CVE-2019-1547
Description
Normally in OpenSSL, EC groups always have a cofactor present, and this is used in side-channel-resistant code paths. However, in some cases it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used, OpenSSL falls back to non-side-channel-resistant code paths, which may result in full key recovery during an ECDSA signature operation. To exploit this, an attacker would have to be able to time the creation of a large number of signatures where explicit parameters with no cofactor present are in use by an application using libcrypto. For the avoidance of doubt, libssl is not vulnerable because explicit parameters are never used.
Fixed in OpenSSL 1.1.1d (affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (affected 1.0.2-1.0.2s).
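To audit stored keys or parameter files for the encoding the description refers to, the following added example (not OpenSSL code and not part of the original advisory) classifies DER-encoded EC domain parameters as a named curve, explicit parameters with a cofactor, or explicit parameters without one. The function names and the toy sample values are assumptions made for illustration; the check is structural only and does not validate the curve.

```python
# Added example: classify DER-encoded EC domain parameters by structure only.
PRIME_FIELD = bytes.fromhex("2a8648ce3d0101")   # OID 1.2.840.10045.1.1 (prime-field)
PRIME256V1 = bytes.fromhex("2a8648ce3d030107")  # OID 1.2.840.10045.3.1.7 (prime256v1)

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def classify_ec_params(der):
    """Return 'named', 'explicit' or 'explicit-no-cofactor'."""
    tag, value, _ = read_tlv(der, 0)
    if tag == 0x06:                         # OBJECT IDENTIFIER: named curve
        return "named"
    if tag != 0x30:
        raise ValueError("not a namedCurve OID or explicit SEQUENCE")
    fields, pos = [], 0
    while pos < len(value):
        t, _, pos = read_tlv(value, pos)
        fields.append(t)
    # version, fieldID, curve, base, order, then the OPTIONAL cofactor INTEGER
    if fields[:5] != [0x02, 0x30, 0x30, 0x04, 0x02]:
        raise ValueError("unexpected explicit-parameter layout")
    has_cofactor = len(fields) > 5 and fields[5] == 0x02
    return "explicit" if has_cofactor else "explicit-no-cofactor"

def tlv(tag, body):
    """Encode one short-form DER element (enough for the toy samples)."""
    return bytes([tag, len(body)]) + body

def sample_explicit(with_cofactor):
    """Constructed toy parameters (not a real curve), for exercising the parser."""
    body = (tlv(0x02, b"\x01")                                        # version
            + tlv(0x30, tlv(0x06, PRIME_FIELD) + tlv(0x02, b"\x17"))  # fieldID
            + tlv(0x30, tlv(0x04, b"\x01") + tlv(0x04, b"\x01"))      # curve a, b
            + tlv(0x04, b"\x04\x03\x0a")                              # base point
            + tlv(0x02, b"\x07"))                                     # order
    if with_cofactor:
        body += tlv(0x02, b"\x04")                                    # cofactor
    return tlv(0x30, body)
```

Anything reported as `explicit-no-cofactor` is the case the description singles out and is worth re-encoding with a named curve in addition to upgrading libcrypto.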
Risk Information
Associated Vulnerability
| Vulnerability | OS Platform |
|---|---|
| Vulnerabilities CVE-2019-1563,CVE-2019-1547,CVE-2019-1552 are fixed in OpenSSL (x64) 1.0.2t | Windows |
| Vulnerabilities CVE-2019-1563,CVE-2019-1547,CVE-2019-1552 are fixed in OpenSSL (x64) 1.1.0l | Windows |
| Vulnerabilities CVE-2019-1563,CVE-2019-1549,CVE-2019-1547,CVE-2019-1552 are fixed in OpenSSL (x64) 1.1.1d | Windows |
| Multiple vulnerabilities affected in Mysql 5.6.21 | Windows |
| Multiple vulnerabilities affected in Mysql 5.6.22 | Windows |
| Multiple vulnerabilities affected in Mysql 5.6.23 | Windows |
| Multiple vulnerabilities affected in Mysql 5.6.24 | Windows |
| Multiple vulnerabilities affected in Mysql 5.6.25 | Windows |
| Multiple vulnerabilities affected in Mysql 5.6.26 | Windows |
| Multiple vulnerabilities affected in Mysql 5.6.35 | Windows |
| Multiple vulnerabilities affected in Mysql 5.6.9 | Windows |
| Multiple Vulnerabilities are affected in Mysql 8.0.18 | Windows |
| Vulnerabilities CVE-2019-1547,CVE-2020-2579 are affected in Mysql 5.6.46 | Windows |
| Multiple vulnerabilities are affected in Mysql 5.7.26 | Windows |
| Multiple Vulnerabilities are affected in IBM Cognos Analytics 11.1.7 | Windows |
| Multiple Vulnerabilities are affected in IBM Cognos Analytics 11.2.4 | Windows |
| Multiple Vulnerabilities are affected in IBM Cognos Analytics 12.0.1 | Windows |
| Multiple vulnerabilities are affected in Oracle PeopleSoft Enterprise PeopleTools 8.56 | Windows |
| Multiple vulnerabilities are affected in Oracle PeopleSoft Enterprise PeopleTools 8.57 | Windows |
| Vulnerabilities CVE-2019-1547,CVE-2019-1552,CVE-2019-1563,CVE-2019-4726 are affected in IBM Sterling B2B Integrator 6.0.3.0 | Windows |
| openssl security update(DSA-4539-1) openssl_1.1.0l-1~deb9u1_i386.deb | Linux |
| openssl security update(DSA-4539-1) openssl_1.1.0l-1~deb9u1_amd64.deb | Linux |
| openssl security update(DSA-4539-1) openssl_1.1.1d-0+deb10u1_amd64.deb | Linux |
| SUSE-SU-2019:2558-1(SUSE Linux Enterprise Desktop 12-SP4 ) compat-openssl098-debugsource-0.9.8j-106.15.1.x86_64.rpm | Linux |
| SUSE-SU-2019:2558-1(SUSE Linux Enterprise Desktop 12-SP4 ) libopenssl0_9_8-0.9.8j-106.15.1.x86_64.rpm | Linux |
| SUSE-SU-2019:2558-1(SUSE Linux Enterprise Desktop 12-SP4 ) libopenssl0_9_8-32bit-0.9.8j-106.15.1.x86_64.rpm | Linux |
| SUSE-SU-2019:2558-1(SUSE Linux Enterprise Desktop 12-SP4 ) libopenssl0_9_8-debuginfo-0.9.8j-106.15.1.x86_64.rpm | Linux |
| SUSE-SU-2019:2558-1(SUSE Linux Enterprise Desktop 12-SP4 ) libopenssl0_9_8-debuginfo-32bit-0.9.8j-106.15.1.x86_64.rpm | Linux |
| Secure Socket Layer (SSL) cryptographic library and tools (USN-4376-1) libssl1.1_1.1.1c-1ubuntu4.1_i386.deb | Linux |
| Secure Socket Layer (SSL) cryptographic library and tools (USN-4376-1) libssl1.1_1.1.1c-1ubuntu4.1_amd64.deb | Linux |
| Secure Socket Layer (SSL) cryptographic library and tools (USN-4376-1) libssl1.1_1.1.1-1ubuntu2.1~18.04.6_i386.deb | Linux |
| Secure Socket Layer (SSL) cryptographic library and tools (USN-4376-1) libssl1.1_1.1.1-1ubuntu2.1~18.04.6_amd64.deb | Linux |
| Secure Socket Layer (SSL) cryptographic library and tools (USN-4376-1) libssl1.0.0_1.0.2g-1ubuntu4.16_i386.deb | Linux |
| Secure Socket Layer (SSL) cryptographic library and tools (USN-4376-1) libssl1.0.0_1.0.2g-1ubuntu4.16_amd64.deb | Linux |
| Secure Socket Layer (SSL) cryptographic library and tools (USN-4504-1) libssl1.0.0_1.0.2n-1ubuntu5.4_i386.deb | Linux |
| Secure Socket Layer (SSL) cryptographic library and tools (USN-4504-1) libssl1.0.0_1.0.2n-1ubuntu5.4_amd64.deb | Linux |
| Secure Socket Layer (SSL) cryptographic library and tools (USN-4504-1) libssl1.0.0_1.0.2g-1ubuntu4.17_i386.deb | Linux |
| Secure Socket Layer (SSL) cryptographic library and tools (USN-4504-1) libssl1.0.0_1.0.2g-1ubuntu4.17_amd64.deb | Linux |
| Multiple vulnerabilities affected in Mysql 5.6.21 (For Linux) | Linux |
| Multiple vulnerabilities affected in Mysql 5.6.22 (For Linux) | Linux |
| Multiple vulnerabilities affected in Mysql 5.6.23 (For Linux) | Linux |
| Multiple vulnerabilities affected in Mysql 5.6.24 (For Linux) | Linux |
| Multiple vulnerabilities affected in Mysql 5.6.25 (For Linux) | Linux |
| Multiple vulnerabilities affected in Mysql 5.6.26 (For Linux) | Linux |
| Multiple vulnerabilities affected in Mysql 5.6.35 (For Linux) | Linux |
| Multiple vulnerabilities affected in Mysql 5.6.9 (For Linux) | Linux |
| CVE-2019-1547 | NCM |
Patch Details
No records found