CVE-2011-1945 — Openssl vulnerability

CWE-3107 documents7 sources

Severity

2.6LOWNVD

EPSS

4.8%

top 10.45%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Openssl Debian Openssl

Timeline

PublishedMay 31

Latest updateMay 17

Description

The elliptic curve cryptography (ECC) subsystem in OpenSSL 1.0.0d and earlier, when the Elliptic Curve Digital Signature Algorithm (ECDSA) is used for the ECDHE_ECDSA cipher suite, does not properly implement curves over binary fields, which makes it easier for context-dependent attackers to determine private keys via a timing attack and a lattice calculation.

CVSS vector

AV:N/AC:H/C:P/I:N/A:NExploitability: 4.9 | Impact: 2.9

Affected Packages3 packages

▶debiandebian/openssl< openssl 1.0.0e-1 (bookworm)

▶Debianopenssl/openssl< 1.0.0e-1+3

▶NVDopenssl/openssl1.0.0d+56

🔴Vulnerability Details

GHSA

GHSA-r4rf-h58w-4p76: The elliptic curve cryptography (ECC) subsystem in OpenSSL 1↗2022-05-17

▶

OSV

CVE-2011-1945: The elliptic curve cryptography (ECC) subsystem in OpenSSL 1↗2011-05-31

▶

📋Vendor Advisories

Ubuntu

OpenSSL vulnerabilities↗2012-02-09

▶

Red Hat

openssl: ECDSA private key leak through a remote timing attack↗2011-05-17

▶

Debian

CVE-2011-1945: openssl - The elliptic curve cryptography (ECC) subsystem in OpenSSL 1.0.0d and earlier, w...↗2011

▶

💬Community

Bugzilla

CVE-2011-1945 openssl: ECDSA private key leak through a remote timing attack↗2011-05-30

▶