CVE-2019-1547 (GCVE-0-2019-1547)

Vulnerability from cvelistv5 – Published: 2019-09-10 16:58 – Updated: 2024-09-16 16:33
VLAI?
Summary
Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).
Severity ?
No CVSS data available.
CWE
  • Timing side channel
Assigner
References
https://seclists.org/bugtraq/2019/Sep/25 mailing-list
http://lists.opensuse.org/opensuse-security-annou… vendor-advisory
https://lists.fedoraproject.org/archives/list/pac… vendor-advisory
http://lists.opensuse.org/opensuse-security-annou… vendor-advisory
https://lists.debian.org/debian-lts-announce/2019… mailing-list
https://lists.fedoraproject.org/archives/list/pac… vendor-advisory
https://seclists.org/bugtraq/2019/Oct/1 mailing-list
https://seclists.org/bugtraq/2019/Oct/0 mailing-list
https://www.debian.org/security/2019/dsa-4539 vendor-advisory
https://www.debian.org/security/2019/dsa-4540 vendor-advisory
http://lists.opensuse.org/opensuse-security-annou… vendor-advisory
http://lists.opensuse.org/opensuse-security-annou… vendor-advisory
https://security.gentoo.org/glsa/201911-04 vendor-advisory
https://usn.ubuntu.com/4376-1/ vendor-advisory
https://www.oracle.com/security-alerts/cpuapr2020.html
https://www.oracle.com/security-alerts/cpujul2020.html
https://www.oracle.com/technetwork/security-advis…
https://www.tenable.com/security/tns-2019-08
https://www.oracle.com/security-alerts/cpujan2020.html
https://www.openssl.org/news/secadv/20190910.txt
https://git.openssl.org/gitweb/?p=openssl.git%3Ba…
https://git.openssl.org/gitweb/?p=openssl.git%3Ba…
https://git.openssl.org/gitweb/?p=openssl.git%3Ba…
https://arxiv.org/abs/1909.01785
http://packetstormsecurity.com/files/154467/Slack…
https://security.netapp.com/advisory/ntap-2019091…
https://support.f5.com/csp/article/K73422160?utm_…
https://www.tenable.com/security/tns-2019-09
https://security.netapp.com/advisory/ntap-2020012…
https://security.netapp.com/advisory/ntap-2020041…
https://usn.ubuntu.com/4376-2/ vendor-advisory
https://usn.ubuntu.com/4504-1/ vendor-advisory
https://www.oracle.com/security-alerts/cpuoct2020.html
https://kc.mcafee.com/corporate/index?page=conten…
https://security.netapp.com/advisory/ntap-2024062…
Impacted products
Vendor Product Version
OpenSSL OpenSSL Affected: Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c)
Affected: Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k)
Affected: Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s)
Create a notification for this product.
Credits
Cesar Pereida García, Sohaib ul Hassan, Nicola Tuveri, Iaroslav Gridin, Alejandro Cabrera Aldaya, and Billy Brumley
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2019-1547",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-07-19T19:04:18.544630Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-07-19T19:04:25.516Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T18:20:28.292Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "20190912 [slackware-security] openssl (SSA:2019-254-03)",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://seclists.org/bugtraq/2019/Sep/25"
          },
          {
            "name": "openSUSE-SU-2019:2158",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00054.html"
          },
          {
            "name": "FEDORA-2019-d15aac6c4e",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/"
          },
          {
            "name": "openSUSE-SU-2019:2189",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00072.html"
          },
          {
            "name": "[debian-lts-announce] 20190925 [SECURITY] [DLA 1932-1] openssl security update",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2019/09/msg00026.html"
          },
          {
            "name": "FEDORA-2019-d51641f152",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/"
          },
          {
            "name": "20191001 [SECURITY] [DSA 4539-1] openssl security update",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://seclists.org/bugtraq/2019/Oct/1"
          },
          {
            "name": "20191001 [SECURITY] [DSA 4540-1] openssl1.0 security update",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://seclists.org/bugtraq/2019/Oct/0"
          },
          {
            "name": "DSA-4539",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2019/dsa-4539"
          },
          {
            "name": "DSA-4540",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2019/dsa-4540"
          },
          {
            "name": "openSUSE-SU-2019:2268",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00012.html"
          },
          {
            "name": "openSUSE-SU-2019:2269",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00016.html"
          },
          {
            "name": "GLSA-201911-04",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://security.gentoo.org/glsa/201911-04"
          },
          {
