{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2019-1547", "assignerOrgId": "3a12439a-ef3a-4c79-92e6-6081a721f1e5", "assignerShortName": "openssl", "dateUpdated": "2024-09-16T16:33:05.874Z", "dateReserved": "2018-11-28T00:00:00", "datePublished": "2019-09-10T16:58:35.307121Z"}, "containers": {"cna": {"title": "ECDSA remote timing attack", "datePublic": "2019-09-10T00:00:00", "providerMetadata": {"orgId": "3a12439a-ef3a-4c79-92e6-6081a721f1e5", "shortName": "openssl", "dateUpdated": "2024-06-21T19:06:30.909094"}, "descriptions": [{"lang": "en", "value": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s)."}], "affected": [{"vendor": "OpenSSL", "product": "OpenSSL", "versions": [{"version": "Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c)", "status": "affected"}, {"version": "Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k)", "status": "affected"}, {"version": "Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s)", "status": "affected"}]}], "references": [{"name": "20190912 [slackware-security] openssl (SSA:2019-254-03)", "tags": ["mailing-list"], "url": "https://seclists.org/bugtraq/2019/Sep/25"}, {"name": "openSUSE-SU-2019:2158", "tags": ["vendor-advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00054.html"}, {"name": "FEDORA-2019-d15aac6c4e", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/"}, {"name": "openSUSE-SU-2019:2189", "tags": ["vendor-advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00072.html"}, {"name": "[debian-lts-announce] 20190925 [SECURITY] [DLA 1932-1] openssl security update", "tags": ["mailing-list"], "url": "https://lists.debian.org/debian-lts-announce/2019/09/msg00026.html"}, {"name": "FEDORA-2019-d51641f152", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/"}, {"name": "20191001 [SECURITY] [DSA 4539-1] openssl security update", "tags": ["mailing-list"], "url": "https://seclists.org/bugtraq/2019/Oct/1"}, {"name": "20191001 [SECURITY] [DSA 4540-1] openssl1.0 security update", "tags": ["mailing-list"], "url": "https://seclists.org/bugtraq/2019/Oct/0"}, {"name": "DSA-4539", "tags": ["vendor-advisory"], "url": "https://www.debian.org/security/2019/dsa-4539"}, {"name": "DSA-4540", "tags": ["vendor-advisory"], "url": "https://www.debian.org/security/2019/dsa-4540"}, {"name": "openSUSE-SU-2019:2268", "tags": ["vendor-advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00012.html"}, {"name": "openSUSE-SU-2019:2269", "tags": ["vendor-advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00016.html"}, {"name": "GLSA-201911-04", "tags": ["vendor-advisory"], "url": "https://security.gentoo.org/glsa/201911-04"}, {"name": "USN-4376-1", "tags": ["vendor-advisory"], "url": "https://usn.ubuntu.com/4376-1/"}, {"url": "https://www.oracle.com/security-alerts/cpuapr2020.html"}, {"url": "https://www.oracle.com/security-alerts/cpujul2020.html"}, {"url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html"}, {"url": "https://www.tenable.com/security/tns-2019-08"}, {"url": "https://www.oracle.com/security-alerts/cpujan2020.html"}, {"url": "https://www.openssl.org/news/secadv/20190910.txt"}, {"url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=30c22fa8b1d840036b8e203585738df62a03cec8"}, {"url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a"}, {"url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=21c856b75d81eff61aa63b4f036bb64a85bf6d46"}, {"url": "https://arxiv.org/abs/1909.01785"}, {"url": "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html"}, {"url": "https://security.netapp.com/advisory/ntap-20190919-0002/"}, {"url": "https://support.f5.com/csp/article/K73422160?utm_source=f5support&amp%3Butm_medium=RSS"}, {"url": "https://www.tenable.com/security/tns-2019-09"}, {"url": "https://security.netapp.com/advisory/ntap-20200122-0002/"}, {"url": "https://security.netapp.com/advisory/ntap-20200416-0003/"}, {"name": "USN-4376-2", "tags": ["vendor-advisory"], "url": "https://usn.ubuntu.com/4376-2/"}, {"name": "USN-4504-1", "tags": ["vendor-advisory"], "url": "https://usn.ubuntu.com/4504-1/"}, {"url": "https://www.oracle.com/security-alerts/cpuoct2020.html"}, {"url": "https://kc.mcafee.com/corporate/index?page=content&id=SB10365"}, {"url": "https://security.netapp.com/advisory/ntap-20240621-0006/"}], "credits": [{"lang": "en", "value": "Cesar