CVE-2019-11324
First published: Wed Apr 17 2019(Updated: )
Last updated 24 July 2024
Credit: cve@mitre.org cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/python-pip | <0:9.0.3-7.el7_7 | 0:9.0.3-7.el7_7 |
| redhat/python-pip | <0:9.0.3-7.el7_8 | 0:9.0.3-7.el7_8 |
| redhat/python-pip | <0:9.0.3-16.el8 | 0:9.0.3-16.el8 |
| redhat/python-urllib3 | <0:1.24.2-2.el8 | 0:1.24.2-2.el8 |
| redhat/python-urllib3 | <0:1.24.3-1.el7 | 0:1.24.3-1.el7 |
| pip/urllib3 | <1.24.2 | 1.24.2 |
| Python urllib3 | <1.24.2 | |
| Canonical Ubuntu Linux | =16.04 | |
| Canonical Ubuntu Linux | =18.04 | |
| Canonical Ubuntu Linux | =18.10 | |
| Canonical Ubuntu Linux | =19.04 | |
| redhat/urllib3 | <1.24.2 | 1.24.2 |
| debian/python-urllib3 | 1.26.5-1~exp1 1.26.12-1 2.0.7-2 |
Remedy
The urllib3 package is used by elastic-curator, which is deployed in the ose-logging-curator, and used by the optional logging feature in OpenShift Container Platform (OCP). Therefore OCP 3.11 users can mitigate this issue by not deploying and using the Curator logging feature. In OCP 4 urllib3 is also used by several Ansible Play Book images built with the Operator SDK and available for installation in OCP 4 including openshift-enterprise-ansible-operator and ose-metering-ansible-operator. Therefore those operators should not be deployed in order to mitigate this issue in OCP 4.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2019-11324 https://nvd.nist.gov/vuln/detail/CVE-2019-11324 https://www.openwall.com/lists/oss-security/2019/04/17/3
- https://bugzilla.redhat.com/show_bug.cgi?id=1702473
- https://access.redhat.com/errata/RHSA-2020:0850
- https://access.redhat.com/errata/RHSA-2020:2068
- https://access.redhat.com/errata/RHSA-2019:3335
- https://access.redhat.com/errata/RHSA-2020:1605
- https://access.redhat.com/errata/RHSA-2020:1916
- https://access.redhat.com/errata/RHSA-2019:3590
- https://access.redhat.com/errata/RHBA-2020:2804
- https://access.redhat.com/errata/RHBA-2020:2785
- https://access.redhat.com/security/cve/cve-2019-11324
- http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00039.html
- http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00041.html
- http://www.openwall.com/lists/oss-security/2019/04/19/1
- https://github.com/urllib3/urllib3/compare/a6ec68a...1efadf4
- https://lists.debian.org/debian-lts-announce/2021/06/msg00015.html
- https://lists.debian.org/debian-lts-announce/2023/10/msg00012.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NKGPJLVLVYCL4L4B4G5TIOTVK4BKPG72/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XOSA2NT4DUQDBEIWE6O7KKD24XND7TE2/
- https://usn.ubuntu.com/3990-1/
- https://nvd.nist.gov/vuln/detail/CVE-2019-11324
- https://pypi.org/project/urllib3/1.24.2/
- https://github.com/urllib3/urllib3/commit/1efadf43dc63317cd9eaa3e0fdb9e05ab07254b1
- https://github.com/advisories/GHSA-mh33-7rrq-662w (Advisory)
- https://launchpad.net/bugs/cve/CVE-2019-11324
- https://www.openwall.com/lists/oss-security/2019/04/17/3
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1702474
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1702475
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1707999
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1724437
- https://github.com/urllib3/urllib3/commit/0d06f4e9a320e9d39fbedc4e9ff0d1cf8622a965
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1702473#c0
- https://github.com/urllib3/urllib3/commit/1efadf43dc63317cd9eaa3e0fdb9e05ab07254b1#diff-7c9a38cd64066636d0e73a2449a28640L330
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1774595
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1778099
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NKGPJLVLVYCL4L4B4G5TIOTVK4BKPG72/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XOSA2NT4DUQDBEIWE6O7KKD24XND7TE2/
- https://security-tracker.debian.org/tracker/CVE-2019-11324
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11324
- https://ubuntu.com/security/CVE-2019-11324
- https://github.com/pypa/advisory-database/tree/main/vulns/urllib3/PYSEC-2019-133.yaml
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NKGPJLVLVYCL4L4B4G5TIOTVK4BKPG72
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XOSA2NT4DUQDBEIWE6O7KKD24XND7TE2
- https://pypi.org/project/urllib3/1.24.2
- https://usn.ubuntu.com/3990-1
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is CVE-2019-11324?
CVE-2019-11324 is a vulnerability in the urllib3 library for Python that mishandles certain cases where the desired set of CA certificates is different from the OS store of CA certificates.
How severe is CVE-2019-11324?
CVE-2019-11324 has a severity rating of 7.5, which is considered high.
What is the impact of CVE-2019-11324?
The impact of CVE-2019-11324 is that SSL connections can succeed in situations where a verification failure should occur.
How do I fix CVE-2019-11324?
To fix CVE-2019-11324, you should update the urllib3 library for Python to version 1.24.2 or higher.
Where can I find more information about CVE-2019-11324?
You can find more information about CVE-2019-11324 at the following references: [link1], [link2], [link3].
- collector/redhat-cve
- collector/nvd-api
- collector/nvd-index
- collector/github-advisory
- alias/GHSA-mh33-7rrq-662w
- alias/CVE-2019-11324
- agent/type
- agent/first-publish-date
- collector/launchpad-cve
- source/Launchpad
- collector/redhat-bugzilla
- source/Red Hat
- agent/software-canonical-lookup
- agent/weakness
- agent/severity
- agent/remedy
- agent/author
- collector/nvd-cve
- source/NVD
- collector/security-tracker-debian
- source/Debian
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- collector/usn-cve
- source/Ubuntu
- agent/references
- agent/softwarecombine
- agent/tags
- agent/description
- agent/event
- collector/github-advisory-latest
- source/GitHub
- package-manager/redhat
- vendor/python
- canonical/python urllib3
- vendor/canonical
- canonical/canonical ubuntu linux
- version/canonical ubuntu linux/16.04
- version/canonical ubuntu linux/18.04
- version/canonical ubuntu linux/18.10
- version/canonical ubuntu linux/19.04
- package-manager/pip
- package-manager/debian