CVE-2019-16910
mbedtls - security update
CVSS 3.1 score: 5.3 (MEDIUM)
EPSS: 0.67%
Description
Arm Mbed TLS before 2.19.0 and Arm Mbed Crypto before 2.0.0, when deterministic ECDSA is enabled, use an RNG with insufficient entropy for blinding, which might allow an attacker to recover a private key via side-channel attacks if a victim signs the same message many times. (For Mbed TLS, the fix is also available in versions 2.7.12 and 2.16.3.)
How to fix CVE-2019-16910
To remediate CVE-2019-16910, upgrade the affected package to a fixed version below.
- upgrade to 2.16.3-r0 or later
- upgrade to 2.16.3-1 or later
- upgrade to 2.16.9-0~deb10u1 or later
Is CVE-2019-16910 being exploited?
Low — EPSS is 0.7%, meaning exploitation activity has not been observed at scale.
Affected packages (3)
- from 0, < 2.16.3-r0
- from 0, < 2.16.3-1
- from 0, < 2.16.9-0~deb10u1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 5.3 | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N |