bfc235775a4747c978e0e281b"},{"fixed":"783e1e2065f96c74fd8ab8503c14f28f628c4ec0"},{"introduced":"f9f837885343a2a3f5ba2b8c510eaac395c8c865"},{"fixed":"ce3e3c5fe15479475c068482c48eb9cbf1ac9df5"}]}],"versions":["v2.0.0","v2.0.1","v2.0.2","v2.1.0","v2.2.0","v2.2.1","v2.3.0","v2.3.1","v2.3.2","v2.3.3","v2.3.4","v2.4.0","v2.5.0","v3.0.0","v6.10.0","v6.10.1","v6.10.2","v6.10.3","v6.11.0","v6.11.1","v6.11.2","v6.11.3","v6.11.4","v6.11.5","v6.12.0","v6.12.1","v6.12.2","v6.12.3","v6.13.0","v6.13.1","v6.14.0","v6.14.1","v6.14.2","v6.14.3","v6.14.4","v6.15.0","v6.15.1","v6.16.0","v6.9.0","v6.9.1","v6.9.2","v6.9.3","v6.9.4","v6.9.5","v7.0.0"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-1559.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"}]}