Pereida Garc\u00eda, Sohaib ul Hassan, Nicola Tuveri, Iaroslav Gridin, Alejandro Cabrera Aldaya, and Billy Brumley"}], "metrics": [{"other": {"content": {"lang": "eng", "url": "https://www.openssl.org/policies/secpolicy.html#Low", "value": "Low"}, "type": "unknown"}}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "Timing side channel"}]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-07-19T19:04:18.544630Z", "id": "CVE-2019-1547", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-19T19:04:25.516Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T18:20:28.292Z"}, "title": "CVE Program Container", "references": [{"name": "20190912 [slackware-security] openssl (SSA:2019-254-03)", "tags": ["mailing-list", "x_transferred"], "url": "https://seclists.org/bugtraq/2019/Sep/25"}, {"name": "openSUSE-SU-2019:2158", "tags": ["vendor-advisory", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00054.html"}, {"name": "FEDORA-2019-d15aac6c4e", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/"}, {"name": "openSUSE-SU-2019:2189", "tags": ["vendor-advisory", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00072.html"}, {"name": "[debian-lts-announce] 20190925 [SECURITY] [DLA 1932-1] openssl security update", "tags": ["mailing-list", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2019/09/msg00026.html"}, {"name": "FEDORA-2019-d51641f152", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/"}, {"name": "20191001 [SECURITY] [DSA 4539-1] openssl security update", "tags": ["mailing-list", "x_transferred"], "url": "https://seclists.org/bugtraq/2019/Oct/1"}, {"name": "20191001 [SECURITY] [DSA 4540-1] openssl1.0 security update", "tags": ["mailing-list", "x_transferred"], "url": "https://seclists.org/bugtraq/2019/Oct/0"}, {"name": "DSA-4539", "tags": ["vendor-advisory", "x_transferred"], "url": "https://www.debian.org/security/2019/dsa-4539"}, {"name": "DSA-4540", "tags": ["vendor-advisory", "x_transferred"], "url": "https://www.debian.org/security/2019/dsa-4540"}, {"name": "openSUSE-SU-2019:2268", "tags": ["vendor-advisory", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00012.html"}, {"name": "openSUSE-SU-2019:2269", "tags": ["vendor-advisory", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00016.html"}, {"name": "GLSA-201911-04", "tags": ["vendor-advisory", "x_transferred"], "url": "https://security.gentoo.org/glsa/201911-04"}, {"name": "USN-4376-1", "tags": ["vendor-advisory", "x_transferred"], "url": "https://usn.ubuntu.com/4376-1/"}, {"url": "https://www.oracle.com/security-alerts/cpuapr2020.html", "tags": ["x_transferred"]}, {"url": "https://www.oracle.com/security-alerts/cpujul2020.html", "tags": ["x_transferred"]}, {"url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html", "tags": ["x_transferred"]}, {"url": "https://www.tenable.com/security/tns-2019-08", "tags": ["x_transferred"]}, {"url": "https://www.oracle.com/security-alerts/cpujan2020.html", "tags": ["x_transferred"]}, {"url": "https://www.openssl.org/news/secadv/20190910.txt", "tags": ["x_transferred"]}, {"url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=30c22fa8b1d840036b8e203585738df62a03cec8", "tags": ["x_transferred"]}, {"url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a", "tags": ["x_transferred"]}, {"url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=21c856b75d81eff61aa63b4f036bb64a85bf6d46", "tags": ["x_transferred"]}, {"url": "https://arxiv.org/abs/1909.01785", "tags": ["x_transferred"]}, {"url": "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20190919-0002/", "tags": ["x_transferred"]}, {"url": "https://support.f5.com/csp/article/K73422160?utm_source=f5support&amp%3Butm_medium=RSS", "tags": ["x_transferred"]}, {"url": "https://www.tenable.com/security/tns-2019-09", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20200122-0002/", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20200416-0003/", "tags": ["x_transferred"]}, {"name": "USN-4376-2", "tags": ["vendor-advisory", "x_transferred"], "url": "https://usn.ubuntu.com/4376-2/"}, {"name": "USN-4504-1", "tags": ["vendor-advisory", "x_transferred"], "url": "https://usn.ubuntu.com/4504-1/"}, {"url": "https://www.oracle.com/security-alerts/cpuoct2020.html", "tags": ["x_transferred"]}, {"url": "https://kc.mcafee.com/corporate/index?page=content&id=SB10365", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20240621-0006/", "tags": ["x_transferred"]}]}]}, "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://seclists.org/bugtraq/2019/Sep/25", "name": "20190912 [slackware-security] openssl (SSA:2019-254-03)", "tags": ["mailing-list", "x_transferred"]}, {"url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00054.html", "name": "openSUSE-SU-2019:2158", "tags": ["vendor-advisory", "x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/", "name": "FEDORA-2019-d15aac6c4e", "tags": ["vendor-advisory", "x_transferred"]}, {"url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00072.html", "name": "openSUSE-SU-2019:2189", "tags": ["vendor-advisory", "x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2019/09/msg00026.html", "name": "[debian-lts-announce] 20190925 [SECURITY] [DLA 1932-1] openssl security update", "tags": ["mailing-list", "x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/", "name": "FEDORA-2019-d51641f152", "tags": ["vendor-advisory", "x_transferred"]}, {"url": "https://seclists.org/bugtraq/2019/Oct/1", "name": "20191001 [SECURITY] [DSA 4539-1] openssl security update", "tags": ["mailing-list", "x_transferred"]}, {"url": "https://seclists.org/bugtraq/2019/Oct/0", "name": "20191001 [SECURITY] [DSA 4540-1] openssl1.0 security update", "tags": ["mailing-list", "x_transferred"]}, {"url": "https://www.debian.org/security/2019/dsa-4539", "name": "DSA-4539", "tags": ["vendor-advisory", "x_transferred"]}, {"url": "https://www.debian.org/security/2019/dsa-4540", "name": "DSA-4540", "tags": ["vendor-advisory", "x_transferred"]}, {"url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00012.html", "name": "openSUSE-SU-2019:2268", "tags": ["vendor-advisory", "x_transferred"]}, {"url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00016.html", "name": "openSUSE-SU-2019:2269", "tags": ["vendor-advisory", "x_transferred"]}, {"url": "https://security.gentoo.org/glsa/201911-04", "name": "GLSA-201911-04", "tags": ["vendor-advisory", "x_transferred"]}, {"url": "https://usn.ubuntu.com/4376-1/", "name": "USN-4376-1", "tags": ["vendor-advisory", "x_transferred"]}, {"url": "https://www.oracle.com/security-alerts/cpuapr2020.html", "tags": ["x_transferred"]}, {"url": "https://www.oracle.com/security-alerts/cpujul2020.html", "tags": ["x_transferred"]}, {"url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html", "tags": ["x_transferred"]}, {"url": "https://www.tenable.com/security/tns-2019-08", "tags": ["x_transferred"]}, {"url": "https://www.oracle.com/security-alerts/cpujan2020.html", "tags": ["x_transferred"]}, {"url": "https://www.openssl.org/news/secadv/20190910.txt", "tags": ["x_transferred"]}, {"url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=30c22fa8b1d840036b8e203585738df62a03cec8", "tags": ["x_transferred"]}, {"url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a", "tags": ["x_transferred"]}, {"url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=21c856b75d81eff61aa63b4f036bb64a85bf6d46", "tags": ["x_transferred"]}, {"url": "https://arxiv.org/abs/1909.01785", "tags": ["x_transferred"]}, {"url": "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20190919-0002/", "tags": ["x_transferred"]}, {"url": "https://support.f5.com/csp/article/K73422160?utm_source=f5support&amp%3Butm_medium=RSS", "tags": ["x_transferred"]}, {"url": "https://www.tenable.com/security/tns-2019-09", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20200122-0002/", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20200416-0003/", "tags": ["x_transferred"]}, {"url": "https://usn.ubuntu.com/4376-2/", "name": "USN-4376-2", "tags": ["vendor-advisory", "x_transferred"]}, {"url": "https://usn.ubuntu.com/4504-1/", "name": "USN-4504-1", "tags": ["vendor-advisory", "x_transferred"]}, {"url": "https://www.oracle.com/security-alerts/cpuoct2020.html", "tags": ["x_transferred"]}, {"url": "https://kc.mcafee.com/corporate/index?page=content&id=SB10365", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20240621-0006/", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T18:20:28.292Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2019-1547", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-07-19T19:04:18.544630Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-19T19:04:22.599Z"}}], "cna": {"title": "ECDSA