The OpenSSL ECDSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variations in the signing algorithm to recover the private key. Fixed in OpenSSL 1.1.0j (Affected 1.1.0-1.1.0i). Fixed in OpenSSL 1.1.1a (Affected 1.1.1).
CVE-2018-0735 - Medium Severity Vulnerability
Vulnerable Library - opensslOpenSSL_1_1_0g
Akamai fork of openssl master.
Library home page: https://github.com/akamai/openssl.git
Found in HEAD commit: 4c0cda99bc44e45f32ea15e98aeb0a895ad1dd56
Found in base branch: master
Vulnerable Source Files (2)
/crypto/ec/ec_mult.c /crypto/ec/ec_mult.c
Vulnerability Details
The OpenSSL ECDSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variations in the signing algorithm to recover the private key. Fixed in OpenSSL 1.1.0j (Affected 1.1.0-1.1.0i). Fixed in OpenSSL 1.1.1a (Affected 1.1.1).
Publish Date: 2018-10-29
URL: CVE-2018-0735
CVSS 3 Score Details (5.9)
Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: None - Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-0735
Release Date: 2018-10-29
Fix Resolution: openssl-libs - 1.1.1c-2,1.1.1c-2,1.0.2k-16,1.0.2k-16,1.0.2k-16,1.0.2k-16,1.0.2k-16,1.1.1c-2,1.0.2k-16,1.1.1c-2,1.1.1c-2;openssl-perl - 1.1.1c-2,1.1.1c-2,1.1.1c-2,1.0.2k-16,1.1.1c-2,1.0.2k-16,1.0.2k-16,1.0.2k-16;openssl - 1.0.2k-16,1.1.1c-2,1.1.1c-2,1.1.1c-2,1.0.2k-16,1.1.1c-2,1.0.2k-16,1.1.1c-2,1.0.2k-16,1.0.2k-16;openssl-static - 1.0.2k-16,1.0.2k-16,1.0.2k-16,1.0.2k-16,1.0.2k-16,1.0.2k-16;openssl-devel - 1.0.2k-16,1.1.1c-2,1.1.1c-2,1.0.2k-16,1.0.2k-16,1.1.1c-2,1.0.2k-16,1.1.1c-2,1.0.2k-16,1.1.1c-2,1.0.2k-16;openssl-debuginfo - 1.1.1c-2,1.0.2k-16,1.0.2k-16,1.1.1c-2;openssl-debugsource - 1.1.1c-2,1.1.1c-2;openssl-libs-debuginfo - 1.1.1c-2,1.1.1c-2
Step up your Open Source Security Game with Mend here