what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New
Showing 1 - 13 of 13 RSS Feed

CVE-2019-1547

Status Candidate

Overview

Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).

Related Files

Ubuntu Security Notice USN-4504-1
Posted Sep 16, 2020
Authored by Ubuntu | Site security.ubuntu.com

Ubuntu Security Notice 4504-1 - Robert Merget, Marcus Brinkmann, Nimrod Aviram, and Juraj Somorovsky discovered that certain Diffie-Hellman ciphersuites in the TLS specification and implemented by OpenSSL contained a flaw. A remote attacker could possibly use this issue to eavesdrop on encrypted communications. This was fixed in this update by removing the insecure ciphersuites from OpenSSL. Cesar Pereida GarcĂ­a, Sohaib ul Hassan, Nicola Tuveri, Iaroslav Gridin, Alejandro Cabrera Aldaya, and Billy Brumley discovered that OpenSSL incorrectly handled ECDSA signatures. An attacker could possibly use this issue to perform a timing side-channel attack and recover private ECDSA keys. This issue only affected Ubuntu 18.04 LTS. Various other issues were also addressed.

tags | advisory, remote
systems | linux, ubuntu
advisories | CVE-2019-1547, CVE-2019-1551, CVE-2019-1563, CVE-2020-1968
SHA-256 | a453c91247c0c8b05f0a70b1a3674ee04e7e21eea70c71f8885d6de34ed4c9a3
Red Hat Security Advisory 2020-3194-01
Posted Jul 29, 2020
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2020-3194-01 - OpenShift Virtualization is Red Hat's virtualization solution designed for Red Hat OpenShift Container Platform. Issues addressed include a man-in-the-middle vulnerability.

tags | advisory
systems | linux, redhat
advisories | CVE-2018-14404, CVE-2018-18074, CVE-2018-19519, CVE-2018-20060, CVE-2018-20337, CVE-2018-20852, CVE-2018-7263, CVE-2018-9251, CVE-2019-1010180, CVE-2019-1010204, CVE-2019-11236, CVE-2019-11324, CVE-2019-12447, CVE-2019-12448, CVE-2019-12449, CVE-2019-13232, CVE-2019-13752, CVE-2019-13753, CVE-2019-14563, CVE-2019-14822, CVE-2019-1547, CVE-2019-1549, CVE-2019-1563, CVE-2019-15847, CVE-2019-16056, CVE-2019-17451
SHA-256 | ab12a5414b74ae4ec0875438bd155092413bb637cd1033a63c83f8057805a037
Ubuntu Security Notice USN-4376-2
Posted Jul 9, 2020
Authored by Ubuntu | Site security.ubuntu.com

Ubuntu Security Notice 4376-2 - USN-4376-1 fixed several vulnerabilities in OpenSSL. This update provides the corresponding update for Ubuntu 12.04 ESM and Ubuntu 14.04 ESM. Cesar Pereida Garc

tags | advisory, vulnerability
systems | linux, ubuntu
advisories | CVE-2019-1547, CVE-2019-1559, CVE-2019-1563
SHA-256 | 5445679b64468007bee163d47a758be2917c993483dd87c18672525db8c01ce2
Ubuntu Security Notice USN-4376-1
Posted May 28, 2020
Authored by Ubuntu | Site security.ubuntu.com

Ubuntu Security Notice 4376-1 - It was discovered that OpenSSL incorrectly handled ECDSA signatures. An attacker could possibly use this issue to perform a timing side-channel attack and recover private ECDSA keys. Matt Caswell discovered that OpenSSL incorrectly handled the random number generator. This may result in applications that use the fork system call sharing the same RNG state between the parent and the child, contrary to expectations. This issue only affected Ubuntu 18.04 LTS and Ubuntu 19.10.

tags | advisory
systems | linux, ubuntu
advisories | CVE-2019-1547, CVE-2019-1549, CVE-2019-1551, CVE-2019-1563
SHA-256 | e20de866e28c83e8f20de501782e4da4bf3f8fcaa6fcfbdc5b5e842700cd1f27
Red Hat Security Advisory 2020-1840-01
Posted Apr 28, 2020
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2020-1840-01 - OpenSSL is a toolkit that implements the Secure Sockets Layer and Transport Layer Security protocols, as well as a full-strength general-purpose cryptography library. Issues addressed include an information leakage vulnerability.

tags | advisory, protocol
systems | linux, redhat
advisories | CVE-2019-1547, CVE-2019-1549, CVE-2019-1563
SHA-256 | 179c450f5486128e09d227d463e27144c9b0b365175069306e8100d7c94d5fe9
Red Hat Security Advisory 2020-1337-01
Posted Apr 7, 2020
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2020-1337-01 - This release adds the new Apache HTTP Server 2.4.37 Service Pack 2 packages that are part of the JBoss Core Services offering. This release serves as a replacement for Red Hat JBoss Core Services Pack Apache Server 2.4.37 Service Pack 1 and includes bug fixes and enhancements. Issues addressed include cross site scripting and information leakage vulnerabilities.