            "name": "USN-4376-1",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://usn.ubuntu.com/4376-1/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpujul2020.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.tenable.com/security/tns-2019-08"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpujan2020.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.openssl.org/news/secadv/20190910.txt"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=30c22fa8b1d840036b8e203585738df62a03cec8"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=21c856b75d81eff61aa63b4f036bb64a85bf6d46"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://arxiv.org/abs/1909.01785"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20190919-0002/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://support.f5.com/csp/article/K73422160?utm_source=f5support\u0026amp%3Butm_medium=RSS"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.tenable.com/security/tns-2019-09"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20200122-0002/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20200416-0003/"
          },
          {
            "name": "USN-4376-2",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://usn.ubuntu.com/4376-2/"
          },
          {
            "name": "USN-4504-1",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://usn.ubuntu.com/4504-1/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10365"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20240621-0006/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "OpenSSL",
          "vendor": "OpenSSL",
          "versions": [
            {
              "status": "affected",
              "version": "Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c)"
            },
            {
              "status": "affected",
              "version": "Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k)"
            },
            {
              "status": "affected",
              "version": "Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s)"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Cesar Pereida Garc\u00eda, Sohaib ul Hassan, Nicola Tuveri, Iaroslav Gridin, Alejandro Cabrera Aldaya, and Billy Brumley"
        }
      ],
      "datePublic": "2019-09-10T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s)."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "lang": "eng",
              "url": "https://www.openssl.org/policies/secpolicy.html#Low",
              "value": "Low"
            },
            "type": "unknown"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Timing side channel",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-06-21T19:06:30.909094",
        "orgId": "3a12439a-ef3a-4c79-92e6-6081a721f1e5",
        "shortName": "openssl"
      },
      "references": [
        {
          "name": "20190912 [slackware-security] openssl (SSA:2019-254-03)",
          "tags": [
            "mailing-list"
          ],
          "url": "https://seclists.org/bugtraq/2019/Sep/25"
        },
        {
          "name": "openSUSE-SU-2019:2158",
          "tags": [
            "vendor-advisory"
          ],
          "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00054.html"
        },
        {
          "name": "FEDORA-2019-d15aac6c4e",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/"
        },
        {
          "name": "openSUSE-SU-2019:2189",
          "tags": [
            "vendor-advisory"
          ],
          "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00072.html"
        },
        {
          "name": "[debian-lts-announce] 20190925 [SECURITY] [DLA 1932-1] openssl security update",
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2019/09/msg00026.html"
        },
        {
          "name": "FEDORA-2019-d51641f152",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/"
        },
        {
          "name": "20191001 [SECURITY] [DSA 4539-1] openssl security update",
          "tags": [
            "mailing-list"
          ],
          "url": "https://seclists.org/bugtraq/2019/Oct/1"
        },
        {
          "name": "20191001 [SECURITY] [DSA 4540-1] openssl1.0 security update",
          "tags": [
            "mailing-list"
          ],
          "url": "https://seclists.org/bugtraq/2019/Oct/0"
        },
        {
          "name": "DSA-4539",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.debian.org/security/2019/dsa-4539"
        },
        {
          "name": "DSA-4540",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.debian.org/security/2019/dsa-4540"
        },
        {
          "name": "openSUSE-SU-2019:2268",
          "tags": [
            "vendor-advisory"
          ],
          "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00012.html"
        },
        {
          "name": "openSUSE-SU-2019:2269",
          "tags": [
            "vendor-advisory"
          ],
          "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00016.html"
        },
        {
          "name": "GLSA-201911-04",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://security.gentoo.org/glsa/201911-04"
        },
        {
          "name": "USN-4376-1",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://usn.ubuntu.com/4376-1/"
        },
        {
          "url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
