CVE-2019-1552

Name of the Vulnerable Software and Affected Versions OpenSSL versions 1.0.2 through 1.0.2s OpenSSL versions 1.1.0 through 1.1.0k OpenSSL versions 1.1.1 through 1.1.1c

Description The issue is related to errors in the certificate authentication procedure. It allows an attacker to impact data integrity. The problem arises from the default directory tree where OpenSSL finds configuration files and certificates for TLS verification, referred to as OPENSSLDIR. This directory's default location can be world-writable, enabling untrusted users to modify OpenSSL's configuration, insert CA certificates, or replace engine modules. The estimated severity of this issue is low due to the limited scope of affected deployments.

Recommendations For OpenSSL versions 1.0.2 through 1.0.2s, update to version 1.0.2t to resolve the issue. For OpenSSL versions 1.1.0 through 1.1.0k, update to version 1.1.0l to resolve the issue. For OpenSSL versions 1.1.1 through 1.1.1c, update to version 1.1.1d to resolve the issue. As a temporary workaround, consider restricting access to the default OPENSSLDIR to prevent untrusted users from modifying the configuration.