Openssl – Padding Oracle and PKCS7

Advisory ID CVE Number Date discovered Severity Advisory revision
STORM-2019-018 CVE-2019-1563 09/20/2019 low v1

Vulnerability details

An attacker can retrieve the public RSA key used in a CMS/PKCS7 exchange after sending a very large number of message.

 

Impacted products

ProductsSeverityDetail
Stormshield Network Security low Impacted

Revisions

Version Date Description
v1  09/20/2019 Initial release

 



Stormshield Network Security

CVSS v2 Overall Score: 3      

Analysis

Impacted version

An attacker could obtain sensitive information about PKCS7 exchanges.
  • SNS 3.X

Workaround solution

Solution

There is no workaround solution.

The SNS 3.7.8 and 3.9.2 updates will fix this vulnerability.



Access vector Access complexity Authentication Confidentiality impact Integrity impact Availability impact
Network High None Partial Partial None
CVSS Base score: 4 CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N)
Exploitability Remediation Level Report Confidence
Unproven that exploit exists Official fix Confirmed
CVSS Temporal score: 3 CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N/E:U/RL:OF/RC:C)
Collateral Damage Potential Target Distribution
None High [76-100%]
CVSS Environmental score: 3 CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N/E:U/RL:OF/RC:C/CDP:N/TD:H/CR:ND/IR:ND/AR:ND)