CVE-2018-0735

MEDIUM

Description

The OpenSSL ECDSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variations in the signing algorithm to recover the private key. Fixed in OpenSSL 1.1.0j (Affected 1.1.0-1.1.0i). Fixed in OpenSSL 1.1.1a (Affected 1.1.1).

References

http://www.securityfocus.com/bid/105750

http://www.securitytracker.com/id/1041986

https://access.redhat.com/errata/RHSA-2019:3700

https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=56fb454d281a023b3f950d969693553d3f3ceea1

https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=b1d6d55ece1c26fa2829e2b819b038d7b6d692b4

https://lists.debian.org/debian-lts-announce/2018/11/msg00024.html

https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/

https://security.netapp.com/advisory/ntap-20181105-0002/

https://usn.ubuntu.com/3840-1/

https://www.debian.org/security/2018/dsa-4348

https://www.openssl.org/news/secadv/20181029.txt

https://www.oracle.com/security-alerts/cpujan2020.html

https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html

https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html

https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html

Details

Source: MITRE

Published: 2018-10-29

Updated: 2020-08-24

Type: CWE-327

Risk Information

CVSS v2.0

Base Score: 4.3

Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N

Impact Score: 2.9

Exploitability Score: 8.6

Severity: MEDIUM

CVSS v3.0

Base Score: 5.9

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Impact Score: 3.6

Exploitability Score: 2.2

Severity: MEDIUM

Vulnerable Software

Configuration 1

OR

cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:* versions from 1.1.0 to 1.1.0i (inclusive)

cpe:2.3:a:openssl:openssl:1.1.1:*:*:*:*:*:*:*

Configuration 2

OR

cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*

cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*

cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*

cpe:2.3:o:canonical:ubuntu_linux:18.10:*:*:*:*:*:*:*

Configuration 3

OR

cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*

cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*

Configuration 4

OR

cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:* versions from 10.13.0 to 10.14.1 (inclusive)

cpe:2.3:a:nodejs:node.js:*:*:*:*:*:*:*:* versions from 11.0.0 to 11.4.0 (inclusive)

Configuration 5

AND

OR

cpe:2.3:o:netapp:cn1610_firmware:-:*:*:*:*:*:*:*

OR

cpe:2.3:h:netapp:cn1610:-:*:*:*:*:*:*:*

Configuration 6

OR

cpe:2.3:a:netapp:cloud_backup:-:*:*:*:*:*:*:*

cpe:2.3:a:netapp:element_software:-:*:*:*:*:*:*:*

cpe:2.3:a:netapp:oncommand_unified_manager:*:*:*:*:*:*:*:*

cpe:2.3:a:netapp:oncommand_unified_manager:*:*:*:*:*:vsphere:*:*

cpe:2.3:a:netapp:santricity_smi-s_provider:-:*:*:*:*:*:*:*

cpe:2.3:a:netapp:smi-s_provider:-:*:*:*:*:*:*:*

cpe:2.3:a:netapp:snapdrive:-:*:*:*:*:unix:*:*

cpe:2.3:a:netapp:snapdrive:-:*:*:*:*:windows:*:*

cpe:2.3:a:netapp:steelstore:-:*:*:*:*:*:*:*

Configuration 7

OR

cpe:2.3:a:oracle:api_gateway:11.1.2.4.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:application_server:0.9.8:*:*:*:*:*:*:*

cpe:2.3:a:oracle:application_server:1.0.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:application_server:1.0.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:enterprise_manager_base_platform:12.1.0.5.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:enterprise_manager_base_platform:13.2.0.0.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:enterprise_manager_base_platform:13.3.0.0.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:enterprise_manager_ops_center:12.3.3:*:*:*:*:*:*:*

cpe:2.3:a:oracle:mysql:*:*:*:*:*:*:*:* versions up to 5.6.42 (inclusive)

cpe:2.3:a:oracle:mysql:*:*:*:*:*:*:*:* versions from 5.7.0 to 5.7.24 (inclusive)

cpe:2.3:a:oracle:mysql:*:*:*:*:*:*:*:* versions from 8.0.0 to 8.0.13 (inclusive)

cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.55:*:*:*:*:*:*:*

cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.56:*:*:*:*:*:*:*

cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.57:*:*:*:*:*:*:*

cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:8.4:*:*:*:*:*:*:*

cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:15.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:15.2:*:*:*:*:*:*:*

cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:16.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:16.2:*:*:*:*:*:*:*

cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:*:*:*:*:*:*:*:* versions from 17.7 to 17.12 (inclusive)

cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:18.8:*:*:*:*:*:*:*

cpe:2.3:a:oracle:secure_global_desktop:5.4:*:*:*:*:*:*:*

cpe:2.3:a:oracle:tuxedo:12.1.1.0.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:vm_virtualbox:*:*:*:*:*:*:*:*

cpe:2.3:a:oracle:vm_virtualbox:*:*:*:*:*:*:*:*

Tenable Plugins

View all (25 total)

IDNameProductFamilySeverity
145661CentOS 8 : openssl (CESA-2019:3700)NessusCentOS Local Security Checks
medium
137471EulerOS 2.0 SP2 : openssl110f (EulerOS-SA-2020-1629)NessusHuawei Local Security Checks
medium
132467NewStart CGSL CORE 5.05 / MAIN 5.05 : openssl Multiple Vulnerabilities (NS-SA-2019-0254)NessusNewStart CGSL Local Security Checks
medium
130567RHEL 8 : openssl (RHSA-2019:3700)NessusRed Hat Local Security Checks
medium
129941NewStart CGSL CORE 5.04 / MAIN 5.04 : openssl Multiple Vulnerabilities (NS-SA-2019-0206)NessusNewStart CGSL Local Security Checks
medium
129175EulerOS 2.0 SP5 : openssl110h (EulerOS-SA-2019-1981)NessusHuawei Local Security Checks
medium
125147Oracle Enterprise Manager Ops Center (Apr 2019 CPU)NessusMisc.
high
124171Oracle Tuxedo Multiple Vulnerabilities (Apr 2019 CPU)NessusMisc.
medium
124169Oracle Primavera P6 Enterprise Project Portfolio Management (EPPM) Multiple Vulnerabilities (Apr 2019 CPU)NessusCGI abuses
high
124157Oracle Enterprise Manager Cloud Control (Apr 2019 CPU)NessusMisc.
medium
123386openSUSE Security Update : openssl-1_1 (openSUSE-2019-956)NessusSuSE Local Security Checks
medium
121899Photon OS 1.0: Openssl PHSA-2018-1.0-0199NessusPhotonOS Local Security Checks
medium
121385OpenSSL 1.1.1 < 1.1.1a Multiple VulnerabilitiesNessusWeb Servers
medium
121384OpenSSL 1.1.0 < 1.1.0j Multiple VulnerabilitiesNessusWeb Servers
medium
121247Oracle VM VirtualBox 5.2.x < 5.2.24 / 6.0.x < 6.0.2 (Jan 2019 CPU)NessusMisc.
medium
121239Fedora 29 : 1:openssl (2019-a8ffcff7ee)NessusFedora Local Security Checks
medium
120166SUSE SLED15 / SLES15 Security Update : openssl-1_1 (SUSE-SU-2018:3863-1)NessusSuSE Local Security Checks
medium
119938Node.js Multiple Vulnerabilities (November 2018 Security Releases)NessusMisc.
medium
119511FreeBSD : node.js -- multiple vulnerabilities (2a86f45a-fc3c-11e8-a414-00155d006b02)NessusFreeBSD Local Security Checks
medium
119497Ubuntu 14.04 LTS / 16.04 LTS / 18.04 LTS / 18.10 : openssl, openssl1.0 vulnerabilities (USN-3840-1)NessusUbuntu Local Security Checks
medium
119313Debian DSA-4348-1 : openssl - security updateNessusDebian Local Security Checks
medium
119299SUSE SLED12 / SLES12 Security Update : openssl-1_1 (SUSE-SU-2018:3945-1)NessusSuSE Local Security Checks
medium
119140openSUSE Security Update : openssl-1_1 (openSUSE-2018-1465)NessusSuSE Local Security Checks
medium
119103Debian DLA-1586-1 : openssl security updateNessusDebian Local Security Checks
medium
118496FreeBSD : OpenSSL -- Multiple vulnerabilities in 1.1 branch (238ae7de-dba2-11e8-b713-b499baebfeaf)NessusFreeBSD Local Security Checks
medium