remote timing attack", "credits": [{"lang": "en", "value": "Cesar Pereida Garc\u00eda, Sohaib ul Hassan, Nicola Tuveri, Iaroslav Gridin, Alejandro Cabrera Aldaya, and Billy Brumley"}], "metrics": [{"other": {"type": "unknown", "content": {"url": "https://www.openssl.org/policies/secpolicy.html#Low", "lang": "eng", "value": "Low"}}}], "affected": [{"vendor": "OpenSSL", "product": "OpenSSL", "versions": [{"status": "affected", "version": "Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c)"}, {"status": "affected", "version": "Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k)"}, {"status": "affected", "version": "Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s)"}]}], "datePublic": "2019-09-10T00:00:00", "references": [{"url": "https://seclists.org/bugtraq/2019/Sep/25", "name": "20190912 [slackware-security] openssl (SSA:2019-254-03)", "tags": ["mailing-list"]}, {"url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00054.html", "name": "openSUSE-SU-2019:2158", "tags": ["vendor-advisory"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/", "name": "FEDORA-2019-d15aac6c4e", "tags": ["vendor-advisory"]}, {"url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00072.html", "name": "openSUSE-SU-2019:2189", "tags": ["vendor-advisory"]}, {"url": "https://lists.debian.org/debian-lts-announce/2019/09/msg00026.html", "name": "[debian-lts-announce] 20190925 [SECURITY] [DLA 1932-1] openssl security update", "tags": ["mailing-list"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/", "name": "FEDORA-2019-d51641f152", "tags": ["vendor-advisory"]}, {"url": "https://seclists.org/bugtraq/2019/Oct/1", "name": "20191001 [SECURITY] [DSA 4539-1] openssl security update", "tags": ["mailing-list"]}, {"url": "https://seclists.org/bugtraq/2019/Oct/0", "name": "20191001 [SECURITY] [DSA 4540-1] openssl1.0 security update", "tags": ["mailing-list"]}, {"url": "https://www.debian.org/security/2019/dsa-4539", "name": "DSA-4539", "tags": ["vendor-advisory"]}, {"url": "https://www.debian.org/security/2019/dsa-4540", "name": "DSA-4540", "tags": ["vendor-advisory"]}, {"url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00012.html", "name": "openSUSE-SU-2019:2268", "tags": ["vendor-advisory"]}, {"url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00016.html", "name": "openSUSE-SU-2019:2269", "tags": ["vendor-advisory"]}, {"url": "https://security.gentoo.org/glsa/201911-04", "name": "GLSA-201911-04", "tags": ["vendor-advisory"]}, {"url": "https://usn.ubuntu.com/4376-1/", "name": "USN-4376-1", "tags": ["vendor-advisory"]}, {"url": "https://www.oracle.com/security-alerts/cpuapr2020.html"}, {"url": "https://www.oracle.com/security-alerts/cpujul2020.html"}, {"url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html"}, {"url": "https://www.tenable.com/security/tns-2019-08"}, {"url": "https://www.oracle.com/security-alerts/cpujan2020.html"}, {"url": "https://www.openssl.org/news/secadv/20190910.txt"}, {"url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=30c22fa8b1d840036b8e203585738df62a03cec8"}, {"url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a"}, {"url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=21c856b75d81eff61aa63b4f036bb64a85bf6d46"}, {"url": "https://arxiv.org/abs/1909.01785"}, {"url": "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html"}, {"url": "https://security.netapp.com/advisory/ntap-20190919-0002/"}, {"url": "https://support.f5.com/csp/article/K73422160?utm_source=f5support&amp%3Butm_medium=RSS"}, {"url": "https://www.tenable.com/security/tns-2019-09"}, {"url": "https://security.netapp.com/advisory/ntap-20200122-0002/"}, {"url": "https://security.netapp.com/advisory/ntap-20200416-0003/"}, {"url": "https://usn.ubuntu.com/4376-2/", "name": "USN-4376-2", "tags": ["vendor-advisory"]}, {"url": "https://usn.ubuntu.com/4504-1/", "name": "USN-4504-1", "tags": ["vendor-advisory"]}, {"url": "https://www.oracle.com/security-alerts/cpuoct2020.html"}, {"url": "https://kc.mcafee.com/corporate/index?page=content&id=SB10365"}, {"url": "https://security.netapp.com/advisory/ntap-20240621-0006/"}], "descriptions": [{"lang": "en", "value": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s)."