cve-2019-1547
Vulnerability from cvelistv5
Published
2019-09-10 16:58
Modified
2024-09-16 16:33
Severity ?
Summary
Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).
References
openssl-security@openssl.orghttp://lists.opensuse.org/opensuse-security-announce/2019-09/msg00054.html
openssl-security@openssl.orghttp://lists.opensuse.org/opensuse-security-announce/2019-09/msg00072.html
openssl-security@openssl.orghttp://lists.opensuse.org/opensuse-security-announce/2019-10/msg00012.html
openssl-security@openssl.orghttp://lists.opensuse.org/opensuse-security-announce/2019-10/msg00016.html
openssl-security@openssl.orghttp://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html
openssl-security@openssl.orghttps://arxiv.org/abs/1909.01785Third Party Advisory
openssl-security@openssl.orghttps://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=21c856b75d81eff61aa63b4f036bb64a85bf6d46
openssl-security@openssl.orghttps://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=30c22fa8b1d840036b8e203585738df62a03cec8
openssl-security@openssl.orghttps://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a
openssl-security@openssl.orghttps://kc.mcafee.com/corporate/index?page=content&id=SB10365
openssl-security@openssl.orghttps://lists.debian.org/debian-lts-announce/2019/09/msg00026.html
openssl-security@openssl.orghttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/
openssl-security@openssl.orghttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/
openssl-security@openssl.orghttps://seclists.org/bugtraq/2019/Oct/0
openssl-security@openssl.orghttps://seclists.org/bugtraq/2019/Oct/1
openssl-security@openssl.orghttps://seclists.org/bugtraq/2019/Sep/25Third Party Advisory
openssl-security@openssl.orghttps://security.gentoo.org/glsa/201911-04
openssl-security@openssl.orghttps://security.netapp.com/advisory/ntap-20190919-0002/
openssl-security@openssl.orghttps://security.netapp.com/advisory/ntap-20200122-0002/
openssl-security@openssl.orghttps://security.netapp.com/advisory/ntap-20200416-0003/
openssl-security@openssl.orghttps://security.netapp.com/advisory/ntap-20240621-0006/
openssl-security@openssl.orghttps://support.f5.com/csp/article/K73422160?utm_source=f5support&amp%3Butm_medium=RSS
openssl-security@openssl.orghttps://usn.ubuntu.com/4376-1/
openssl-security@openssl.orghttps://usn.ubuntu.com/4376-2/
openssl-security@openssl.orghttps://usn.ubuntu.com/4504-1/
openssl-security@openssl.orghttps://www.debian.org/security/2019/dsa-4539
openssl-security@openssl.orghttps://www.debian.org/security/2019/dsa-4540
openssl-security@openssl.orghttps://www.openssl.org/news/secadv/20190910.txtVendor Advisory
openssl-security@openssl.orghttps://www.oracle.com/security-alerts/cpuapr2020.html
openssl-security@openssl.orghttps://www.oracle.com/security-alerts/cpujan2020.html
openssl-security@openssl.orghttps://www.oracle.com/security-alerts/cpujul2020.html
openssl-security@openssl.orghttps://www.oracle.com/security-alerts/cpuoct2020.html
openssl-security@openssl.orghttps://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
openssl-security@openssl.orghttps://www.tenable.com/security/tns-2019-08
openssl-security@openssl.orghttps://www.tenable.com/security/tns-2019-09
af854a3a-2127-422b-91ae-364da2661108http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00054.html
af854a3a-2127-422b-91ae-364da2661108http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00072.html
af854a3a-2127-422b-91ae-364da2661108http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00012.html
af854a3a-2127-422b-91ae-364da2661108http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00016.html
af854a3a-2127-422b-91ae-364da2661108http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html
af854a3a-2127-422b-91ae-364da2661108https://arxiv.org/abs/1909.01785Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=21c856b75d81eff61aa63b4f036bb64a85bf6d46
af854a3a-2127-422b-91ae-364da2661108https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=30c22fa8b1d840036b8e203585738df62a03cec8
af854a3a-2127-422b-91ae-364da2661108https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a
af854a3a-2127-422b-91ae-364da2661108https://kc.mcafee.com/corporate/index?page=content&id=SB10365
af854a3a-2127-422b-91ae-364da2661108https://lists.debian.org/debian-lts-announce/2019/09/msg00026.html
af854a3a-2127-422b-91ae-364da2661108https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/
af854a3a-2127-422b-91ae-364da2661108https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/
af854a3a-2127-422b-91ae-364da2661108https://seclists.org/bugtraq/2019/Oct/0
af854a3a-2127-422b-91ae-364da2661108https://seclists.org/bugtraq/2019/Oct/1
af854a3a-2127-422b-91ae-364da2661108https://seclists.org/bugtraq/2019/Sep/25Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://security.gentoo.org/glsa/201911-04
af854a3a-2127-422b-91ae-364da2661108https://security.netapp.com/advisory/ntap-20190919-0002/
af854a3a-2127-422b-91ae-364da2661108https://security.netapp.com/advisory/ntap-20200122-0002/
af854a3a-2127-422b-91ae-364da2661108https://security.netapp.com/advisory/ntap-20200416-0003/
