{"api_version":"1","generated_at":"2026-04-22T23:08:51+00:00","cve":"CVE-2019-1547","urls":{"html":"https://cve.report/CVE-2019-1547","api":"https://cve.report/api/cve/CVE-2019-1547.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2019-1547","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2019-1547"},"summary":{"title":"CVE-2019-1547","description":"Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).","state":"PUBLIC","assigner":"openssl-security@openssl.org","published_at":"2019-09-10 17:15:00","updated_at":"2023-11-07 03:08:00"},"problem_types":["NVD-CWE-noinfo"],"metrics":[],"references":[{"url":"https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=30c22fa8b1d840036b8e203585738df62a03cec8","name":"https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=30c22fa8b1d840036b8e203585738df62a03cec8","refsource":"","tags":[],"title":"git.openssl.org Git - openssl.git/commitdiff","mime":"text/xml","httpstatus":"404","archivestatus":"200"},{"url":"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30c22fa8b1d840036b8e203585738df62a03cec8","name":"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30c22fa8b1d840036b8e203585738df62a03cec8","refsource":"CONFIRM","tags":["Mailing List","Patch","Vendor Advisory"],"title":"git.openssl.org Git - openssl.git/commitdiff","mime":"text/xml","httpstatus":"200","archivestatus":"200"},{"url":"https://www.debian.org/security/2019/dsa-4539","name":"DSA-4539","refsource":"DEBIAN","tags":[],"title":"Debian -- Security Information -- DSA-4539-1 openssl","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/","name":"FEDORA-2019-d15aac6c4e","refsource":"FEDORA","tags":[],"title":"[SECURITY] Fedora 30 Update: openssl-1.1.1d-1.fc30 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://support.f5.com/csp/article/K73422160?utm_source=f5support&amp%3Butm_medium=RSS","name":"https://support.f5.com/csp/article/K73422160?utm_source=f5support&amp%3Butm_medium=RSS","refsource":"","tags":[],"title":"myF5","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=21c856b75d81eff61aa63b4f036bb64a85bf6d46","name":"https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=21c856b75d81eff61aa63b4f036bb64a85bf6d46","refsource":"","tags":[],"title":"git.openssl.org Git - openssl.git/commitdiff","mime":"text/xml","httpstatus":"404","archivestatus":"200"},{"url":"https://www.oracle.com/security-alerts/cpujul2020.html","name":"https://www.oracle.com/security-alerts/cpujul2020.html","refsource":"MISC","tags":[],"title":"Oracle Critical Patch Update Advisory - July 2020","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00012.html","name":"openSUSE-SU-2019:2268","refsource":"SUSE","tags":[],"title":"[security-announce] openSUSE-SU-2019:2268-1: moderate: Security update f","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.tenable.com/security/tns-2019-09","name":"https://www.tenable.com/security/tns-2019-09","refsource":"CONFIRM","tags":[],"title":"[R1] Tenable.sc 5.13.0 Fixes Multiple Third-Party Vulnerabilities - Security Advisory | Tenable®","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://usn.ubuntu.com/4376-2/","name":"USN-4376-2","refsource":"UBUNTU","tags":[],"title":"USN-4376-2: OpenSSL vulnerabilities | Ubuntu security notices | Ubuntu","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.oracle.com/security-alerts/cpuoct2020.html","name":"https://www.oracle.com/security-alerts/cpuoct2020.html","refsource":"MISC","tags":[],"title":"Oracle Critical Patch Update Advisory - October 2020","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://security.gentoo.org/glsa/201911-04","name":"GLSA-201911-04","refsource":"GENTOO","tags":[],"title":"OpenSSL: Multiple vulnerabilities (GLSA 201911-04) — Gentoo security","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.debian.org/debian-lts-announce/2019/09/msg00026.html","name":"[debian-lts-announce] 20190925 [SECURITY] [DLA 1932-1] openssl security update","refsource":"MLIST","tags":[],"title":"[SECURITY] [DLA 1932-1] openssl security update","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://usn.ubuntu.com/4376-1/","name":"USN-4376-1","refsource":"UBUNTU","tags":[],"title":"USN-4376-1: OpenSSL vulnerabilities | Ubuntu security notices | Ubuntu","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://kc.mcafee.com/corporate/index?page=content&id=SB10365","name":"https://kc.mcafee.com/corporate/index?page=content&id=SB10365","refsource":"CONFIRM","tags":[],"title":"Security Bulletin - Policy Auditor update fixes multiple vulnerabilities in third-party libraries (CVE-2016-0718, CVE-2016-4472, CVE-2016-5300, CVE-2017-17740, CVE-2017-9287, CVE-2019-13057, CVE-2020-15719, CVE-2019-1543, CVE-2019-1547, CVE-2019-1552, CVE-2019-1563, CVE-2019-8457, CVE-2018-20506, CVE-2018-20346, CVE-2019-16168, CVE-2017-12627)","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00054.html","name":"openSUSE-SU-2019:2158","refsource":"SUSE","tags":[],"title":"[security-announce] openSUSE-SU-2019:2158-1: moderate: Security update f","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.openssl.org/news/secadv/20190910.txt","name":"https://www.openssl.org/news/secadv/20190910.txt","refsource":"CONFIRM","tags":["Vendor Advisory"],"title":"","mime":"text/plain","httpstatus":"200","archivestatus":"200"},{"url":"https://www.tenable.com/security/tns-2019-08","name":"https://www.tenable.com/security/tns-2019-08","refsource":"CONFIRM","tags":[],"title":"[R1] Nessus Network Monitor 5.11.0 Fixes Multiple Third-party Vulnerabilities - Security Advisory | Tenable®","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://arxiv.org/abs/1909.01785","name":"https://arxiv.org/abs/1909.01785","refsource":"MISC","tags":["Third Party Advisory"],"title":"[1909.01785] Certified Side Channels","mime":"text/xml","httpstatus":"200","archivestatus":"200"},{"url":"https://security.netapp.com/advisory/ntap-20200416-0003/","name":"https://security.netapp.com/advisory/ntap-20200416-0003/","refsource":"CONFIRM","tags":[],"title":"April 2020 MySQL Vulnerabilities in NetApp Products | NetApp Product Security","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/","name":"FEDORA-2019-d51641f152","refsource":"","tags":[],"title":"[SECURITY] Fedora 29 Update: openssl-1.1.1d-1.fc29 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://security.netapp.com/advisory/ntap-20190919-0002/","name":"https://security.netapp.com/advisory/ntap-20190919-0002/","refsource":"CONFIRM","tags":[],"title":"September 2019 OpenSSL Vulnerabilities in NetApp Products | NetApp Product Security","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://security.netapp.com/advisory/ntap-20200122-0002/","name":"https://security.netapp.com/advisory/ntap-20200122-0002/","refsource":"CONFIRM","tags":[],"title":"January 2020 MySQL Vulnerabilities in NetApp Products | NetApp Product Security","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00072.html","name":"openSUSE-SU-2019:2189","refsource":"SUSE","tags":[],"title":"[security-announce] openSUSE-SU-2019:2189-1: moderate: Security update f","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a","name":"https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a","refsource":"","tags":[],"title":"git.openssl.org Git - openssl.git/commitdiff","mime":"text/xml","httpstatus":"404","archivestatus":"200"},{"url":"https://seclists.org/bugtraq/2019/Oct/1","name":"20191001 [SECURITY] [DSA 4539-1] openssl security update","refsource":"BUGTRAQ","tags":[],"title":"Bugtraq: [SECURITY] [DSA 4539-1] openssl security update","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.debian.org/security/2019/dsa-4540","name":"DSA-4540","refsource":"DEBIAN","tags":[],"title":"Debian -- Security Information -- DSA-4540-1 openssl1.0","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html","name":"http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html","refsource":"MISC","tags":[],"title":"Slackware Security Advisory - openssl Updates ≈ Packet Storm","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://support.f5.com/csp/article/K73422160?utm_source=f5support&utm_medium=RSS","name":"https://support.f5.com/csp/article/K73422160?utm_source=f5support&utm_medium=RSS","refsource":"CONFIRM","tags":[],"title":"","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00016.html","name":"openSUSE-SU-2019:2269","refsource":"SUSE","tags":[],"title":"[security-announce] openSUSE-SU-2019:2269-1: