CVE-2018-0737

MEDIUM

Description

The OpenSSL RSA Key generation algorithm has been shown to be vulnerable to a cache timing side channel attack. An attacker with sufficient access to mount cache timing attacks during the RSA key generation process could recover the private key. Fixed in OpenSSL 1.1.0i-dev (Affected 1.1.0-1.1.0h). Fixed in OpenSSL 1.0.2p-dev (Affected 1.0.2b-1.0.2o).

References

http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html

http://www.securityfocus.com/bid/103766

http://www.securitytracker.com/id/1040685

https://access.redhat.com/errata/RHSA-2018:3221

https://access.redhat.com/errata/RHSA-2018:3505

https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=349a41da1ad88ad87825414752a8ff5fdd6a6c3f

https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=6939eab03a6e23d2bd2c3f5e34fe1d48e542e787

https://lists.debian.org/debian-lts-announce/2018/07/msg00043.html

https://lists.fedoraproject.org/archives/list/[email protected]/message/EWC42UXL5GHTU5G77VKBF6JYUUNGSHOM/

https://lists.fedoraproject.org/archives/list/[email protected]/message/Y3IVFGSERAZLNJCK35TEM2R4726XIH3Z/

https://lists.fedoraproject.org/archives/list/[email protected]/message/ZBEV5QGDRFUZDMNECFXUSN5FMYOZDE4V/