af854a3a-2127-422b-91ae-364da2661108https://security.netapp.com/advisory/ntap-20240621-0006/
af854a3a-2127-422b-91ae-364da2661108https://support.f5.com/csp/article/K73422160?utm_source=f5support&amp%3Butm_medium=RSS
af854a3a-2127-422b-91ae-364da2661108https://usn.ubuntu.com/4376-1/
af854a3a-2127-422b-91ae-364da2661108https://usn.ubuntu.com/4376-2/
af854a3a-2127-422b-91ae-364da2661108https://usn.ubuntu.com/4504-1/
af854a3a-2127-422b-91ae-364da2661108https://www.debian.org/security/2019/dsa-4539
af854a3a-2127-422b-91ae-364da2661108https://www.debian.org/security/2019/dsa-4540
af854a3a-2127-422b-91ae-364da2661108https://www.openssl.org/news/secadv/20190910.txtVendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://www.oracle.com/security-alerts/cpuapr2020.html
af854a3a-2127-422b-91ae-364da2661108https://www.oracle.com/security-alerts/cpujan2020.html
af854a3a-2127-422b-91ae-364da2661108https://www.oracle.com/security-alerts/cpujul2020.html
af854a3a-2127-422b-91ae-364da2661108https://www.oracle.com/security-alerts/cpuoct2020.html
af854a3a-2127-422b-91ae-364da2661108https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
af854a3a-2127-422b-91ae-364da2661108https://www.tenable.com/security/tns-2019-08
af854a3a-2127-422b-91ae-364da2661108https://www.tenable.com/security/tns-2019-09
Impacted products
Vendor Product Version
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2019-1547",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-07-19T19:04:18.544630Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-07-19T19:04:25.516Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T18:20:28.292Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "20190912 [slackware-security] openssl (SSA:2019-254-03)",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://seclists.org/bugtraq/2019/Sep/25"
          },
          {
            "name": "openSUSE-SU-2019:2158",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00054.html"
          },
          {
            "name": "FEDORA-2019-d15aac6c4e",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/"
          },
          {
            "name": "openSUSE-SU-2019:2189",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00072.html"
          },
          {
            "name": "[debian-lts-announce] 20190925 [SECURITY] [DLA 1932-1] openssl security update",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2019/09/msg00026.html"
          },
          {
            "name": "FEDORA-2019-d51641f152",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/"
          },
          {
            "name": "20191001 [SECURITY] [DSA 4539-1] openssl security update",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://seclists.org/bugtraq/2019/Oct/1"
          },
          {
            "name": "20191001 [SECURITY] [DSA 4540-1] openssl1.0 security update",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://seclists.org/bugtraq/2019/Oct/0"
          },
          {
            "name": "DSA-4539",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2019/dsa-4539"
          },
          {
            "name": "DSA-4540",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2019/dsa-4540"
          },
          {
            "name": "openSUSE-SU-2019:2268",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00012.html"
          },
          {
            "name": "openSUSE-SU-2019:2269",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00016.html"
          },
          {
            "name": "GLSA-201911-04",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://security.gentoo.org/glsa/201911-04"
          },
          {
            "name": "USN-4376-1",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://usn.ubuntu.com/4376-1/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpujul2020.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.tenable.com/security/tns-2019-08"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpujan2020.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.openssl.org/news/secadv/20190910.txt"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=30c22fa8b1d840036b8e203585738df62a03cec8"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=21c856b75d81eff61aa63b4f036bb64a85bf6d46"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://arxiv.org/abs/1909.01785"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20190919-0002/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://support.f5.com/csp/article/K73422160?utm_source=f5support\u0026amp%3Butm_medium=RSS"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.tenable.com/security/tns-2019-09"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20200122-0002/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20200416-0003/"
          },
          {
            "name": "USN-4376-2",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://usn.ubuntu.com/4376-2/"
          },
          {
            "name": "USN-4504-1",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://usn.ubuntu.com/4504-1/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10365"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20240621-0006/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "OpenSSL",