moderate: Security update f","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://seclists.org/bugtraq/2019/Sep/25","name":"20190912 [slackware-security] openssl (SSA:2019-254-03)","refsource":"BUGTRAQ","tags":["Third Party Advisory"],"title":"Bugtraq: [slackware-security]  openssl (SSA:2019-254-03)","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://seclists.org/bugtraq/2019/Oct/0","name":"20191001 [SECURITY] [DSA 4540-1] openssl1.0 security update","refsource":"BUGTRAQ","tags":[],"title":"Bugtraq: [SECURITY] [DSA 4540-1] openssl1.0 security update","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a","name":"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a","refsource":"CONFIRM","tags":["Mailing List","Patch","Vendor Advisory"],"title":"git.openssl.org Git - openssl.git/commitdiff","mime":"text/xml","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/","name":"FEDORA-2019-d15aac6c4e","refsource":"","tags":[],"title":"[SECURITY] Fedora 30 Update: openssl-1.1.1d-1.fc30 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html","name":"https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html","refsource":"MISC","tags":[],"title":"Oracle Critical Patch Update - October 2019","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.oracle.com/security-alerts/cpujan2020.html","name":"https://www.oracle.com/security-alerts/cpujan2020.html","refsource":"MISC","tags":[],"title":"Oracle Critical Patch Update Advisory - January 2020","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=21c856b75d81eff61aa63b4f036bb64a85bf6d46","name":"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=21c856b75d81eff61aa63b4f036bb64a85bf6d46","refsource":"CONFIRM","tags":["Mailing List","Patch","Vendor Advisory"],"title":"git.openssl.org Git - openssl.git/commitdiff","mime":"text/xml","httpstatus":"200","archivestatus":"200"},{"url":"https://www.oracle.com/security-alerts/cpuapr2020.html","name":"N/A","refsource":"N/A","tags":[],"title":"Oracle Critical Patch Update Advisory - April 2020","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://usn.ubuntu.com/4504-1/","name":"USN-4504-1","refsource":"UBUNTU","tags":[],"title":"USN-4504-1: OpenSSL vulnerabilities | Ubuntu security notices | Ubuntu","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/","name":"FEDORA-2019-d51641f152","refsource":"FEDORA","tags":[],"title":"[SECURITY] Fedora 29 Update: openssl-1.1.1d-1.fc29 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2019-1547","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2019-1547","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[{"source":"LEGACY","value":"Cesar Pereida García, Sohaib ul Hassan, Nicola Tuveri, Iaroslav Gridin, Alejandro Cabrera Aldaya, and Billy Brumley","lang":""}],"nvd_cpes":[{"cve_year":"2019","cve_id":"1547","vulnerable":"1","versionEndIncluding":"1.0.2s","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"openssl","cpe5":"openssl","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2019","cve_id":"1547","vulnerable":"1","versionEndIncluding":"1.1.0k","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"openssl","cpe5":"openssl","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2019","cve_id":"1547","vulnerable":"1","versionEndIncluding":"1.1.1c","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"openssl","cpe5":"openssl","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2019-1547","qid":"296078","title":"Oracle Solaris 11.4 Support Repository Update (SRU) 16.4.0 Missing (CPUOCT2019)"},{"cve":"CVE-2019-1547","qid":"375626","title":"IBM Cognos Analytics Multiple Vulnerabilities (6451705)"},{"cve":"CVE-2019-1547","qid":"377105","title":"Alibaba Cloud Linux Security Update for Open Secure Sockets Layer (OpenSSL) (ALINUX3-SA-2022:0025)"},{"cve":"CVE-2019-1547","qid":"379452","title":"IBM Cognos Analytics Multiple Vulnerabilities (7123154)"},{"cve":"CVE-2019-1547","qid":"38842","title":"Open