CVE-2019-1547 — Client-Side Enforcement of Server-Side Security in Openssl

CWE-602 — Client-Side Enforcement of Server-Side Security CWE-311 — Missing Encryption of Sensitive Data25 documents11 sources

Severity

4.7MEDIUMNVD

EPSS

0.3%

top 50.63%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Openssl Debian Openssl Msrc Azl3 Shim-unsigned-aarch64 15.8-5 ON Azure Linux 3.0 +1 more

Timeline

PublishedSep 10

Latest updateDec 29

Description

Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result i…

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 1.0 | Impact: 3.6

Affected Packages7 packages

▶debiandebian/openssl< openssl 1.1.1d-1 (bookworm)

▶Debianopenssl/openssl< 1.1.1d-1+3

▶Ubuntuopenssl/openssl< 1.0.2g-1ubuntu4.16+3

▶NVDopenssl/openssl1.0.2 — 1.0.2s+2

▶CVEListV5openssl/opensslFixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s), Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k), Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c)+2

🔴Vulnerability Details

GHSA

GHSA-q2qv-648h-wcqp: Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths↗2022-05-24

▶

OSV

openssl, openssl1.0 vulnerabilities↗2020-09-16

▶

OSV

openssl vulnerabilities↗2020-07-09

▶

OSV

openssl vulnerabilities↗2020-05-28

▶

OSV

CVE-2019-1547: Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths↗2019-09-10

▶

📋Vendor Advisories

CISA ICS

Hitachi Energy APM Edge (Update A)↗2021-12-02

▶

Oracle

Oracle Oracle Hyperion Risk Matrix: Security and Provisioning (OpenSSL) — CVE-2019-1547↗2020-10-15

▶

Ubuntu

OpenSSL vulnerabilities↗2020-09-16

▶

Oracle

Oracle Oracle Supply Chain Risk Matrix: Install (OpenSSL) — CVE-2019-1547↗2020-07-15

▶

Ubuntu

OpenSSL vulnerabilities↗2020-07-09

▶

📄Research Papers

arXiv

One Bad Apple Spoils the Barrel: Understanding the Security Risks Introduced by Third-Party Components in IoT Firmware↗2022-12-29

▶

💬Community

Bugzilla

CVE-2019-1551 openssl: Integer overflow in RSAZ modular exponentiation on x86_64↗2019-12-09

▶

Bugzilla

CVE-2019-1549 openssl: information disclosure in fork()↗2019-09-13

▶

Bugzilla

CVE-2019-1547 mingw-openssl: openssl: side-channel weak encryption vulnerability [epel-7]↗2019-09-13

▶

Bugzilla

CVE-2019-1563 openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey↗2019-09-13

▶

Bugzilla

CVE-2019-1547 mingw-openssl: openssl: side-channel weak encryption vulnerability [fedora-all]↗2019-09-13

▶