          "vendor": "OpenSSL",
          "versions": [
            {
              "status": "affected",
              "version": "Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c)"
            },
            {
              "status": "affected",
              "version": "Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k)"
            },
            {
              "status": "affected",
              "version": "Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s)"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Cesar Pereida Garc\u00eda, Sohaib ul Hassan, Nicola Tuveri, Iaroslav Gridin, Alejandro Cabrera Aldaya, and Billy Brumley"
        }
      ],
      "datePublic": "2019-09-10T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s)."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "lang": "eng",
              "url": "https://www.openssl.org/policies/secpolicy.html#Low",
              "value": "Low"
            },
            "type": "unknown"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Timing side channel",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-06-21T19:06:30.909094",
        "orgId": "3a12439a-ef3a-4c79-92e6-6081a721f1e5",
        "shortName": "openssl"
      },
      "references": [
        {
          "name": "20190912 [slackware-security] openssl (SSA:2019-254-03)",
          "tags": [
            "mailing-list"
          ],
          "url": "https://seclists.org/bugtraq/2019/Sep/25"
        },
        {
          "name": "openSUSE-SU-2019:2158",
          "tags": [
            "vendor-advisory"
          ],
          "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00054.html"
        },
        {
          "name": "FEDORA-2019-d15aac6c4e",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/"
        },
        {
          "name": "openSUSE-SU-2019:2189",
          "tags": [
            "vendor-advisory"
          ],
          "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00072.html"
        },
        {
          "name": "[debian-lts-announce] 20190925 [SECURITY] [DLA 1932-1] openssl security update",
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2019/09/msg00026.html"
        },
        {
          "name": "FEDORA-2019-d51641f152",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/"
        },
        {
          "name": "20191001 [SECURITY] [DSA 4539-1] openssl security update",
          "tags": [
            "mailing-list"
          ],
          "url": "https://seclists.org/bugtraq/2019/Oct/1"
        },
        {
          "name": "20191001 [SECURITY] [DSA 4540-1] openssl1.0 security update",
          "tags": [
            "mailing-list"
          ],
          "url": "https://seclists.org/bugtraq/2019/Oct/0"
        },
        {
          "name": "DSA-4539",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.debian.org/security/2019/dsa-4539"
        },
        {
          "name": "DSA-4540",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.debian.org/security/2019/dsa-4540"
        },
        {
          "name": "openSUSE-SU-2019:2268",
          "tags": [
            "vendor-advisory"
          ],
          "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00012.html"
        },
        {
          "name": "openSUSE-SU-2019:2269",
          "tags": [
            "vendor-advisory"
          ],
          "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00016.html"
        },
        {
          "name": "GLSA-201911-04",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://security.gentoo.org/glsa/201911-04"
        },
        {
          "name": "USN-4376-1",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://usn.ubuntu.com/4376-1/"
        },
        {
          "url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
        },
        {
          "url": "https://www.oracle.com/security-alerts/cpujul2020.html"
        },
        {
          "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html"
        },
        {
          "url": "https://www.tenable.com/security/tns-2019-08"
        },
        {
          "url": "https://www.oracle.com/security-alerts/cpujan2020.html"
        },
        {
          "url": "https://www.openssl.org/news/secadv/20190910.txt"
        },
        {
          "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=30c22fa8b1d840036b8e203585738df62a03cec8"
        },
        {
          "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a"
        },
        {
          "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=21c856b75d81eff61aa63b4f036bb64a85bf6d46"
        },
        {
          "url": "https://arxiv.org/abs/1909.01785"
        },
        {
          "url": "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20190919-0002/"
        },
        {
          "url": "https://support.f5.com/csp/article/K73422160?utm_source=f5support\u0026amp%3Butm_medium=RSS"
        },
        {
