Уязвимость CVE-2019-1552: Информация

Описание

OpenSSL has internal defaults for a directory tree where it can find a configuration file as well as certificates used for verification in TLS. This directory is most commonly referred to as OPENSSLDIR, and is configurable with the --prefix / --openssldir configuration options. For OpenSSL versions 1.1.0 and 1.1.1, the mingw configuration targets assume that resulting programs and libraries are installed in a Unix-like environment and the default prefix for program installation as well as for OPENSSLDIR should be '/usr/local'. However, mingw programs are Windows programs, and as such, find themselves looking at sub-directories of 'C:/usr/local', which may be world writable, which enables untrusted users to modify OpenSSL's default configuration, insert CA certificates, modify (or even replace) existing engine modules, etc. For OpenSSL 1.0.2, '/usr/local/ssl' is used as default for OPENSSLDIR on all Unix and Windows targets, including Visual C builds. However, some build instructions for the diverse Windows targets on 1.0.2 encourage you to specify your own --prefix. OpenSSL versions 1.1.1, 1.1.0 and 1.0.2 are affected by this issue. Due to the limited scope of affected deployments this has been assessed as low severity and therefore we are not creating new releases at this time. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).

Важность: LOW (3,3) Вектор: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

URL: https://nvd.nist.gov/vuln/detail/CVE-2019-1552
Опубликовано: 30 июля 2019 г.
Изменено: 7 ноября 2023 г.
Идентификатор типа ошибки: CWE-295

Исправленные пакеты

Имя пакета
Ветка
Исправлено в версии
Версия в репозитории
Errata ID
№ Задания
Состояние
openssl1.1sisyphus1.1.1d-alt11.1.1w-alt1ALT-PU-2019-2752-1237852Исправлено
openssl1.1p101.1.1d-alt11.1.1w-alt0.p10.1ALT-PU-2019-2752-1237852Исправлено
openssl1.1p91.1.1d-alt1.11.1.1u-alt1ALT-PU-2019-2771-1237853Исправлено
openssl1.1c10f11.1.1d-alt11.1.1w-alt0.p10.1ALT-PU-2019-2752-1237852Исправлено
openssl1.1c9f21.1.1d-alt1.11.1.1w-alt0.p9.1ALT-PU-2019-2771-1237853Исправлено
openssl10p91.0.2u-alt1.p9.11.0.2u-alt1.p9.2ALT-PU-2020-3485-1263121Исправлено
openssl10p81.0.2u-alt0.M80P.11.0.2u-alt0.M80P.2ALT-PU-2020-3494-1263122Исправлено

Ссылки на рекомендации, решения и инструменты

Ссылка
Ресурс
https://www.openssl.org/news/secadv/20190730.txt
  • Vendor Advisory
https://security.netapp.com/advisory/ntap-20190823-0006/
    https://cert-portal.siemens.com/productcert/pdf/ssa-412672.pdf
      https://kc.mcafee.com/corporate/index?page=content&id=SB10365
        VU#429301
          https://www.oracle.com/security-alerts/cpuoct2020.html
            https://www.oracle.com/security-alerts/cpujul2020.html
              N/A
                https://www.oracle.com/security-alerts/cpujan2020.html
                  https://www.tenable.com/security/tns-2019-09
                    https://www.tenable.com/security/tns-2019-08
                      https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
                        https://support.f5.com/csp/article/K94041354
                          FEDORA-2019-db06efdea1
                            FEDORA-2019-00c25b9379
                              FEDORA-2019-9a0a7c0986
                                https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=54aa9d51b09d67e90db443f682cface795f5af9e
                                  https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=e32bc855a81a2d48d215c506bdeb4f598045f7e9
                                    https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=b15a19c148384e73338aa7c5b12652138e35ed28
                                      https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=d333ebaf9c77332754a9d5e111e2f53e1de54fdd
                                        https://support.f5.com/csp/article/K94041354?utm_source=f5support&amp%3Butm_medium=RSS

                                            1. Конфигурация 1

                                              cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*
                                              Start including
                                              1.1.1
                                              End including
                                              1.1.1c
                                              cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*
                                              Start including
                                              1.0.2
                                              End including
                                              1.0.2s
                                              cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*
                                              Start including
                                              1.1.0
                                              End including
                                              1.1.0k
                                          VKontakte|Telegram|YouTube|Forum|GitHub|Bugzilla
                                          Версия: v24.4.2
                                          Наверх