        },
        {
          "url": "https://www.oracle.com/security-alerts/cpujul2020.html"
        },
        {
          "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html"
        },
        {
          "url": "https://www.tenable.com/security/tns-2019-08"
        },
        {
          "url": "https://www.oracle.com/security-alerts/cpujan2020.html"
        },
        {
          "url": "https://www.openssl.org/news/secadv/20190910.txt"
        },
        {
          "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=30c22fa8b1d840036b8e203585738df62a03cec8"
        },
        {
          "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a"
        },
        {
          "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=21c856b75d81eff61aa63b4f036bb64a85bf6d46"
        },
        {
          "url": "https://arxiv.org/abs/1909.01785"
        },
        {
          "url": "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20190919-0002/"
        },
        {
          "url": "https://support.f5.com/csp/article/K73422160?utm_source=f5support\u0026amp%3Butm_medium=RSS"
        },
        {
          "url": "https://www.tenable.com/security/tns-2019-09"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20200122-0002/"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20200416-0003/"
        },
        {
          "name": "USN-4376-2",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://usn.ubuntu.com/4376-2/"
        },
        {
          "name": "USN-4504-1",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://usn.ubuntu.com/4504-1/"
        },
        {
          "url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
        },
        {
          "url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10365"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20240621-0006/"
        }
      ],
      "title": "ECDSA remote timing attack"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "3a12439a-ef3a-4c79-92e6-6081a721f1e5",
    "assignerShortName": "openssl",
    "cveId": "CVE-2019-1547",
    "datePublished": "2019-09-10T16:58:35.307121Z",
    "dateReserved": "2018-11-28T00:00:00",
    "dateUpdated": "2024-09-16T16:33:05.874Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"1.0.2\", \"versionEndIncluding\": \"1.0.2s\", \"matchCriteriaId\": \"0DAC8B94-3674-4E4B-9BB0-A16CA0197885\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"1.1.0\", \"versionEndIncluding\": \"1.1.0k\", \"matchCriteriaId\": \"65728FC6-4B4F-4D43-872B-BE1133BB2281\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"1.1.1\", \"versionEndIncluding\": \"1.1.1c\", \"matchCriteriaId\": \"A2ACA227-3992-478E-85C3-023D8AF88A08\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).\"}, {\"lang\": \"es\", \"value\": \"Normalmente en los grupos EC de OpenSSL siempre tienen un cofactor presente y este es usado en rutas de c\\u00f3digo resistentes a canales laterales. Sin embargo, en ciertos casos, es posible construir un grupo usando par\\u00e1metros expl\\u00edcitos (en lugar de usar una curva nombrada). En esos casos, es posible que dicho grupo no tenga el cofactor presente. Esto puede ocurrir incluso cuando todos los par\\u00e1metros coinciden con una curva de nombre conocido. Si es utilizada dicha curva, entonces OpenSSL recurre a rutas de c\\u00f3digo resistentes a canales no laterales lo que puede resultar en una recuperaci\\u00f3n de clave completa durante una operaci\\u00f3n de firma ECDSA. Para que sea vulnerable, un atacante tendr\\u00eda que tener la capacidad de cronometrar la creaci\\u00f3n de un gran n\\u00famero de firmas donde par\\u00e1metros expl\\u00edcitos sin cofactor presente est\\u00e1n en uso mediante una aplicaci\\u00f3n que utiliza libcrypto. Para evitar dudas, libssl no es vulnerable porque nunca se utilizan par\\u00e1metros expl\\u00edcitos. Corregido en OpenSSL versi\\u00f3n 1.1.1d (afectada la versi\\u00f3n 1.1.1-1.1.1c). Corregido en OpenSSL versi\\u00f3n 1.1.0l (afectada la versi\\u00f3n 1.1.0-1.1.0k). Corregida en OpenSSL versi\\u00f3n 1.0.2t (afectada la versi\\u00f3n 1.0.2-1.0.2s).\"}]",
      "id": "CVE-2019-1547",
      "lastModified": "2024-11-21T04:36:48.160",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N\", \"baseScore\": 4.7, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"LOCAL\", \"attackComplexity\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 1.0, \"impactScore\": 3.6}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:L/AC:M/Au:N/C:P/I:N/A:N\", \"baseScore\": 1.9, \"accessVector\": \"LOCAL\", \"accessComplexity\": \"MEDIUM\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"baseSeverity\": \"LOW\", \"exploitabilityScore\": 3.4, \"impactScore\": 2.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
      "published": "2019-09-10T17:15:11.750",
