CVE Vulnerabilities

CVE-2019-15847

Insufficient Entropy

Published: Sep 02, 2019 | Modified: Sep 17, 2020
CVSS 3.x: 7.5 HIGH (Source: NVD), CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS 2.x: 5 MEDIUM, AV:N/AC:L/Au:N/C:P/I:N/A:N
RedHat/V2:
RedHat/V3: 7.5 MODERATE, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Ubuntu: NEGLIGIBLE

The POWER9 backend in GNU Compiler Collection (GCC) before version 10 could optimize multiple calls of the __builtin_darn intrinsic into a single call, thus reducing the entropy of the random number generator. This occurred because a volatile operation was not specified. For example, within a single execution of a program, the output of every __builtin_darn() call may be the same.
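An added example, not part of the CVE record or of GCC: a start-up check that flags the symptom described above (successive calls returning the same value) over samples drawn at the program's own call site. The function names, the cutoff of 2 and the sample arrays are assumptions constructed for illustration; `collect_darn` compiles only when targeting POWER9.

```c
#include <stddef.h>
#include <stdint.h>

/* Length of the longest run of consecutive identical samples (0 if n == 0). */
size_t longest_repeat_run(const uint64_t *s, size_t n)
{
    size_t run = n ? 1 : 0, longest = run;
    for (size_t i = 1; i < n; i++) {
        run = (s[i] == s[i - 1]) ? run + 1 : 1;
        if (run > longest)
            longest = run;
    }
    return longest;
}

/* Returns 1 if the samples pass, 0 if there are too few samples to judge
 * or some value repeats `cutoff` or more times in a row. For 64-bit
 * outputs a cutoff of 2 (any immediate repeat fails) is the assumed setting. */
int rng_samples_ok(const uint64_t *s, size_t n, size_t cutoff)
{
    return n >= cutoff && longest_repeat_run(s, n) < cutoff;
}

#if defined(__powerpc64__) && defined(_ARCH_PWR9)
/* Draw the samples through direct __builtin_darn() calls in one function,
 * so the check sees whatever the compiler actually emitted for them
 * (including a single merged call on an affected GCC). */
void collect_darn(uint64_t *out, size_t n)
{
    for (size_t i = 0; i < n; i++)
        out[i] = (uint64_t)__builtin_darn();
}
#endif

/* Constructed sample data, not captured from hardware. */
const uint64_t STUCK[4]  = { 0x5a17c3e09b1d44f2ULL, 0x5a17c3e09b1d44f2ULL,
                             0x5a17c3e09b1d44f2ULL, 0x5a17c3e09b1d44f2ULL };
const uint64_t PAIRED[4] = { 0x0123456789abcdefULL, 0x0123456789abcdefULL,
                             0xfedcba9876543210ULL, 0xfedcba9876543210ULL };
const uint64_t VARIED[4] = { 0x9e3779b97f4a7c15ULL, 0xbf58476d1ce4e5b9ULL,
                             0x94d049bb133111ebULL, 0x2545f4914f6cdd1dULL };
```

A failed check is a reason to stop using the values as key or nonce material and to rebuild with a fixed compiler; a passed check on a handful of samples does not by itself establish that the source has full entropy.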

Weakness

The product uses an algorithm or scheme that produces insufficient entropy, leaving patterns or clusters of values that are more likely to occur than others.

Affected Software

| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Gcc | Gnu | * | 7.5.0 (excluding) |
| Gcc | Gnu | 8.0 (including) | 8.4.0 (excluding) |
| Gcc | Gnu | 9.0 (including) | 9.3.0 (excluding) |
| Gcc | Gnu | 10.0 (including) | 10.1.0 (excluding) |
| Red Hat Enterprise Linux 8 | RedHat | gcc-0:8.3.1-5.el8 | * |
| Red Hat Enterprise Linux 8 | RedHat | gcc-0:8.3.1-5.el8 | * |
| Red Hat Software Collections for Red Hat Enterprise Linux 6 | RedHat | devtoolset-8-gcc-0:8.3.1-3.2.el6 | * |
| Red Hat Software Collections for Red Hat Enterprise Linux 7 | RedHat | devtoolset-8-gcc-0:8.3.1-3.2.el7 | * |
| Red Hat Software Collections for Red Hat Enterprise Linux 7 | RedHat | devtoolset-9-gcc-0:9.3.1-2.el7 | * |
| Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS | RedHat | devtoolset-8-gcc-0:8.3.1-3.2.el7 | * |
| Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS | RedHat | devtoolset-8-gcc-0:8.3.1-3.2.el7 | * |
| Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS | RedHat | devtoolset-9-gcc-0:9.3.1-2.el7 | * |
| Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS | RedHat | devtoolset-8-gcc-0:8.3.1-3.2.el7 | * |
| Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS | RedHat | devtoolset-9-gcc-0:9.3.1-2.el7 | * |
| Gcc-10 | Ubuntu | focal | * |
| Gcc-10 | Ubuntu | upstream | * |
| Gcc-4.8 | Ubuntu | trusty | * |
| Gcc-6 | Ubuntu | bionic | * |
| Gcc-6 | Ubuntu | disco | * |
| Gcc-6-cross | Ubuntu | bionic | * |
| Gcc-6-cross-ports | Ubuntu | bionic | * |
| Gcc-7 | Ubuntu | bionic | * |
| Gcc-7 | Ubuntu | disco | * |
| Gcc-7 | Ubuntu | eoan | * |
| Gcc-7 | Ubuntu | upstream | * |
| Gcc-7-cross | Ubuntu | bionic | * |
| Gcc-7-cross | Ubuntu | disco | * |
| Gcc-7-cross-ports | Ubuntu | bionic | * |
| Gcc-7-cross-ports | Ubuntu | disco | * |
| Gcc-8 | Ubuntu | bionic | * |
| Gcc-8 | Ubuntu | disco | * |
| Gcc-8 | Ubuntu | upstream | * |
| Gcc-8-cross | Ubuntu | bionic | * |
| Gcc-8-cross | Ubuntu | disco | * |
| Gcc-8-cross | Ubuntu | eoan | * |
| Gcc-8-cross | Ubuntu | groovy | * |
| Gcc-8-cross | Ubuntu | hirsute | * |
| Gcc-8-cross-ports | Ubuntu | bionic | * |
| Gcc-8-cross-ports | Ubuntu | disco | * |
| Gcc-8-cross-ports | Ubuntu | eoan | * |
| Gcc-8-cross-ports | Ubuntu | groovy | * |
| Gcc-8-cross-ports | Ubuntu | hirsute | * |
| Gcc-9 | Ubuntu | disco | * |
| Gcc-9 | Ubuntu | upstream | * |
| Gcc-9-cross | Ubuntu | disco | * |
| Gcc-9-cross | Ubuntu | eoan | * |
| Gcc-9-cross | Ubuntu | groovy | * |
| Gcc-9-cross | Ubuntu | hirsute | * |
| Gcc-9-cross | Ubuntu | impish | * |
| Gcc-9-cross | Ubuntu | kinetic | * |
| Gcc-9-cross | Ubuntu | lunar | * |
| Gcc-9-cross | Ubuntu | mantic | * |
| Gcc-9-cross-ports | Ubuntu | disco | * |
| Gcc-9-cross-ports | Ubuntu | eoan | * |
| Gcc-9-cross-ports | Ubuntu | groovy | * |
| Gcc-9-cross-ports | Ubuntu | hirsute | * |
| Gcc-9-cross-ports | Ubuntu | impish | * |
| Gcc-9-cross-ports | Ubuntu | kinetic | * |
| Gcc-9-cross-ports | Ubuntu | lunar | * |
| Gcc-9-cross-ports | Ubuntu | mantic | * |
| Gcc-defaults | Ubuntu | bionic | * |
| Gcc-defaults | Ubuntu | disco | * |
| Gcc-defaults | Ubuntu | eoan | * |
| Gcc-defaults | Ubuntu | groovy | * |
| Gcc-defaults | Ubuntu | hirsute | * |
| Gcc-defaults | Ubuntu | impish | * |
| Gcc-defaults | Ubuntu | kinetic | * |
| Gcc-defaults | Ubuntu | lunar | * |
| Gcc-defaults | Ubuntu | mantic | * |
| Gcc-defaults | Ubuntu | precise/esm | * |
| Gcc-defaults | Ubuntu | trusty | * |
| Gcc-defaults | Ubuntu | xenial | * |
| Gcc-snapshot | Ubuntu | bionic | * |
| Gcc-snapshot | Ubuntu | disco | * |
| Gcc-snapshot | Ubuntu | eoan | * |
| Gcc-snapshot | Ubuntu | groovy | * |
| Gcc-snapshot | Ubuntu | hirsute | * |
| Gcc-snapshot | Ubuntu | impish | * |
| Gcc-snapshot | Ubuntu | kinetic | * |
| Gcc-snapshot | Ubuntu | lunar | * |
| Gcc-snapshot | Ubuntu | mantic | * |
| Gcc-snapshot | Ubuntu | xenial | * |
| Gccgo-6 | Ubuntu | xenial | * |
