CVE-2018-0735 - Vulnerability Details

The OpenSSL ECDSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variations in the signing algorithm to recover the private key. Fixed in OpenSSL 1.1.0j (Affected 1.1.0-1.1.0i). Fixed in OpenSSL 1.1.1a (Affected 1.1.1).

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Attack Vector Local

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Canonical	Ubuntu Linux
Debian	Debian Linux
Netapp	Cloud Backup Cn1610 Cn1610 Firmware Element Software Oncommand Unified Manager Santricity Smi-s Provider Smi-s Provider Snapdrive Steelstore
Nodejs	Node.js
Openssl	Openssl
Oracle	Api Gateway Application Server Enterprise Manager Base Platform Enterprise Manager Ops Center Mysql Peoplesoft Enterprise Peopletools Primavera P6 Enterprise Project Portfolio Management Secure Global Desktop Tuxedo Vm Virtualbox
Redhat	Enterprise Linux

Configuration 1 [-]

OR	cpe:2.3:a:openssl:openssl::::::::
	cpe:2.3:a:openssl:openssl:1.1.1:::::::*

Configuration 2 [-]

OR	cpe:2.3:o:canonical:ubuntu_linux:14.04::::lts:::
	cpe:2.3:o:canonical:ubuntu_linux:16.04::::lts:::
	cpe:2.3:o:canonical:ubuntu_linux:18.04::::lts:::
	cpe:2.3:o:canonical:ubuntu_linux:18.10:::::::*

Configuration 3 [-]

OR	cpe:2.3:o:debian:debian_linux:8.0:::::::*
	cpe:2.3:o:debian:debian_linux:9.0:::::::*

Configuration 4 [-]

OR	cpe:2.3:a:nodejs:node.js:::::-:::*
	cpe:2.3:a:nodejs:node.js:::::-:::*
	cpe:2.3:a:nodejs:node.js:10.13.0::::lts:::

Configuration 5 [-]

AND

cpe:2.3:o:netapp:cn1610_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:netapp:cn1610:-:*:*:*:*:*:*:*

Configuration 6 [-]

OR	cpe:2.3:a:netapp:cloud_backup:-:::::::*
	cpe:2.3:a:netapp:element_software:-:::::::*
	cpe:2.3:a:netapp:oncommand_unified_manager::::::::
	cpe:2.3:a:netapp:oncommand_unified_manager::::::vsphere::*
	cpe:2.3:a:netapp:santricity_smi-s_provider:-:::::::*
	cpe:2.3:a:netapp:smi-s_provider:-:::::::*
	cpe:2.3:a:netapp:snapdrive:-:::::unix::
	cpe:2.3:a:netapp:snapdrive:-:::::windows::
	cpe:2.3:a:netapp:steelstore:-:::::::*

Configuration 7 [-]

OR	cpe:2.3:a:oracle:api_gateway:11.1.2.4.0:::::::*
	cpe:2.3:a:oracle:application_server:0.9.8:::::::*
	cpe:2.3:a:oracle:application_server:1.0.0:::::::*
	cpe:2.3:a:oracle:application_server:1.0.1:::::::*
	cpe:2.3:a:oracle:enterprise_manager_base_platform:12.1.0.5.0:::::::*
	cpe:2.3:a:oracle:enterprise_manager_base_platform:13.2.0.0.0:::::::*
	cpe:2.3:a:oracle:enterprise_manager_base_platform:13.3.0.0.0:::::::*
	cpe:2.3:a:oracle:enterprise_manager_ops_center:12.3.3:::::::*
	cpe:2.3:a:oracle:mysql::::::::
	cpe:2.3:a:oracle:mysql::::::::
	cpe:2.3:a:oracle:mysql::::::::
	cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.55:::::::*
	cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.56:::::::*
	cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.57:::::::*
	cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management::::::::
	cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:8.4:::::::*
	cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:15.1:::::::*
	cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:15.2:::::::*
	cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:16.1:::::::*
	cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:16.2:::::::*
	cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:18.8:::::::*
	cpe:2.3:a:oracle:secure_global_desktop:5.4:::::::*
	cpe:2.3:a:oracle:tuxedo:12.1.1.0.0:::::::*
	cpe:2.3:a:oracle:vm_virtualbox::::::::
	cpe:2.3:a:oracle:vm_virtualbox::::::::

Package	CPE	Advisory	Released Date
Red Hat Enterprise Linux 7
openssl-1:1.0.2k-16.el7_6.1	cpe:/o:redhat:enterprise_linux:7	RHSA-2019:0483	2019-03-13T00:00:00Z
Red Hat Enterprise Linux 8
openssl-1:1.1.1c-2.el8	cpe:/o:redhat:enterprise_linux:8	RHSA-2019:3700	2019-11-05T00:00:00Z

References

Link	Providers
http://www.securityfocus.com/bid/105750
http://www.securitytracker.com/id/1041986
https://access.redhat.com/errata/RHSA-2019:3700
https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=56fb454d281a023b3f950d969693553d3f3ceea1
https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=b1d6d55ece1c26fa2829e2b819b038d7b6d692b4
https://lists.debian.org/debian-lts-announce/2018/11/msg00024.html
https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/
https://nvd.nist.gov/vuln/detail/CVE-2018-0735
https://security.netapp.com/advisory/ntap-20181105-0002/
https://usn.ubuntu.com/3840-1/
https://www.cve.org/CVERecord?id=CVE-2018-0735
https://www.debian.org/security/2018/dsa-4348
https://www.openssl.org/news/secadv/20181029.txt
https://www.oracle.com/security-alerts/cpujan2020.html
https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html
https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html

History

No history.

MITRE

Status: PUBLISHED

Assigner: openssl

Published: 2018-10-29T13:00:00Z

Updated: 2024-09-16T19:10:32.005Z

Reserved: 2017-11-30T00:00:00

Link: CVE-2018-0735

Vulnrichment

No data.

NVD

Status : Modified

Published: 2018-10-29T13:29:00.263

Modified: 2024-11-21T03:38:50.413

Link: CVE-2018-0735

Redhat

Severity : Low

Publid Date: 2018-10-25T00:00:00Z

Links: CVE-2018-0735 - Bugzilla

Metrics

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Attack Vector Local

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

Affected Vendors & Products

Metrics

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Attack Vector Local

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object