      "references": "[{\"url\": \"http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00054.html\", \"source\": \"openssl-security@openssl.org\"}, {\"url\": \"http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00072.html\", \"source\": \"openssl-security@openssl.org\"}, {\"url\": \"http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00012.html\", \"source\": \"openssl-security@openssl.org\"}, {\"url\": \"http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00016.html\", \"source\": \"openssl-security@openssl.org\"}, {\"url\": \"http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html\", \"source\": \"openssl-security@openssl.org\"}, {\"url\": \"https://arxiv.org/abs/1909.01785\", \"source\": \"openssl-security@openssl.org\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=21c856b75d81eff61aa63b4f036bb64a85bf6d46\", \"source\": \"openssl-security@openssl.org\"}, {\"url\": \"https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=30c22fa8b1d840036b8e203585738df62a03cec8\", \"source\": \"openssl-security@openssl.org\"}, {\"url\": \"https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a\", \"source\": \"openssl-security@openssl.org\"}, {\"url\": \"https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10365\", \"source\": \"openssl-security@openssl.org\"}, {\"url\": \"https://lists.debian.org/debian-lts-announce/2019/09/msg00026.html\", \"source\": \"openssl-security@openssl.org\"}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/\", \"source\": \"openssl-security@openssl.org\"}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/\", \"source\": \"openssl-security@openssl.org\"}, {\"url\": \"https://seclists.org/bugtraq/2019/Oct/0\", \"source\": \"openssl-security@openssl.org\"}, {\"url\": \"https://seclists.org/bugtraq/2019/Oct/1\", \"source\": \"openssl-security@openssl.org\"}, {\"url\": \"https://seclists.org/bugtraq/2019/Sep/25\", \"source\": \"openssl-security@openssl.org\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://security.gentoo.org/glsa/201911-04\", \"source\": \"openssl-security@openssl.org\"}, {\"url\": \"https://security.netapp.com/advisory/ntap-20190919-0002/\", \"source\": \"openssl-security@openssl.org\"}, {\"url\": \"https://security.netapp.com/advisory/ntap-20200122-0002/\", \"source\": \"openssl-security@openssl.org\"}, {\"url\": \"https://security.netapp.com/advisory/ntap-20200416-0003/\", \"source\": \"openssl-security@openssl.org\"}, {\"url\": \"https://security.netapp.com/advisory/ntap-20240621-0006/\", \"source\": \"openssl-security@openssl.org\"}, {\"url\": \"https://support.f5.com/csp/article/K73422160?utm_source=f5support\u0026amp%3Butm_medium=RSS\", \"source\": \"openssl-security@openssl.org\"}, {\"url\": \"https://usn.ubuntu.com/4376-1/\", \"source\": \"openssl-security@openssl.org\"}, {\"url\": \"https://usn.ubuntu.com/4376-2/\", \"source\": \"openssl-security@openssl.org\"}, {\"url\": \"https://usn.ubuntu.com/4504-1/\", \"source\": \"openssl-security@openssl.org\"}, {\"url\": \"https://www.debian.org/security/2019/dsa-4539\", \"source\": \"openssl-security@openssl.org\"}, {\"url\": \"https://www.debian.org/security/2019/dsa-4540\", \"source\": \"openssl-security@openssl.org\"}, {\"url\": \"https://www.openssl.org/news/secadv/20190910.txt\", \"source\": \"openssl-security@openssl.org\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://www.oracle.com/security-alerts/cpuapr2020.html\", \"source\": \"openssl-security@openssl.org\"}, {\"url\": \"https://www.oracle.com/security-alerts/cpujan2020.html\", \"source\": \"openssl-security@openssl.org\"}, {\"url\": \"https://www.oracle.com/security-alerts/cpujul2020.html\", \"source\": \"openssl-security@openssl.org\"}, {\"url\": \"https://www.oracle.com/security-alerts/cpuoct2020.html\", \"source\": \"openssl-security@openssl.org\"}, {\"url\": \"https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html\", \"source\": \"openssl-security@openssl.org\"}, {\"url\": \"https://www.tenable.com/security/tns-2019-08\", \"source\": \"openssl-security@openssl.org\"}, {\"url\": \"https://www.tenable.com/security/tns-2019-09\", \"source\": \"openssl-security@openssl.org\"}, {\"url\": \"http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00054.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00072.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00012.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00016.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://arxiv.org/abs/1909.01785\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=21c856b75d81eff61aa63b4f036bb64a85bf6d46\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=30c22fa8b1d840036b8e203585738df62a03cec8\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10365\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.debian.org/debian-lts-announce/2019/09/msg00026.