CVE-2019-1549

{"id": "CVE-2019-1549", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 3.9}]}, "published": "2019-09-10T17:15:11.813", "references": [{"url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be", "source": "openssl-security@openssl.org"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/", "source": "openssl-security@openssl.org"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/", "source": "openssl-security@openssl.org"}, {"url": "https://seclists.org/bugtraq/2019/Oct/1", "source": "openssl-security@openssl.org"}, {"url": "https://security.netapp.com/advisory/ntap-20190919-0002/", "source": "openssl-security@openssl.org"}, {"url": "https://support.f5.com/csp/article/K44070243", "source": "openssl-security@openssl.org"}, {"url": "https://support.f5.com/csp/article/K44070243?utm_source=f5support&amp%3Butm_medium=RSS", "source": "openssl-security@openssl.org"}, {"url": "https://usn.ubuntu.com/4376-1/", "source": "openssl-security@openssl.org"}, {"url": "https://www.debian.org/security/2019/dsa-4539", "source": "openssl-security@openssl.org"}, {"url": "https://www.openssl.org/news/secadv/20190910.txt", "tags": ["Vendor Advisory"], "source": "openssl-security@openssl.org"}, {"url": "https://www.oracle.com/security-alerts/cpuapr2020.html", "source": "openssl-security@openssl.org"}, {"url": "https://www.oracle.com/security-alerts/cpujan2020.html", "source": "openssl-security@openssl.org"}, {"url": "https://www.oracle.com/security-alerts/cpujul2020.html", "source": "openssl-security@openssl.org"}, {"url": "https://www.oracle.com/security-alerts/cpuoct2020.html", "source": "openssl-security@openssl.org"}, {"url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html", "source": "openssl-security@openssl.org"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-330"}]}], "descriptions": [{"lang": "en", "value": "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c)."}, {"lang": "es", "value": "OpenSSL versi\u00f3n 1.1.1 introdujo un generador de n\u00fameros aleatorios (RNG) reescrito. Este tuvo la intenci\u00f3n de incluir protecci\u00f3n en el caso de una llamada de sistema fork() para asegurar que los procesos padre e hijo no compartieran el mismo estado RNG. Sin embargo, esta protecci\u00f3n no estaba siendo usada en el caso predeterminado. Una mitigaci\u00f3n parcial para este problema es que la salida de un temporizador de alta precisi\u00f3n se mezcla en el estado RNG, por lo que la probabilidad de un estado de intercambio de procesos padre e hijo es reducida significativamente. Si una aplicaci\u00f3n ahora llama a OPENSSL_init_crypto() expl\u00edcitamente utilizando OPENSSL_INIT_ATFORK, este problema no se produce en absoluto. Corregido en OpenSSL versi\u00f3n 1.1.1d (afectadas las versiones 1.1.1 hasta 1.1.1c)."}], "lastModified": "2023-11-07T03:08:28.563", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A2ACA227-3992-478E-85C3-023D8AF88A08", "versionEndIncluding": "1.1.1c", "versionStartIncluding": "1.1.1"}], "operator": "OR"}]}], "sourceIdentifier": "openssl-security@openssl.org"}