https://nodejs.org/en/blog/vulnerability/august-2018-security-releases/

https://security.gentoo.org/glsa/201811-21

https://security.netapp.com/advisory/ntap-20180726-0003/

https://securityadvisories.paloaltonetworks.com/Home/Detail/133

https://usn.ubuntu.com/3628-1/

https://usn.ubuntu.com/3628-2/

https://usn.ubuntu.com/3692-1/

https://usn.ubuntu.com/3692-2/

https://www.debian.org/security/2018/dsa-4348

https://www.debian.org/security/2018/dsa-4355

https://www.openssl.org/news/secadv/20180416.txt

https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html

https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html

https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html

https://www.tenable.com/security/tns-2018-12

https://www.tenable.com/security/tns-2018-13

https://www.tenable.com/security/tns-2018-14

https://www.tenable.com/security/tns-2018-17

Details

Source: MITRE

Published: 2018-04-16

Updated: 2019-10-03

Type: CWE-327

Risk Information

CVSS v2

Base Score: 4.3

Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N

Impact Score: 2.9

Exploitability Score: 8.6

Severity: MEDIUM

CVSS v3

Base Score: 5.9

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Impact Score: 3.6

Exploitability Score: 2.2

Severity: MEDIUM

Tenable Plugins

| ID | Name | Product | Family | Severity |
|---|---|---|---|---|
| 131216 | RHEL 7 : JBoss Core Services (RHSA-2019:3933) (0-Length Headers Leak) (Data Dribble) (Internal Data Buffering) (Resource Loop) | Nessus | Red Hat Local Security Checks | high |
| 131215 | RHEL 6 : JBoss Core Services (RHSA-2019:3932) (0-Length Headers Leak) (Data Dribble) (Internal Data Buffering) (Resource Loop) | Nessus | Red Hat Local Security Checks | high |
| 131184 | Oracle Enterprise Manager Ops Center (Jan 2019 CPU) | Nessus | Misc. | critical |
| 129653 | Fedora 31 : 1:compat-openssl10 (2019-db06efdea1) | Nessus | Fedora Local Security Checks | high |
| 129368 | Fedora 29 : 1:compat-openssl10 (2019-9a0a7c0986) | Nessus | Fedora Local Security Checks | high |
| 129319 | Fedora 30 : 1:compat-openssl10 (2019-00c25b9379) | Nessus | Fedora Local Security Checks | high |
| 127975 | OracleVM 3.4 : openssl (OVMSA-2019-0040) | Nessus | OracleVM Local Security Checks | medium |
| 127262 | NewStart CGSL CORE 5.04 / MAIN 5.04 : openssl Multiple Vulnerabilities (NS-SA-2019-0065) | Nessus | NewStart CGSL Local Security Checks | medium |
| 126270 | EulerOS 2.0 SP8 : compat-openssl10 (EulerOS-SA-2019-1643) | Nessus | Huawei Local Security Checks | medium |
| 126046 | SUSE SLES12 Security Update : openssl (SUSE-SU-2019:1553-1) | Nessus | SuSE Local Security Checks | medium |
| 124999 | EulerOS Virtualization 3.0.1.0 : openssl (EulerOS-SA-2019-1546) | Nessus | Huawei Local Security Checks | high |
| 124903 | EulerOS Virtualization for ARM 64 3.0.1.0 : openssl (EulerOS-SA-2019-1400) | Nessus | Huawei Local Security Checks | medium |
| 123887 | EulerOS Virtualization 2.5.4 : openssl (EulerOS-SA-2019-1201) | Nessus | Huawei Local Security Checks | medium |
| 123850 | EulerOS Virtualization 2.5.3 : openssl (EulerOS-SA-2019-1164) | Nessus | Huawei Local Security Checks | medium |
| 123512 | Palo Alto Networks PAN-OS 6.1.x <= 6.1.20 / 7.1.x < 7.1.21 / 8.0.x < 8.0.14 / 8.1.x < 8.1.4 Multiple Vulnerabilities (PAN-SA-2018-0015) | Nessus | Palo Alto Local Security Checks | medium |
| 123323 | openSUSE Security Update : openssl-1_0_0 (openSUSE-2019-753) | Nessus | SuSE Local Security Checks | medium |
| 122706 | EulerOS Virtualization 2.5.2 : openssl (EulerOS-SA-2019-1084) | Nessus | Huawei Local Security Checks | medium |
| 122088 | openSUSE Security Update : openssl-1_1 (openSUSE-2019-152) | Nessus | SuSE Local Security Checks | medium |
| 121975 | Photon OS 2.0: Openssl PHSA-2018-2.0-0078 | Nessus | PhotonOS Local Security Checks | medium |
| 121848 | Photon OS 1.0: Openssl PHSA-2018-1.0-0149 | Nessus | PhotonOS Local Security Checks | critical |
| 121467 | SUSE SLED15 / SLES15 Security Update : openssl-1_1 (SUSE-SU-2019:0197-1) | Nessus | SuSE Local Security Checks | medium |
| 121252 | Oracle Primavera P6 Enterprise Project Portfolio Management (EPPM) Multiple Vulnerabilities (Jan 2019 CPU) | Nessus | CGI abuses | medium |
| 121225 | Oracle Enterprise Manager Cloud Control (January 2019 CPU) | Nessus | Misc. | critical |
| 121069 | Junos OS: OpenSSL Security Advisories [16 Apr 2018] and [12 June 2018] (JSA10919) | Nessus | Junos Local Security Checks | medium |
| 120997 | EulerOS 2.0 SP5 : openssl (EulerOS-SA-2019-1009) | Nessus | Huawei Local Security Checks | medium |
| 120424 | Fedora 28 : 1:openssl (2018-520e4c5b4e) | Nessus | Fedora Local Security Checks | medium |
| 120198 | Tenable Nessus < 7.1.4 Multiple Vulnerabilities (TNS-2018-17) | Nessus | Misc. | medium |
