CVE-2019-0190

[garbbraf]

Hello.

I have a question about the aforementioned CVE-2019-0190.
Apparently it was fixed in Apache HTTP Server 2.4.38, but it's reported (i.e. in NVD ) as open for the openssl 1.1.1 and higher.
Is this still a thing for the openssl? If not, is there any chance to mark it as not applicable?

Thanks

[t8m]

I do not see this is reported as open for openssl-1.1.1 in NVD - the openssl-1.1.1 or higher is just a condition Running on/with. It is not marked as an OpenSSL issue. IMO there is nothing to fix in this NVD entry.

[sohil-kohli-scf-guest]

@t8m
Hi, We are getting below high prisma alert for openssl.
openssl (used in libssl3, libcrypto3) version 3.1.4-r5 has 1 vulnerability.
We are using nginx:1.25-alpine docker image. (apache version is 2.4.59)
Is there any fix for this issue. Even if we upgrade the openssl,libcrypto3,libssl3, it is updating to 3.1.4-r5 and it still has the issue.
Can you please suggest if there is any fix ?

[t8m]

I am sorry but this certainly looks like a misdetection by the alerting software. As this is not an OpenSSL vulnerability we cannot help here.

[rsbeckerca]

According to the CVE this is an issue specific to Apache HTTP Server version 2.4.37 and how it handles renegotiation. There is no indication that this is inherently an OpenSSL issue. Apache put out a fix, 2.4.38, on this CVE in 2019. I do not know why the CVE is still open with a fix available. https://httpd.apache.org/security/vulnerabilities_24.html