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://seclists.org/bugtraq/2019/Oct/0\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://seclists.org/bugtraq/2019/Oct/1\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://seclists.org/bugtraq/2019/Sep/25\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://security.gentoo.org/glsa/201911-04\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://security.netapp.com/advisory/ntap-20190919-0002/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://security.netapp.com/advisory/ntap-20200122-0002/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://security.netapp.com/advisory/ntap-20200416-0003/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://security.netapp.com/advisory/ntap-20240621-0006/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://support.f5.com/csp/article/K73422160?utm_source=f5support\u0026amp%3Butm_medium=RSS\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://usn.ubuntu.com/4376-1/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://usn.ubuntu.com/4376-2/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://usn.ubuntu.com/4504-1/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://www.debian.org/security/2019/dsa-4539\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://www.debian.org/security/2019/dsa-4540\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://www.openssl.org/news/secadv/20190910.txt\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://www.oracle.com/security-alerts/cpuapr2020.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://www.oracle.com/security-alerts/cpujan2020.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://www.oracle.com/security-alerts/cpujul2020.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://www.oracle.com/security-alerts/cpuoct2020.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://www.tenable.com/security/tns-2019-08\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://www.tenable.com/security/tns-2019-09\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}]",
      "sourceIdentifier": "openssl-security@openssl.org",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"NVD-CWE-noinfo\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2019-1547\",\"sourceIdentifier\":\"openssl-security@openssl.org\",\"published\":\"2019-09-10T17:15:11.750\",\"lastModified\":\"2024-11-21T04:36:48.160\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).\"},{\"lang\":\"es\",\"value\":\"Normalmente en los grupos EC de OpenSSL siempre tienen un cofactor presente y este es usado en rutas de c\u00f3digo resistentes a canales laterales. Sin embargo, en ciertos casos, es posible construir un grupo usando par\u00e1metros expl\u00edcitos (en lugar de usar una curva nombrada). En esos casos, es posible que dicho grupo no tenga el cofactor presente. Esto puede ocurrir incluso cuando todos los par\u00e1metros coinciden con una curva de nombre conocido. Si es utilizada dicha curva, entonces OpenSSL recurre a rutas de c\u00f3digo resistentes a canales no laterales lo que puede resultar en una recuperaci\u00f3n de clave completa durante una operaci\u00f3n de firma ECDSA. Para que sea vulnerable, un atacante tendr\u00eda que tener la capacidad de cronometrar la creaci\u00f3n de un gran n\u00famero de firmas donde par\u00e1metros expl\u00edcitos sin cofactor presente est\u00e1n en uso mediante una aplicaci\u00f3n que utiliza libcrypto. Para evitar dudas, libssl no es vulnerable porque nunca se utilizan par\u00e1metros expl\u00edcitos. Corregido en OpenSSL versi\u00f3n 1.1.1d (afectada la versi\u00f3n 1.1.1-1.1.1c). Corregido en OpenSSL versi\u00f3n 1.1.0l (afectada la versi\u00f3n 1.1.0-1.1.0k). Corregida en OpenSSL versi\u00f3n 1.0.2t (afectada la versi\u00f3n 1.0.2-1.0.2s).\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":4.7,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.0,\"impactScore\":3.6}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:L/AC:M/Au:N/C:P/I:N/A:N\",\"baseScore\":1.9,\"accessVector\":\"LOCAL\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"LOW\",\"exploitabilityScore\":3.4,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-noinfo\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"1.0.2\",\"versionEndIncluding\":\"1.0.2s\",\"matchCriteriaId\":\"0DAC8B94-3674-4E4B-9BB0-A16CA0197885\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"1.1.0\",\"versionEndIncluding\":\"1.1.0k\",\"matchCriteriaId\":\"65728FC6-4B4F-4D43-872B-BE1133BB2281\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"1.1.1\",\"versionEndIncluding\":\"1.1.1c\",\"matchCriteriaId\":\"A2ACA227-3992-478E-85C3-023D8AF88A08\"}]}]}],\"references\":[{\"url\":\"http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00054.html\",\"source\":\"openssl-security@openssl.org\"},{\"url\":\"http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00072.html\",\"source\":\"openssl-security@openssl.org\"},{\"url\":\"http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00012.html\",\"source\":\"openssl-security@openssl.org\"},{\"url\":\"http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00016.html\",\"source\":\"openssl-security@openssl.org\"},{\"url\":\"http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html\",\"source\":\"openssl-security@openssl.org\"},{\"url\":\"https://arxiv.org/abs/1909.01785\",\"source\":\"openssl-security@openssl.