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "Timing side channel"}]}], "providerMetadata": {"orgId": "3a12439a-ef3a-4c79-92e6-6081a721f1e5", "shortName": "openssl", "dateUpdated": "2024-06-21T19:06:30.909094"}}}, "cveMetadata": {"cveId": "CVE-2019-1547", "state": "PUBLISHED", "dateUpdated": "2024-09-16T16:33:05.874Z", "dateReserved": "2018-11-28T00:00:00", "assignerOrgId": "3a12439a-ef3a-4c79-92e6-6081a721f1e5", "datePublished": "2019-09-10T16:58:35.307121Z", "assignerShortName": "openssl"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*", "matchCriteriaId": "0DAC8B94-3674-4E4B-9BB0-A16CA0197885", "versionEndIncluding": "1.0.2s", "versionStartIncluding": "1.0.2", "vulnerable": true}, {"criteria": "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*", "matchCriteriaId": "65728FC6-4B4F-4D43-872B-BE1133BB2281", "versionEndIncluding": "1.1.0k", "versionStartIncluding": "1.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*", "matchCriteriaId": "A2ACA227-3992-478E-85C3-023D8AF88A08", "versionEndIncluding": "1.1.1c", "versionStartIncluding": "1.1.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s)."}, {"lang": "es", "value": "Normalmente en los grupos EC de OpenSSL siempre tienen un cofactor presente y este es usado en rutas de c\u00f3digo resistentes a canales laterales. Sin embargo, en ciertos casos, es posible construir un grupo usando par\u00e1metros expl\u00edcitos (en lugar de usar una curva nombrada). En esos casos, es posible que dicho grupo no tenga el cofactor presente. Esto puede ocurrir incluso cuando todos los par\u00e1metros coinciden con una curva de nombre conocido. Si es utilizada dicha curva, entonces OpenSSL recurre a rutas de c\u00f3digo resistentes a canales no laterales lo que puede resultar en una recuperaci\u00f3n de clave completa durante una operaci\u00f3n de firma ECDSA. Para que sea vulnerable, un atacante tendr\u00eda que tener la capacidad de cronometrar la creaci\u00f3n de un gran n\u00famero de firmas donde par\u00e1metros expl\u00edcitos sin cofactor presente est\u00e1n en uso mediante una aplicaci\u00f3n que utiliza libcrypto. Para evitar dudas, libssl no es vulnerable porque nunca se utilizan par\u00e1metros expl\u00edcitos. Corregido en OpenSSL versi\u00f3n 1.1.1d (afectada la versi\u00f3n 1.1.1-1.1.1c). Corregido en OpenSSL versi\u00f3n 1.1.0l (afectada la versi\u00f3n 1.1.0-1.1.0k). Corregida en OpenSSL versi\u00f3n 1.0.2t (afectada la versi\u00f3n 1.0.2-1.0.2s)."}], "id": "CVE-2019-1547", "lastModified": "2024-06-21T19:15:15.567", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 1.9, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 3.4, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.0, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-09-10T17:15:11.750", "references": [{"source": "openssl-security@openssl.org", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00054.html"}, {"source": "openssl-security@openssl.org", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00072.html"}, {"source": "openssl-security@openssl.org", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00012.html"}, {"source": "openssl-security@openssl.org", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00016.html"}, {"source": "openssl-security@openssl.org", "url": "http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html"}, {"source": "openssl-security@openssl.org", "tags": ["Third Party Advisory"], "url": "https://arxiv.org/abs/1909.01785"}, {"source": "openssl-security@openssl.org", "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=21c856b75d81eff61aa63b4f036bb64a85bf6d46"}, {"source": "openssl-security@openssl.org", "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=30c22fa8b1d840036b8e203585738df62a03cec8"}, {"source": "openssl-security@openssl.org", "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a"}, {"source": "openssl-security@openssl.org", "url": "https://kc.mcafee.com/corporate/index?page=content&id=SB10365"}, {"source": "openssl-security@openssl.org", "url": "https://lists.debian.org/debian-lts-announce/2019/09/msg00026.html"}, {"source": "openssl-security@openssl.