| 120115 | SUSE SLES15 Security Update : openssl-1_0_0 (SUSE-SU-2018:2965-1) | Nessus | SuSE Local Security Checks | medium |
| 119909 | EulerOS 2.0 SP2 : openssl (EulerOS-SA-2018-1420) | Nessus | Huawei Local Security Checks | medium |
| 119792 | Debian DSA-4355-1 : openssl1.0 - security update | Nessus | Debian Local Security Checks | medium |
| 119520 | EulerOS 2.0 SP3 : openssl (EulerOS-SA-2018-1392) | Nessus | Huawei Local Security Checks | medium |
| 119313 | Debian DSA-4348-1 : openssl - security update | Nessus | Debian Local Security Checks | medium |
| 119275 | GLSA-201811-21 : OpenSSL: Multiple vulnerabilities | Nessus | Gentoo Local Security Checks | medium |
| 119194 | Scientific Linux Security Update : openssl on SL7.x x86_64 (20181030) | Nessus | Scientific Linux Local Security Checks | medium |
| 119116 | SUSE SLES12 Security Update : openssl (SUSE-SU-2018:3864-1) | Nessus | SuSE Local Security Checks | medium |
| 119074 | EulerOS Virtualization 2.5.1 : openssl (EulerOS-SA-2018-1383) | Nessus | Huawei Local Security Checks | medium |
| 118998 | CentOS 7 : openssl (CESA-2018:3221) | Nessus | CentOS Local Security Checks | medium |
| 118937 | Node.js Multiple Vulnerabilities (August 2018 Security Releases) | Nessus | Misc. | high |
| 118777 | Oracle Linux 7 : openssl (ELSA-2018-3221) | Nessus | Oracle Linux Local Security Checks | medium |
| 118534 | RHEL 7 : openssl (RHSA-2018:3221) | Nessus | Red Hat Local Security Checks | high |
| 118399 | Tenable Log Correlation Engine (LCE) < 5.1.1 (TNS-2018-13) | Nessus | Misc. | medium |
| 118398 | Tenable Nessus < 8.0.0 Multiple Vulnerabilities (TNS-2018-14) | Nessus | Misc. | medium |
| 118296 | SUSE SLES12 Security Update : openssl (SUSE-SU-2018:2928-2) | Nessus | SuSE Local Security Checks | medium |
| 118106 | Oracle Linux 7 : openssl (ELSA-2018-4249) | Nessus | Oracle Linux Local Security Checks | high |
| 118105 | Oracle Linux 6 : openssl (ELSA-2018-4248) | Nessus | Oracle Linux Local Security Checks | high |
| 117977 | openSUSE Security Update : openssl-1_0_0 (openSUSE-2018-1110) | Nessus | SuSE Local Security Checks | high |
| 117891 | Fedora 27 : 1:openssl (2018-02a38af202) | Nessus | Fedora Local Security Checks | high |
| 117858 | SUSE SLED12 / SLES12 Security Update : openssl (SUSE-SU-2018:2928-1) | Nessus | SuSE Local Security Checks | medium |
| 117857 | openSUSE Security Update : openssl (openSUSE-2018-1091) | Nessus | SuSE Local Security Checks | medium |
| 117749 | EulerOS 2.0 SP2 : openssl110f (EulerOS-SA-2018-1306) | Nessus | Huawei Local Security Checks | high |
| 117672 | Tenable SecurityCenter < 5.7.1 Multiple Vulnerabilities (TNS-2018-12) | Nessus | Misc. | critical |
| 117476 | openSUSE Security Update : compat-openssl098 (openSUSE-2018-997) | Nessus | SuSE Local Security Checks | high |
| 117450 | SUSE SLED12 / SLES12 Security Update : compat-openssl098 (SUSE-SU-2018:2683-1) | Nessus | SuSE Local Security Checks | high |
| 112145 | SUSE SLES12 Security Update : openssl (SUSE-SU-2018:2492-1) | Nessus | SuSE Local Security Checks | medium |
| 112120 | OpenSSL 1.1.0 < 1.1.0i Multiple Vulnerabilities | Nessus | Web Servers | medium |
| 112119 | OpenSSL 1.0.x < 1.0.2p Multiple Vulnerabilities | Nessus | Web Servers | medium |
| 112108 | SUSE SLES11 Security Update : openssl (SUSE-SU-2018:2486-1) | Nessus | SuSE Local Security Checks | medium |
| 111962 | Photon OS 2.0: Openssl PHSA-2018-2.0-0078 (deprecated) | Nessus | PhotonOS Local Security Checks | medium |
| 111737 | Slackware 14.2 / current : openssl (SSA:2018-226-01) | Nessus | Slackware Local Security Checks | high |
| 111390 | Debian DLA-1449-1 : openssl security update | Nessus | Debian Local Security Checks | high |
| 111354 | AIX OpenSSL Advisory : openssl_advisory27.asc | Nessus | AIX Local Security Checks | high |
| 111275 | Photon OS 1.0 : openssl / libsoup (PhotonOS-PHSA-2018-1.0-0149) (deprecated) | Nessus | PhotonOS Local Security Checks | critical |
| 110878 | EulerOS 2.0 SP3 : openssl110f (EulerOS-SA-2018-1214) | Nessus | Huawei Local Security Checks | high |
| 110721 | Ubuntu 14.04 LTS / 16.04 LTS / 17.10 / 18.04 LTS : OpenSSL vulnerabilities (USN-3692-1) | Nessus | Ubuntu Local Security Checks | high |
| 109364 | Amazon Linux 2 : openssl (ALAS-2018-1004) | Nessus | Amazon Linux Local Security Checks | medium |
| 109200 | Ubuntu 14.04 LTS / 16.04 LTS / 17.10 : OpenSSL vulnerability (USN-3628-1) | Nessus | Ubuntu Local Security Checks | medium |
| 109182 | Amazon Linux AMI : openssl (ALAS-2018-1000) | Nessus | Amazon Linux Local Security Checks | medium |
| 109066 | FreeBSD : OpenSSL -- Cache timing vulnerability (8f353420-4197-11e8-8777-b499baebfeaf) | Nessus | FreeBSD Local Security Checks | medium |