Vigil@nce - OpenSSL 1.0.2: information disclosure via 0-byte Record Padding Oracle
April 2019 by Vigil@nce
This bulletin was written by Vigil@nce : https://vigilance.fr/offer/Computer-vulnerability-database-and-alert
SYNTHESIS OF THE VULNERABILITY
– Impacted products: SDS, SES, SNS, Debian, AIX, IBM i, MariaDB
precise, MySQL Community, MySQL Enterprise, Nodejs Core, OpenSSL,
openSUSE Leap, Solaris, Percona Server, SIMATIC, Slackware, SUSE
Linux Enterprise Desktop, SLES, Synology DS***, Synology RS***,
Nessus, Ubuntu, WinSCP.
– Severity: 2/4.
– Consequences: data reading.
– Provenance: internet client.
– Confidence: confirmed by the editor (5/5).
– Creation date: 26/02/2019.
DESCRIPTION OF THE VULNERABILITY
An attacker can bypass access restrictions to data via 0-byte
Record Padding Oracle of OpenSSL 1.0.2, in order to obtain
sensitive information.
ACCESS TO THE FULL VIGIL@NCE BULLETIN