CVE-2019-1552: Windows builds with insecure path defaults
First published: Tue Jul 30 2019(Updated: )
OpenSSL could allow a local attacker to bypass security restrictions, caused by the building of . mingw programs or Windows programs with world writable path defaults. An attacker could exploit this vulnerability to modify default configuration, insert CA certificates, modify (or even replace) existing engine modules.
Credit: openssl-security@openssl.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| OpenSSL OpenSSL | >=1.0.2<=1.0.2s | |
| OpenSSL OpenSSL | >=1.1.0<=1.1.0k | |
| OpenSSL OpenSSL | >=1.1.1<=1.1.1c | |
| <=10.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://cert-portal.siemens.com/productcert/pdf/ssa-412672.pdf
- https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=54aa9d51b09d67e90db443f682cface795f5af9e
- https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=b15a19c148384e73338aa7c5b12652138e35ed28
- https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=d333ebaf9c77332754a9d5e111e2f53e1de54fdd
- https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e32bc855a81a2d48d215c506bdeb4f598045f7e9
- https://kc.mcafee.com/corporate/index?page=content&id=SB10365
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EWC42UXL5GHTU5G77VKBF6JYUUNGSHOM/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y3IVFGSERAZLNJCK35TEM2R4726XIH3Z/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZBEV5QGDRFUZDMNECFXUSN5FMYOZDE4V/
- https://security.netapp.com/advisory/ntap-20190823-0006/
- https://support.f5.com/csp/article/K94041354
- https://support.f5.com/csp/article/K94041354?utm_source=f5support&utm_medium=RSS
- https://www.kb.cert.org/vuls/id/429301
- https://www.openssl.org/news/secadv/20190730.txt
- https://www.oracle.com/security-alerts/cpuapr2020.html
- https://www.oracle.com/security-alerts/cpujan2020.html
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
- https://www.tenable.com/security/tns-2019-08
- https://www.tenable.com/security/tns-2019-09
- https://exchange.xforce.ibmcloud.com/vulnerabilities/164498
- https://www.ibm.com/support/pages/node/7057377 (Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EWC42UXL5GHTU5G77VKBF6JYUUNGSHOM/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZBEV5QGDRFUZDMNECFXUSN5FMYOZDE4V/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Y3IVFGSERAZLNJCK35TEM2R4726XIH3Z/
- https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=54aa9d51b09d67e90db443f682cface795f5af9e
- https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=e32bc855a81a2d48d215c506bdeb4f598045f7e9
- https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=b15a19c148384e73338aa7c5b12652138e35ed28
- https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=d333ebaf9c77332754a9d5e111e2f53e1de54fdd
- https://support.f5.com/csp/article/K94041354?utm_source=f5support&%3Butm_medium=RSS
Frequently Asked Questions
What is CVE-2019-1552?
CVE-2019-1552 is a vulnerability in OpenSSL that allows a local attacker to bypass security restrictions caused by the building of .min files.
What is the severity of CVE-2019-1552?
The severity of CVE-2019-1552 is low, with a severity value of 3.3.
How does CVE-2019-1552 affect OpenSSL?
CVE-2019-1552 affects OpenSSL versions 1.0.2s, 1.1.0k, and 1.1.1c.
What is OPENSSLDIR?
OPENSSLDIR is a directory in OpenSSL where it can find a configuration file and certificates used for TLS verification.
How can I fix CVE-2019-1552?
To fix CVE-2019-1552, update OpenSSL to a version that includes the relevant security patches.
- collector/nvd-index
- agent/type
- collector/ibm-support
- source/IBM
- agent/software-canonical-lookup
- agent/weakness
- agent/remedy
- agent/author
- agent/severity
- agent/softwarecombine
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/references
- agent/title
- agent/tags
- agent/first-publish-date
- agent/event
- vendor/openssl
- canonical/openssl openssl
- version/openssl openssl/1.0.2
- version/openssl openssl/1.0.2s
- version/openssl openssl/1.1.0
- version/openssl openssl/1.1.0k
- version/openssl openssl/1.1.1
- version/openssl openssl/1.1.1c
- vendor/ibm
- canonical/ibm security verify governance
- version/ibm security verify governance/10.0