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=21c856b75d81eff61aa63b4f036bb64a85bf6d46\",\"source\":\"openssl-security@openssl.org\"},{\"url\":\"https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=30c22fa8b1d840036b8e203585738df62a03cec8\",\"source\":\"openssl-security@openssl.org\"},{\"url\":\"https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a\",\"source\":\"openssl-security@openssl.org\"},{\"url\":\"https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10365\",\"source\":\"openssl-security@openssl.org\"},{\"url\":\"https://lists.debian.org/debian-lts-announce/2019/09/msg00026.html\",\"source\":\"openssl-security@openssl.org\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/\",\"source\":\"openssl-security@openssl.org\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/\",\"source\":\"openssl-security@openssl.org\"},{\"url\":\"https://seclists.org/bugtraq/2019/Oct/0\",\"source\":\"openssl-security@openssl.org\"},{\"url\":\"https://seclists.org/bugtraq/2019/Oct/1\",\"source\":\"openssl-security@openssl.org\"},{\"url\":\"https://seclists.org/bugtraq/2019/Sep/25\",\"source\":\"openssl-security@openssl.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://security.gentoo.org/glsa/201911-04\",\"source\":\"openssl-security@openssl.org\"},{\"url\":\"https://security.netapp.com/advisory/ntap-20190919-0002/\",\"source\":\"openssl-security@openssl.org\"},{\"url\":\"https://security.netapp.com/advisory/ntap-20200122-0002/\",\"source\":\"openssl-security@openssl.org\"},{\"url\":\"https://security.netapp.com/advisory/ntap-20200416-0003/\",\"source\":\"openssl-security@openssl.org\"},{\"url\":\"https://security.netapp.com/advisory/ntap-20240621-0006/\",\"source\":\"openssl-security@openssl.org\"},{\"url\":\"https://support.f5.com/csp/article/K73422160?utm_source=f5support\u0026amp%3Butm_medium=RSS\",\"source\":\"openssl-security@openssl.org\"},{\"url\":\"https://usn.ubuntu.com/4376-1/\",\"source\":\"openssl-security@openssl.org\"},{\"url\":\"https://usn.ubuntu.com/4376-2/\",\"source\":\"openssl-security@openssl.org\"},{\"url\":\"https://usn.ubuntu.com/4504-1/\",\"source\":\"openssl-security@openssl.org\"},{\"url\":\"https://www.debian.org/security/2019/dsa-4539\",\"source\":\"openssl-security@openssl.org\"},{\"url\":\"https://www.debian.org/security/2019/dsa-4540\",\"source\":\"openssl-security@openssl.org\"},{\"url\":\"https://www.openssl.org/news/secadv/20190910.txt\",\"source\":\"openssl-security@openssl.org\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://www.oracle.com/security-alerts/cpuapr2020.html\",\"source\":\"openssl-security@openssl.org\"},{\"url\":\"https://www.oracle.com/security-alerts/cpujan2020.html\",\"source\":\"openssl-security@openssl.org\"},{\"url\":\"https://www.oracle.com/security-alerts/cpujul2020.html\",\"source\":\"openssl-security@openssl.org\"},{\"url\":\"https://www.oracle.com/security-alerts/cpuoct2020.html\",\"source\":\"openssl-security@openssl.org\"},{\"url\":\"https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html\",\"source\":\"openssl-security@openssl.org\"},{\"url\":\"https://www.tenable.com/security/tns-2019-08\",\"source\":\"openssl-security@openssl.org\"},{\"url\":\"https://www.tenable.com/security/tns-2019-09\",\"source\":\"openssl-security@openssl.org\"},{\"url\":\"http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00054.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00072.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00012.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00016.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://arxiv.org/abs/1909.01785\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=21c856b75d81eff61aa63b4f036bb64a85bf6d46\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=30c22fa8b1d840036b8e203585738df62a03cec8\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10365\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.debian.org/debian-lts-announce/2019/09/msg00026.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://seclists.org/bugtraq/2019/Oct/0\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://seclists.org/bugtraq/2019/Oct/1\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://seclists.org/bugtraq/2019/Sep/25\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://security.gentoo.org/glsa/201911-04\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://security.netapp.com/advisory/ntap-20190919-0002/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://security.netapp.com/advisory/ntap-20200122-0002/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://security.netapp.com/advisory/ntap-20200416-0003/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://security.netapp.com/advisory/ntap-20240621-0006/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://support.f5.com/csp/article/K73422160?utm_source=f5support\u0026amp%3Butm_medium=RSS\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://usn.ubuntu.com/4376-1/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://usn.ubuntu.com/4376-2/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://usn.ubuntu.com/4504-1/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://www.debian.org/security/2019/dsa-4539\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://www.debian.org/security/2019/dsa-4540\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://www.openssl.org/news/secadv/20190910.txt\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://www.oracle.com/security-alerts/cpuapr2020.