CVE-2018-0737 - Medium Severity Vulnerability
Vulnerable Library - opensslOpenSSL_1_1_0g
Akamai fork of openssl master.
Library home page: https://github.com/akamai/openssl.git
Found in HEAD commit: 1fd1c91be1f09deb72b2b5349f8e936a378411b8
Found in base branch: master
Vulnerable Source Files (2)
/crypto/rsa/rsa_gen.c /crypto/rsa/rsa_gen.c
Vulnerability Details
The OpenSSL RSA Key generation algorithm has been shown to be vulnerable to a cache timing side channel attack. An attacker with sufficient access to mount cache timing attacks during the RSA key generation process could recover the private key. Fixed in OpenSSL 1.1.0i-dev (Affected 1.1.0-1.1.0h). Fixed in OpenSSL 1.0.2p-dev (Affected 1.0.2b-1.0.2o).
Publish Date: 2018-04-16
URL: CVE-2018-0737
CVSS 3 Score Details (5.9)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: None
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0737
Release Date: 2018-04-16
Fix Resolution: OpenSSL_1_1_0i,OpenSSL_1_0_2p