OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Reference: https://www.openssl.org/news/secadv/20190910.txt https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be
Created mingw-openssl tracking bugs for this issue: Affects: epel-7 [bug 1752096] Affects: fedora-all [bug 1752098] Created openssl tracking bugs for this issue: Affects: fedora-all [bug 1752097]
OpenSSL 1.1.1 introduced a new Random number generator which is referred to as "Grand redesign of the OpenSSL random generator " and described in https://www.openssl.org/news/cl111.txt Also a part of the new design was to ensure that after fork, the parent and the child did not share the same RNG state which could result in same random numbers being generated by both of them. However this was not switched on by default unless the application called OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK. This is not a very significant security issue, mainly because output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced.
This vulnerability is out of security support scope for the following products: * Red Hat Enterprise Application Platform 6 * Red Hat Enterprise Application Platform 5 * Red Hat JBoss Enterprise Web Server 2 * Red Hat JBoss Web Server 3 Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
This keeps coming up with our services teams needing the fixed versions of OpenSSL. There are several CVEs that are involved ... CVE-2019-1547 - Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s). CVE-2019-1549 - Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). CVE-2019-1551 - Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t). CVE-2019-1563 - Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s). Our images installed with OpenSSL show the following ... Based on registry.access.redhat.com/ubi7/ubi-minimal - Need OpenSSL 1.0.2t or 1.0.2u-dev in ubi-7/x86_64 Red Hat Universal Base Image 7 Server (RPMs) [root@4c866ac08b81 /]# openssl version OpenSSL 1.0.2k-fips 26 Jan 2017 Based on registry.access.redhat.com/ubi8/ubi-minimal - Need OpenSSL 1.1.1d or 1.1.1e-dev in ubi-8-baseos Red Hat Universal Base Image 8 (RPMs) - BaseOS [root@6ad506124398 /]# openssl version OpenSSL 1.1.1c FIPS 28 May 2019 Having these upgrades will solve a lot of these issues for us. When can we expect the OpenSSL packages upgraded?
This issue has been addressed in the following products: JBoss Core Services Apache HTTP Server 2.4.37 SP2 Via RHSA-2020:1336 https://access.redhat.com/errata/RHSA-2020:1336
This issue has been addressed in the following products: JBoss Core Services on RHEL 6 JBoss Core Services on RHEL 7 Via RHSA-2020:1337 https://access.redhat.com/errata/RHSA-2020:1337
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-1549
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:1840 https://access.redhat.com/errata/RHSA-2020:1840
FEDORA-EPEL-2020-ff94ccbdec has been pushed to the Fedora EPEL 7 stable repository. If problem still persists, please make note of it in this bug report.