          "url": "https://www.tenable.com/security/tns-2019-09"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20200122-0002/"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20200416-0003/"
        },
        {
          "name": "USN-4376-2",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://usn.ubuntu.com/4376-2/"
        },
        {
          "name": "USN-4504-1",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://usn.ubuntu.com/4504-1/"
        },
        {
          "url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
        },
        {
          "url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10365"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20240621-0006/"
        }
      ],
      "title": "ECDSA remote timing attack"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "3a12439a-ef3a-4c79-92e6-6081a721f1e5",
    "assignerShortName": "openssl",
    "cveId": "CVE-2019-1547",
    "datePublished": "2019-09-10T16:58:35.307121Z",
    "dateReserved": "2018-11-28T00:00:00",
    "dateUpdated": "2024-09-16T16:33:05.874Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2019-1547\",\"sourceIdentifier\":\"openssl-security@openssl.org\",\"published\":\"2019-09-10T17:15:11.750\",\"lastModified\":\"2024-11-21T04:36:48.160\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).\"},{\"lang\":\"es\",\"value\":\"Normalmente en los grupos EC de OpenSSL siempre tienen un cofactor presente y este es usado en rutas de c\u00f3digo resistentes a canales laterales. Sin embargo, en ciertos casos, es posible construir un grupo usando par\u00e1metros expl\u00edcitos (en lugar de usar una curva nombrada). En esos casos, es posible que dicho grupo no tenga el cofactor presente. Esto puede ocurrir incluso cuando todos los par\u00e1metros coinciden con una curva de nombre conocido. Si es utilizada dicha curva, entonces OpenSSL recurre a rutas de c\u00f3digo resistentes a canales no laterales lo que puede resultar en una recuperaci\u00f3n de clave completa durante una operaci\u00f3n de firma ECDSA. Para que sea vulnerable, un atacante tendr\u00eda que tener la capacidad de cronometrar la creaci\u00f3n de un gran n\u00famero de firmas donde par\u00e1metros expl\u00edcitos sin cofactor presente est\u00e1n en uso mediante una aplicaci\u00f3n que utiliza libcrypto. Para evitar dudas, libssl no es vulnerable porque nunca se utilizan par\u00e1metros expl\u00edcitos. Corregido en OpenSSL versi\u00f3n 1.1.1d (afectada la versi\u00f3n 1.1.1-1.1.1c). Corregido en OpenSSL versi\u00f3n 1.1.0l (afectada la versi\u00f3n 1.1.0-1.1.0k). Corregida en OpenSSL versi\u00f3n 1.0.2t (afectada la versi\u00f3n 1.0.2-1.0.2s).\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":4.7,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.0,\"impactScore\":3.6}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:L/AC:M/Au:N/C:P/I:N/A:N\",\"baseScore\":1.9,\"accessVector\":\"LOCAL\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"LOW\",\"exploitabilityScore\":3.4,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-noinfo\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"1.0.2\",\"versionEndIncluding\":\"1.0.2s\",\"matchCriteriaId\":\"0DAC8B94-3674-4E4B-9BB0-A16CA0197885\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"1.1.0\",\"versionEndIncluding\":\"1.1.0k\",\"matchCriteriaId\":\"65728FC6-4B4F-4D43-872B-BE1133BB2281\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"1.1.1\",\"versionEndIncluding\":\"1.1.1c\",\"matchCriteriaId\":\"A2ACA227-3992-478E-85C3-023D8AF88A08\"}]}]}],\"references\":[{\"url\":\"http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00054.html\",\"source\":\"openssl-security@openssl.org\"},{\"url\":\"http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00072.html\",\"source\":\"openssl-security@openssl.org\"},{\"url\":\"http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00012.html\",\"source\":\"openssl-security@openssl.org\"},{\"url\":\"http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00016.html\",\"source\":\"openssl-security@openssl.org\"},{\"url\":\"http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html\",\"source\":\"openssl-security@openssl.org\"},{\"url\":\"https://arxiv.org/abs/1909.01785\",\"source\":\"openssl-security@openssl.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=21c856b75d81eff61aa63b4f036bb64a85bf6d46\",\"source\":\"openssl-security@openssl.org\"},{\"url\":\"https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=30c22fa8b1d840036b8e203585738df62a03cec8\",\"source\":\"openssl-security@openssl.org\"},{\"url\":\"https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a\",\"source\":\"openssl-security@openssl.org\"},{\"url\":\"https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10365\",\"source\":\"openssl-security@openssl.org\"},{\"url\":\"https://lists.debian.org/debian-lts-announce/2019/09/msg00026.html\",\"source\":\"openssl-security@openssl.org\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/\",\"source\":\"openssl-security@openssl.org\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/\",\"source\":\"openssl-security@openssl.org\"},{\"url\":\"https://seclists.org/bugtraq/2019/Oct/0\",\"source\":\"openssl-security@openssl.org\"},{\"url\":\"https://seclists.org/bugtraq/2019/Oct/1\",\"source\":\"openssl-security@openssl.org\"},{\"url\":\"https://seclists.org/bugtraq/2019/Sep/25\",\"source\":\"openssl-security@openssl.