tags | advisory, web, vulnerability, xss
systems | linux, redhat
advisories | CVE-2019-10081, CVE-2019-10082, CVE-2019-10092, CVE-2019-10097, CVE-2019-10098, CVE-2019-1547, CVE-2019-1549, CVE-2019-1563
SHA-256 | f5fa6f7bb5d7a7d309a8775da86642e1bf6dd537d5dd050f80f0f912e8b85506
Red Hat Security Advisory 2020-1336-01
Posted Apr 7, 2020
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2020-1336-01 - Red Hat JBoss Core Services is a set of supplementary software for Red Hat JBoss middleware products. This software, such as Apache HTTP Server, is common to multiple JBoss middleware products, and is packaged under Red Hat JBoss Core Services to allow for faster distribution of updates, and for a more consistent update experience. This release adds the new Apache HTTP Server 2.4.37 Service Pack 2 packages that are part of the JBoss Core Services offering. This release serves as a replacement for Red Hat JBoss Core Services Pack Apache Server 2.4.37 Service Pack 1 and includes bug fixes and enhancements. Issues addressed include cross site scripting and information leakage vulnerabilities.

tags | advisory, web, vulnerability, xss
systems | linux, redhat
advisories | CVE-2019-10081, CVE-2019-10082, CVE-2019-10092, CVE-2019-10097, CVE-2019-10098, CVE-2019-1547, CVE-2019-1549, CVE-2019-1563
SHA-256 | 5898d1e008b3119bd09596bf525e8c009122f59f9884463cf27a8b718a6c7d0a
Gentoo Linux Security Advisory 201911-04
Posted Nov 8, 2019
Authored by Gentoo | Site security.gentoo.org

Gentoo Linux Security Advisory 201911-4 - Multiple information disclosure vulnerabilities in OpenSSL allow attackers to obtain sensitive information. Versions less than 1.0.2t are affected.

tags | advisory, vulnerability, info disclosure
systems | linux, gentoo
advisories | CVE-2019-1547, CVE-2019-1563
SHA-256 | d0d2808bdb7b5e21d54dc5b11536556321445e4a171cd058a9f69980dbaca635
Debian Security Advisory 4539-1
Posted Oct 2, 2019
Authored by Debian | Site debian.org

Debian Linux Security Advisory 4539-1 - ECDSA, a padding oracle in PKCS7_dataDecode() and CMS_decrypt_set1_pkey() and it was discovered that a feature of the random number generator (RNG) intended to protect against shared RNG state between parent and child processes in the event of a fork() syscall was not used by default.

tags | advisory
systems | linux, debian
advisories | CVE-2019-1547, CVE-2019-1549, CVE-2019-1563
SHA-256 | bfbb11b91e11daa3793311922876b6211bfc3e40e8f82df31993c0acb0429b23
Debian Security Advisory 4540-1
Posted Oct 2, 2019
Authored by Debian | Site debian.org

Debian Linux Security Advisory 4540-1 - ECDSA and a padding oracle in PKCS7_dataDecode() and CMS_decrypt_set1_pkey().

tags | advisory
systems | linux, debian
advisories | CVE-2019-1547, CVE-2019-1563
SHA-256 | f3033555a194c2428e7bd4789ca5524ae13ff89d1b725256de9800a4f91a63ee
Slackware Security Advisory - openssl Updates
Posted Sep 12, 2019
Authored by Slackware Security Team | Site slackware.com

Slackware Security Advisory - New openssl packages are available for Slackware 14.2 and -current to fix security issues.

tags | advisory
systems | linux, slackware
advisories | CVE-2019-1547, CVE-2019-1563
SHA-256 | fe19426b23027a70690a4af7eb2f175ccf43a3c6e29a2239b5251501fe492c0a
OpenSSL Toolkit 1.1.1d
Posted Sep 11, 2019
Site openssl.org

OpenSSL is a robust, fully featured Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols with full-strength cryptography world-wide.

Changes: Fixed a fork protection issue. Added a bypass mitigation. Various other updates.
tags | tool, encryption, protocol
systems | unix
advisories | CVE-2019-1547, CVE-2019-1549, CVE-2019-1552, CVE-2019-1563
SHA-256 | 1e3a91bc1f9dfce01af26026f856e064eab4c8ee0a8f457b5ae30b40b8b711f2
OpenSSL Security Advisory 20190910
Posted Sep 10, 2019
Site openssl.org

OpenSSL Security Advisory 20190910 - Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. Other issues were also addressed.

tags | advisory
advisories | CVE-2019-1547, CVE-2019-1549, CVE-2019-1563
SHA-256 | 9aabd4d3854b3b34e811a20f6d073061497a1f35b60c234fd00725cb1cb66a77
Page 1 of 1
Back1Next

File Archive:

February 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Feb 1st
    16 Files
  • 2
    Feb 2nd
    19 Files
  • 3
    Feb 3rd
    0 Files
  • 4
    Feb 4th
    0 Files
  • 5
    Feb 5th
    24 Files
  • 6
    Feb 6th
    2 Files
  • 7
    Feb 7th
    10 Files
  • 8
    Feb 8th
    25 Files
  • 9
    Feb 9th
    37 Files
  • 10
    Feb 10th
    0 Files
  • 11
    Feb 11th
    0 Files
  • 12
    Feb 12th
    17 Files
  • 13
    Feb 13th
    20 Files
  • 14
    Feb 14th
    25 Files
  • 15
    Feb 15th
    15 Files
  • 16
    Feb 16th
    6 Files
  • 17
    Feb 17th
    0 Files
  • 18
    Feb 18th
    0 Files
  • 19
    Feb 19th
    35 Files
  • 20
    Feb 20th
    25 Files
  • 21
    Feb 21st
    18 Files
  • 22
    Feb 22nd
    15 Files
  • 23
    Feb 23rd
    0 Files
  • 24
    Feb 24th
    10 Files
  • 25
    Feb 25th
    0 Files
  • 26
    Feb 26th
    0 Files
  • 27
    Feb 27th
    0 Files
  • 28
    Feb 28th
    0 Files
  • 29
    Feb 29th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close