CVE-2019-1547— ECDSA remote timing attack
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2019-1547
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
ECDSA remote timing attack
Source: NVD (National Vulnerability Database)
Vulnerability Description
Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Title
OpenSSL 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
OpenSSL是Openssl团队的一个开源的能够实现安全套接层(SSLv2/v3)和安全传输层(TLSv1)协议的通用加密库。该产品支持多种加密算法,包括对称密码、哈希算法、安全散列算法等。 OpenSSL 1.0.2版本至1.0.2s版本、1.1.0版本至1.1.0k版本和1.1.1版本至1.1.1c版本中存在安全漏洞。攻击者可利用该漏洞获取敏感信息。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2019-1547
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2019-1547
请登录查看更多情报信息。
- https://security.netapp.com/advisory/ntap-20190919-0002/x_refsource_CONFIRM
- https://security.netapp.com/advisory/ntap-20200122-0002/x_refsource_CONFIRM
- NetApp Product Securityx_refsource_CONFIRM
- https://www.oracle.com/security-alerts/cpujan2020.htmlx_refsource_MISC
- https://www.oracle.com/security-alerts/cpuoct2020.htmlx_refsource_MISC
- https://www.oracle.com/security-alerts/cpujul2020.htmlx_refsource_MISC
- https://kc.mcafee.com/corporate/index?page=content&id=SB10365x_refsource_CONFIRM
- https://www.tenable.com/security/tns-2019-09x_refsource_CONFIRM
- https://www.oracle.com/security-alerts/cpuapr2020.htmlx_refsource_MISC
- https://www.openssl.org/news/secadv/20190910.txtx_refsource_CONFIRM
- https://www.tenable.com/security/tns-2019-08x_refsource_CONFIRM
- http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00054.htmlvendor-advisoryx_refsource_SUSE
- http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00072.htmlvendor-advisoryx_refsource_SUSE
- http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00016.htmlvendor-advisoryx_refsource_SUSE
- http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00012.htmlvendor-advisoryx_refsource_SUSE
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A/vendor-advisoryx_refsource_FEDORA
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E/vendor-advisoryx_refsource_FEDORA
- https://nvd.nist.gov/vuln/detail/CVE-2019-1547
Same Patch Batch · OpenSSL · 2019-09-10 · 3 CVEs total
| CVE-2019-1549 | Fork Protection | |
| CVE-2019-1563 | Padding Oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey |
IV. Related Vulnerabilities
Same product: OpenSSL
- CVE-2026-31790
Incorrect Failure Handling in RSA KEM RSASVE Encapsulation - CVE-2026-31789
Heap Buffer Overflow in Hexadecimal Conversion - CVE-2026-28390
Possible NULL Dereference When Processing CMS KeyTransportRe - CVE-2026-28389
Possible NULL Dereference When Processing CMS KeyAgreeRecipi - CVE-2026-28388
NULL Pointer Dereference When Processing a Delta CRL
Same vendor: OpenSSL
- CVE-2026-31790
Incorrect Failure Handling in RSA KEM RSASVE Encapsulation - CVE-2026-31789
Heap Buffer Overflow in Hexadecimal Conversion - CVE-2026-28390
Possible NULL Dereference When Processing CMS KeyTransportRe - CVE-2026-28389
Possible NULL Dereference When Processing CMS KeyAgreeRecipi - CVE-2026-28388
NULL Pointer Dereference When Processing a Delta CRL
V. Comments for CVE-2019-1547
No comments yet