CVE-2018-0735

Severity

43%

Complexity

86%

Confidentiality

48%

The OpenSSL ECDSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variations in the signing algorithm to recover the private key. Fixed in OpenSSL 1.1.0j (Affected 1.1.0-1.1.0i). Fixed in OpenSSL 1.1.1a (Affected 1.1.1).

The OpenSSL ECDSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variations in the signing algorithm to recover the private key. Fixed in OpenSSL 1.1.0j (Affected 1.1.0-1.1.0i). Fixed in OpenSSL 1.1.1a (Affected 1.1.1).

CVSS 3.0 Base Score 5.9. CVSS Attack Vector: network. CVSS Attack Complexity: high. CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).

CVSS 2.0 Base Score 4.3. CVSS Attack Vector: network. CVSS Attack Complexity: medium. CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N).

Overview

First reported 6 years ago

2018-10-29 13:29:00

Last updated 5 years ago

2019-07-23 23:15:00

Affected Software

OpenSSL Project OpenSSL

OpenSSL Project OpenSSL 1.1.1

1.1.1

Canonical Ubuntu Linux 14.04 LTS (Long-Term Support)

14.04

Canonical Ubuntu Linux 16.04 LTS (Long-Term Support)

16.04

Canonical Ubuntu Linux 18.04 LTS Edition

18.04

Canonical Ubuntu Linux 18.10

18.10

Debian Linux 8.0 (Jessie)

8.0

Debian Linux 9.0

9.0

NetApp Element Software

NetApp OnCommand Unified Manager for vSphere

vsphere

Oracle API Gateway 11.1.2.4.0

11.1.2.4.0

Oracle Enterprise Manager Base Platform 12.1.0.5.0

12.1.0.5.0

Oracle Enterprise Manager Base Platform 13.2.0.0.0

13.2.0.0.0

Oracle Enterprise Manager Base Platform 13.3.0.0.0

13.3.0.0.0

Oracle Enterprise Manager Ops Center 12.3.3

12.3.3

Oracle MySQL -

Oracle PeopleSoft Enterprise PeopleTools 8.55

8.55

Oracle PeopleSoft Enterprise PeopleTools 8.56

8.56

Oracle PeopleSoft Enterprise PeopleTools 8.57

8.57

Oracle Primavera P6 Enterprise Project Portfolio Management

Oracle Primavera P6 Enterprise Project Portfolio Management 18.8

18.8

Oracle Secure Global Desktop 5.4

5.4

Oracle Tuxedo 12.1.1.0.0

12.1.1.0.0

References

105750

Third Party Advisory, VDB Entry

1041986

Third Party Advisory, VDB Entry

RHSA-2019:3700

https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=56fb454d281a023b3f950d969693553d3f3ceea1

Patch, Third Party Advisory

https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=b1d6d55ece1c26fa2829e2b819b038d7b6d692b4

Patch, Third Party Advisory

[debian-lts-announce] 20181121 [SECURITY] [DLA 1586-1] openssl security update

Mailing List, Third Party Advisory

https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/

Third Party Advisory

https://security.netapp.com/advisory/ntap-20181105-0002/

Third Party Advisory

USN-3840-1

Third Party Advisory

DSA-4348

Third Party Advisory

https://www.openssl.org/news/secadv/20181029.txt

Vendor Advisory

https://www.oracle.com/security-alerts/cpujan2020.html

https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html

Patch, Third Party Advisory

https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html

Patch, Third Party Advisory

https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html

Stay updated

ExploitPedia is constantly evolving. Sign up to receive a notification when we release additional functionality.

Get in touch

If you'd like to report a bug or have any suggestions for improvements then please do get in touch with us using this form. We will get back to you as soon as we can.