Is there any explanation of how exactly SSL Labs checks CVE-2019-1559? Can I perform this check manually? Oracle (as the vendor of an HTTP server) is asking for this in order to verify whether this is actually a threat. (0-length OpenSSL vuln.)
Manual verification can be done by running `openssl version`. Versions greater than or equal to 1.0.2 and less than 1.0.2r are vulnerable according to the OpenSSL security advisory.
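The version range quoted above can be applied mechanically. The following shell function is an added example written for this thread, not something any poster or the OpenSSL project published: it classifies the line printed by `openssl version` against the advisory range (1.0.2 up to and including 1.0.2q affected, fixed from 1.0.2r). The sample lines in the loop are constructed, and the status words (`affected`, `fixed`, `outside-range`, `not-openssl`) are this script's own labels. It only judges the version string: a distribution build that carries a backported fix under an old version number, or a stack that is not OpenSSL at all (LibreSSL, or a vendor module such as the one discussed later in this thread), cannot be judged this way and needs a remote padding-oracle test instead.

```shell
#!/bin/sh
# Added example for the thread, not part of any poster's or OpenSSL's tooling.
# Classify an `openssl version` line against the CVE-2019-1559 advisory range:
#   1.0.2 (no letter) and 1.0.2a..1.0.2q -> affected
#   1.0.2r and later 1.0.2 letters        -> fixed
#   any other OpenSSL version             -> outside-range (not in the advisory range)
#   anything not printed by OpenSSL       -> not-openssl (cannot be judged by version)
# The function prints exactly one of those four words.
cve_2019_1559_status() {
    line=$1
    case "$line" in
        "OpenSSL "*) ;;
        *) echo not-openssl; return ;;
    esac
    # Second field is the version token, e.g. "1.0.2k-fips"; strip any "-fips"
    # style build suffix so only the upstream version letter is compared.
    ver=$(printf '%s\n' "$line" | awk '{print $2}' | sed 's/-.*//')
    case "$ver" in
        1.0.2|1.0.2[a-q]) echo affected ;;
        1.0.2[r-z]*)      echo fixed ;;
        *)                echo outside-range ;;
    esac
}

# Constructed sample lines (not real scan output) covering each outcome.
for sample in "OpenSSL 1.0.2k-fips  26 Jan 2017" \
              "OpenSSL 1.0.2r  26 Feb 2019" \
              "OpenSSL 1.1.1d  10 Sep 2019" \
              "LibreSSL 2.8.3"; do
    printf '%-36s -> %s\n' "$sample" "$(cve_2019_1559_status "$sample")"
done

# To check the locally installed library, pass the live output in:
#   cve_2019_1559_status "$(openssl version)"
```

A result of `outside-range` means only that the version is not in the range the advisory names for this CVE; it says nothing about other advisories, and `affected` on a vendor-patched build (for example a distribution 1.0.2k with the fix backported) is a false positive that only a remote test can rule out.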
Oracle HTTP Server does not use OpenSSL. That's why I wonder how this test is technically done (remotely).
I don't use Oracle HTTP Server, so I could be wrong, but are you sure they don't use OpenSSL? As far as I can tell from searching the internet, OHS is based on Apache HTTP Server.
ORACLE-BASE - Oracle HTTP Server (OHS) 11g and 12c : Configure SSL
ORACLE-BASE - Linux HTTP Server Configuration
And, the first instruction on that page is to install mod_ssl and its dependency OpenSSL.
Unfortunately, I personally, do not know how the remote check is implemented.
Thanks for the reply. Basically you're absolutely right, and Oracle HTTP Server is an Apache "fork". Regarding SSL, however, this is not true: they use their own SSL module, mod_ossl (Oracle SSL), instead of the usual OpenSSL module from Apache. Of course eventually this is simply another fork, but nevertheless it then has different version numbers. So checking just the version does not work.
So it would really be helpful to find out how that is determined, especially since e.g. support.oracle.com is also Oracle HTTP Server and does not show this error.
Cross-linking potentially related discussions.
CVE-2019-1559: ssllabs scan returns different results scanning the same server
nshah, can you share how to manually test/verify CVE-2019-1559? From reading the CVE, it reads like the test would involve a custom SSL client that can send zero-byte records, and it may not be easily replicated with standard tools like cURL.
Hi nshah, it would be highly appreciated to get some more details here.
Yes, it would be greatly helpful if we were able to test manually. I am also using OHS 12c, which is not meant to be using OpenSSL, and need to confirm whether it's vulnerable or not.
It seems technically they're using GitHub - Tripwire/padcheck: TLS CBC Padding Oracle Checker
At least for me that gives the same check result as ssllabs.com
Is there any idea how to remediate this? Oracle has been dismissive of the issue so far.
After providing Tripwire/padcheck, they gave it to development in my SR. They're still working on it.
Cool. I will update the SR with the same details/link then.
Thanks again for your help.