usn-4376-1
Vulnerability from osv_ubuntu
Cesar Pereida García, Sohaib ul Hassan, Nicola Tuveri, Iaroslav Gridin, Alejandro Cabrera Aldaya, and Billy Brumley discovered that OpenSSL incorrectly handled ECDSA signatures. An attacker could possibly use this issue to perform a timing side-channel attack and recover private ECDSA keys. (CVE-2019-1547)
Matt Caswell discovered that OpenSSL incorrectly handled the random number generator (RNG). This may result in applications that use the fork() system call sharing the same RNG state between the parent and the child, contrary to expectations. This issue only affected Ubuntu 18.04 LTS and Ubuntu 19.10. (CVE-2019-1549)
Guido Vranken discovered that OpenSSL incorrectly performed the x86_64 Montgomery squaring procedure. While unlikely, a remote attacker could possibly use this issue to recover private keys. (CVE-2019-1551)
Bernd Edlinger discovered that OpenSSL incorrectly handled certain decryption functions. In certain scenarios, a remote attacker could possibly use this issue to perform a padding oracle attack and decrypt traffic. (CVE-2019-1563)
{
"affected": [
{
"database_specific": {
"cves_map": {
"cves": [
{
"id": "CVE-2019-1547",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "low",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2019-1551",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "low",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2019-1563",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "low",
"type": "Ubuntu"
}
]
}
],
"ecosystem": "Ubuntu:16.04:LTS"
}
},
"ecosystem_specific": {
"availability": "No subscription required",
"binaries": [
{
"binary_name": "libssl1.0.0",
"binary_version": "1.0.2g-1ubuntu4.16"
},
{
"binary_name": "openssl",
"binary_version": "1.0.2g-1ubuntu4.16"
}
]
},
"package": {
"ecosystem": "Ubuntu:16.04:LTS",
"name": "openssl",
"purl": "pkg:deb/ubuntu/openssl@1.0.2g-1ubuntu4.16?arch=source\u0026distro=xenial"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.0.2g-1ubuntu4.16"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.0.2d-0ubuntu1",
"1.0.2d-0ubuntu2",
"1.0.2e-1ubuntu1",
"1.0.2f-2ubuntu1",
"1.0.2g-1ubuntu2",
"1.0.2g-1ubuntu3",
"1.0.2g-1ubuntu4",
"1.0.2g-1ubuntu4.1",
"1.0.2g-1ubuntu4.2",
"1.0.2g-1ubuntu4.4",
"1.0.2g-1ubuntu4.5",
"1.0.2g-1ubuntu4.6",
"1.0.2g-1ubuntu4.8",
"1.0.2g-1ubuntu4.9",
"1.0.2g-1ubuntu4.10",
"1.0.2g-1ubuntu4.11",
"1.0.2g-1ubuntu4.12",
"1.0.2g-1ubuntu4.13",
"1.0.2g-1ubuntu4.14",
"1.0.2g-1ubuntu4.15"
]
},
{
"database_specific": {
"cves_map": {
"cves": [
{
"id": "CVE-2019-1547",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "low",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2019-1549",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "low",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2019-1551",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "low",
"type": "Ubuntu"
}
]
},
{
"id": "CVE-2019-1563",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "low",
"type": "Ubuntu"
}
]
}
],
"ecosystem": "Ubuntu:18.04:LTS"
}
},
"ecosystem_specific": {
"availability": "No subscription required",
"binaries": [
{
"binary_name": "libssl1.1",
"binary_version": "1.1.1-1ubuntu2.1~18.04.6"
},
{
"binary_name": "openssl",
"binary_version": "1.1.1-1ubuntu2.1~18.04.6"
}
]
},
"package": {
"ecosystem": "Ubuntu:18.04:LTS",
"name": "openssl",
"purl": "pkg:deb/ubuntu/openssl@1.1.1-1ubuntu2.1~18.04.6?arch=source\u0026distro=bionic"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.1.1-1ubuntu2.1~18.04.6"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.0.2g-1ubuntu13",
"1.0.2g-1ubuntu14",
"1.0.2n-1ubuntu1",
"1.1.0g-2ubuntu1",
"1.1.0g-2ubuntu2",
"1.1.0g-2ubuntu3",
"1.1.0g-2ubuntu4",
"1.1.0g-2ubuntu4.1",
"1.1.0g-2ubuntu4.3",
"1.1.1-1ubuntu2.1~18.04.1",
"1.1.1-1ubuntu2.1~18.04.2",
"1.1.1-1ubuntu2.1~18.04.3",
"1.1.1-1ubuntu2.1~18.04.4",
"1.1.1-1ubuntu2.1~18.04.5"
]
}
],
"aliases": [],
"details": "Cesar Pereida Garc\u00eda, Sohaib ul Hassan, Nicola Tuveri, Iaroslav Gridin,\nAlejandro Cabrera Aldaya, and Billy Brumley discovered that OpenSSL\nincorrectly handled ECDSA signatures. An attacker could possibly use this\nissue to perform a timing side-channel attack and recover private ECDSA\nkeys. (CVE-2019-1547)\n\nMatt Caswell discovered that OpenSSL incorrectly handled the random number\ngenerator (RNG). This may result in applications that use the fork() system\ncall sharing the same RNG state between the parent and the child, contrary\nto expectations. This issue only affected Ubuntu 18.04 LTS and Ubuntu\n19.10. (CVE-2019-1549)\n\nGuido Vranken discovered that OpenSSL incorrectly performed the x86_64\nMontgomery squaring procedure. While unlikely, a remote attacker could\npossibly use this issue to recover private keys. (CVE-2019-1551)\n\nBernd Edlinger discovered that OpenSSL incorrectly handled certain\ndecryption functions. In certain scenarios, a remote attacker could\npossibly use this issue to perform a padding oracle attack and decrypt\ntraffic. (CVE-2019-1563)\n",
"id": "USN-4376-1",
"modified": "2026-04-27T14:11:25Z",
"published": "2020-05-28T12:07:08Z",
"references": [
{
"type": "ADVISORY",
"url": "https://ubuntu.com/security/notices/USN-4376-1"
},
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2019-1547"
},
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2019-1549"
},
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2019-1551"
},
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2019-1563"
}
],
"related": [],
"schema_version": "1.7.0",
"summary": "openssl vulnerabilities",
"upstream": [
"UBUNTU-CVE-2019-1547",
"UBUNTU-CVE-2019-1549",
"UBUNTU-CVE-2019-1551",
"UBUNTU-CVE-2019-1563"
]
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.