CVE-2018-0735 — MEDIUM (5.9)

Q: How severe is CVE-2018-0735?

CVE-2018-0735 has been rated MEDIUM with a CVSS base score of 5.9/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2018-0735?

Check the references section above for vendor advisories and patch information. Affected products include: Openssl Openssl, Canonical Ubuntu Linux, Debian Debian Linux, Nodejs Node.Js, Netapp Cn1610 Firmware.

Vulnerability Description

The OpenSSL ECDSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variations in the signing algorithm to recover the private key. Fixed in OpenSSL 1.1.0j (Affected 1.1.0-1.1.0i). Fixed in OpenSSL 1.1.1a (Affected 1.1.1).

CVSS Score

5.9

MEDIUM

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

NONE

Availability

NONE

Affected Products

Vendor	Product	Versions
Openssl	Openssl	>= 1.1.0, <= 1.1.0i
Canonical	Ubuntu Linux	14.04
Debian	Debian Linux	8.0
Nodejs	Node.Js	>= 10.0.0, < 10.12.0
Netapp	Cn1610 Firmware	-
Netapp	Cn1610	-
Netapp	Cloud Backup	-
Netapp	Element Software	-
Netapp	Oncommand Unified Manager	All versions
Netapp	Santricity Smi-S Provider	-
Netapp	Smi-S Provider	-
Netapp	Snapdrive	-
Netapp	Steelstore	-
Oracle	Api Gateway	11.1.2.4.0
Oracle	Application Server	0.9.8
Oracle	Enterprise Manager Base Platform	12.1.0.5.0
Oracle	Enterprise Manager Ops Center	12.3.3
Oracle	Mysql	<= 5.6.42
Oracle	Peoplesoft Enterprise Peopletools	8.55
Oracle	Primavera P6 Enterprise Project Portfolio Management	>= 17.7, <= 17.12

Related Weaknesses (CWE)

CWE-327

References

http://www.securityfocus.com/bid/105750Third Party AdvisoryVDB Entry
http://www.securitytracker.com/id/1041986Third Party AdvisoryVDB Entry
https://access.redhat.com/errata/RHSA-2019:3700Third Party Advisory
https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=56fb454d281a023
https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=b1d6d55ece1c26f
https://lists.debian.org/debian-lts-announce/2018/11/msg00024.htmlMailing ListThird Party Advisory
https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/Third Party Advisory
https://security.netapp.com/advisory/ntap-20181105-0002/Third Party Advisory
https://usn.ubuntu.com/3840-1/Third Party Advisory
https://www.debian.org/security/2018/dsa-4348Third Party Advisory
https://www.openssl.org/news/secadv/20181029.txtVendor Advisory
https://www.oracle.com/security-alerts/cpujan2020.htmlThird Party Advisory
https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.htmlPatchThird Party Advisory
https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.htmlPatchThird Party Advisory
https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.htmlPatchThird Party Advisory

FAQ

What is CVE-2018-0735?

CVE-2018-0735 is a vulnerability with a CVSS score of 5.9 (MEDIUM). The OpenSSL ECDSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variations in the signing algorithm to recover the private key. Fixed in Op...

How severe is CVE-2018-0735?

CVE-2018-0735 has been rated MEDIUM with a CVSS base score of 5.9/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2018-0735?

Check the references section above for vendor advisories and patch information. Affected products include: Openssl Openssl, Canonical Ubuntu Linux, Debian Debian Linux, Nodejs Node.Js, Netapp Cn1610 Firmware.