CVE-2018-0733

Name
CVE-2018-0733
Description
Because of an implementation bug the PA-RISC CRYPTO_memcmp function is effectively reduced to only comparing the least significant bit of each byte. This allows an attacker to forge messages that would be considered as authenticated in an amount of tries lower than that guaranteed by the security claims of the scheme. The module can only be compiled by the HP-UX assembler, so that only HP-UX PA-RISC targets are affected. Fixed in OpenSSL 1.1.0h (Affected 1.1.0-1.1.0g).
NVD Severity
medium
Other trackers
CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia
Mailing lists
oss-security, full-disclosure, bugtraq
Exploits
Exploit DB, Metasploit
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
Vendor Advisory https://www.openssl.org/news/secadv/20180327.txt
Patch https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=56d5a4bfcaf37fa420aef2bb881aa55e61cf5f2f
Third Party Advisory http://www.securitytracker.com/id/1040576
Third Party Advisory http://www.securityfocus.com/bid/103517
Third Party Advisory https://security.netapp.com/advisory/ntap-20180330-0002/
CONFIRM https://www.tenable.com/security/tns-2018-04
CONFIRM https://www.tenable.com/security/tns-2018-07
CONFIRM https://www.tenable.com/security/tns-2018-06
CONFIRM http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
CONFIRM http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html
GENTOO https://security.gentoo.org/glsa/201811-21
CONFIRM https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html
MISC https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
MISC https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:* openssl >= 1.1.0 <= 1.1.0g

Vulnerable and fixed packages

Source package Branch Version Maintainer Status