PT-2019-3787 · Openssl+5 · Openssl+5

Matt Caswell

Publicado

2019-09-10

Atualizado

2026-04-27

CVE-2019-1549

CVSS v3.1

5.3

Média

Vetor

AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions OpenSSL versions 1.1.1 through 1.1.1c

Description The issue is related to the random number generator (RNG) in OpenSSL, which was intended to protect against shared RNG state between parent and child processes after a fork() system call. However, this protection was not enabled by default. A mitigation factor is that the output from a high precision timer is mixed into the RNG state, reducing the likelihood of shared state. The problem does not occur if an application explicitly calls OPENSSL init crypto() using OPENSSL INIT ATFORK.

Recommendations For OpenSSL versions 1.1.1 through 1.1.1c, update to version 1.1.1d to resolve the issue. As a temporary workaround, consider explicitly calling OPENSSL init crypto() using OPENSSL INIT ATFORK in applications to prevent the problem.

Correção

Use of Insufficiently Random Values

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-330

Identificadores relacionados

ALT-PU-2019-2752

ALT-PU-2019-2771

BDU:2019-04083

CESA-2020_1840

CVE-2019-1549

DSA-4539-1

DSA-4539-2

DSA-4539-3

JLSEC-2026-215

OPENSUSE-SU-2024:11127-1

RHSA-2020:1337

RHSA-2020:1840

RHSA-2020_1840

SUSE-SU-2020:0099-1

USN-4376-1

Produtos afetados

Alt Linux

Centos

Openssl

Red Hat

Suse

Ubuntu

PT-2019-3787 · Openssl+5 · Openssl+5

CVE-2019-1549

Enumeração de Fraquezas

Identificadores relacionados

Produtos afetados

Referências · 194