CVE-2019-1551 — Integer Overflow or Wraparound in Openssl

CWE-190 — Integer Overflow or Wraparound CWE-200 — Sensitive Information Exposure15 documents11 sources

Severity

5.3MEDIUMNVD

EPSS

3.9%

top 11.75%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Openssl Tenable LOG Correlation Engine Oracle Mysql Enterprise Monitor +7 more

Timeline

PublishedDec 6

Latest updateMay 9

Description

There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages9 packages

▶Debianopenssl/openssl< 1.1.1e-1+3

▶NVDopenssl/openssl1.0.2 — 1.0.2t+1

▶CVEListV5openssl/opensslFixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t), Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d)+1

▶NVDtenable/log_correlation_engine< 6.0.9

▶NVDoracle/mysql_enterprise_monitor8.0.0 — 8.0.20+1

Also affects: Debian Linux 10.0, 9.0, Fedora 30, 31, 32, Ubuntu Linux 16.04, 18.04, 19.10

Patches

Patch: www.oracle.com ↗Patch: www.oracle.com ↗Patch: www.oracle.com ↗

🔴Vulnerability Details

GHSA

GHSA-fcc6-m5v9-xcgq: There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli↗2022-05-24

▶

OSV

CVE-2019-1551: There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli↗2019-12-06

▶

CVEList

rsaz_512_sqr overflow bug on x86_64↗2019-12-06

▶

📋Vendor Advisories

Palo Alto

PAN-SA-2024-0001 Informational Bulletin: Impact of OSS CVEs in PAN-OS↗2024-02-14

▶

Ubuntu

OpenSSL vulnerabilities↗2020-09-16

▶

Oracle

Oracle Oracle Enterprise Manager Risk Matrix: Networking (OpenSSL) — CVE-2019-1551↗2020-07-15

▶

Ubuntu

OpenSSL vulnerabilities↗2020-05-28

▶

Red Hat

openssl: Integer overflow in RSAZ modular exponentiation on x86_64↗2019-12-06

▶

💬Community

HackerOne

CVE-2019-1551: rsaz_512_sqr overflow bug on x86_64↗2024-05-09

▶

Bugzilla

CVE-2019-1551 openssl: Integer overflow in RSAZ modular exponentiation on x86_64↗2019-12-09

▶

Bugzilla

CVE-2019-1551 openssl: Integer overflow in RSAZ modular exponentiation on x86_64 [fedora-all]↗2019-12-09

▶

Bugzilla

CVE-2019-1551 mingw-openssl: openssl: Integer overflow in RSAZ modular exponentiation on x86_64 [fedora-all]↗2019-12-09

▶

Bugzilla

CVE-2019-1551 mingw-openssl: openssl: Integer overflow in RSAZ modular exponentiation on x86_64 [epel-7]↗2019-12-09

▶