usn-4376-2
Vulnerability from osv_ubuntu
Published
2020-07-09 17:41
Modified
2026-04-27 14:11
Summary
openssl vulnerabilities
Details

USN-4376-1 fixed several vulnerabilities in OpenSSL. This update provides the corresponding update for Ubuntu 12.04 ESM and Ubuntu 14.04 ESM.

Original advisory details:

Cesar Pereida García, Sohaib ul Hassan, Nicola Tuveri, Iaroslav Gridin, Alejandro Cabrera Aldaya, and Billy Brumley discovered that OpenSSL incorrectly handled ECDSA signatures. An attacker could possibly use this issue to perform a timing side-channel attack and recover private ECDSA keys. (CVE-2019-1547)

Juraj Somorovsky, Robert Merget, and Nimrod Aviram discovered that certain applications incorrectly used OpenSSL and could be exposed to a padding oracle attack. A remote attacker could possibly use this issue to decrypt data. (CVE-2019-1559)

Bernd Edlinger discovered that OpenSSL incorrectly handled certain decryption functions. In certain scenarios, a remote attacker could possibly use this issue to perform a padding oracle attack and decrypt traffic. (CVE-2019-1563)


{
  "affected": [
    {
      "database_specific": {
        "cves_map": {
          "cves": [
            {
              "id": "CVE-2019-1547",
              "severity": [
                {
                  "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
                  "type": "CVSS_V3"
                },
                {
                  "score": "low",
                  "type": "Ubuntu"
                }
              ]
            },
            {
              "id": "CVE-2019-1559",
              "severity": [
                {
                  "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
                  "type": "CVSS_V3"
                },
                {
                  "score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
                  "type": "CVSS_V3"
                },
                {
                  "score": "medium",
                  "type": "Ubuntu"
                }
              ]
            },
            {
              "id": "CVE-2019-1563",
              "severity": [
                {
                  "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
                  "type": "CVSS_V3"
                },
                {
                  "score": "low",
                  "type": "Ubuntu"
                }
              ]
            }
          ],
          "ecosystem": "Ubuntu:Pro:14.04:LTS"
        }
      },
      "ecosystem_specific": {
        "availability": "Available with Ubuntu Pro (Infra-only): https://ubuntu.com/pro",
        "binaries": [
          {
            "binary_name": "libssl1.0.0",
            "binary_version": "1.0.1f-1ubuntu2.27+esm1"
          },
          {
            "binary_name": "openssl",
            "binary_version": "1.0.1f-1ubuntu2.27+esm1"
          }
        ]
      },
      "package": {
        "ecosystem": "Ubuntu:Pro:14.04:LTS",
        "name": "openssl",
        "purl": "pkg:deb/ubuntu/openssl@1.0.1f-1ubuntu2.27+esm1?arch=source\u0026distro=trusty/esm"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.0.1f-1ubuntu2.27+esm1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "1.0.1e-3ubuntu1",
        "1.0.1e-4ubuntu1",
        "1.0.1e-4ubuntu2",
        "1.0.1e-4ubuntu3",
        "1.0.1e-4ubuntu4",
        "1.0.1f-1ubuntu1",
        "1.0.1f-1ubuntu2",
        "1.0.1f-1ubuntu2.1",
        "1.0.1f-1ubuntu2.2",
        "1.0.1f-1ubuntu2.3",
        "1.0.1f-1ubuntu2.4",
        "1.0.1f-1ubuntu2.5",
        "1.0.1f-1ubuntu2.7",
        "1.0.1f-1ubuntu2.8",
        "1.0.1f-1ubuntu2.11",
        "1.0.1f-1ubuntu2.12",
        "1.0.1f-1ubuntu2.15",
        "1.0.1f-1ubuntu2.16",
        "1.0.1f-1ubuntu2.17",
        "1.0.1f-1ubuntu2.18",
        "1.0.1f-1ubuntu2.19",
        "1.0.1f-1ubuntu2.20",
        "1.0.1f-1ubuntu2.21",
        "1.0.1f-1ubuntu2.22",
        "1.0.1f-1ubuntu2.23",
        "1.0.1f-1ubuntu2.24",
        "1.0.1f-1ubuntu2.25",
        "1.0.1f-1ubuntu2.26",
        "1.0.1f-1ubuntu2.27"
      ]
    }
  ],
  "aliases": [],
  "details": "USN-4376-1 fixed several vulnerabilities in OpenSSL. This update provides\nthe corresponding update for Ubuntu 12.04 ESM and Ubuntu 14.04 ESM.\n\nOriginal advisory details:\n\n Cesar Pereida Garc\u00eda, Sohaib ul Hassan, Nicola Tuveri, Iaroslav Gridin,\n Alejandro Cabrera Aldaya, and Billy Brumley discovered that OpenSSL\n incorrectly handled ECDSA signatures. An attacker could possibly use this\n issue to perform a timing side-channel attack and recover private ECDSA\n keys. (CVE-2019-1547)\n\n Juraj Somorovsky, Robert Merget, and Nimrod Aviram discovered that certain\n applications incorrectly used OpenSSL and could be exposed to a padding\n oracle attack. A remote attacker could possibly use this issue to decrypt\n data. (CVE-2019-1559)\n\n Bernd Edlinger discovered that OpenSSL incorrectly handled certain\n decryption functions. In certain scenarios, a remote attacker could\n possibly use this issue to perform a padding oracle attack and decrypt\n traffic. (CVE-2019-1563)\n",
  "id": "USN-4376-2",
  "modified": "2026-04-27T14:11:25Z",
  "published": "2020-07-09T17:41:10Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://ubuntu.com/security/notices/USN-4376-2"
    },
    {
      "type": "REPORT",
      "url": "https://ubuntu.com/security/CVE-2019-1547"
    },
    {
      "type": "REPORT",
      "url": "https://ubuntu.com/security/CVE-2019-1559"
    },
    {
      "type": "REPORT",
      "url": "https://ubuntu.com/security/CVE-2019-1563"
    }
  ],
  "related": [],
  "schema_version": "1.7.0",
  "summary": "openssl vulnerabilities",
  "upstream": [
    "UBUNTU-CVE-2019-1547",
    "UBUNTU-CVE-2019-1559",
    "UBUNTU-CVE-2019-1563"
  ]
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…