CVE-2018-0735

CWE-327Broken Cryptographic AlgorithmCWE-38510 documents8 sources
Severity
5.9MEDIUM
EPSS
7.7%
top 8.08%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
15
Nodejs Node.jsOracle VM VirtualboxOpenssl Openssl+12 more
Timeline
PublishedOct 29
Latest updateMay 13

Description

The OpenSSL ECDSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variations in the signing algorithm to recover the private key. Fixed in OpenSSL 1.1.0j (Affected 1.1.0-1.1.0i). Fixed in OpenSSL 1.1.1a (Affected 1.1.1).

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 2.2 | Impact: 3.6

Affected Packages17 packages

Debianopenssl< 1.1.1a-1+3
Ubuntuopenssl< 1.0.1f-1ubuntu2.27+2
Ubuntuopenssl1.0< 1.0.2n-1ubuntu5.2
NVDopenssl/openssl1.1.01.1.0i+1
CVEListV5openssl/opensslFixed in OpenSSL 1.1.0j (Affected 1.1.0-1.1.0i), Fixed in OpenSSL 1.1.1a (Affected 1.1.1)+1

Also affects: Debian Linux 8.0, 9.0, Ubuntu Linux 14.04, 16.04, 18.04, 18.10

Patches

Patch: www.oracle.comPatch: www.oracle.comPatch: www.oracle.com

🔴Vulnerability Details

4
GHSA
GHSA-4fhm-44hf-3465: The OpenSSL ECDSA signature algorithm has been shown to be vulnerable to a timing side channel attack2022-05-13
OSV
openssl, openssl1.0 vulnerabilities2018-12-06
CVEList
Timing attack against ECDSA signature generation2018-10-29
OSV
CVE-2018-0735: The OpenSSL ECDSA signature algorithm has been shown to be vulnerable to a timing side channel attack2018-10-29

📋Vendor Advisories

3
Ubuntu
OpenSSL vulnerabilities2018-12-06
Red Hat
openssl: timing side channel attack in the ECDSA signature generation2018-10-25
Debian
CVE-2018-0735: openssl - The OpenSSL ECDSA signature algorithm has been shown to be vulnerable to a timin...2018

💬Community

2
Bugzilla
CVE-2018-0735 openssl: timing side channel attack in the ECDSA signature generation2018-10-30
Bugzilla
CVE-2018-0735 openssl: timing side channel attack in ECDSA signature generation [fedora-all]2018-10-30