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/"}, {"source": "openssl-security@openssl.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/"}, {"source": "openssl-security@openssl.org", "url": "https://seclists.org/bugtraq/2019/Oct/0"}, {"source": "openssl-security@openssl.org", "url": "https://seclists.org/bugtraq/2019/Oct/1"}, {"source": "openssl-security@openssl.org", "tags": ["Third Party Advisory"], "url": "https://seclists.org/bugtraq/2019/Sep/25"}, {"source": "openssl-security@openssl.org", "url": "https://security.gentoo.org/glsa/201911-04"}, {"source": "openssl-security@openssl.org", "url": "https://security.netapp.com/advisory/ntap-20190919-0002/"}, {"source": "openssl-security@openssl.org", "url": "https://security.netapp.com/advisory/ntap-20200122-0002/"}, {"source": "openssl-security@openssl.org", "url": "https://security.netapp.com/advisory/ntap-20200416-0003/"}, {"source": "openssl-security@openssl.org", "url": "https://security.netapp.com/advisory/ntap-20240621-0006/"}, {"source": "openssl-security@openssl.org", "url": "https://support.f5.com/csp/article/K73422160?utm_source=f5support&amp%3Butm_medium=RSS"}, {"source": "openssl-security@openssl.org", "url": "https://usn.ubuntu.com/4376-1/"}, {"source": "openssl-security@openssl.org", "url": "https://usn.ubuntu.com/4376-2/"}, {"source": "openssl-security@openssl.org", "url": "https://usn.ubuntu.com/4504-1/"}, {"source": "openssl-security@openssl.org", "url": "https://www.debian.org/security/2019/dsa-4539"}, {"source": "openssl-security@openssl.org", "url": "https://www.debian.org/security/2019/dsa-4540"}, {"source": "openssl-security@openssl.org", "tags": ["Vendor Advisory"], "url": "https://www.openssl.org/news/secadv/20190910.txt"}, {"source": "openssl-security@openssl.org", "url": "https://www.oracle.com/security-alerts/cpuapr2020.html"}, {"source": "openssl-security@openssl.org", "url": "https://www.oracle.com/security-alerts/cpujan2020.html"}, {"source": "openssl-security@openssl.org", "url": "https://www.oracle.com/security-alerts/cpujul2020.html"}, {"source": "openssl-security@openssl.org", "url": "https://www.oracle.com/security-alerts/cpuoct2020.html"}, {"source": "openssl-security@openssl.org", "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html"}, {"source": "openssl-security@openssl.org", "url": "https://www.tenable.com/security/tns-2019-08"}, {"source": "openssl-security@openssl.org", "url": "https://www.tenable.com/security/tns-2019-09"}], "sourceIdentifier": "openssl-security@openssl.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2020:1336", "cpe": "cpe:/a:redhat:jboss_core_services:1", "package": "openssl", "product_name": "JBoss Core Services Apache HTTP Server 2.4.37 SP2", "release_date": "2020-04-06T00:00:00Z"}, {"advisory": "RHSA-2020:1337", "cpe": "cpe:/a:redhat:jboss_core_services:1::el6", "package": "jbcs-httpd24-apr-0:1.6.3-86.jbcs.el6", "product_name": "JBoss Core Services on RHEL 6", "release_date": "2020-04-06T00:00:00Z"}, {"advisory": "RHSA-2020:1337", "cpe": "cpe:/a:redhat:jboss_core_services:1::el6", "package": "jbcs-httpd24-brotli-0:1.0.6-21.jbcs.el6", "product_name": "JBoss Core Services on RHEL 6", "release_date": "2020-04-06T00:00:00Z"}, {"advisory": "RHSA-2020:1337", "cpe": "cpe:/a:redhat:jboss_core_services:1::el6", "package": "jbcs-httpd24-httpd-0:2.4.37-52.jbcs.el6", "product_name": "JBoss Core Services on RHEL 6", "release_date": "2020-04-06T00:00:00Z"}, {"advisory": "RHSA-2020:1337", "cpe": "cpe:/a:redhat:jboss_core_services:1::el6", "package": "jbcs-httpd24-mod_cluster-native-0:1.3.12-41.Final_redhat_2.jbcs.el6", "product_name": "JBoss Core Services on RHEL 