CVE-2018-0734

CWE-327 — Broken Cryptographic Algorithm CWE-38514 documents10 sources

Severity

5.9MEDIUM

EPSS

6.1%

top 9.26%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Nodejs Node.js Openssl Openssl Oracle Mysql Enterprise Backup +9 more

Timeline

PublishedOct 30

Latest updateMay 13

Description

The OpenSSL DSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variations in the signing algorithm to recover the private key. Fixed in OpenSSL 1.1.1a (Affected 1.1.1). Fixed in OpenSSL 1.1.0j (Affected 1.1.0-1.1.0i). Fixed in OpenSSL 1.0.2q (Affected 1.0.2-1.0.2p).

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 2.2 | Impact: 3.6

Affected Packages14 packages

▶Debianopenssl< 1.1.1a-1+3

▶Ubuntuopenssl< 1.0.1f-1ubuntu2.27+2

▶Ubuntuopenssl1.0< 1.0.2n-1ubuntu5.2

▶NVDopenssl/openssl1.0.2 — 1.0.2p+2

▶CVEListV5openssl/opensslFixed in OpenSSL 1.0.2q (Affected 1.0.2-1.0.2p), Fixed in OpenSSL 1.1.0j (Affected 1.1.0-1.1.0i), Fixed in OpenSSL 1.1.1a (Affected 1.1.1)+2

Also affects: Debian Linux 9.0, Ubuntu Linux 14.04, 16.04, 18.04, 18.10

Patches

Patch: www.oracle.com ↗Patch: www.oracle.com ↗Patch: www.oracle.com ↗

🔴Vulnerability Details

GHSA

GHSA-93g8-hm6f-hrw3: The OpenSSL DSA signature algorithm has been shown to be vulnerable to a timing side channel attack↗2022-05-13

▶

OSV

openssl, openssl1.0 vulnerabilities↗2018-12-06

▶

OSV

CVE-2018-0734: The OpenSSL DSA signature algorithm has been shown to be vulnerable to a timing side channel attack↗2018-10-30

▶

CVEList

Timing attack against DSA↗2018-10-30

▶

📋Vendor Advisories

Oracle

Oracle Oracle Communications Applications Risk Matrix: Security (OpenSSL) — CVE-2018-0734↗2020-01-15

▶

Ubuntu

OpenSSL vulnerabilities↗2018-12-06

▶

Red Hat

openssl: timing side channel attack in the DSA signature algorithm↗2018-10-16

▶

Microsoft

Timing attack against DSA↗2018-10-09

▶

Debian

CVE-2018-0734: openssl - The OpenSSL DSA signature algorithm has been shown to be vulnerable to a timing ...↗2018

▶

💬Community

Bugzilla

CVE-2018-0734 openssl: timing side channel attack in the DSA signature algorithm [fedora-all]↗2018-10-30

▶

Bugzilla

CVE-2018-0734 openssl: timing side channel attack in the DSA signature algorithm↗2018-10-30

▶

Bugzilla

CVE-2018-0734 mingw-openssl: openssl: timing side channel attack in the DSA signature algorithm [epel-7]↗2018-10-30

▶

Bugzilla

CVE-2018-0734 mingw-openssl: openssl: timing side channel attack in the DSA signature algorithm [fedora-all]↗2018-10-30

▶