Secure Sockets Layer (OpenSSL) Security Update (OpenSSL Security Advisory 20190910)"},{"cve":"CVE-2019-1547","qid":"500493","title":"Alpine Linux Security Update for Open Secure Sockets Layer (OpenSSL)"},{"cve":"CVE-2019-1547","qid":"500561","title":"Alpine Linux Security Update for Open Secure Sockets Layer (OpenSSL)"},{"cve":"CVE-2019-1547","qid":"500760","title":"Alpine Linux Security Update for openssl"},{"cve":"CVE-2019-1547","qid":"501160","title":"Alpine Linux Security Update for openssl"},{"cve":"CVE-2019-1547","qid":"501979","title":"Alpine Linux Security Update for Open Secure Sockets Layer3 (OpenSSL3)"},{"cve":"CVE-2019-1547","qid":"502898","title":"Alpine Linux Security Update for openssl1.1-compat"},{"cve":"CVE-2019-1547","qid":"504252","title":"Alpine Linux Security Update for openssl"},{"cve":"CVE-2019-1547","qid":"710119","title":"Gentoo Linux Open Secure Sockets Layer Multiple Vulnerabilities (GLSA 201911-04)"}]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"openssl-security@openssl.org","DATE_PUBLIC":"2019-09-10","ID":"CVE-2019-1547","STATE":"PUBLIC","TITLE":"ECDSA remote timing attack"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"OpenSSL","version":{"version_data":[{"version_value":"Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c)"},{"version_value":"Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k)"},{"version_value":"Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s)"}]}}]},"vendor_name":"OpenSSL"}]}},"credit":[{"lang":"eng","value":"Cesar Pereida García, Sohaib ul Hassan, Nicola Tuveri, Iaroslav Gridin, Alejandro Cabrera Aldaya, and Billy Brumley"}],"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s)."}]},"impact":[{"lang":"eng","url":"https://www.openssl.org/policies/secpolicy.html#Low","value":"Low"}],"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"Timing side channel"}]}]},"references":{"reference_data":[{"refsource":"BUGTRAQ","name":"20190912 [slackware-security] openssl (SSA:2019-254-03)","url":"https://seclists.org/bugtraq/2019/Sep/25"},{"refsource":"SUSE","name":"openSUSE-SU-2019:2158","url":"http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00054.html"},{"refsource":"FEDORA","name":"FEDORA-2019-d15aac6c4e","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/"},{"refsource":"SUSE","name":"openSUSE-SU-2019:2189","url":"http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00072.html"},{"refsource":"MLIST","name":"[debian-lts-announce] 20190925 [SECURITY] [DLA 1932-1] openssl security update","url":"https://lists.debian.org/debian-lts-announce/2019/09/msg00026.html"},{"refsource":"FEDORA","name":"FEDORA-2019-d51641f152","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/"},{"refsource":"BUGTRAQ","name":"20191001 [SECURITY] [DSA 4539-1] openssl security update","url":"https://seclists.org/bugtraq/2019/Oct/1"},{"refsource":"BUGTRAQ","name":"20191001 [SECURITY] [DSA 4540-1] openssl1.0 security update","url":"https://seclists.org/bugtraq/2019/Oct/0"},{"refsource":"DEBIAN","name":"DSA-4539","url":"https://www.debian.org/security/2019/dsa-4539"},{"refsource":"DEBIAN","name":"DSA-4540","url":"https://www.debian.org/security/2019/dsa-4540"},{"refsource":"SUSE","name":"openSUSE-SU-2019:2268","url":"http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00012.html"},{"refsource":"SUSE","name":"openSUSE-SU-2019:2269","url":"http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00016.html"},{"refsource":"GENTOO","name":"GLSA-201911-04","url":"https://security.gentoo.org/glsa/201911-04"},{"refsource":"UBUNTU","name":"USN-4376-1","url":"https://usn.ubuntu.com/4376-1/"},{"url":"https://www.oracle.com/security-alerts/cpuapr2020.html","refsource":"MISC","name":"https://www.oracle.com/security-alerts/cpuapr2020.html"},{"url":"https://www.oracle.com/security-alerts/cpujul2020.html","refsource":"MISC","name":"https://www.oracle.com/security-alerts/cpujul2020.html"},{"url":"https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html","refsource":"MISC","name":"https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html"},{"refsource