Home > Vulnerability Database > CVE-2019-1547

Mend.io Vulnerability Database

CVE-2019-1547

Good to know:

Date: September 10, 2019

Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).

Language: C

Severity Score

7.5

Related Resources (40)

Url: https://www.oracle.com/security-alerts/cpuapr2020.html

Url: https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html

Url: https://seclists.org/bugtraq/2019/Sep/25

Url: https://www.oracle.com/security-alerts/cpuoct2020.html

Url: https://seclists.org/bugtraq/2019/Oct/0

Url: http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00016.html

Url: http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html

Url: https://seclists.org/bugtraq/2019/Oct/1

Url: https://support.f5.com/csp/article/K73422160?utm_source=f5support&utm_medium=RSS

Url: https://www.tenable.com/security/tns-2019-09

Url: https://access.redhat.com/security/cve/CVE-2019-1547

Url: https://www.debian.org/security/2019/dsa-4540

Url: http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00054.html

Url: https://security.alpinelinux.org/vuln/CVE-2019-1547

Url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/

Url: https://security.gentoo.org/glsa/201911-04

Url: https://www.openssl.org/news/secadv/20190910.txt

Url: https://www.oracle.com/security-alerts/cpujul2020.html

Url: https://nvd.nist.gov/vuln/detail/CVE-2019-1547

Url: https://usn.ubuntu.com/4504-1/

Url: https://usn.ubuntu.com/4376-1/

Url: https://www.tenable.com/security/tns-2019-08

Url: https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a

Url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/

Url: https://kc.mcafee.com/corporate/index?page=content&id=SB10365

Url: https://lists.debian.org/debian-lts-announce/2019/09/msg00026.html

Url: https://security-tracker.debian.org/tracker/CVE-2019-1547

Url: http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00012.html

Url: https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=21c856b75d81eff61aa63b4f036bb64a85bf6d46

Url: https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30c22fa8b1d840036b8e203585738df62a03cec8

Url: https://security.netapp.com/advisory/ntap-20200416-0003/

Url: https://security.netapp.com/advisory/ntap-20190919-0002/

Url: https://security.netapp.com/advisory/ntap-20200122-0002/

Url: https://www.oracle.com/security-alerts/cpujan2020.html

Url: https://www.debian.org/security/2019/dsa-4539

Url: http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00072.html

Url: https://arxiv.org/abs/1909.01785

Url: https://usn.ubuntu.com/4376-2/

Url: https://people.canonical.com/~ubuntu-security/cve/CVE-2019-1547

Url: https://www.mend.io/vulnerability-database/CVE-2019-1547

Severity Score

7.5

Weakness Type (CWE)

Insufficient Information

NVD-CWE-noinfo

Missing Encryption of Sensitive Data

CWE-311

Top Fix

Upgrade Version

Upgrade to version 1.0.2t,1.1.0l,1.1.1d

Learn More

CVSS v3

Base Score:	7.5
Attack Vector (AV):
Attack Complexity (AC):
Privileges Required (PR):
User Interaction (UI):
Scope (S):
Confidentiality (C):	PARTIAL
Integrity (I):	PARTIAL
Availability (A):	PARTIAL

CVSS v2

Base Score:	9.8
Access Vector (AV):
Access Complexity (AC):
Authentication (AU):
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH
Additional information:

Mend.io Vulnerability Database

We found results for “”

CVE-2019-1547

Good to know:

Date: September 10, 2019

Language: C

Severity Score

Related Resources (40)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3

CVSS v2

Do you need more information?