6", "release_date": "2020-04-06T00:00:00Z"}, {"advisory": "RHSA-2020:1337", "cpe": "cpe:/a:redhat:jboss_core_services:1::el6", "package": "jbcs-httpd24-mod_http2-0:1.11.3-22.jbcs.el6", "product_name": "JBoss Core Services on RHEL 6", "release_date": "2020-04-06T00:00:00Z"}, {"advisory": "RHSA-2020:1337", "cpe": "cpe:/a:redhat:jboss_core_services:1::el6", "package": "jbcs-httpd24-openssl-1:1.1.1c-16.jbcs.el6", "product_name": "JBoss Core Services on RHEL 6", "release_date": "2020-04-06T00:00:00Z"}, {"advisory": "RHSA-2020:1337", "cpe": "cpe:/a:redhat:jboss_core_services:1::el7", "package": "jbcs-httpd24-apr-0:1.6.3-86.jbcs.el7", "product_name": "JBoss Core Services on RHEL 7", "release_date": "2020-04-06T00:00:00Z"}, {"advisory": "RHSA-2020:1337", "cpe": "cpe:/a:redhat:jboss_core_services:1::el7", "package": "jbcs-httpd24-brotli-0:1.0.6-21.jbcs.el7", "product_name": "JBoss Core Services on RHEL 7", "release_date": "2020-04-06T00:00:00Z"}, {"advisory": "RHSA-2020:1337", "cpe": "cpe:/a:redhat:jboss_core_services:1::el7", "package": "jbcs-httpd24-httpd-0:2.4.37-52.jbcs.el7", "product_name": "JBoss Core Services on RHEL 7", "release_date": "2020-04-06T00:00:00Z"}, {"advisory": "RHSA-2020:1337", "cpe": "cpe:/a:redhat:jboss_core_services:1::el7", "package": "jbcs-httpd24-mod_cluster-native-0:1.3.12-41.Final_redhat_2.jbcs.el7", "product_name": "JBoss Core Services on RHEL 7", "release_date": "2020-04-06T00:00:00Z"}, {"advisory": "RHSA-2020:1337", "cpe": "cpe:/a:redhat:jboss_core_services:1::el7", "package": "jbcs-httpd24-mod_http2-0:1.11.3-22.jbcs.el7", "product_name": "JBoss Core Services on RHEL 7", "release_date": "2020-04-06T00:00:00Z"}, {"advisory": "RHSA-2020:1337", "cpe": "cpe:/a:redhat:jboss_core_services:1::el7", "package": "jbcs-httpd24-openssl-1:1.1.1c-16.jbcs.el7", "product_name": "JBoss Core Services on RHEL 7", "release_date": "2020-04-06T00:00:00Z"}, {"advisory": "RHSA-2020:1840", "cpe": "cpe:/o:redhat:enterprise_linux:8", "package": "openssl-1:1.1.1c-15.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2020-04-28T00:00:00Z"}], "bugzilla": {"description": "openssl: side-channel weak encryption vulnerability", "id": "1752090", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1752090"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "status": "verified"}, "cwe": "CWE-602", "details": ["Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s)."], "name": "CVE-2019-1547", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:5", "fix_state": "Not affected", "package_name": "openssl", "product_name": "Red Hat Enterprise Linux 5"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "openssl", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Will not fix", "package_name": "openssl", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "openssl098e", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Will not fix", "package_name": "compat-openssl10", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "mingw-openssl", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:5", "fix_state": "Out of support scope", "package_name": "openssl", "product_name": "Red Hat JBoss Enterprise Application Platform 5"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:6", "fix_state": "Out of support scope", "package_name": "openssl", "product_name": "Red Hat JBoss Enterprise Application Platform 6"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:2", "fix_state": "Out of support scope", "package_name": "openssl", "product_name": "Red Hat JBoss Enterprise Web Server 2"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:3", "fix_state": "Out of support scope", "package_name": "openssl", "product_name": "Red Hat JBoss Web Server 3"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:5", "fix_state": "Not affected", "package_name": "openssl", "product_name": "Red Hat JBoss Web Server 5"}], "public_date": "2019-09-10T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2019-1547\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-1547"], "statement": "As per upstream: In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. Also libssl is not vulnerable because explicit parameters are never used.", "threat_severity": "Moderate"}