Vulnerability Details : CVE-2019-1551
There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t).
Vulnerability category: Overflow
Products affected by CVE-2019-1551
- cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.56:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.57:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*
- Oracle » Mysql Enterprise MonitorVersions from including (>=) 8.0.0 and up to, including, (<=) 8.0.20cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:enterprise_manager_ops_center:12.4.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:19.10:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*
- cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*
- cpe:2.3:a:tenable:log_correlation_engine:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2019-1551
1.05%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 84 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2019-1551
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.0
|
MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
10.0
|
2.9
|
NIST | |
5.3
|
MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
3.9
|
1.4
|
NIST |
CWE ids for CVE-2019-1551
-
The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number.Assigned by: nvd@nist.gov (Primary)
References for CVE-2019-1551
-
https://lists.debian.org/debian-lts-announce/2022/03/msg00023.html
[SECURITY] [DLA 2952-1] openssl security updateMailing List;Third Party Advisory
-
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f
git.openssl.org Git - openssl.git/commitdiffMailing List;Patch;Third Party Advisory;Vendor Advisory
-
http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html
[security-announce] openSUSE-SU-2020:0062-1: moderate: Security update fMailing List;Third Party Advisory
-
https://www.tenable.com/security/tns-2019-09
[R1] Tenable.sc 5.13.0 Fixes Multiple Third-Party Vulnerabilities - Security Advisory | Tenable®Third Party Advisory
-
https://www.tenable.com/security/tns-2021-10
[R1] LCE 6.0.9 Fixes Multiple Third-party Vulnerabilities - Security Advisory | Tenable®Third Party Advisory
-
http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html
Slackware Security Advisory - openssl Updates ≈ Packet StormThird Party Advisory;VDB Entry
-
https://www.oracle.com/security-alerts/cpujul2020.html
Oracle Critical Patch Update Advisory - July 2020Patch;Third Party Advisory
-
https://usn.ubuntu.com/4376-1/
USN-4376-1: OpenSSL vulnerabilities | Ubuntu security noticesThird Party Advisory
-
https://www.tenable.com/security/tns-2020-03
[R1] Nessus Agent 7.6.3 Fixes Multiple Third-party Vulnerabilities - Security Advisory | Tenable®Third Party Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DDHOAATPWJCXRNFMJ2SASDBBNU5RJONY/
[SECURITY] Fedora 30 Update: openssl-1.1.1g-1.fc30 - package-announce - Fedora Mailing-ListsMailing List;Third Party Advisory
-
https://www.debian.org/security/2019/dsa-4594
Debian -- Security Information -- DSA-4594-1 openssl1.0Third Party Advisory
-
https://www.openssl.org/news/secadv/20191206.txt
Vendor Advisory
-
https://seclists.org/bugtraq/2019/Dec/39
Bugtraq: [slackware-security] openssl (SSA:2019-354-01)Mailing List;Third Party Advisory
-
https://seclists.org/bugtraq/2019/Dec/46
Bugtraq: [SECURITY] [DSA 4594-1] openssl1.0 security updateMailing List;Third Party Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XVEP3LAK4JSPRXFO4QF4GG2IVXADV3SO/
[SECURITY] Fedora 32 Update: openssl-1.1.1g-1.fc32 - package-announce - Fedora Mailing-ListsMailing List;Third Party Advisory
-
https://usn.ubuntu.com/4504-1/
USN-4504-1: OpenSSL vulnerabilities | Ubuntu security notices | UbuntuThird Party Advisory
-
https://www.oracle.com/security-alerts/cpujan2021.html
Oracle Critical Patch Update Advisory - January 2021Patch;Third Party Advisory
-
https://www.oracle.com/security-alerts/cpuApr2021.html
Oracle Critical Patch Update Advisory - April 2021Patch;Third Party Advisory
-
https://www.tenable.com/security/tns-2020-11
[R1] Tenable.sc 5.17.0 Fixes Multiple Vulnerabilities - Security Advisory | Tenable®Third Party Advisory
-
https://security.gentoo.org/glsa/202004-10
OpenSSL: Multiple vulnerabilities (GLSA 202004-10) — Gentoo securityThird Party Advisory
-
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98
git.openssl.org Git - openssl.git/commitdiffMailing List;Patch;Vendor Advisory
-
https://www.debian.org/security/2021/dsa-4855
Debian -- Security Information -- DSA-4855-1 opensslThird Party Advisory
-
https://security.netapp.com/advisory/ntap-20191210-0001/
CVE-2019-1551 OpenSSL Vulnerability in NetApp Products | NetApp Product SecurityThird Party Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EXDDAOWSAIEFQNBHWYE6PPYFV4QXGMCD/
[SECURITY] Fedora 31 Update: openssl-1.1.1g-1.fc31 - package-announce - Fedora Mailing-ListsMailing List;Third Party Advisory
Jump to