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://security.gentoo.org/glsa/201911-04\",\"source\":\"openssl-security@openssl.org\"},{\"url\":\"https://security.netapp.com/advisory/ntap-20190919-0002/\",\"source\":\"openssl-security@openssl.org\"},{\"url\":\"https://security.netapp.com/advisory/ntap-20200122-0002/\",\"source\":\"openssl-security@openssl.org\"},{\"url\":\"https://security.netapp.com/advisory/ntap-20200416-0003/\",\"source\":\"openssl-security@openssl.org\"},{\"url\":\"https://security.netapp.com/advisory/ntap-20240621-0006/\",\"source\":\"openssl-security@openssl.org\"},{\"url\":\"https://support.f5.com/csp/article/K73422160?utm_source=f5support\u0026amp%3Butm_medium=RSS\",\"source\":\"openssl-security@openssl.org\"},{\"url\":\"https://usn.ubuntu.com/4376-1/\",\"source\":\"openssl-security@openssl.org\"},{\"url\":\"https://usn.ubuntu.com/4376-2/\",\"source\":\"openssl-security@openssl.org\"},{\"url\":\"https://usn.ubuntu.com/4504-1/\",\"source\":\"openssl-security@openssl.org\"},{\"url\":\"https://www.debian.org/security/2019/dsa-4539\",\"source\":\"openssl-security@openssl.org\"},{\"url\":\"https://www.debian.org/security/2019/dsa-4540\",\"source\":\"openssl-security@openssl.org\"},{\"url\":\"https://www.openssl.org/news/secadv/20190910.txt\",\"source\":\"openssl-security@openssl.org\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://www.oracle.com/security-alerts/cpuapr2020.html\",\"source\":\"openssl-security@openssl.org\"},{\"url\":\"https://www.oracle.com/security-alerts/cpujan2020.html\",\"source\":\"openssl-security@openssl.org\"},{\"url\":\"https://www.oracle.com/security-alerts/cpujul2020.html\",\"source\":\"openssl-security@openssl.org\"},{\"url\":\"https://www.oracle.com/security-alerts/cpuoct2020.html\",\"source\":\"openssl-security@openssl.org\"},{\"url\":\"https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html\",\"source\":\"openssl-security@openssl.org\"},{\"url\":\"https://www.tenable.com/security/tns-2019-08\",\"source\":\"openssl-security@openssl.org\"},{\"url\":\"https://www.tenable.com/security/tns-2019-09\",\"source\":\"openssl-security@openssl.org\"},{\"url\":\"http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00054.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00072.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00012.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00016.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://arxiv.org/abs/1909.01785\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=21c856b75d81eff61aa63b4f036bb64a85bf6d46\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=30c22fa8b1d840036b8e203585738df62a03cec8\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10365\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.debian.org/debian-lts-announce/2019/09/msg00026.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://seclists.org/bugtraq/2019/Oct/0\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://seclists.org/bugtraq/2019/Oct/1\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://seclists.org/bugtraq/2019/Sep/25\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://security.gentoo.org/glsa/201911-04\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://security.netapp.com/advisory/ntap-20190919-0002/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://security.netapp.com/advisory/ntap-20200122-0002/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://security.netapp.com/advisory/ntap-20200416-0003/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://security.netapp.com/advisory/ntap-20240621-0006/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://support.f5.com/csp/article/K73422160?utm_source=f5support\u0026amp%3Butm_medium=RSS\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://usn.ubuntu.com/4376-1/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://usn.ubuntu.com/4376-2/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://usn.ubuntu.com/4504-1/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://www.debian.org/security/2019/dsa-4539\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://www.debian.org/security/2019/dsa-4540\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://www.openssl.org/news/secadv/20190910.txt\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://www.oracle.com/security-alerts/cpuapr2020.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://www.oracle.com/security-alerts/cpujan2020.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://www.oracle.com/security-alerts/cpujul2020.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://www.oracle.com/security-alerts/cpuoct2020.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://www.tenable.com/security/tns-2019-08\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://www.tenable.com/security/tns-2019-09\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.