":"CONFIRM","name":"https://www.tenable.com/security/tns-2019-08","url":"https://www.tenable.com/security/tns-2019-08"},{"url":"https://www.oracle.com/security-alerts/cpujan2020.html","refsource":"MISC","name":"https://www.oracle.com/security-alerts/cpujan2020.html"},{"name":"https://www.openssl.org/news/secadv/20190910.txt","refsource":"CONFIRM","url":"https://www.openssl.org/news/secadv/20190910.txt"},{"name":"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30c22fa8b1d840036b8e203585738df62a03cec8","refsource":"CONFIRM","url":"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30c22fa8b1d840036b8e203585738df62a03cec8"},{"name":"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a","refsource":"CONFIRM","url":"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a"},{"name":"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=21c856b75d81eff61aa63b4f036bb64a85bf6d46","refsource":"CONFIRM","url":"https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=21c856b75d81eff61aa63b4f036bb64a85bf6d46"},{"refsource":"MISC","name":"https://arxiv.org/abs/1909.01785","url":"https://arxiv.org/abs/1909.01785"},{"refsource":"MISC","name":"http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html","url":"http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html"},{"refsource":"CONFIRM","name":"https://security.netapp.com/advisory/ntap-20190919-0002/","url":"https://security.netapp.com/advisory/ntap-20190919-0002/"},{"refsource":"CONFIRM","name":"https://support.f5.com/csp/article/K73422160?utm_source=f5support&utm_medium=RSS","url":"https://support.f5.com/csp/article/K73422160?utm_source=f5support&utm_medium=RSS"},{"refsource":"CONFIRM","name":"https://www.tenable.com/security/tns-2019-09","url":"https://www.tenable.com/security/tns-2019-09"},{"refsource":"CONFIRM","name":"https://security.netapp.com/advisory/ntap-20200122-0002/","url":"https://security.netapp.com/advisory/ntap-20200122-0002/"},{"refsource":"CONFIRM","name":"https://security.netapp.com/advisory/ntap-20200416-0003/","url":"https://security.netapp.com/advisory/ntap-20200416-0003/"},{"refsource":"UBUNTU","name":"USN-4376-2","url":"https://usn.ubuntu.com/4376-2/"},{"refsource":"UBUNTU","name":"USN-4504-1","url":"https://usn.ubuntu.com/4504-1/"},{"url":"https://www.oracle.com/security-alerts/cpuoct2020.html","refsource":"MISC","name":"https://www.oracle.com/security-alerts/cpuoct2020.html"},{"refsource":"CONFIRM","name":"https://kc.mcafee.com/corporate/index?page=content&id=SB10365","url":"https://kc.mcafee.com/corporate/index?page=content&id=SB10365"}]}},"nvd":{"publishedDate":"2019-09-10 17:15:00","lastModifiedDate":"2023-11-07 03:08:00","problem_types":["NVD-CWE-noinfo"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N","attackVector":"LOCAL","attackComplexity":"HIGH","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE","baseScore":4.7,"baseSeverity":"MEDIUM"},"exploitabilityScore":1,"impactScore":3.6},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:L/AC:M/Au:N/C:P/I:N/A:N","accessVector":"LOCAL","accessComplexity":"MEDIUM","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"NONE","availabilityImpact":"NONE","baseScore":1.9},"severity":"LOW","exploitabilityScore":3.4,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*","versionStartIncluding":"1.1.1","versionEndIncluding":"1.1.1c","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*","versionStartIncluding":"1.0.2","versionEndIncluding":"1.0.2s","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*","versionStartIncluding":"1.1.0","versionEndIncluding":"1.1.0k","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2019","CveId":"1547","Ordinal":"138039","Title":"CVE-2019-1547","CVE":"CVE-2019-1547","Year":"2019"},"notes":[{"CveYear":"2019","CveId":"1547","Ordinal":"1","NoteData":"Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).","Type":"Description","Title":null},{"CveYear":"2019","CveId":"1547","Ordinal":"2","NoteData":"2019-09-10","Type":"Other","Title":"Published"},{"CveYear":"2019","CveId":"1547","Ordinal":"3","NoteData":"2021-07-31","Type":"Other","Title":"Modified"}]}}}