CVE-2003-0147 — Openssl vulnerability

7 documents7 sources

Severity

5.0MEDIUMNVD

EPSS

28.7%

top 3.45%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Openssl Openpkg Stunnel

Timeline

PublishedMar 31

Latest updateMay 3

Description

OpenSSL does not use RSA blinding by default, which allows local and remote attackers to obtain the server's private key by determining factors using timing differences on (1) the number of extra reductions during Montgomery reduction, and (2) the use of different integer multiplication algorithms ("Karatsuba" and normal).

CVSS vector

AV:N/AC:L/C:P/I:N/A:NExploitability: 10.0 | Impact: 2.9

Affected Packages4 packages

▶Debianopenssl/openssl< 0.9.7b-1+3

▶NVDopenssl/openssl11 versions+10

▶NVDopenpkg/openpkg1.1, 1.2+1

▶NVDstunnel/stunnel21 versions+20

🔴Vulnerability Details

GHSA

GHSA-4q57-g9fh-w67x: OpenSSL does not use RSA blinding by default, which allows local and remote attackers to obtain the server's private key by determining factors using↗2022-05-03

▶

OSV

CVE-2003-0147: OpenSSL does not use RSA blinding by default, which allows local and remote attackers to obtain the server's private key by determining factors using↗2003-03-31

▶

CVEList

CVE-2003-0147: OpenSSL does not use RSA blinding by default, which allows local and remote attackers to obtain the server's private key by determining factors using↗2003-03-18

▶

📋Vendor Advisories

Red Hat

security flaw↗2003-03-14

▶

Debian

CVE-2003-0147: openssl - OpenSSL does not use RSA blinding by default, which allows local and remote atta...↗2003

▶

💬Community

Bugzilla

CVE-2003-0147 security flaw↗2018-08-16

▶