You are here

OpenSSL Vulnerabilities Fixed in Version 1.1.1d and 1.0.2t

IDs: 
CVE-2019-1547, CVE-2019-1549, CVE-2019-1563
Keywords: 
padding oracle
Description: 

OpenSSL released version 1.0.2t and 1.1.1d fixing three vulnerabilities [1].

Supported Airlock WAF versions use OpenSSL 1.0.2 and 1.1.1 to handle SSL/TLS connections.

No action required for Airlock WAF

Details:

CVE-2019-1547 ECDSA remote timing attack - Airlock WAF is not affected since attackers have no access to a reliable timing side channel.
CVE-2019-1549 Fork Protection - The fix prevents sharing the same random number generator (RNG) state between parent and child processes. According to our analyses the OpenSSL RNG states in Airlock WAF are not affected.
CVE-2019-1563 Padding Oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey - Airlock WAF does not provide a corresponding padding oracle in the way OpenSSL is used.

Component: 
Airlock
Airlock Vulnerability Status: 
Does not affect Airlock
Back-end Vulnerability Status: 
Does not affect back-end behind Airlock