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://www.oracle.com/security-alerts/cpujan2020.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://www.oracle.com/security-alerts/cpujul2020.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://www.oracle.com/security-alerts/cpuoct2020.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://www.tenable.com/security/tns-2019-08\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://www.tenable.com/security/tns-2019-09\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://seclists.org/bugtraq/2019/Sep/25\", \"name\": \"20190912 [slackware-security] openssl (SSA:2019-254-03)\", \"tags\": [\"mailing-list\", \"x_transferred\"]}, {\"url\": \"http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00054.html\", \"name\": \"openSUSE-SU-2019:2158\", \"tags\": [\"vendor-advisory\", \"x_transferred\"]}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/\", \"name\": \"FEDORA-2019-d15aac6c4e\", \"tags\": [\"vendor-advisory\", \"x_transferred\"]}, {\"url\": \"http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00072.html\", \"name\": \"openSUSE-SU-2019:2189\", \"tags\": [\"vendor-advisory\", \"x_transferred\"]}, {\"url\": \"https://lists.debian.org/debian-lts-announce/2019/09/msg00026.html\", \"name\": \"[debian-lts-announce] 20190925 [SECURITY] [DLA 1932-1] openssl security update\", \"tags\": [\"mailing-list\", \"x_transferred\"]}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/\", \"name\": \"FEDORA-2019-d51641f152\", \"tags\": [\"vendor-advisory\", \"x_transferred\"]}, {\"url\": \"https://seclists.org/bugtraq/2019/Oct/1\", \"name\": \"20191001 [SECURITY] [DSA 4539-1] openssl security update\", \"tags\": [\"mailing-list\", \"x_transferred\"]}, {\"url\": \"https://seclists.org/bugtraq/2019/Oct/0\", \"name\": \"20191001 [SECURITY] [DSA 4540-1] openssl1.0 security update\", \"tags\": [\"mailing-list\", \"x_transferred\"]}, {\"url\": \"https://www.debian.org/security/2019/dsa-4539\", \"name\": \"DSA-4539\", \"tags\": [\"vendor-advisory\", \"x_transferred\"]}, {\"url\": \"https://www.debian.org/security/2019/dsa-4540\", \"name\": \"DSA-4540\", \"tags\": [\"vendor-advisory\", \"x_transferred\"]}, {\"url\": \"http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00012.html\", \"name\": \"openSUSE-SU-2019:2268\", \"tags\": [\"vendor-advisory\", \"x_transferred\"]}, {\"url\": \"http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00016.html\", \"name\": \"openSUSE-SU-2019:2269\", \"tags\": [\"vendor-advisory\", \"x_transferred\"]}, {\"url\": \"https://security.gentoo.org/glsa/201911-04\", \"name\": \"GLSA-201911-04\", \"tags\": [\"vendor-advisory\", \"x_transferred\"]}, {\"url\": \"https://usn.ubuntu.com/4376-1/\", \"name\": \"USN-4376-1\", \"tags\": [\"vendor-advisory\", \"x_transferred\"]}, {\"url\": \"https://www.oracle.com/security-alerts/cpuapr2020.html\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://www.oracle.com/security-alerts/cpujul2020.html\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://www.tenable.com/security/tns-2019-08\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://www.oracle.com/security-alerts/cpujan2020.html\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://www.openssl.org/news/secadv/20190910.txt\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=30c22fa8b1d840036b8e203585738df62a03cec8\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=21c856b75d81eff61aa63b4f036bb64a85bf6d46\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://arxiv.org/abs/1909.01785\", \"tags\": [\"x_transferred\"]}, {\"url\": \"http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://security.netapp.com/advisory/ntap-20190919-0002/\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://support.f5.com/csp/article/K73422160?utm_source=f5support\u0026amp%3Butm_medium=RSS\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://www.tenable.com/security/tns-2019-09\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://security.netapp.com/advisory/ntap-20200122-0002/\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://security.netapp.com/advisory/ntap-20200416-0003/\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://usn.ubuntu.com/4376-2/\", \"name\": \"USN-4376-2\", \"tags\": [\"vendor-advisory\", \"x_transferred\"]}, {\"url\": \"https://usn.ubuntu.com/4504-1/\", \"name\": \"USN-4504-1\", \"tags\": [\"vendor-advisory\", \"x_transferred\"]}, {\"url\": \"https://www.oracle.com/security-alerts/cpuoct2020.html\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10365\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://security.netapp.com/advisory/ntap-20240621-0006/\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-04T18:20:28.292Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2019-1547\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-07-19T19:04:18.544630Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-07-19T19:04:22.599Z\"}}], \"cna\": {\"title\": \"ECDSA remote timing