- Vulnerability/
- USN-4504-1
USN-4504-1: OpenSSL vulnerabilities
First published: Wed Sep 16 2020(Updated: )
Robert Merget, Marcus Brinkmann, Nimrod Aviram, and Juraj Somorovsky discovered that certain Diffie-Hellman ciphersuites in the TLS specification and implemented by OpenSSL contained a flaw. A remote attacker could possibly use this issue to eavesdrop on encrypted communications. This was fixed in this update by removing the insecure ciphersuites from OpenSSL. (CVE-2020-1968) Cesar Pereida García, Sohaib ul Hassan, Nicola Tuveri, Iaroslav Gridin, Alejandro Cabrera Aldaya, and Billy Brumley discovered that OpenSSL incorrectly handled ECDSA signatures. An attacker could possibly use this issue to perform a timing side-channel attack and recover private ECDSA keys. This issue only affected Ubuntu 18.04 LTS. (CVE-2019-1547) Guido Vranken discovered that OpenSSL incorrectly performed the x86_64 Montgomery squaring procedure. While unlikely, a remote attacker could possibly use this issue to recover private keys. This issue only affected Ubuntu 18.04 LTS. (CVE-2019-1551) Bernd Edlinger discovered that OpenSSL incorrectly handled certain decryption functions. In certain scenarios, a remote attacker could possibly use this issue to perform a padding oracle attack and decrypt traffic. This issue only affected Ubuntu 18.04 LTS. (CVE-2019-1563)
| Affected Software | Affected Version | How to fix |
|---|---|---|
| All of | ||
| ubuntu/libssl1.0.0 | <1.0.2n-1ubuntu5.4 | 1.0.2n-1ubuntu5.4 |
| =18.04 | ||
| All of | ||
| ubuntu/libssl1.0.0 | <1.0.2g-1ubuntu4.17 | 1.0.2g-1ubuntu4.17 |
| =16.04 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://ubuntu.com/security/CVE-2019-1547
- https://ubuntu.com/security/CVE-2019-1551
- https://ubuntu.com/security/CVE-2019-1563
- https://ubuntu.com/security/CVE-2020-1968
- https://ubuntu.com/security/notices/USN-4376-1
- https://ubuntu.com/security/notices/USN-4376-2
- https://launchpad.net/ubuntu/+source/openssl1.0/1.0.2n-1ubuntu5.4
- https://launchpad.net/ubuntu/+source/openssl/1.0.2g-1ubuntu4.17
- https://ubuntu.com/security/notices/USN-4504-1 (Advisory)
Child vulnerabilities
(Contains the following vulnerabilities)
Frequently Asked Questions
What is the vulnerability ID?
The vulnerability ID is USN-4504-1.
What is the severity of USN-4504-1?
The severity of USN-4504-1 is medium.
How does the vulnerability in OpenSSL affect communications?
The vulnerability allows remote attackers to potentially eavesdrop on encrypted communications.
Which version of libssl1.0.0 is affected by USN-4504-1?
The versions up to and including libssl1.0.0 1.0.2n-1ubuntu5.4 are affected.
How do I fix the vulnerability in libssl1.0.0?
To fix the vulnerability, update libssl1.0.0 to version 1.0.2n-1ubuntu5.4 or later.
- agent/description
- agent/event
- agent/first-publish-date
- agent/last-modified-date
- agent/references
- agent/severity
- agent/softwarecombine
- agent/tags
- agent/title
- agent/type
- collector/usn
- source/Ubuntu
- anchor-related/USN-4376-1
- anchor-related/USN-4376-2
- agent/software-canonical-lookup
- package-manager/ubuntu
- vendor/ubuntu
- canonical/ubuntu ubuntu
- version/ubuntu ubuntu/18.04
- version/ubuntu ubuntu/16.04