// For flags

CVE-2019-1549

Fork Protection

Severity Score

5.3
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).

OpenSSL versión 1.1.1 introdujo un generador de números aleatorios (RNG) reescrito. Este tuvo la intención de incluir protección en el caso de una llamada de sistema fork() para asegurar que los procesos padre e hijo no compartieran el mismo estado RNG. Sin embargo, esta protección no estaba siendo usada en el caso predeterminado. Una mitigación parcial para este problema es que la salida de un temporizador de alta precisión se mezcla en el estado RNG, por lo que la probabilidad de un estado de intercambio de procesos padre e hijo es reducida significativamente. Si una aplicación ahora llama a OPENSSL_init_crypto() explícitamente utilizando OPENSSL_INIT_ATFORK, este problema no se produce en absoluto. Corregido en OpenSSL versión 1.1.1d (afectadas las versiones 1.1.1 hasta 1.1.1c).

Red Hat JBoss Core Services is a set of supplementary software for Red Hat JBoss middleware products. This software, such as Apache HTTP Server, is common to multiple JBoss middleware products, and is packaged under Red Hat JBoss Core Services to allow for faster distribution of updates, and for a more consistent update experience. This release adds the new Apache HTTP Server 2.4.37 Service Pack 2 packages that are part of the JBoss Core Services offering. This release serves as a replacement for Red Hat JBoss Core Services Pack Apache Server 2.4.37 Service Pack 1 and includes bug fixes and enhancements. Issues addressed include cross site scripting and information leakage vulnerabilities.

*Credits: Matt Caswell
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None
Attack Vector
Network
Attack Complexity
Low
Authentication
None
Confidentiality
Partial
Integrity
None
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2018-11-28 CVE Reserved
  • 2019-09-10 CVE Published
  • 2024-09-16 CVE Updated
  • 2025-04-02 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
  • CWE-330: Use of Insufficiently Random Values
CAPEC
References (17)
URL Tag Source
https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=1b0fe00e2704b5e20334a16d3c9099d1ba2ef1be X_refsource_confirm
https://seclists.org/bugtraq/2019/Oct/1 Mailing List
https://security.netapp.com/advisory/ntap-20190919-0002 X_refsource_confirm
https://support.f5.com/csp/article/K44070243 X_refsource_confirm
https://support.f5.com/csp/article/K44070243?utm_source=f5support&amp%3Butm_medium=RSS X_refsource_confirm
https://www.oracle.com/security-alerts/cpuapr2020.html X_refsource_misc
https://www.oracle.com/security-alerts/cpujan2020.html X_refsource_misc
https://www.oracle.com/security-alerts/cpujul2020.html X_refsource_misc
https://www.oracle.com/security-alerts/cpuoct2020.html X_refsource_misc
https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html X_refsource_misc
URL Date SRC
URL Date SRC
URL Date SRC
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A 2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E 2023-11-07
https://usn.ubuntu.com/4376-1 2023-11-07
https://www.debian.org/security/2019/dsa-4539 2023-11-07
https://www.openssl.org/news/secadv/20190910.txt 2023-11-07
https://access.redhat.com/security/cve/CVE-2019-1549 2020-04-28
https://bugzilla.redhat.com/show_bug.cgi?id=1752095 2020-04-28
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Openssl
Search vendor "Openssl"
 Openssl
Search vendor "Openssl" for product "Openssl"
 >= 1.1.1 <= 1.1.1c
Search vendor "Openssl" for product "Openssl" and version " >= 1.1.1 <= 1.1.1c"
-
Affected