attack\", \"credits\": [{\"lang\": \"en\", \"value\": \"Cesar Pereida Garc\\u00eda, Sohaib ul Hassan, Nicola Tuveri, Iaroslav Gridin, Alejandro Cabrera Aldaya, and Billy Brumley\"}], \"metrics\": [{\"other\": {\"type\": \"unknown\", \"content\": {\"url\": \"https://www.openssl.org/policies/secpolicy.html#Low\", \"lang\": \"eng\", \"value\": \"Low\"}}}], \"affected\": [{\"vendor\": \"OpenSSL\", \"product\": \"OpenSSL\", \"versions\": [{\"status\": \"affected\", \"version\": \"Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c)\"}, {\"status\": \"affected\", \"version\": \"Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k)\"}, {\"status\": \"affected\", \"version\": \"Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s)\"}]}], \"datePublic\": \"2019-09-10T00:00:00\", \"references\": [{\"url\": \"https://seclists.org/bugtraq/2019/Sep/25\", \"name\": \"20190912 [slackware-security] openssl (SSA:2019-254-03)\", \"tags\": [\"mailing-list\"]}, {\"url\": \"http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00054.html\", \"name\": \"openSUSE-SU-2019:2158\", \"tags\": [\"vendor-advisory\"]}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/\", \"name\": \"FEDORA-2019-d15aac6c4e\", \"tags\": [\"vendor-advisory\"]}, {\"url\": \"http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00072.html\", \"name\": \"openSUSE-SU-2019:2189\", \"tags\": [\"vendor-advisory\"]}, {\"url\": \"https://lists.debian.org/debian-lts-announce/2019/09/msg00026.html\", \"name\": \"[debian-lts-announce] 20190925 [SECURITY] [DLA 1932-1] openssl security update\", \"tags\": [\"mailing-list\"]}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/\", \"name\": \"FEDORA-2019-d51641f152\", \"tags\": [\"vendor-advisory\"]}, {\"url\": \"https://seclists.org/bugtraq/2019/Oct/1\", \"name\": \"20191001 [SECURITY] [DSA 4539-1] openssl security update\", \"tags\": [\"mailing-list\"]}, {\"url\": \"https://seclists.org/bugtraq/2019/Oct/0\", \"name\": \"20191001 [SECURITY] [DSA 4540-1] openssl1.0 security update\", \"tags\": [\"mailing-list\"]}, {\"url\": \"https://www.debian.org/security/2019/dsa-4539\", \"name\": \"DSA-4539\", \"tags\": [\"vendor-advisory\"]}, {\"url\": \"https://www.debian.org/security/2019/dsa-4540\", \"name\": \"DSA-4540\", \"tags\": [\"vendor-advisory\"]}, {\"url\": \"http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00012.html\", \"name\": \"openSUSE-SU-2019:2268\", \"tags\": [\"vendor-advisory\"]}, {\"url\": \"http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00016.html\", \"name\": \"openSUSE-SU-2019:2269\", \"tags\": [\"vendor-advisory\"]}, {\"url\": \"https://security.gentoo.org/glsa/201911-04\", \"name\": \"GLSA-201911-04\", \"tags\": [\"vendor-advisory\"]}, {\"url\": \"https://usn.ubuntu.com/4376-1/\", \"name\": \"USN-4376-1\", \"tags\": [\"vendor-advisory\"]}, {\"url\": \"https://www.oracle.com/security-alerts/cpuapr2020.html\"}, {\"url\": \"https://www.oracle.com/security-alerts/cpujul2020.html\"}, {\"url\": \"https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html\"}, {\"url\": \"https://www.tenable.com/security/tns-2019-08\"}, {\"url\": \"https://www.oracle.com/security-alerts/cpujan2020.html\"}, {\"url\": \"https://www.openssl.org/news/secadv/20190910.txt\"}, {\"url\": \"https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=30c22fa8b1d840036b8e203585738df62a03cec8\"}, {\"url\": \"https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a\"}, {\"url\": \"https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=21c856b75d81eff61aa63b4f036bb64a85bf6d46\"}, {\"url\": \"https://arxiv.org/abs/1909.01785\"}, {\"url\": \"http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html\"}, {\"url\": \"https://security.netapp.com/advisory/ntap-20190919-0002/\"}, {\"url\": \"https://support.f5.com/csp/article/K73422160?utm_source=f5support\u0026amp%3Butm_medium=RSS\"}, {\"url\": \"https://www.tenable.com/security/tns-2019-09\"}, {\"url\": \"https://security.netapp.com/advisory/ntap-20200122-0002/\"}, {\"url\": \"https://security.netapp.com/advisory/ntap-20200416-0003/\"}, {\"url\": \"https://usn.ubuntu.com/4376-2/\", \"name\": \"USN-4376-2\", \"tags\": [\"vendor-advisory\"]}, {\"url\": \"https://usn.ubuntu.com/4504-1/\", \"name\": \"USN-4504-1\", \"tags\": [\"vendor-advisory\"]}, {\"url\": \"https://www.oracle.com/security-alerts/cpuoct2020.html\"}, {\"url\": \"https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10365\"}, {\"url\": \"https://security.netapp.com/advisory/ntap-20240621-0006/\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"text\", \"description\": \"Timing side channel\"}]}], \"providerMetadata\": {\"orgId\": \"3a12439a-ef3a-4c79-92e6-6081a721f1e5\", \"shortName\": \"openssl\", \"dateUpdated\": \"2024-06-21T19:06:30.909094\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2019-1547\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-09-16T16:33:05.874Z\", \"dateReserved\": \"2018-11-28T00:00:00\", \"assignerOrgId\": \"3a12439a-ef3a-4c79-92e6-6081a721f1e5\", \"datePublished\": \"2019-09-10T16:58:35.307121Z\", \"assignerShortName\": \"openssl\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.