QID 38842

Date Published: 2021-06-10

QID 38842: Open Secure Sockets Layer (OpenSSL) Security Update (OpenSSL Security Advisory 20190910)

OpenSSL is a software library for applications that secure communications over computer networks against eavesdropping or need to identify the party at the other end.

CVE-2019-1547: When a particular curve is used, OpenSSL falls back to code paths that are not side-channel resistant, which may result in full key recovery during an ECDSA signature operation.
CVE-2019-1549: OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call, in order to ensure that the parent and child processes did not share the same RNG state. However, this protection was not being used in the default case.
CVE-2019-1563: An attacker who sends a very large number of messages to be decrypted can recover a CMS/PKCS7 transported encryption key, or decrypt any RSA-encrypted message that was encrypted with the public RSA key, using a Bleichenbacher padding oracle attack.

Affected Versions:
OpenSSL versions from 1.0.2 to 1.0.2s
OpenSSL versions from 1.1.0 to 1.1.0k
OpenSSL versions from 1.1.1 to 1.1.1c

NOTE:
CVE-2019-1549 only affects OpenSSL versions 1.1.1 to 1.1.1c.

QID Detection Logic (Unauthenticated):
This QID matches vulnerable versions based on the exposed banner information.
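As an added example (not Qualys' own detection code), the following Python check implements the banner-based version matching described above, using the affected ranges and the CVE-2019-1549 note from this page; the banner strings in the test are constructed samples.

```python
import re

# Affected ranges from this advisory, keyed by release branch.
# OpenSSL patch levels are lettered ("" < "a" < "b" < ... ), so each
# branch is affected from its unlettered release up to the last letter
# listed here; the first fixed release is noted in the comment.
AFFECTED = {
    "1.0.2": "s",  # fixed in 1.0.2t
    "1.1.0": "k",  # fixed in 1.1.0l
    "1.1.1": "c",  # fixed in 1.1.1d
}

# CVEs covered by this QID; CVE-2019-1549 applies to the 1.1.1 branch only.
ALL_BRANCH_CVES = ["CVE-2019-1547", "CVE-2019-1563"]
BRANCH_111_ONLY = ["CVE-2019-1549"]

# Matches e.g. "OpenSSL/1.1.1c" or "OpenSSL/1.0.2k-fips" inside a Server banner.
BANNER_RE = re.compile(r"OpenSSL/(\d+\.\d+\.\d+)([a-z]*)")


def parse_openssl_banner(banner):
    """Return (base_version, letter_suffix) from a banner, or None if absent."""
    m = BANNER_RE.search(banner)
    if not m:
        return None
    return m.group(1), m.group(2)


def affected_cves(banner):
    """Return the CVEs from this advisory that the banner's version falls under."""
    parsed = parse_openssl_banner(banner)
    if parsed is None:
        return []
    base, suffix = parsed
    last_affected = AFFECTED.get(base)
    if last_affected is None:
        return []  # branch not covered by this advisory (e.g. 1.1.1d+ line or 3.x)
    # Single-letter suffixes compare correctly as strings: "" < "a" < ... < "s".
    if suffix > last_affected:
        return []  # already at or past the fixed release
    cves = list(ALL_BRANCH_CVES)
    if base == "1.1.1":
        cves += BRANCH_111_ONLY
    return cves
```

Banner matching cannot see vendor backports (distributions often ship the fix without changing the version string), so a hit from this check should be confirmed against the installed package's changelog before it is treated as vulnerable.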

Successful exploitation of these vulnerabilities may allow an attacker to steal sensitive information.

  • CVSS V3 rated as Medium - 5.3 severity.
  • CVSS V2 rated as Medium - 5 severity.
  • Solution
    The vendor has released a patch. Please find the details below:
    OpenSSL 1.1.1 users should upgrade to 1.1.1d
    OpenSSL 1.1.0 users should upgrade to 1.1.0l
    OpenSSL 1.0.2 users should upgrade to 1.0.2t
    For more information, please visit the advisory.
    Vendor References

    CVEs related to QID 38842: CVE-2019-1547, CVE-2019-1549, CVE-2019-1563

    Software Advisories
    Advisory ID: 20190910
    Software Component: OpenSSL
    Link: www.openssl.org/news/secadv/20190910.txt