Bug 1752090 (CVE-2019-1547)

Summary: CVE-2019-1547 openssl: side-channel weak encryption vulnerability
Product: [Other] Security Response Reporter: Dhananjay Arunesh <darunesh>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: apmukher, asoldano, atangrin, bbaranow, bmaxwell, brian.stansberry, cdewolf, cfergeau, chazlett, csutherl, darran.lofthouse, dosoudil, erik-fedora, fidencio, gzaronik, hmatsumo, huzaifas, iweiss, jawilson, jclere, jorton, jperkins, krathod, ktietz, kwills, lgao, lmorse, marcandre.lureau, mbabacek, mkenjale, mpoole, msochure, msvehla, mturk, myarboro, nwallace, pmackay, psotirop, rguimara, rh-spice-bugs, rjones, rsvoboda, smaestri, tcrider, tmraz, tom.jenkinson, twalsh, weli, yozone
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-04-06 22:31:59 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1752091, 1752092, 1752093, 1752332, 1752333, 1752334, 1752335    
Bug Blocks: 1752105    

Description Dhananjay Arunesh 2019-09-13 17:03:52 UTC 
Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).

Reference:
https://arxiv.org/abs/1909.01785
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=21c856b75d81eff61aa63b4f036bb64a85bf6d46
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=30c22fa8b1d840036b8e203585738df62a03cec8
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a
https://seclists.org/bugtraq/2019/Sep/25
https://www.openssl.org/news/secadv/20190910.txt
Comment 1 Dhananjay Arunesh 2019-09-13 17:04:56 UTC 
Created mingw-openssl tracking bugs for this issue:

Affects: epel-7 [bug 1752091]
Affects: fedora-all [bug 1752093]


Created openssl tracking bugs for this issue:

Affects: fedora-all [bug 1752092]
Comment 2 Huzaifa S. Sidhpurwala 2019-09-16 05:48:32 UTC 
Since libssl is not affected, this does not really affect SSL/TLS use case.
Comment 8 Kunjan Rathod 2019-11-14 23:03:49 UTC 
This vulnerability is out of security support scope for the following products:
 * Red Hat Enterprise Application Platform 6
 * Red Hat Enterprise Application Platform 5
 * Red Hat JBoss Enterprise Web Server 2
 * Red Hat JBoss Web Server 3
 

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
Comment 10 Laurie Morse 2020-03-04 21:07:20 UTC 
This keeps coming up with our services teams needing the fixed versions of OpenSSL.  There are several CVEs that are involved ...
CVE-2019-1547 - Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).
CVE-2019-1549 - Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).
CVE-2019-1551 - Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t).
CVE-2019-1563 - Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).

Our images installed with OpenSSL show the following ...
Based on registry.access.redhat.com/ubi7/ubi-minimal - Need OpenSSL 1.0.2t or 1.0.2u-dev in ubi-7/x86_64 Red Hat Universal Base Image 7 Server (RPMs)
[root@4c866ac08b81 /]# openssl version
OpenSSL 1.0.2k-fips  26 Jan 2017
Based on registry.access.redhat.com/ubi8/ubi-minimal - Need OpenSSL 1.1.1d or 1.1.1e-dev in ubi-8-baseos Red Hat Universal Base Image 8 (RPMs) - BaseOS
[root@6ad506124398 /]# openssl version
OpenSSL 1.1.1c FIPS  28 May 2019

Having these upgrades will solve a lot of these issues for us.  When can we expect the OpenSSL packages upgraded?
Comment 11 errata-xmlrpc 2020-04-06 19:10:13 UTC 
This issue has been addressed in the following products:

  JBoss Core Services Apache HTTP Server 2.4.37 SP2

Via RHSA-2020:1336 https://access.redhat.com/errata/RHSA-2020:1336
Comment 12 errata-xmlrpc 2020-04-06 19:27:01 UTC 
This issue has been addressed in the following products:

  JBoss Core Services on RHEL 6
  JBoss Core Services on RHEL 7

Via RHSA-2020:1337 https://access.redhat.com/errata/RHSA-2020:1337
Comment 13 Product Security DevOps Team 2020-04-06 22:31:59 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-1547
Comment 14 errata-xmlrpc 2020-04-28 15:58:23 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:1840 https://access.redhat.com/errata/RHSA-2020:1840
Comment 19 Huzaifa S. Sidhpurwala 2020-05-18 08:30:20 UTC 
Statement:

As per upstream: In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. Also libssl is not vulnerable because explicit parameters are never used.
Comment 21 Fedora Update System 2020-05-29 00:57:01 UTC 
FEDORA-EPEL-2020-ff94ccbdec has been pushed to the Fedora EPEL 7 stable repository.
If problem still persists, please make note of it in this bug report.