vulnerability

Amazon Linux AMI 2: CVE-2019-1549: Security patch for openssl11 (ALAS-2020-1456)

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
5	(AV:N/AC:L/Au:N/C:P/I:N/A:N)	Sep 10, 2019	Jul 21, 2020	Nov 27, 2024

Severity

CVSS

(AV:N/AC:L/Au:N/C:P/I:N/A:N)

Published

Sep 10, 2019

Added

Jul 21, 2020

Modified

Nov 27, 2024

Description

OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).

Solutions

amazon-linux-ami-2-upgrade-openssl11amazon-linux-ami-2-upgrade-openssl11-debuginfoamazon-linux-ami-2-upgrade-openssl11-develamazon-linux-ami-2-upgrade-openssl11-libsamazon-linux-ami-2-upgrade-openssl11-static

References

NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today