CVE-2019-1549 — Use of Insufficiently Random Values in Openssl

CWE-330 — Use of Insufficiently Random Values CWE-200 — Sensitive Information Exposure15 documents8 sources

Severity

5.3MEDIUMNVD

OSV4.7

EPSS

5.2%

top 10.08%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Openssl Debian Openssl

Timeline

PublishedSep 10

Latest updateMay 24

Description

OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If …

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages5 packages

▶debiandebian/openssl< openssl 1.1.1d-1 (bookworm)

▶Debianopenssl/openssl< 1.1.1d-1+3

▶Ubuntuopenssl/openssl< 1.0.2g-1ubuntu4.16+1

▶NVDopenssl/openssl1.1.1 — 1.1.1c

▶CVEListV5openssl/opensslFixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c)

🔴Vulnerability Details

GHSA

GHSA-xmjp-8ccm-cf6h: OpenSSL 1↗2022-05-24

▶

OSV

openssl vulnerabilities↗2020-05-28

▶

OSV

CVE-2019-1549: OpenSSL 1↗2019-09-10

▶

📋Vendor Advisories

CISA ICS

Hitachi Energy APM Edge (Update A)↗2021-12-02

▶

Ubuntu

OpenSSL vulnerabilities↗2020-05-28

▶

Red Hat

openssl: information disclosure in fork()↗2019-09-10

▶

Debian

CVE-2019-1549: openssl - OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was int...↗2019

▶

💬Community

Bugzilla

CVE-2019-1551 openssl: Integer overflow in RSAZ modular exponentiation on x86_64↗2019-12-09

▶

Bugzilla

CVE-2019-1549 openssl: information disclosure in fork()↗2019-09-13

▶

Bugzilla

CVE-2019-1563 openssl: information disclosure in PKCS7_dataDecode and CMS_decrypt_set1_pkey↗2019-09-13

▶

Bugzilla

CVE-2019-1547 openssl: side-channel weak encryption vulnerability↗2019-09-13

▶

Bugzilla

CVE-2019-1549 mingw-openssl: openssl: information disclosure in fork() [fedora-all]↗2019-09-13

▶