Endpoint Vulnerability

Fork Protection

Description

Severity: Low

OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case.

A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced.

If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all.

OpenSSL version 1.1.1 is affected by this issue.

OpenSSL 1.1.1 users should upgrade to 1.1.1d.

This issue was reported by Matt Caswell. The fix was developed by Matthias St. Pierre. It was reported to OpenSSL on 27th May 2019.

Affected Products

OpenSSL

References

CVE-2019-1549