Bug 1752095 (CVE-2019-1549) - CVE-2019-1549 openssl: information disclosure in fork()
Summary: CVE-2019-1549 openssl: information disclosure in fork()
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-1549
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1752096 1752097 1752098 1752337
Blocks: 1752105
TreeView+ depends on / blocked
 
Reported: 2019-09-13 17:08 UTC by Dhananjay Arunesh
Modified: 2020-12-15 15:53 UTC (History)
42 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-04-06 22:32:03 UTC


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:1336 0 None None None 2020-04-06 19:10:21 UTC
Red Hat Product Errata RHSA-2020:1337 0 None None None 2020-04-06 19:27:08 UTC
Red Hat Product Errata RHSA-2020:1840 0 None None None 2020-04-28 15:58:33 UTC

Description Dhananjay Arunesh 2019-09-13 17:08:10 UTC
OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was
intended to include protection in the event of a fork() system call in order to
ensure that the parent and child processes did not share the same RNG state.
However this protection was not being used in the default case. A partial
mitigation for this issue is that the output from a high precision timer is
mixed into the RNG state so the likelihood of a parent and child process sharing
state is significantly reduced. If an application already calls
OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem
does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).

Reference:
https://www.openssl.org/news/secadv/20190910.txt
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be

Comment 1 Dhananjay Arunesh 2019-09-13 17:08:58 UTC
Created mingw-openssl tracking bugs for this issue:

Affects: epel-7 [bug 1752096]
Affects: fedora-all [bug 1752098]


Created openssl tracking bugs for this issue:

Affects: fedora-all [bug 1752097]

Comment 2 Huzaifa S. Sidhpurwala 2019-09-16 06:12:46 UTC
OpenSSL 1.1.1 introduced a new Random number generator which is referred to as "Grand redesign of the OpenSSL random generator
" and described in https://www.openssl.org/news/cl111.txt

Also a part of the new design was to ensure that after fork, the parent and the child did not share the same RNG state which could result in same random numbers being generated by both of them. However this was not switched on by default unless the application called OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK.

This is not a very significant security issue, mainly because output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced.

Comment 8 Kunjan Rathod 2019-11-14 23:04:02 UTC
This vulnerability is out of security support scope for the following products:
 * Red Hat Enterprise Application Platform 6
 * Red Hat Enterprise Application Platform 5
 * Red Hat JBoss Enterprise Web Server 2
 * Red Hat JBoss Web Server 3
 

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.

Comment 10 Laurie Morse 2020-03-04 21:08:37 UTC
This keeps coming up with our services teams needing the fixed versions of OpenSSL.  There are several CVEs that are involved ...
CVE-2019-1547 - Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).
CVE-2019-1549 - Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).
CVE-2019-1551 - Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t).
CVE-2019-1563 - Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).

Our images installed with OpenSSL show the following ...
Based on registry.access.redhat.com/ubi7/ubi-minimal - Need OpenSSL 1.0.2t or 1.0.2u-dev in ubi-7/x86_64 Red Hat Universal Base Image 7 Server (RPMs)
[root@4c866ac08b81 /]# openssl version
OpenSSL 1.0.2k-fips  26 Jan 2017
Based on registry.access.redhat.com/ubi8/ubi-minimal - Need OpenSSL 1.1.1d or 1.1.1e-dev in ubi-8-baseos Red Hat Universal Base Image 8 (RPMs) - BaseOS
[root@6ad506124398 /]# openssl version
OpenSSL 1.1.1c FIPS  28 May 2019

Having these upgrades will solve a lot of these issues for us.  When can we expect the OpenSSL packages upgraded?

Comment 11 errata-xmlrpc 2020-04-06 19:10:18 UTC
This issue has been addressed in the following products:

  JBoss Core Services Apache HTTP Server 2.4.37 SP2

Via RHSA-2020:1336 https://access.redhat.com/errata/RHSA-2020:1336

Comment 12 errata-xmlrpc 2020-04-06 19:27:05 UTC
This issue has been addressed in the following products:

  JBoss Core Services on RHEL 6
  JBoss Core Services on RHEL 7

Via RHSA-2020:1337 https://access.redhat.com/errata/RHSA-2020:1337

Comment 13 Product Security DevOps Team 2020-04-06 22:32:03 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-1549

Comment 14 errata-xmlrpc 2020-04-28 15:58:30 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:1840 https://access.redhat.com/errata/RHSA-2020:1840

Comment 15 Fedora Update System 2020-05-29 00:57:05 UTC
FEDORA-EPEL-2020-ff94ccbdec has been pushed to the Fedora EPEL 7 stable repository.
If problem still persists, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.